Re: CSV (Crocker's draft) good! (evaluation, big suggestion:NBB)

For the purposes of discussion, let's call my proposed enhancement NBB 
(no bogus bounce).
NBB is:
Take CSV, and add a new requirement: mail that has failed (as in
there is a MARID record AND the sending IP isn't there AND there's no
?all) a 2821.FROM check MUST NOT be bounced; instead it MUST either be
refused at SMTP time, or accepted and destroyed.   In other words, DON'T
require SRS, but DO require that mail that goes via non-SRS systems not
lead to bounces to  systems that didn't originate the original message.

Hope to hear from Crocker soon. 

Meng Wong said:

> Thank you for the review of CSV.
>
> I have a question.  Can you walk us through the scenario where a
> spammer, in response to CSV, uses a HELO domainname "goodguy.com"
> where:
> ...
> - goodguy.com does not have a CSV record (maybe goodguy.com is too busy to set 
> up CSV right now)
>
> what does a receiver do?
>  
Use the filters they use today, report the abuse to goodguy, suggesting 
CSV+NBB.  The score SpamAssassin contributes to mail from machines with 
unvalidated HELO will be very low and rise only later, but at the early 
adopters stage, validated HELO would have a strong negative/non-spam 
score, and be accreditation- & rhsbl- protected. Perhaps also report it 
to a RHSBL specifically for domains forged in HELOs.  It wouldn't make 
sense to use such an RHSBL for anything but score-based tagging - for 
the reason you point out below.  An RHSBL of domains with SPF records 
that have spam from their authorized IPs would be a stronger spamsign, 
I'll grant you that.  But CSV is so quick and easy to implement that 
goodguy.com's admin, being a good guy, would have the time to set it 
up.  At least it would be if it had the kind of assistance your site 
provides, and moreso if it used TXT records, which more DNS providers 
support.  Thanks for helping explore my idea.
> I should point out that goodguy.com's MTAs also use HELO goodguy.com,
> and their IP addresses do not match the A record for goodguy.com
> either.

On 5/3/04 7:04 AM, Hallam-Baker, Phillip sent forth electrons to convey:

> The thing I don't understand about HELO schemes is what they buy that we
> would not get from simply requiring senders to give a domain name that
> correctly resolves to the ip address of the sender sever.
>
> And pleas stop the fud 
Wow, someone from Microsoft saying pleas(e) stop the FUD.  I'm in shock 
and awe!
Seriously...
Here's a real example.  Elvey.com doesn't have its own outgoing SMTP 
server. 
With SPF or C-ID, I have to communicate with every end user of the 
domain, and find out what outgoing SMTP servers they use (one user uses 
at least 4 different smtp servers (home:rr.com's, work: earthlink?, 
wireless:blackberry, road:verio, ?) , and I know one of them uses 3 
outgoing IPs when sending, and list these in the elvey.com MARID 
record.  Or I could set up an smtp server on a stable connection with 
authentication, and walk each user through changing their smtp server to 
that server.  Understand now?  And then there's the factor that CSV 
records would be much shorter and easier to maintain than SPF or C-ID 
records.  Hence my factor of ~100 claim.
Greg Connor said:

> Right, because only HELO is validated, it's a tad easier to set up... 
> but that's because it accomplishes far less.
That's not a logical statement.  Water is easy to get; does that mean 
it's not useful?
My main point is that it (CSV+NBB) actually doesn't accomplish much 
less, and I explain my reasoning. 
If you disagree, provide a real argument.
See http://spf.pobox.com/faq.html#churn for more on rhsbls; yes they'd 
start to be applied to HELO.
WRT the rest of your comments, what you say later in your email makes 
them irrelevant - they indicate you hadn't read the NBB stuff.

[[I think PHB claimed that C-ID would have prevented that anti-M$ screed 
forgery.]]
Perhaps C-ID could be modified to do so, but it certainly doesn't now.  
The forger could have added a header, e.g. Sender:, to fool C-ID.
I don't recall whether the modifications Harry proposed would.  Can't 
find 'em... [rant]not an I-D[/rant]. Obviously IF C-ID is changed to 
strongly
protect From:, THEN will strongly protect From:.  That's almost a 
tautology. 
Take-away idea: yes, mailing lists can and should protect From: with a 
strong MARID check.