Re: CSV (Crocker's draft) good! (evaluation, big suggestion:NBB)
2004-05-03 13:23:54
For the purposes of discussion, let's call my proposed enhancement NBB
(no bogus bounce).
NBB is:
Take CSV, and add a new requirement: mail that has failed (as in
there is a MARID record AND the sending IP isn't there AND there's no
?all) a 2821.FROM check MUST NOT be bounced; instead it MUST either be
refused at SMTP time, or accepted and destroyed. In other words, DON'T
require SRS, but DO require that mail that goes via non-SRS systems not
lead to bounces to systems that didn't originate the original message.
Hope to hear from Crocker soon.
Meng Wong said:
Thank you for the review of CSV.
I have a question. Can you walk us through the scenario where a
spammer, in response to CSV, uses a HELO domainname "goodguy.com"
where:
...
- goodguy.com does not have a CSV record (maybe goodguy.com is too busy to set
up CSV right now)
what does a receiver do?
Use the filters they use today, report the abuse to goodguy, suggesting
CSV+NBB. The score SpamAssassin contributes to mail from machines with
unvalidated HELO will be very low and rise only later, but at the early
adopters stage, validated HELO would have a strong negative/non-spam
score, and be accreditation- & rhsbl- protected. Perhaps also report it
to a RHSBL specifically for domains forged in HELOs. It wouldn't make
sense to use such an RHSBL for anything but score-based tagging - for
the reason you point out below. An RHSBL of domains with SPF records
that have spam from their authorized IPs would be a stronger spamsign,
I'll grant you that. But CSV is so quick and easy to implement that
goodguy.com's admin, being a good guy, would have the time to set it
up. At least it would be if it had the kind of assistance your site
provides, and more so if it used TXT records, which more DNS providers
support. Thanks for helping explore my idea.
I should point out that goodguy.com's MTAs also use HELO goodguy.com,
and their IP addresses do not match the A record for goodguy.com
either.
On 5/3/04 7:04 AM, Hallam-Baker, Phillip sent forth electrons to convey:
The thing I don't understand about HELO schemes is what they buy that we
would not get from simply requiring senders to give a domain name that
correctly resolves to the ip address of the sender server.
And pleas stop the fud
Wow, someone from Microsoft saying pleas(e) stop the FUD. I'm in shock
and awe!
Seriously...
Here's a real example. Elvey.com doesn't have its own outgoing SMTP
server.
With SPF or C-ID, I have to communicate with every end user of the
domain, and find out what outgoing SMTP servers they use (one user uses
at least 4 different smtp servers (home:rr.com's, work: earthlink?,
wireless:blackberry, road:verio, ?), and I know one of them uses 3
outgoing IPs when sending), and list these in the elvey.com MARID
record. Or I could set up an smtp server on a stable connection with
authentication, and walk each user through changing their smtp server to
that server. Understand now? And then there's the factor that CSV
records would be much shorter and easier to maintain than SPF or C-ID
records. Hence my factor of ~100 claim.
Greg Connor said:
Right, because only HELO is validated, it's a tad easier to set up...
but that's because it accomplishes far less.
That's not a logical statement. Water is easy to get; does that mean
it's not useful?
My main point is that it (CSV+NBB) actually doesn't accomplish much
less, and I explain my reasoning.
If you disagree, provide a real argument.
See http://spf.pobox.com/faq.html#churn for more on rhsbls; yes they'd
start to be applied to HELO.
WRT the rest of your comments, what you say later in your email makes
them irrelevant - they indicate you hadn't read the NBB stuff.
[[I think PHB claimed that C-ID would have prevented that anti-M$ screed
forgery.]]
Perhaps C-ID could be modified to do so, but it certainly doesn't now.
The forger could have added a header, e.g. Sender:, to fool C-ID.
I don't recall whether the modifications Harry proposed would. Can't
find 'em... [rant]not an I-D[/rant]. Obviously IF C-ID is changed to strongly
protect From:, THEN it will strongly protect From:. That's almost a
tautology.
Take-away idea: yes, mailing lists can and should protect From: with a
strong MARID check.
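
The NBB rule defined at the top of this message, worked through as an added example (not code from the post or from any CSV/MARID draft). It assumes the MARID record is written in SPF-style syntax (`ip4:`, `ip6:`, `?all`); the function names, result strings and sample record are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample record, assuming SPF-style syntax for the MARID record.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

def marid_check_failed(record, sender_ip):
    """True only when all three NBB conditions hold: a record exists,
    the sending IP is not listed in it, and it carries no '?all'."""
    if not record:                          # no MARID record: not a failure
        return False
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:         # skip the version tag
        term = term.lower()
        if term == "?all":                  # neutral default: not a failure
            return False
        mech = term.lstrip("+")
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return False                # sending IP is listed
        elif mech not in ("-all", "~all"):
            # +all, or a mechanism that needs DNS (a, mx, include, ...):
            # this offline sketch cannot evaluate it, so it is not a failure.
            return False
    return True

def nbb_disposition(record, sender_ip, smtp_session_open):
    """What NBB allows a receiver to do with a message."""
    if marid_check_failed(record, sender_ip):
        # Failed mail MUST NOT be bounced: refuse it while the SMTP
        # transaction is still open, otherwise accept it and destroy it.
        return "refuse-at-smtp" if smtp_session_open else "accept-and-destroy"
    # Not a failure: ordinary handling, where a bounce to 2821.FROM is allowed.
    return "normal-handling"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, nbb_disposition(SAMPLE_RECORD, ip, smtp_session_open=True))
```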