ietf-mxcomp

Re: Reality check please

2004-06-14 21:45:23

(Posted on 6/9 just to Markus, perhaps by mistake; haven't heard back; the minimum price of a domain is important!)

On 6/9/2004 2:58 PM, Markus Stumpf sent forth electrons to convey:

<Agree with you up to this point.>

And a point which is deliberately ignored is the problem of 0.10 USD
throwaway domains and short-TTL bot networks.

Sorry, where can I get a domain for $0.10 US? (And I don't mean foo.cjb.net or foo.cjb.co.uk) If these are coming or here, as you and Gordon seem to be saying they are, then MARID won't work as well as I had thought it would. You think an ICANN-authorized TLD will start selling domains at this price? Please explain in more detail.

Yeah, I know, this will be
solved anytime later with accreditation services.

CSV:
Is an SMTP client authorized to use a particular domain name in its
SMTP EHLO command?  [CSV] attempts to answer this question.  It
suffers from the fact that the EHLO name has a tenuous relationship,
at best, with the contents of any mail message.


So what? It is MTA authorization records not message authorization
records, even if the group morphed to it.

Indeed!  Watch this point be studiously ignored.

An EHLO identifier is the
way one MTA tells another MTA about himself and his identity. It is
an important fact to know if this identity is faked. However this
could probably also be partially accomplished by requiring the EHLO
to match at least one PTR record and have the forward lookup of this
record match the connecting IP (aka EHLO must match paranoid lookup).

Some of the syntax and semantics of SPF records provide useful additional functionality without weakening the effectiveness with which an MTA is authorized by a domain. The benefit is that it allows every legit MTA to pass MARID inspection, even the 1-10% of legit MTAs that don't have control over rDNS, and hence don't pass the rDNS test. And yet it ties that MTA to a domain that has a valuable reputation. That being the goal of MARID.

RMX/SPF:
These suffer from the fact that the MAIL FROM address really describes where to send NDRs to, and in many third-party and forwarder situations this address is unrelated to the domain that is resending the message.


This has no more or fewer drawbacks than checking a Resent-From:
This provides no more or less authentication for a faked Resent-From:
of a throwaway domain and in that case if the message is not checked
during the SMTP transaction the bounce goes where to?
The faked envelope sender? To the SUBMITTER, which is an address
the originator of the message will never be able to check for mistyped
addresses. What have we won?
Nothing but big headaches, IMO.

... the XML hype ...

I think the vocal opponents of XML have RSI.
Or perhaps their jaws dropped open and they're speechless.
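
The "EHLO must match paranoid lookup" test discussed in the message above, as an added example that is not part of the original post. The verdict names, the dictionary-backed resolver functions and all DNS data are constructed assumptions; the "none" case shows the MTA without rDNS control that the reply mentions.

```python
import ipaddress

# Constructed sample DNS data (documentation ranges, example domains); not real records.
PTR = {
    "192.0.2.25": ["mail.example.org."],
    "192.0.2.99": ["mx.example.net."],   # PTR names a host whose A record points elsewhere
    "198.51.100.7": [],                  # legitimate MTA with no control over its rDNS
}
ADDR = {
    "mail.example.org": ["192.0.2.25", "2001:db8::25"],
    "mx.example.net": ["203.0.113.5"],
    "relay.example.com": ["198.51.100.7"],
}

def ptr_lookup(ip):
    """Hypothetical resolver stub: PTR names for an IP address."""
    return PTR.get(ip, [])

def addr_lookup(name):
    """Hypothetical resolver stub: A/AAAA addresses for a host name."""
    return ADDR.get(name, [])

def norm(name):
    """DNS names compare case-insensitively, ignoring the trailing root dot."""
    return name.rstrip(".").lower()

def check_ehlo(client_ip, ehlo, ptr=ptr_lookup, addr=addr_lookup):
    """Return (verdict, reason) for the EHLO name offered by client_ip."""
    ip = ipaddress.ip_address(client_ip)
    ptr_names = {norm(n) for n in ptr(str(ip))}
    if not ptr_names:
        return "none", "no PTR record for the connecting IP"
    if norm(ehlo) not in ptr_names:
        return "fail", "EHLO name matches no PTR record"
    # Forward-confirm: the EHLO name must resolve back to the connecting IP.
    forward = {ipaddress.ip_address(a) for a in addr(norm(ehlo))}
    if ip not in forward:
        return "fail", "forward lookup does not return the connecting IP"
    return "pass", "EHLO name, PTR and forward lookup agree"

if __name__ == "__main__":
    samples = [("192.0.2.25", "Mail.Example.ORG"), ("192.0.2.25", "mail.example.com"),
               ("192.0.2.99", "mx.example.net"), ("198.51.100.7", "relay.example.com")]
    for ip, name in samples:
        print(ip, name, *check_ehlo(ip, name))
```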




