ietf-mxcomp

Re: Drive Towards Consensus [was Re: On Extensibility in MARID Records]

2004-06-21 14:11:27


----- Original Message ----- 
From: "Luis Bruno" <lbruno(_at_)republico(_dot_)estv(_dot_)ipv(_dot_)pt>
To: "IETF MARID WG" <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Monday, June 21, 2004 4:31 PM
Subject: Re: Drive Towards Consensus [was Re: On Extensibility in MARID
Records]



Jonathan Gardner wrote:
If we decide that Sender ID will only authenticate whether a particular MTA
at an IP address is allowed to send messages for a domain, then Sender ID
is sufficient.

Sufficient, but not necessary; in other words, overkill.

Paging Hector Santos: I couldn't get email directly to you; 550 Return Path
not verifiable after RCPT TO: (and postmaster@ didn't work :-) )

Oh, I got something this morning directly from you?

----- Original Message ----- 
From: "Luis Bruno" <lbruno(_at_)republico(_dot_)estv(_dot_)ipv(_dot_)pt>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>
Sent: Monday, June 21, 2004 7:01 AM
Subject: Re: MARID Records and the standards process

And I replied to this.

Let me check the anti-spam logs.  Ok, your 7am message was validated
successfully via CBV:

20040621 07:04:31 -------------------------------------
20040621 07:04:31 version    : 1.62 / 1.54
20040621 07:04:31 calltype   : SMTP
20040621 07:04:31 state      : rcpt
20040621 07:04:31 srvdom     : winserver.com
20040621 07:04:31 srvip      : 208.247.131.9
20040621 07:04:31 cip        : 193.137.7.30
20040621 07:04:31 cdn        : republico.estv.ipv.pt
20040621 07:04:31 from       : <lbruno(_at_)republico(_dot_)estv(_dot_)ipv(_dot_)pt>
20040621 07:04:31 rcpt       : <hsantos(_at_)santronics(_dot_)com>
20040621 07:04:31 ruid       : 228947
20040621 07:04:31 testorder  : FLT RBL SPF CEP CBV
20040621 07:04:31 sapfilter  : pass (time:62)
20040621 07:04:31 saprbl     : testing 30.7.137.193.sbl.spamhaus.org
20040621 07:04:33 saprbl     : testing 30.7.137.193.list.dsbl.org
20040621 07:04:34 saprbl     : testing 30.7.137.193.bl.spamcop.net
20040621 07:04:35 saprbl     : pass (time:3485)
20040621 07:04:40 sapspf     : none (time:4921)
20040621 07:04:40 sapcep     : test from=republico.estv.ipv.pt
20040621 07:04:44 sapcep     : none (time:4875)
20040621 07:04:46 sapcbv     : total mx records: 0
20040621 07:04:51 try domain : republico.estv.ipv.pt ip: 193.137.7.30
20040621 07:04:51 # connecting to 193.137.7.30
20040621 07:04:52 S: 220 republico.estv.ipv.pt ESMTP Exim 4.22 Mon, 21 Jun 2004 12:02:15 +0100
20040621 07:04:52 C: NOOP WCSAP v1.62 Wildcat! Sender Authentication Protocol http://www.santronics.com
20040621 07:04:52 S: 250 OK
20040621 07:04:52 C: HELO mail.winserver.com
20040621 07:04:52 S: 250 republico.estv.ipv.pt Hello ntbbs.winserver.com [208.247.131.9]
20040621 07:04:52 C: MAIL FROM: <>
20040621 07:04:53 S: 250 OK
20040621 07:04:53 C: RCPT TO: <lbruno(_at_)republico(_dot_)estv(_dot_)ipv(_dot_)pt>
20040621 07:04:53 S: 250 Accepted
20040621 07:04:53 C: RCPT TO: <wcsap-openrelay-test-123sxa23(_at_)alqwejad(_dot_)com>
20040621 07:04:53 S: 550 relay not permitted
20040621 07:04:53 C: QUIT
20040621 07:04:53 sapcbv     : 250
20040621 07:04:53 result     : accept (-1)
20040621 07:04:53 wcsap finish (22172 msecs)
20040621 07:06:17 -------------------------------------

Why no SPF record?  <g>

I sent a reply to you, and I see a 10am transaction from you which failed
because your return domain failed.

A 451 response was issued to allow you to try again.  It was tried 2-3 more
times.

20040621 10:18:42 -------------------------------------
20040621 10:18:42 version    : 1.62 / 1.54
20040621 10:18:42 calltype   : SMTP
20040621 10:18:42 state      : rcpt
20040621 10:18:42 srvdom     : winserver.com
20040621 10:18:42 srvip      : 208.247.131.9
20040621 10:18:42 cip        : 193.137.7.30
20040621 10:18:42 cdn        : republico.estv.ipv.pt
20040621 10:18:42 from       : <lbruno(_at_)republico(_dot_)estv(_dot_)ipv(_dot_)pt>
20040621 10:18:42 rcpt       : <hsantos(_at_)santronics(_dot_)com>
20040621 10:18:42 ruid       : 228947
20040621 10:18:42 testorder  : FLT RBL SPF CEP CBV
20040621 10:18:42 sapfilter  : pass (time:63)
20040621 10:18:42 saprbl     : testing 30.7.137.193.sbl.spamhaus.org
20040621 10:18:42 saprbl     : testing 30.7.137.193.list.dsbl.org
20040621 10:18:43 saprbl     : testing 30.7.137.193.bl.spamcop.net
20040621 10:18:49 saprbl     : pass (time:6906)
20040621 10:18:49 sapspf     : none (time:703)
20040621 10:18:49 sapcep     : test from=republico.estv.ipv.pt
20040621 10:18:50 sapcep     : none (time:1282)
20040621 10:19:00 sapcbv     : rejected - can not resolve republico.estv.ipv.pt
20040621 10:19:00 result     : reject (0)
20040621 10:19:00 smtp code  : 450
20040621 10:19:00 reason     : Rejected by WCSAP CBV
20040621 10:19:00 wcsap finish (19094 msecs)
20040621 10:19:50 -----------------------------------

I just tried again manually and your domain still fails MX and A record
lookups:

d:\wc5beta>nslookup -query=mx republico.estv.ipv.pt

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to ns1.mia.bellsouth.net timed-out

d:\wc5beta>nslookup -query=a republico.estv.ipv.pt

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to ns1.mia.bellsouth.net timed-out

Lessons/Notes learned here?

Strict SMTP compliancy for valid return addresses works.  Spammers
will not complain about False Positives. However, legitimate people will.
But I don't see the FAULT in the SMTP operation.  It did its job as it is
supposed to behave with a strong enforcement of SMTP compliancy - meaning that
ADDRESS better be good!    By far, this approach has eliminated a majority of
the anonymous mail abuse.

When MARID is implemented, the 2821 portion of it will replace MCEP (SAPCEP)
logic above.  At some point, I hope it will replace SPF, but SPF will probably
not be removed with the initial implementation.

The MARID 2822 logic will be added AFTER the 2821 is validated.  Nothing
from what I see in Microsoft MCEP logic will validate this type of transaction
with a high degree of trust.  That address better be good when it is
provided at MAIL FROM:

-- Hector
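
The callback (CBV) sequence visible in the two log excerpts above, as an added example that is not part of the original message and not WCSAP's own code. It runs offline against constructed DNS and SMTP stubs; the function names, the sample addresses and the choice to reject a host that accepts the open-relay probe are assumptions.

```python
# Sketch of the CBV decision sequence seen in the logs above, run offline.
# All names, stub data and verdict mappings are assumptions, not WCSAP code.

PROBE = "openrelay-probe@unrelated.invalid"   # constructed foreign recipient

def cbv_check(sender, resolve, smtp_reply):
    """Return (verdict, smtp_code) for an envelope sender (RFC 2821 MAIL FROM)."""
    domain = sender.rsplit("@", 1)[1]
    # Prefer MX hosts, fall back to the A record when there are no MX records.
    hosts = resolve(domain, "MX") or resolve(domain, "A")
    if not hosts:
        # Unresolvable return domain: temporary reject so a real sender retries.
        return ("reject", 450)
    host = hosts[0]
    # The null reverse-path keeps the callback from triggering bounces.
    for cmd in ("HELO verifier.example", "MAIL FROM:<>", f"RCPT TO:<{sender}>"):
        code = smtp_reply(host, cmd)
        if code >= 500:
            return ("reject", 550)    # mailbox or session refused permanently
        if code >= 400:
            return ("reject", 450)    # remote side deferred; let the sender retry
    # A host that relays for a foreign domain accepts anything, so its
    # "250" for the sender proves nothing (assumed policy: reject).
    if smtp_reply(host, f"RCPT TO:<{PROBE}>") < 400:
        return ("reject", 550)
    return ("accept", 250)

def make_stubs(dns, refused=()):
    """Build constructed DNS and SMTP stubs so the example runs without a network."""
    def resolve(name, rtype):
        return dns.get((name, rtype), [])
    def smtp_reply(host, cmd):
        return 550 if any(r in cmd for r in refused) else 250
    return resolve, smtp_reply

SENDER = "user@sender.example"                       # constructed address
DNS_OK = {("sender.example", "A"): ["192.0.2.30"]}   # no MX, A record only

def demo():
    good = cbv_check(SENDER, *make_stubs(DNS_OK, refused=[PROBE]))
    dns_down = cbv_check(SENDER, *make_stubs({}, refused=[PROBE]))
    bad_box = cbv_check(SENDER, *make_stubs(DNS_OK, refused=[SENDER, PROBE]))
    open_relay = cbv_check(SENDER, *make_stubs(DNS_OK))
    return good, dns_down, bad_box, open_relay

if __name__ == "__main__":
    for name, result in zip(("good", "dns_down", "bad_box", "open_relay"), demo()):
        print(f"{name:10s} -> {result}")
```

The `dns_down` case is the one the 10:18 log shows: the mailbox may be perfectly valid, but a resolver timeout on the return domain is indistinguishable from a forged one at check time, which is why a temporary code is used.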


