On Mon, 2004-06-21 at 17:04, Roy Badami wrote:
"Margaret" == Margaret Olson <margaret(_at_)margaretolson(_dot_)com>
writes:
Margaret> The rate limiting needs to occur on the sending side,
Margaret> but the receiver needs to know what it is.
But there's no need for the sender to publish the rate limiting
information, because there's little reason for you to trust them. It
make more sense for the sender to simply refer to a rate limit policy
published by their ISP (which could be achieved by an SPF modifier).
The reciever would then query the ISPs rate limiting policy for this
domain and (assuming positive accreditation of the ISP) the recipient
would then believe it.
Obviously the ISP's rate limiting policy would have to specify the IP
addresses that they're responsible for (they can't rate limit mail you
send out via another source) but this is all information that should
be published by the ISP, not the sender.
So I don't believe it belongs in policies published by the sender, but
in a completely new type of policy published by ISPs who send mail on
behalf of their customers.
Though, as I said before, I'd like to see a move towards (return to)
sites originating (and being responsible for) their own mail rather
than relaying through their ISP...
Those sending mail must be accountable whether originating or relaying.
Finding a practical way to assess accountability for the administrative
entity is the challenge. There are many different schemes to access
identities of the author, if the author so wishes. With mechanisms
defined in the Fenton "Identified Internet Mail" proposal, organizations
can assure recipients of having received valid mail from the indicated
author through the use of an HTTP key serving scheme. Although DNS is
not able to handle this type of query, the HTTP key server both
minimizes queries and leaves the current mail infrastructure intact.
Publishing outbound mail paths to restrict the function of error returns
essentially hinders posting mail from various access points. As a fix,
rewriting envelopes transfers the accountability of the sending
administration (the current outbound host) in an effort to repair the
damage and allow mail to travel over otherwise unpublished channels.
The recipient may see the same name as being the author of the message
but must also be wary that my-pda.com is not the same as my-pda.co.jp
when these entities are acting as the accountable sending
administration. In addition, anyone within such a domain is still able
to mimic these headers as being checked. How is this different than
authenticating the MTA and _always_ holding this entity accountable?
The envelope information is not exposed to the recipient, but even doing
so may not be an effective means of countering fraudulent mail.
Countering fraudulent mail requires evaluating policies of the
administrative entities and refusing service to those known to cause or
allow abuse unabated. Rate limiting the receiver could be effective for
administrative entities not yet evaluated. Accreditation services could
assess the rates of mail by various means (perhaps by way of
queries) and tally complaints or evidence of abuse. These accreditation
services may also provide a uniform query mechanism to ascertain
accreditation, affiliations, as well as authorization and authentication
of the address in conjunction with the administrative domain. Such
accreditation could combine all these functions into a single query
(perhaps in logarithmic form)!
ipaddr.helo-domain.accredit.com -> affiliations.time.size.complaints
Expecting the MTA to query several records in sequence to assess each
message to uncover possible relationships between an author and their
means of access results in undefined levels of recursion and extensive
computational resources to build complex maps from these distributed
structures. Expecting access providers to enable direct SMTP
connectivity to simplify this process removes methods for monitoring and
controlling abuse. This would drop one form of protection for a dubious,
expensive, and highly prone alternative.
Already a scheme such as SPF could be considered overextended. Further
extensions will only cause greater harm. Instead, ensure the author with
an end-to-end scheme such as the Fenton proposal. Insert simple DNS
records to assert the authority and authenticity of the MTA by way of
CIDR notation or SRV records for a single administrative domain. These
records may acquire assistance from the accreditation service, however
no scheme will be able to curtail abuse without accreditation services.
Policing the channel at the MTA will scale, but not at the message.
Expect abusers to be the first to implement all manner and means of
affecting a pretense of legitimate commerce. Stop the abuse and then
end-to-end remains possible. Don't break mail and DNS with a burden of
excessive and complex structures and, in doing so, make the system even
more prone.
-Doug
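The single-query accreditation lookup Doug sketches above (`ipaddr.helo-domain.accredit.com -> affiliations.time.size.complaints`), as an added illustration that is not code from this thread. The zone name `accredit.example`, the constructed answers, the meaning of `size` as an accredited volume and the complaint threshold are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

ACCREDIT_ZONE = "accredit.example"  # assumed placeholder for the service's zone

# Constructed answers standing in for the accreditation service's DNS data.
# Query name: <ip>.<helo-domain>.<zone>; answer: affiliations.time.size.complaints
CONSTRUCTED_ZONE = {
    "192.0.2.25.mail.example.net.accredit.example": "isp-a.2004.1000.0",
    "198.51.100.7.relay.example.org.accredit.example": "none.2003.500.42",
}

@dataclass
class Accreditation:
    affiliations: str
    time: str        # when the assertion was made (format assumed opaque)
    size: int        # assumed: accredited message volume per time unit
    complaints: int  # tallied complaints / evidence of abuse

def query_name(ip: str, helo: str) -> str:
    """Compose the single accreditation query name from the connecting MTA."""
    ipaddress.ip_address(ip)            # raises on malformed input
    helo = helo.rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9.-]+", helo):
        raise ValueError("invalid HELO domain")
    return f"{ip}.{helo}.{ACCREDIT_ZONE}"

def lookup(ip: str, helo: str, zone=CONSTRUCTED_ZONE):
    """One query; returns None when the entity has not been accredited."""
    answer = zone.get(query_name(ip, helo))
    if answer is None:
        return None
    # rsplit keeps any dots inside the affiliations label together
    aff, t, size, complaints = answer.rsplit(".", 3)
    return Accreditation(aff, t, int(size), int(complaints))

def receiver_decision(ip: str, helo: str, observed_rate: int, zone=CONSTRUCTED_ZONE) -> str:
    """Receiver-side policy: rate limit unevaluated entities, refuse known abusers."""
    acc = lookup(ip, helo, zone)
    if acc is None:
        return "tempfail-ratelimit"   # not yet evaluated: throttle, don't trust
    if acc.complaints > 10:           # threshold is an assumption for the example
        return "reject"
    if observed_rate > acc.size:
        return "tempfail-ratelimit"   # exceeding accredited volume
    return "accept"
```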