ietf-mxcomp

Re: Differences between CSV and Sender-ID

2004-06-30 10:09:24

On Tue, 2004-06-29 at 21:47:42 -0400, Andrew Newton stated:

> I have in my notes an interesting tidbit from the MAAWG meeting in DC:
> Carl Hutzler of AOL said that >70% of spam comes through the mail
> servers of ISPs.

This is not the case for AOL and is perhaps close to a figure of UCE
advertising major ISP servers and perhaps this percentage of ISPs not
using SAP.  It is also close to this figure with respect to the amount
of UCE emerging from major ISP networks but specifically from their
"servers"? (Although these are often spoofed.)   

On Wed, 2004-06-30 at 07:28, Andrew Newton asked:

> Difference between a HELO check vs. a MAILFROM/PRA/SUBMITTER check?

Checking a sending SMTP against 2822 identities may provide a
confirmation of permissions granted, via a sequence of DNS TXT records,
for a message with this identity to emerge from a particular server.
These checks may improve effectiveness of filtering, until abusers adapt
or simply "take-out" these checks. Nevertheless, such confirmation
SHOULD NOT be trusted to have been generated by the identity indicated.
The mail channel is NOT SECURE and checks at administrative boundaries
may not fully ensure mail has not been injected unchecked.  The methods
of injecting mail are legion and currently 70% of the ISPs do not use
SAP!

Checking a sending SMTP against the HELO 2821 identity (its own
identity) via a DNS record that establishes both authorization and
authenticity provides a reasonable level of assurance of the SMTP
identity.  If there is abuse seen from this server, the administration
of this server can be held accountable.  As a message MUST NEVER BE
TRUSTED without end-to-end checks, the SMTP server offers the only
identity where accreditation is applicable.  It is the administration of
the server that ensures mail is not injected by abusive individuals, and
if so, that such abuse is abated.


HELO/EHLO is the best method to stop abuse through the use of
accreditation of the SMTP administration of policy. MAILFROM/PRA
/SUBMITTER offers no reliable identity for accreditation of the SMTP
administration of policy. Without proper SMTP administration of policy,
nothing is abated and there is no means to follow-up on abuse.


> Differences between a CSV check on HELO and an SPF/Sender-ID check on
> HELO?

The CSV check establishes the Authorization and Authentication of the
SMTP server identity with a single DNS record to allow follow-up with
the server administration (a single domain).

SPF/Sender-ID provides correlations between the domain of the message
and SMTP server.  The identity of the server is obfuscated by a large
and complex domain matrix spread over many DNS TXT records that must be
parsed, expanded, compiled, and executed (many domains).


> Is it clear to you that CSV has definite security advantages over
> SPF/Sender-ID?

CSV is needed to ward off an exponential rise in mail abuse.  CSV does
offer security through its ability to establish sender SMTP identity and
thereby provide a method of accountability.

SPF/Sender-ID offers a substantial security risk through misuse of
DNS. It obfuscates the sender SMTP identity and thus prevents any method
of accountability.  Claims regarding assurance of the 2822 identity are
irresponsible with the lack of security existing within the mail
channel.

-Doug
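The following Python sketch is an added example, not code from this thread, from the CSV drafts or from the SPF specification. It contrasts the two kinds of check discussed above: a HELO check that authenticates the SMTP client by its own announced (2821) name with a single lookup, and an SPF-style check that correlates the MAIL FROM domain with the client address by expanding a chain of TXT records. The zone data, the `Resolver` class, the `DNS` table and the `compare()` helper are constructed for the example; the HELO check uses a plain A record as a stand-in for a CSV/CSA record (the real CSA SRV record format is not reproduced here), and the SPF evaluator handles only the `ip4`, `a`, `mx`, `include` and `all` mechanisms with a rough lookup counter rather than the exact per-mechanism limit of the specification.

```python
"""HELO (client's own identity) check vs. SPF-style MAIL FROM check.

Added example for the ietf-mxcomp thread; not the CSV/CSA or SPF
reference code.  All DNS data below is constructed.
"""
import ipaddress

# Constructed zone data: name -> record type -> list of values.
DNS = {
    "mail.example.com": {"A": ["192.0.2.10"]},
    "example.com": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 mx include:_spf.example.net -all"],
        "MX": ["mx1.example.com", "mx2.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.20"]},
    "mx2.example.com": {"A": ["192.0.2.21"]},
    "_spf.example.net": {
        "TXT": ["v=spf1 a:relay.example.net include:_spf2.example.net ~all"],
    },
    "relay.example.net": {"A": ["203.0.113.5"]},
    "_spf2.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}


class Resolver:
    """In-memory stand-in for a DNS resolver that counts queries made."""

    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0

    def query(self, name, rtype):
        self.lookups += 1
        return list(self.zone.get(name.rstrip("."), {}).get(rtype, []))


def helo_check(resolver, helo_name, client_ip):
    """Authenticate the SMTP client by the name it announced in HELO/EHLO.

    Assumption: a plain A record stands in for the CSV/CSA record.  One
    lookup, one domain whose administration can be held accountable.
    """
    addrs = resolver.query(helo_name, "A")
    if not addrs:
        return "none"
    return "pass" if client_ip in addrs else "fail"


RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(resolver, domain, client_ip):
    """Evaluate the spf1 record for `domain` against `client_ip`.

    Subset of spf1: ip4, a, mx, include, all with +/-/~/? qualifiers.
    `include:` recurses into another domain's record, so the number of
    domains and lookups grows with the sender's policy, not the client's.
    """
    if resolver.lookups > 10:  # rough stand-in for the DNS-lookup limit
        return "permerror"
    txts = [t for t in resolver.query(domain, "TXT") if t.startswith("v=spf1 ")]
    if not txts:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in txts[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client_ip in resolver.query(arg or domain, "A")
        elif mech == "mx":
            for mx in resolver.query(arg or domain, "MX"):
                if client_ip in resolver.query(mx, "A"):
                    matched = True
                    break
        elif mech == "include":
            matched = spf_check(resolver, arg, client_ip) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this subset
        if matched:
            return RESULT_BY_QUALIFIER[qual]
    return "neutral"


def compare(helo_name, mail_from_domain, client_ip):
    """Run both checks; report each result with the DNS lookups it consumed."""
    r1 = Resolver(DNS)
    helo = helo_check(r1, helo_name, client_ip)
    r2 = Resolver(DNS)
    spf = spf_check(r2, mail_from_domain, client_ip)
    return {"helo": (helo, r1.lookups), "spf": (spf, r2.lookups)}


if __name__ == "__main__":
    # A client that really is mail.example.com, sending for example.com.
    print(compare("mail.example.com", "example.com", "192.0.2.10"))
    # A third-party relay authorized only via an include: chain.
    print(compare("mail.example.com", "example.com", "203.0.113.5"))
```

In the first run the HELO check passes after one lookup while the SPF chain walks three domains and seven lookups before failing; in the second the HELO name does not match the connecting address, yet SPF passes because a nested `include:` authorizes the relay. The contrast is the one the message draws: the HELO result names a single server administration, whereas the SPF result depends on every domain in the sender's policy.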