ietf-mxcomp

Re: (DEPLOY) In Support of Sender ID

2004-09-03 16:28:11

On Fri, 2004-09-03 at 12:48, Yakov Shafranovich wrote:
Rand Wacker wrote:
On Fri, 3 Sep 2004, Matt Sergeant wrote: 
On 2 Sep 2004, at 23:06, Rand Wacker wrote:

As I said before, there is a large majority of mail that goes from
large commercial sites (or consumer ISPs) merely one hop to another
large commercial ISP, so the From: header will be successfully
authenticated.

You're talking about the positive evaluation proposition of Sender-ID -
that the From address is authenticated. Yet both Cyphertrust and
SpamAssassin's stats show that the spammers are more on top of this
than the legit mailers.


*NO*.  I am talking about using authentication status as the basis for a
new set of checks such as whitelisting.  I have been saying since the
beginning that spammers would authenticate their outbound mail in hopes
that someone would make the brain-dead assumption that "authenticated" ==
"wanted".

It can also serve as a basis for reputation and accreditation systems.

For an identification to be useful for reputation assessment, there needs
to be certainty this identity has not been spoofed.  This is not
achievable with Sender-ID.  There are many scenarios where Sender-ID can
be spoofed, as the mail channel is not secure.

It is possible to establish an authenticated name for the MTA however,
and then assert a mailbox domain relationship with MTA names.  The MTA
name, as the stronger identification, and not the mailbox domain, could
be used for reputation assessment.  The use of the mailbox/MTA
relationship would be helpful in lowering odds of being tagged by a
filter.  This type of arrangement overcomes the high DNS overhead
problem plaguing Sender-ID.  This arrangement is no worse than endemic
use of Resent-From headers for administrators to understand, and it has
far less overhead to implement than Sender-ID.
 
-Doug