ietf-mxcomp

Re: SPF abused by spammers

2004-09-11 06:44:02

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
  i.e.  100% of messages from a domain pass RFC 2821 DNS checks, and
are spam: the recipient may choose to blacklist the domain.

I would restrict this to the EHLO domain.  Using the MAIL FROM is making
an assumption of the integrity of the mail channel providing the
message.

  Perhaps you didn't read the sentence you quoted.  I explicitly
stated that the message passed DNS checks, and there is therefore NO
need to make assumptions about the integrity of the mail channel
providing the message.  In the scenario I described, by *definition*,
the mail channel has been verified to have integrity, so far as the
RFC 2821 headers go.

  Please address that issue.  Repeating the claim that a blacklist is
based on "assumptions" when I explicitly described a scenario where it
could be based on verifiable information is... not nice.

 There is naturally a reasonably strong authentication of the IP
address through transport protocol interaction.

  Yes, you've said that many, many times.  I understand that's your
position.  I'm trying to get you to understand my position.

Those checks with respect to MAIL FROM and even the more extreme From
with Sender-ID, still assume the mail channel is secure.

  For Sender-Id, maybe.  For MAIL FROM checks, absolutely not.

  Security != authentication.  You can authenticate someone in an
insecure system.

  MAIL FROM checks work in an insecure mail channel.  They *don't*
interact well with ".forward" systems, but that's an authentication
issue, not a security issue.

  In fact, MAIL FROM checks use the source IP address (which you claim
is the only secure/verifiable entity) to answer the question "is this
IP permitted to use this domain name in MAIL FROM?"  If we put
additional conflicts with ".forward" systems aside for a moment, then
MAIL FROM and EHLO based checks are identical in security.

  Shared services means shared accountability.  If the recipient is
unable to distinguish between a "good" party on a shared MTA and a
"bad" party, then by definition, both parties fall into the same
classification.

Sharing an MTA is a highly effective method used by ISPs to abate abuse.
Reserve painting this technique with such a broad brush.

  I'm not.  I'm talking about what information is out there, and what
decisions can possibly be made, independent of any technical proposal.

  If someone can't tell the difference between two things, then it
MUST treat the two things as identical.  This is a well-known concept,
and based solely on the available information.  If you choose to
disagree with this, that's your prerogative, but it means that any
system you come up with will be based on using information which is
unavailable to anyone.

Holding those unable to take immediate corrective action accountable
will cause a most unwelcome backlash.

  This is a political response to a technical problem: the recipient
cannot technically distinguish between two parties, and therefore
treats both the same.  If one party doesn't like it, the solution
isn't political, it's technical: give the recipient additional
information which lets him distinguish the two parties.

The party that must be held accountable is the entity administrating
policies of the MTA.  That party is only identified by an
authenticated EHLO domain or the IP address.

  And other parties using that MTA will, by definition, get associated
with the reputation of that MTA.  This is what you call "a broad brush".

  Alan DeKok.
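
Added example (not part of the original message, and not code from any SPF implementation): a Python evaluator for the question posed in the message, "is this IP permitted to use this domain name", run with the same source-IP input against the EHLO name and the MAIL FROM domain, including the ".forward" case where the two results diverge. The policy strings use SPF's ip4/ip6/all syntax; the domains, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed policies standing in for DNS TXT lookups (documentation
# address ranges and example domains; none of this comes from the thread).
POLICIES = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.org": "v=spf1 ip4:192.0.2.25 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.7 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_identity(client_ip, domain, policies=POLICIES):
    """Is client_ip permitted to use this domain name? Same code for EHLO and MAIL FROM."""
    record = policies.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not covered by this example: {name}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def evaluate_session(client_ip, ehlo_name, mail_from):
    """Apply the identical IP-keyed check to both RFC 2821 identities."""
    sender_domain = mail_from.rpartition("@")[2]
    return {
        "ehlo": check_identity(client_ip, ehlo_name),
        "mail_from": check_identity(client_ip, sender_domain),
    }


# Constructed sessions: direct delivery, then the same message relayed
# through a ".forward" host that keeps the original MAIL FROM.
DIRECT = evaluate_session("192.0.2.25", "mail.example.org", "alice@example.org")
FORWARDED = evaluate_session("203.0.113.7", "forwarder.example", "alice@example.org")

if __name__ == "__main__":
    print("direct:   ", DIRECT)
    print("forwarded:", FORWARDED)
```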

