ietf-mxcomp

Re: SPF abused by spammers

2004-09-11 23:02:42

"Alan DeKok" <aland(_at_)ox(_dot_)org> wrote:
"Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:

A DNS check that obtains a list of addresses for a mailbox-domain, MUST
assume channel integrity when holding the apparent originator of the
message accountable.

What channel?  The only parties involved are:
 a) SMTP client
 b) SMTP server
 c) DNS server being queried

The MAIL FROM mailbox-domain was passed through the mail channel, for
messages not originating at the SMTP client.  This is normally the case
for the SMTP client performing public delivery.  This adds at least an
additional SMTP client/server pair.

  The DNS server may return one, or a billion IPs "permitted" to send
MAIL FROM with its name.  Any particular message may have traversed
zero, or a billion intermediate SMTP hops before arriving at the
current SMTP client, and being sent to the SMTP server.

  I fail to see how any party other than the three listed above could
possibly be involved in "MAIL FROM" DNS checks.  There is no "channel"
beyond the current hop, which can be verified to exist.

For accountability based upon the mailbox-domain, each hop is involved in
passing this identity through the mail channel.  Holding the administrator
of the mailbox-domain accountable would be ignoring the complexity of the
mail channel, and the potential change of validation status moving from
hop to hop.  Publishing an SPF record is not tantamount to a contract
accepting accountability for all published addresses.

Due to forwarding issues, expect many lists to be left "open" to allow
other unknown domains to forward messages.

  As has been noted here, as elsewhere, users affected by forwarding
issues are a very, very small percentage of people on the net.  As a
result, the reasonable expectation is that very few domains will have
"open" or permissive records.

While it may be a small percentage of users who forward mail or use a type
of list server, this generalization must not be applied to the mailbox
domain, as there are typically many users per domain.  SPF records are not
typically user based, but are domain based.  There will be expensive
support issues caused by closing these records.

There are clearly two steps needed, but these two steps have been
collapsed into one very broken step with SPF or Sender-ID.

Step 1: Authenticate the MTA EHLO name.
Step 2: Compare the mailbox-domain/EHLO list to this name.

  I'm not sure what you mean by the second step.

First, authenticate the name of the MTA.  Second, check against the list of
MTA names referenced by the mailbox-domain for a match.  See the marid-mpr
draft for more details.  This list is obtained using a single DNS lookup,
unlike SPF which may require dozens or hundreds of sequential lookups.
This list can safely be declared "nominal" without being used as an
authorization exploit, as with SPF.  Depending upon the nature of the
list, comprehensive or nominal, the message can be rejected at the MTA or
"colored" at the MUA respectively.  If the message was abusive, the MTA
and NOT the mailbox-domain MUST be held accountable.

One cannot defend assumptions of accountable entities by suggesting
the mail channel is "defined" to have integrity.

  You're not addressing my scenario, or my reasons for my position.
You're just labelling my position as based on "assumptions", and
therefore any "definition" I come up with is, in your opinion, defined
to be indefensible.

I am not attempting to dodge your scenario.  I do not agree you have
adequately described the situation or considered the risks involved in
making negative assessments against a name.

Listing a name and blocking their mail because you don't care which
entity actually caused the message to be sent is also... not nice.

  Which is why I didn't say that.  Please don't accuse me of saying "I
don't care", it's rude and insulting.  My position, if you had read my
messages, is that IF the recipient cannot tell the difference between
"good" and "bad" originators, then he MUST treat them as identical.
Because, by definition, he has no information by which to distinguish
them.

I should have said "one" does not care.  Sorry for my phrasing.  I did not
intend to be rude.  I would hope the goal of the MARID group would be to
provide a method that accurately distinguishes those accountable for
abusive actions.  Currently the group seems intent upon skipping a vital
step.

  Unless... do you have a way for the recipient to treat "good" and
"bad" originators differently, in the absence of any data which can be
used to distinguish them?  If you do, I would be... surprised.

Except for the case where the mailbox-domain referenced a comprehensive
list and could not match the MTA name for authorization, no other
assertions are safe.  The concept of good and bad should be reserved for
reputations of the MTA name.

What entity should be held accountable?  The entity authenticated as
sending the mail, or the mailbox-domain that authorized the mail to be
sent?

  Each has a different role, therefore their accountability should be
different.

Yes, but with respect to a reputation service, only the MTA name may be
safely assessed.

 Obtaining an authorization is not the same as authentication of the
acting entity.

  I'm not sure how that applies to the issues on this list.

  An SMTP server can obtain authentication information from a DNS
server for an SMTP client, and use that information to authorize the
client.

The client MUST be authenticated and the authorization validated when
holding the MTA name accountable and asserting a reputation for the MTA
name.  A message (or message action) authorization is not sufficient to
hold the mailbox-domain accountable and asserting a reputation for the
mailbox domain.

 If there's no authentication information available, then the
SMTP server cannot use that information to authorize the user.

The alternative becomes an IP address blacklist.

MAIL FROM and EHLO based checks are identical in security.

These checks are not the same.

  Which is why I didn't say they were the same.

You seem to suggest the MAIL FROM and EHLO identities are equally strong.
They are not.

 You are devising a system that requires mailbox-domains authorize
other domains to send their mail.

  No.  "domains" don't send mail.  SMTP clients send mail, and use
domain names in fields in SMTP.  The difference is crucial.  SMTP
clients can be correlated to domain names via:

  - rDNS
  - EHLO
  - MAIL FROM

I don't wish to get bogged down in semantics and protocol details.  The
MAIL FROM name may not correlate to the entity accountable for the
actions of the MTA.

  And not much else.  Because there is no easily available mapping of
"domain" to SMTP client, other than those fields, SMTP servers cannot
use anything other than those fields to tie the SMTP client to a
domain name.  So talking about "authorizing domains" is a
misconception.  SMTP clients are authorized, nothing else can be.

Forgive my generalizations that failed to include the protocol.

If the sending MTA EHLO name is authenticated and authorized by the
EHLO domain, then it does not matter what mailbox-domain is sent,
this EHLO entity can be safely held accountable for the MTA actions.

  How?

The name of the MTA is held accountable.  A name, by any other name, is
still a name. :^)

In contrast, by checking MAIL FROM, you can at least have some
confidence that a bounce path exists, and any errant message will be
accepted by the originator.

This is only true for the comprehensive list.  But this does not mean it
is safe to hold this entity accountable for the messages being sent by the
MTA.  If anything, the MTA entity (EHLO name) should come into question.

  If someone can't tell the difference between two things, then it
MUST treat the two things as identical.

But these things can be identified by an authenticated EHLO name.  They
MUST NOT be treated as identical.

  If two domains use the same MTA, which uses only one authenticated
EHLO name, then by your definition, only the domain in EHLO can be
held accountable, and all recipients must therefore treat the two
domains identically.

  Hmm... have I used your definitions to prove my point?

You missed the concept of what entity is safely accountable for messages
sent.  It cannot be determined by the mailbox-domain.  When the name
affected by reputation services is the provider, then either this MTA is
rehabilitated, or their customers move to a different provider.  The
reputation service has not harmed the wrong party.

A reputation service spends most of their efforts ensuring information.
Using the IP address makes this process rather straightforward.  Using
an authenticated EHLO name follows the same model and directly identifies
those sending the messages.

  It authenticates the MTA sending the messages, which is a little
different.

Again, I was not including the protocol while explaining the entities
involved.

 To suggest that, because the EHLO domain was not considered, a
reputation service can safely hold entities accountable for the
actions of others will not have much sway.

  It's not unreasonable to hold multiple parties accountable for a
message.  ISPs are already holding other ISPs responsible for the
actions of their customers.  It's not unreasonable to use MAIL FROM
accountability in addition to EHLO.

Reasonable will be determined by those unfairly harmed by overly broad
concepts of what a DNS record suggests.  Likely there will also be a fair
amount of painful litigation in the case of SPF or Sender-ID.

Perhaps there should be a warning in the SPF draft:

Publishing SPF records may result in a negative reputation status through
events beyond the control of the administrator.  Publish "open" records
at your peril.

These and many other problems do not exist for CSV and MPR.  The other
potential effort. :^)

-Doug
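As an added example (not code from this thread, from CSV or from the marid-mpr draft), here is a toy model of the two-step check Doug argues for: authenticate the MTA's EHLO name against what the EHLO domain publishes for the connecting IP, then match that name against the list of MTA names the MAIL FROM mailbox-domain publishes, rejecting on a "comprehensive" mismatch and only "coloring" on a "nominal" one. DNS is replaced by constructed in-memory tables; the record shapes, function names and sample domains are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for step 1 data: client networks each EHLO domain
# publishes for its own MTA name (hypothetical record shape).
EHLO_CLIENTS = {
    "mta1.isp.example": ["192.0.2.0/28"],
    "mx.bank.example": ["198.51.100.7/32"],
}
# Constructed stand-in for step 2 data: the mailbox-domain's list of MTA
# names, tagged as "comprehensive" (complete) or "nominal" (may be open).
MAILBOX_MTAS = {
    "bank.example": ("comprehensive", {"mx.bank.example"}),
    "club.example": ("nominal", {"mta1.isp.example"}),
}

@dataclass
class Verdict:
    action: str                   # "accept", "reject", "color", "no-assertion"
    accountable: Optional[str]    # only an authenticated EHLO name is assessed

def authenticate_ehlo(client_ip: str, ehlo_name: str) -> bool:
    """Step 1: does the EHLO domain vouch for this client IP?  A single lookup
    keyed by the EHLO name, not a chain of includes as with SPF."""
    nets = EHLO_CLIENTS.get(ehlo_name.lower())
    if not nets:
        return False
    ip = ip_address(client_ip)
    return any(ip in ip_network(n) for n in nets)

def check_message(client_ip: str, ehlo_name: str, mail_from: str) -> Verdict:
    """Step 2 builds only on a name that passed step 1."""
    if not authenticate_ehlo(client_ip, ehlo_name):
        # No authenticated name means no assertion about any name; the
        # thread's fallback for this case is an IP-address blacklist.
        return Verdict("no-assertion", None)
    accountable = ehlo_name.lower()
    mailbox_domain = mail_from.rsplit("@", 1)[-1].lower()
    record = MAILBOX_MTAS.get(mailbox_domain)
    if record is None or accountable in record[1]:
        # No list published, or the MTA name is on it: deliver.  Either way
        # the reputation question attaches to the MTA name, not the mailbox.
        return Verdict("accept", accountable)
    kind = record[0]
    # Comprehensive list: the mailbox-domain asserts nothing else sends for it,
    # so the MTA may reject.  Nominal list: the MUA may only "color" the message.
    return Verdict("reject" if kind == "comprehensive" else "color", accountable)
```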
