ietf-mxcomp

Re: SPF abused by spammers

2004-09-12 18:14:13

"Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:
  WHAT "mail channel"?  I have described what I think of as the "mail
channel", and given reasons for my conclusions.  You haven't.

Mail is normally passed from MTA to MTA on its journey to the destination.

  How does that affect MAIL FROM authentication via records in DNS?

The MTA making the public delivery is often not where the message was
created.  The sequence of Mail Transfer Agents carrying the MAIL FROM
identifier is what I had referred to as the mail channel.

  None of which is relevant to MAIL FROM authentication via records in
DNS.  The previous hops are invisible to MAIL FROM checks.

You are saying one cannot be sure of the origin of the MAIL FROM, but it
is okay to use this identity to assert a reputation assessment against the
actions of the SMTP client.

  I'm saying that the recipient may not know the "true" origin, and
that that "true" origin may be unknowable.  The recipient CAN know
that the current hop is authenticated, if the MAIL FROM satisfies
authentication records in DNS.  For the recipient, nothing else is
verifiable, and therefore nothing else is relevant.

  All I'm doing here is taking your EHLO argument, and applying it to
MAIL FROM.  Your opposition to this process indicates conflict or
confusion somewhere in the conversation.

Now you are saying publishers should also expect to be black-listed
when they publish an "open" record, as AOL has.

  Publishers should expect recipients to do the most curious things,
for the most inane reasons.

Showing that the name being blocked is the entity that actually sent the
abusive mail will greatly aid the defense of the reputation service.

  Replace "sent" with "accepted responsibility for", and MAIL FROM
checking is perfectly valid, if all parties agree.

  Why?  I've explained why and how MAIL FROM accountability can be
safely applied.

You have not.  You simply say you can hold the MAIL FROM entity
accountable because they published with the clear warning within some
discussion within this WG.

  No... that's dumb.  "MTA's don't read mailing lists".

  In any protocol implementation, all parties involved agree as to
what the information means, and how to interpret it.  MARID
implementations are nothing special in this regard.  If this WG
publishes standards defining accountability, then it's entirely
reasonable to expect that implementors of the standard have accepted
that accountability.

But where does it say publishing an SPF record is accepting
accountability for any message using this mailbox domain coming from
an SMTP client?  That is the million dollar question.

  That spec isn't under consideration by this group, so any answer
would be out of scope.  But in general, I believe close examination of
email scenarios may lead to such statements.

I am of the opinion these assumptions are cavalier and needlessly risky.
This risk will represent the demise of the reputation service.

  Which is why I have great skepticism that any reputation system will
work.

  Having my ability to run an MTA depend on kissing up to some third
party?  Sure... that fits into the freedom, and the "end to end"
nature of the net.

  Alan DeKok.
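The check discussed above (the current hop is "authenticated" only in the sense that the MAIL FROM domain's DNS record authorizes the connecting SMTP client; earlier hops are invisible to it) as an added example, not code from this thread or from any SPF implementation. The zone data is constructed for the demonstration: the domain names, TXT, A and MX records below are hypothetical, and the evaluator looks them up in in-memory dictionaries instead of querying DNS. Only the ip4, a, mx, include and all mechanisms are handled. The "open.example" record illustrates the "open record" case from the thread: a domain publishing +all authorizes every client, so any reputation consequence falls on the publishing domain rather than on the client.

```python
"""Minimal SPF-style MAIL FROM check against constructed (hypothetical) zone data."""
import ipaddress

# Constructed zone data for the example; not real published records.
ZONE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:bulk.example.net -all",
    "bulk.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "open.example": "v=spf1 +all",  # an "open" record: any client passes
}
ZONE_A = {
    "mail.example.com": ["192.0.2.25"],
    "mx2.example.com": ["203.0.113.7"],
}
ZONE_MX = {
    "example.com": ["mail.example.com", "mx2.example.com"],
}

# Qualifier prefixes and the result they yield when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addrs(hostname):
    """A records for hostname from the constructed zone, as address objects."""
    return [ipaddress.ip_address(a) for a in ZONE_A.get(hostname, [])]


def check_host(client_ip, domain, depth=0):
    """Evaluate the MAIL FROM domain's record against the connecting client.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the current hop (client_ip) is examined; prior relays are unknowable here.
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = ZONE_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False

        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client in _addrs(arg or domain)
        elif mech == "mx":
            matched = any(client in _addrs(h) for h in ZONE_MX.get(arg or domain, []))
        elif mech == "include":
            # include matches only when the referenced domain's record passes.
            matched = check_host(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this toy evaluator

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def accountable_domain(client_ip, mail_from):
    """Return the domain the recipient may hold accountable for this hop, or None.

    A "pass" binds the MAIL FROM domain to the connecting client; every other
    result gives the recipient no authenticated identity for this hop.
    """
    domain = mail_from.rpartition("@")[2].lower()
    return domain if check_host(client_ip, domain) == "pass" else None


if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "user@example.com"),
                       ("198.51.100.99", "user@example.com"),
                       ("203.0.113.99", "anyone@open.example")]:
        print(ip, sender, check_host(ip, sender.split("@")[1]), accountable_domain(ip, sender))
```

The "open.example" row is the point of contention in the thread: a recipient evaluating it gets "pass" for every client on the Internet, so the only identity it can act on is the publishing domain itself.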

