[Top] [All Lists]

Re: Site policy vs. HELO

2005-03-08 10:11:07


I'm not going to try for a complete response here; much too busy this week...

        * Any time I answer a question on this list about 2821
        and what it says, I'm answering in terms of my
        understanding, as editor, of what is in that document
        and what the WG wanted.  There are things in it that I
        don't like, but the document is as close to instructions
        from the WG as I could make it.   If I'm answering in
        terms of personal opinions about that spec, I'll be
        pretty clear about it.
        * In principle, it wouldn't be hard to produce an
        applicability statement document that changed 2821's
        conformance rules to ban legacy (821-only)
        implementations.  In practice, if the IETF were to
        consider such a thing, I'd predict a lot of controversy
        and either a "no" decision or a standard that was widely
        ignored: while you might make a rational site decision
        to reject HELO, I can't imagine any sane implementer of
        a commercial implementation removing the backward

If you want to pursue the above, _write a draft_, then contact the applications ADs and discuss a WG charter. Ranting on this mailing list is fairly useless, whether you are right or wrong.


--On Tuesday, March 08, 2005 11:36 AM -0500 Hector Santos <winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:

----- Original Message -----
From: "John C Klensin" <john(_at_)jck(_dot_)com>
To: "Keith Moore" <moore(_at_)cs(_dot_)utk(_dot_)edu>
Cc: "Vince Sabio" <vince(_at_)vjs(_dot_)org>; "ietf-smtp"
<ietf-smtp(_at_)imc(_dot_)org> Sent: Tuesday, March 08, 2005 8:40 AM
Subject: Re: Site policy vs. HELO

Over the pass year and a half, we have proved that by
increasing the level of SMTP compliancy required by senders,
you can address an extremely high rejection rate with a very
low to non-existence false positives.   100% based on SMTP

That should not be a surprise to no one:  By industry
measurements, over 60-80% of all transactions are spoofed, bad
user or NXDOMAIN.

The questions we need to face are:

How much longer do we accept malicious transactions to use
non-compliant SMTP transactions?

The argument of legacy issues as a reason not to even consider
stronger SMTP compliant is not only a red herring but old

Most modern SMTP systems are compliant and legitimate senders
are indeed compliant.

It is the exact segment of the population of malicious
transaction who are not SMTP compliant thus exploiting the
weak provisions by not applying pressure to comply.

<Prev in Thread] Current Thread [Next in Thread>