Hector,
I'm not going to try for a complete response here; much too busy
this week...
* Any time I answer a question on this list about 2821
and what it says, I'm answering in terms of my
understanding, as editor, of what is in that document
and what the WG wanted. There are things in it that I
don't like, but the document is as close to instructions
from the WG as I could make it. If I'm answering in
terms of personal opinions about that spec, I'll be
pretty clear about it.
* In principle, it wouldn't be hard to produce an
applicability statement document that changed 2821's
conformance rules to ban legacy (821-only)
implementations. In practice, if the IETF were to
consider such a thing, I'd predict a lot of controversy
and either a "no" decision or a standard that was widely
ignored: while you might make a rational site decision
to reject HELO, I can't imagine any sane implementer of
a commercial implementation removing the backward
compatibility.
If you want to pursue the above, _write a draft_, then contact
the applications ADs and discuss a WG charter. Ranting on this
mailing list is fairly useless, whether you are right or wrong.
john
--On Tuesday, March 08, 2005 11:36 AM -0500 Hector Santos
<winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:
----- Original Message -----
From: "John C Klensin" <john(_at_)jck(_dot_)com>
To: "Keith Moore" <moore(_at_)cs(_dot_)utk(_dot_)edu>
Cc: "Vince Sabio" <vince(_at_)vjs(_dot_)org>; "ietf-smtp"
<ietf-smtp(_at_)imc(_dot_)org>
Sent: Tuesday, March 08, 2005 8:40 AM
Subject: Re: Site policy vs. HELO
...
Over the past year and a half, we have proved that by
increasing the level of SMTP compliancy required by senders,
you can address an extremely high rejection rate with very
low to non-existent false positives. 100% based on SMTP
compliancy.
That should not be a surprise to anyone: By industry
measurements, over 60-80% of all transactions are spoofed, bad
user or NXDOMAIN.
The questions we need to face are:
How much longer do we accept malicious transactions to use
non-compliant SMTP transactions?
The argument of legacy issues as a reason not to even consider
stronger SMTP compliance is not only a red herring but old
thinking.
Most modern SMTP systems are compliant and legitimate senders
are indeed compliant.
It is the exact segment of the population of malicious
transactions who are not SMTP compliant thus exploiting the
weak provisions by not applying pressure to comply.
...