ietf-smtp
[Top] [All Lists]

Re: 2821bis-03

2007-04-27 11:11:34

John C Klensin <john(_at_)jck(_dot_)com> wrote:
--On Friday, 27 April, 2007 03:57 +0200 Frank Ellermann
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:

| However, in practice, some servers do not perform recipient
| verification until after the message text is received.  These
| servers SHOULD treat a failure for one or more recipients as
| a "subsequent failure" and return a mail message as discussed
| in Section 6 and, in  particular, in Section 6.1.

No, that's precisely what they SHOULD NOT do, because it's net
abuse in the case of unverified reverse paths.  It will get
them blacklisted, and after that they won't be able to report
serious problems.  There should not be any "you SHOULD spam"
in 2821bis.

Issue 25.

] Change all text that implies non-delivery messages to prohibit them
] entirely or permit them only with source authentication.

   Related, yes; same, no.

   I've got to agree with Frank: There should not be any "you SHOULD spam"
in 2821bis. There's quite a distance between MUST NOT send a NDN and
SHOULD send a NDN (to a doubtful MailFrom).

   Further, I agree with Frank that sending indiscriminate NDNs _will_
get you blacklisted.

   Let me try stepping back a few paces...

   However much we try to assign lawyer-like meanings to MUSTard, a
MUST is something that means failure to do it indicates you're not
talking SMTP; a SHOULD means there might be exceptions, but in general
failure means you're not talking SMTP.

   OTOH, a lower-case "should" is merely a recommendation -- not an
indication of protocol violation.

   Frank is arguing that forged MailFroms are more common than valid
ones (an easily-observed fact); thus their use (lower-case) should
be deprecated as justification for sending unsolicited email.

   Instead, this text amounts to an accusation of failing to speak
SMTP if you _don't_ send unsolicited email, which IMHO is a rather
silly thing to say.

   NDNs, IMHO, are a historic artifact of a time when it was OK to
trust anyone using the Internet. Given trustworthy users, and given
the ordinary case of needing multiple hops, they were a reasonable
kludge.

   Today the vast majority of NDNs merely indicate that some spammer
forged your email address into a MailFrom -- often without any
particular evil intent except to bypass Verizon's dumb CBV. We need
to admit that spammers aren't going away anytime soon, nor is
Verizon's practice of callback verification.

   In running my ISP, I have to blackhole tens of thousands of NDNs
daily. I'm sure others simply blackhole _all_ NDNs. We should _stop_
encouraging folks to send them.

   I'd like to seriously suggest a middle ground where servers MAY
send NDNs, but (lower-case) should try to verify that the address
they send to represents a person or role account likely to take
corrective action.

   I don't believe we can retreat from SHOULD to SHOULD NOT; but a
retreat to MAY seems appropriate. Even the perfectly valid NDNs
generally don't reach a person who could take corrective action;
and the vast majority of users ignore them even if they get them.

   In an ideal world, we'd make NDNs opt-in for folks who can
understand what to do with them, and make the usual case to be
merely recording the incident in a log file.

--
John Leslie <john(_at_)jlc(_dot_)net>

<Prev in Thread] Current Thread [Next in Thread>