Douglas Otis wrote:
The benefits from grey-listing are fading,
I dispute that. Our statistics show that greylisting has remained very
effective. For example, login demo/demo at the following URL:
http://www.roaringpenguin.com/canit/statistics.php?pe=1&r=daily-greylisting&domain=&cur_stream_only=0&num_days=30
while bulk emailers have become more aggressive in their retries.
That's probably true, but not much of a bother.
I agree. The TBR Extension should satisfy the desires of bulk emailers,
while also providing an absolutely essential mechanism needed to protect
exhaustive content filtering, the Temp error.
TBR is not needed. You can write an SMTP server that accepts the
message and then just sits on it for any desired amount of time. It can
then do whatever reputation-checking it wants to decide whether or not
to deliver the mail.
The TBR extension can:
1) without burdening the receiver
No, the receiver has to add support for TBR.
a- provide a valid identity of origination
No, how so? Anyone can register domains and set up DNS. That
proves nothing.
b- eliminate back-scatter
Maybe.
2) conserve limited content assessment resources
At some point, you've got to decide on all your mail. So just deferring
processing doesn't help if you can't keep up with the flood.
3) improve delivery integrity
How so?
4) eliminate bulk emailer's aggressive reties
Bulk emailers won't adopt TBR so this is moot.
5) protect valid email-address confidentiality
There are many other ways to do this without SMTP extensions.
6) defer and enhance assessments of questionable messages
Greylisting does that now without SMTP extensions.
7) avoid the DATA phase for abusive sources
Can be done already anyway.
8) avoid unintended DDoS effects
Or magnify them. Look, suppose I decide I want to hurt "example.com".
I register a domain "example.net" and make my example.net URL point at
the IP address of example.com's Web server. I then merrily send out
millions of e-mails and poor old example.com's Web server is DoS'd
as TBR implementations attempt to fetch a URL on it.
The fatal flaw is that there's no linkage between the owner of a domain
name and the owner of the IP address its A record points to.
--
David.