[Top] [All Lists]

Re: NDNs considered harmful

2010-08-13 11:34:05
On 2010-08-12 12:58:51 -0400, Hector Santos wrote:
Paul Smith wrote:
 On 12/08/2010 14:28, Rosenwald, Jordan wrote:
True statement, but that means the senders of the other 5% are now left
in the dark as to what happened to their mail.
Is there a proposed solution to that?

Maybe we just recommend sending NDNs to people if their email is DKIMed 
or if it came from a server matching SPF rules, or if the return path  
uses BATV

It's better than never sending them at all, and those provisions make 
it reasonably certain that the sender's email address wasn't forged.

Also, it might encourage people to put in place the anti-forgery methods.


In our implementation, we use CBV (Callback Verification) and this  
resolves at least 50%, 70% to even has high as 90% of the "bad" MAIL  
FROM: problem. Currently it is among the highest filter in our suite of 
SMTP filters.

Apart from other objections agains CBV, this only removes those cases
which were mostly harmless in the first place: If the forged sender
doesn't exist, the NDN cannot be delivered and will be silently
discarded (or sent to a local "double bounce" address where they will
probably be ignored ;-)). If the forged sender *does* exist, CBV won't
detect that it is forged and an NDN may be sent to the hapless victim of
the forgery. SPF, DKIM, BATV, etc. do a better job guarding against
address forgery.


   _  | Peter J. Holzer    | Openmoko has already embedded
|_|_) | Sysadmin WSR       | voting system.
| |   | hjp(_at_)hjp(_dot_)at         | Named "If you want it -- write it"
__/   | |  -- Ilja O. on 

Attachment: signature.asc
Description: Digital signature

<Prev in Thread] Current Thread [Next in Thread>