Re: NDNs considered harmful

On 2010-08-12 12:58:51 -0400, Hector Santos wrote:
> Paul Smith wrote:
> >  On 12/08/2010 14:28, Rosenwald, Jordan wrote:
> > > True statement, but that means the senders of the other 5% are now left
> > > in the dark as to what happened to their mail.
> > > Is there a proposed solution to that?
> > Maybe we just recommend sending NDNs to people if their email is DKIMed 
> > or if it came from a server matching SPF rules, or if the return path  
> > uses BATV
> >
> > It's better than never sending them at all, and those provisions make 
> > it reasonably certain that the sender's email address wasn't forged.
> >
> > Also, it might encourage people to put in place the anti-forgery methods.
> +1
>
> In our implementation, we use CBV (Callback Verification) and this  
> resolves at least 50%, 70% to even has high as 90% of the "bad" MAIL  
> FROM: problem. Currently it is among the highest filter in our suite of 
> SMTP filters.
Apart from other objections agains CBV, this only removes those cases
which were mostly harmless in the first place: If the forged sender
doesn't exist, the NDN cannot be delivered and will be silently
discarded (or sent to a local "double bounce" address where they will
probably be ignored ;-)). If the forged sender *does* exist, CBV won't
detect that it is forged and an NDN may be sent to the hapless victim of
the forgery. SPF, DKIM, BATV, etc. do a better job guarding against
address forgery.

        hp

-- 
   _  | Peter J. Holzer    | Openmoko has already embedded
|_|_) | Sysadmin WSR       | voting system.
| |   | hjp(_at_)hjp(_dot_)at         | Named "If you want it -- write it"
__/   | http://www.hjp.at/ |  -- Ilja O. on 
community(_at_)lists(_dot_)openmoko(_dot_)org

signature.asc
Description: Digital signature