Hi Viruthagiri,
At 09:18 PM 27-09-2019, Viruthagiri Thirumavalavan wrote:
Usually noreply addresses are not falling under human-to-human
category. So we highly recommend our users to offload website
related and mailing list related mails to domboxes before enabling
restricted mode. That's because a dombox address gives exclusive
privilege to a domain and its alias domains.
The example which I mentioned in my previous email is an email which
was authored by a person. That email was sent through a web page.
But your concern is a valid concern. I think we should take
precautionary measures for challenge mails. For example, if the MAIL
FROM local-part contains text like "noreply" or "no-reply" and the
RCPT TO address requires CAPTCHA, then we should reject the mails
with an error message like "550 Recipient requires CAPTCHA. Not
possible in noreply addresses.". We can also use headers like
"List-Unsubscribe" to detect non-human mails.
That would cause an email from an IETF reviewer to be rejected. The
"List-Unsubscribe" header in this case is not a good signal for
detecting emails which are not from a person.
For the record, I'm not really a fan of challenge mails. But we
cannot just ignore it due to its annoying nature. For example, you
have a blog post and you see thousands of comments posted by bots
everyday. You get genuine comments monthly once. So it's reasonable
to enable CAPTCHA here.
Ok.
Plenty of people in the world use email address only for signing up
in third party websites like Facebook, Youtube etc. They hardly use
that for human-to-human communication. So CAPTCHA makes sense for such folks.
Ok.
The key takeaway from my work is not the challenge part, it's the
"verified strangers" part. As of now, botnets plays a huge role in
email spam. Last time I checked there are botnets out there that is
capable of sending 92 billion spam mails per day. Mirai botnet
source code is available on the github. So you don't need much
technical skills to create a botnet. My system tries to bring those
spammers inside a circle by dividing the system into human mails and
non-human mails. My system tries to punish the domain rather than IP
addresse. So I believe it's effective in dealing with botnet spam.
I understand that there is some source code which could be used to
send a lot of unwanted mail. According to your proposal (Page 240),
the "verified strangers" uses a "challenge/response mechanism". How
does it prevent those "challenge" emails from being sent to the
domains used by the botnet? Will all emails which are not DKIM or
SPF "authenticated" be discarded?
Regards,
S. Moonesamy
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp