ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: namedroppers, continued

2002-12-06 23:44:46
from [ned . freed] [Permanent Link] 
proposal of mailfrom dns record - http://www.vix.com/~vixie/mailfrom.txt 
or


I've had a look at vixies proposal and it's a good one.  I certainly would
welcome something like the mailfrom dns record.



actually I'd call it a nonstarter in its current form.


I would have to agree.


 given that



- mail from is used for nondelivery reports and other notifications;
  users need to make sure it gets set to an address that they'll read



- nomadic users have valid reasons to post from random places on the net
  (including multiple ISPs) and keep the same mail from address.



- many ISPs won't let you forward or submit mail through someone else's
  SMTP server, even if you have permission to do so.  so you can't
  forward your mail through your "home" ISP's mail server to allow the
  "mail from" check to work.


In addition to these valid concerns I'd add that various sorts of
autoforwarding exist that don't change the MAIL FROM. These would also tend to
break if such a scheme were implemented.

I'm also concerned about the management aspects of having lists of authorized
"multistage relays" and all that implies.


trying to reuse any of the existing return addresses in email as a
spam identifier just won't fly.  a separate identifier might work.


But there's also a problem with NOT using the MAIL FROM -- one of the things
that's being counted on here is that mailing list expanders will (optionally)
check the MAIL FROM against this new DNS record, but then change it
unconditionally to an address associated with the list expander rather than
with the originator.


(actually Sender is the closest thing to what is needed here,
unfortunately it's routinely munged by mailing lists)


To the extent that sender is munged by mailing lists to refer to the 
list expander it would actually be a feature here, not a bug. But just
as you cannot count on it being left alone, you also cannot count on it
being changed.

Perhaps the real problem here isn't the use of MAIL FROM but rather the
assumption that binding ipsource to the MAIL FROM domain is a useful 
validation check. A specific ipsource is just not a property a legitimate user
of a given domain can be expected to have. Although I am reluctant to suggest
anything involving public key crypto, another approach would be to put a
public key in the MAIL-FROM DNS record and add a new header field containing a
signature covering the message's  MAIL FROM and the current date.

                                Ned
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: namedroppers, continued, Keith Moore
Next by Date:  validating source of email (was something about namedroppers), Keith Moore
Previous by Thread:  Re: namedroppers, continued, Keith Moore
Next by Thread:  validating source of email (was something about namedroppers), Keith Moore
Indexes:  [Date] [Thread] [Top] [All Lists]