nanog mailing list archives

RE: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)


From: David Van Duzer <dvanduzer () infidels org>
Date: 26 Aug 2002 14:53:25 -0600


On Mon, 2002-08-26 at 13:43, Jeroen Massar wrote:
> Read my sentence again, because I really won't see everybody install/use
> it.
> One can also simply see so by the problems related to the fact of
> installing security updates.
> Some 'companies' and individuals are simply too sleazy/lousy or whatever
> to do it.
> And thus open spam relays will be kept alive which is why there are
> RBLs.
>
> This will only help a bit, and tools like SpamAssassin/Razor will keep a
> load of stuff off your servers.

Paul's proposal doesn't require battening down every mail server out
there either.  The particularly useful aspect of this approach is that
clueful administrators of more visible mail servers can cut down on
being spoofed.  This would also be specifically effective against Klez
and similar annoyances.  It doesn't matter if the spammer/virus is
cooperating with the system or not.  If the final destination contacts
the mailfrom callback server, and it says "This definitely isn't
legitimate" then even with a small adoption rate, there will still be a
significant decrease in cruft, and the mail system being spoofed has
something better to point at when they get flooded with complaints from
people who actually trust the <mail from> field.  But then, all this is
fairly clear in the draft.  I can't figure out why it hasn't been more
widely accepted as a Good Idea.  The presumably appropriate topic for
discussion on this list is why a system such as this would be a problem
for network operators who choose not to implement such a callback
feature.  So far the only objection I've seen is "It won't make any
difference" and that seems to be a flimsy argument.  Please correct me
if I'm missing something.



> Making it harder to get into your house is better than putting the doors
> wide open...
> Every bit helps...

Exactly.

-dvd

