nanog mailing list archives

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)


From: Brad Knowles <brad.knowles () skynet be>
Date: Mon, 26 Aug 2002 23:41:36 +0200


At 9:12 PM +0200 2002/08/26, Jeroen Massar wrote:

 ISPs should actually block port 25 outgoing, or even better,
 reroute/forward it to their own mail relay.

        Agreed.

 This will force people to use their upstreams email address though when
 sending email outbound.

        Yup.

 IMHO, Paul's idea is quite a good one, but all servers will need to be
 upgraded, and all DNS entries installed.

        I still think that it causes problems for mailing lists.

Moreover, you need to know the complete outbound path for all e-mail, from soup to nuts, so that you can add all those machines to the list of known mail-from MX entries for your domain.

I'm sorry, complete information like this just doesn't exist anymore. Knowledge like this did exist twenty or more years ago, back when there were only a few UUCP nodes. But even then, things quickly got to a point where people couldn't possibly know all possible paths between any two points, and people just listed their address from a small set of "well known" nodes.

 Unfortunately that will take some time; installing a tool like
 spamassassin/razor etc. is much more effective
 even though those tools won't stop spammers.

I disagree that it would stop spammers. Even if everything else worked, all it would require is that they get more creative in faking e-mail addresses. They just have to make sure that when the mail is delivered to you, it comes through a machine that is on the list of MXes for the mail-from entry for the domain. Put a simple wildcard MX in there (and nothing else), and it should match anything.


Moreover, even if all servers on the Internet were secured in this manner and there were no open relays, it would also require perfect reverse DNS because the MXes are listed by name and not IP address -- that's assuming you do a reverse lookup on the IP address and require that the returned name is on the list.

If you do a forward lookup (taking each of the listed MXes for mail-from and looking up their IP address), that would require that no one use DNS-based or geographical-based load-balancing, because then the forward lookup on the name might not match the IP address of the sending relay.

 At least it will help a bit against one of the bigger internet
 "problems".

I agree with the overall IETF approach of implementing something and seeing if it works (as opposed to talking things to death), but this is a case where I fear that the proposed solution could only work in a perfect world, and even then it would have some serious problems.

--
Brad Knowles, <brad.knowles () skynet be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
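The two verification variants discussed in the message above (reverse lookup on the connecting IP versus forward lookup of the listed relays), together with the wildcard and missing-PTR cases, as an added illustration. This is not code from the original post, from the smtpng proposal, or from any real mail server; the domain names, host names, addresses and the in-memory `FakeDNS` stand-in are all constructed for the example, and the "wildcard" and "none" result classes are this example's own design choice for how a receiver might treat a non-asserting policy.

```python
"""Toy verifier for the "mail-from MX" idea discussed above.

Added illustration only; not code from the original message. All DNS data
is constructed in memory and every name and address is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeDNS:
    """In-memory stand-in for the three record types the checks depend on."""
    mailfrom_mx: Dict[str, List[str]] = field(default_factory=dict)  # domain -> permitted relay names
    a_records: Dict[str, List[str]] = field(default_factory=dict)    # name -> addresses *this* verifier sees
    ptr_records: Dict[str, str] = field(default_factory=dict)        # ip -> PTR name

    def mx(self, domain: str) -> List[str]:
        return self.mailfrom_mx.get(domain, [])

    def a(self, name: str) -> List[str]:
        return self.a_records.get(name, [])

    def ptr(self, ip: str) -> Optional[str]:
        return self.ptr_records.get(ip)


def _policy(dns: FakeDNS, mailfrom_domain: str) -> Tuple[str, List[str]]:
    """Classify the published list before any host comparison is attempted."""
    permitted = dns.mx(mailfrom_domain)
    if not permitted:
        return "none", permitted        # domain publishes nothing: no assertion either way
    if "*" in permitted:
        return "wildcard", permitted    # "anything goes" list: no useful assertion (assumption)
    return "", permitted


def reverse_check(dns: FakeDNS, sender_ip: str, mailfrom_domain: str) -> str:
    """Reverse variant: PTR on the connecting IP must be a listed relay name.

    Requires correct reverse DNS for every legitimate relay; a missing PTR fails.
    """
    verdict, permitted = _policy(dns, mailfrom_domain)
    if verdict:
        return verdict
    name = dns.ptr(sender_ip)
    if name is None:
        return "fail"
    return "pass" if name in permitted else "fail"


def forward_check(dns: FakeDNS, sender_ip: str, mailfrom_domain: str) -> str:
    """Forward variant: resolve each listed relay name and look for the connecting IP.

    Breaks when the name is load-balanced and the verifier is handed a different
    address than the one the mail actually came from.
    """
    verdict, permitted = _policy(dns, mailfrom_domain)
    if verdict:
        return verdict
    for name in permitted:
        if sender_ip in dns.a(name):
            return "pass"
    return "fail"


def evaluate(dns: FakeDNS, sender_ip: str, mailfrom_domain: str) -> Tuple[str, str]:
    """Return (reverse verdict, forward verdict) for one inbound connection."""
    return reverse_check(dns, sender_ip, mailfrom_domain), forward_check(dns, sender_ip, mailfrom_domain)


# Constructed sample zone data (hypothetical names, documentation address ranges).
SAMPLE_DNS = FakeDNS(
    mailfrom_mx={
        "example.net": ["relay1.example.net", "relay2.example.net"],
        "lb.example": ["mail.lb.example"],   # one name, several real hosts behind it
        "spam.example": ["*"],               # wildcard-only publication
    },
    a_records={
        "relay1.example.net": ["192.0.2.10"],
        "relay2.example.net": ["192.0.2.11", "192.0.2.12"],  # .12 has no PTR below
        "mail.lb.example": ["198.51.100.5"],  # load balancer only hands us one address
    },
    ptr_records={
        "192.0.2.10": "relay1.example.net",
        "192.0.2.11": "relay2.example.net",
        "198.51.100.5": "mail.lb.example",
        "198.51.100.6": "mail.lb.example",    # second host behind the same name
        "203.0.113.7": "dialup-7.isp.example",
    },
)

if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.net"), ("192.0.2.12", "example.net"),
                       ("198.51.100.6", "lb.example"), ("203.0.113.7", "example.net"),
                       ("203.0.113.7", "spam.example"), ("203.0.113.7", "nopolicy.example")]:
        print(ip, domain, evaluate(SAMPLE_DNS, ip, domain))
```

Running the sample shows the asymmetry the message points out: a relay with a missing PTR passes only the forward check, a host behind a load-balanced name passes only the reverse check, a forged mail-from from an unrelated host fails both, and a domain that publishes only a wildcard produces no usable assertion at all.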
