----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>
To: "Doug" <Dougxx2@carolina.rr.com>
Cc: <ietf@ietf.org>
Sent: Monday, January 06, 2003 1:23 AM
Subject: Re: namedroppers, continued

>> It seems to me if the mail server administrators would make the decision to
>> require people that send emails from their servers to log into a valid
>
>Your proposal would fix the problem, but end up tossing a large quantity
>of babies out with the bathwater. The problem is that for the case of
>a mailing list, you have *4* (at least) things to keep track of:

There are many commercial email servers that require the people sending email with their server to log into the server using a valid username and pass before doing so. I doubt they are losing any valid emails. All it does is to keep unauthorized users from using the server without a valid password. The reason to require that the sender address in the outgoing email matches the email address referenced in the account is to keep people from sending spam from these email servers and using fraudulent return and/or sender address. I fail to see how this throws out any babies. Perhaps I am missing something.

>
>1) The RFC821 recipient address. For your copy of this posting, it's "your
>email address".
>2) The RFC821 sender address. It should be available in the Return-Path:
>header in most well-behaved mail systems as you look at your mail.
>3) The RFC822 From: address.
>4) The RFC822 To: address.

I know what the recipient address, sender address, from address, and to address in headers look like. The problem is that many spammers use false information here and change it on a regular basis. This makes it impossible to block their email at the client end. My proposal is very basically to make it mandatory to put valid information in these fields in order to be able to send the email.

>Another problem is that I am (fortunately) still receiving more mail
>each day that counts as "legitimate unsolicited" (problem reports about
>our servers, people who have seen my name and are looking for technical
>advice, etc) than I do actual spam.

I also never intended for servers to be using filters on unsolicited emails just because they are unsolicited. My intention was to suggest that people who were sending unwanted and unsolicited "commercial" email should be blocked. I suggested that servers that refused to cooperate with the rest of the spam hating world could be blocked just in case, but this may be a bit harsh.

In addition, the steps I mentioned would allow for the person receiving these emails to gather information to allow them to easily take legal action against the spammers that still managed to get through. I.e., if everyone is forced to use valid information in the headers to be able to send the email without using some exploit on the server then it should be easy to track them down. If of course they are forced to use exploits to send their anon spam then the admins of the system would eventually find this and take action to block them and/or prosecute them.

Perhaps you could be scanning header information as well on the receiving server (not the client or the sending server) to allow you to check for nonsense return addresses like this@for.example or fraudulent source DNS and IP information. Another thing that could be checked for is whether the sending account matches the reply to address.

>It's not as easy as it looks... :)

Oh no, I never said it was easy and I also never said I knew it all. I am just making a suggestion as to a possible solution to the problem. :)

Doug

>/Valdis

P.S. I do seriously want to know how this would stop valid email users from getting/sending their email.
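
The receiving-server checks suggested in this message, applied to the four addresses listed in the quoted text, as an added example that is not part of the original thread. The sample messages, addresses and finding names are constructed for illustration; the reserved top-level domains are those of RFC 2606.

```python
from email import message_from_string
from email.utils import parseaddr

# Top-level domains reserved by RFC 2606; they never resolve in the public DNS.
RESERVED_TLDS = {"example", "invalid", "test", "localhost"}

def header_addr(msg, name):
    """Bare lower-cased address from one header, or '' if the header is absent."""
    return parseaddr(msg.get(name, ""))[1].lower()

def check(mail_from, rcpt_to, raw):
    """Findings for one message as the receiving server sees it.

    mail_from / rcpt_to are the RFC821 envelope addresses (items 2 and 1 in the
    quoted list); From: and To: are the RFC822 headers (items 3 and 4).
    """
    msg = message_from_string(raw)
    hdr_from = header_addr(msg, "From")
    findings = []
    tld = mail_from.rpartition("@")[2].rpartition(".")[2].lower()
    if tld in RESERVED_TLDS:
        findings.append("sender-domain-reserved")
    if mail_from.lower() != hdr_from:
        findings.append("envelope-sender-differs-from-From")
    if rcpt_to.lower() != header_addr(msg, "To"):
        findings.append("envelope-recipient-differs-from-To")
    reply_to = header_addr(msg, "Reply-To")
    if reply_to and reply_to != hdr_from:
        findings.append("Reply-To-differs-from-From")
    return findings

# Constructed samples: (envelope sender, envelope recipient, headers + body).
SAMPLES = {
    "direct": ("alice@example.org", "bob@example.net",
               "From: Alice <alice@example.org>\nTo: bob@example.net\n\nhi\n"),
    "list": ("owner-ietf@lists.example.org", "bob@example.net",
             "From: Alice <alice@example.org>\nTo: ietf@lists.example.org\n\nhi\n"),
    "forged": ("this@for.example", "bob@example.net",
               "From: Deals <this@for.example>\nTo: bob@example.net\n"
               "Reply-To: orders@example.com\n\nbuy\n"),
}

def run_samples():
    return {name: check(*args) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "no findings")
```

The constructed list posting trips both envelope/header comparisons even though every address in it is genuine, while the forged sample is caught by the reserved-domain and Reply-To checks.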