On Dec 19, 2005, at 2:28 PM, Frank Ellermann wrote:
Disrupting v=spf1 at this point also spells doom for SMTP. What
we'll now get is SMPT-3, a new SMTP without most NDNs. Only a few
pockets of resistance with an SPF sender policy will still say that
NDNs are good IFF you reject SPF FAILs.
Perhaps not.
Return-paths with a unique tag could mitigate a too common DSN
exploit used to evade source filtering. Ensuring an auto-response
adopts consistent conventions where return-paths use either "MAILER-
DAEMON@*" or "<>" addresses, and where return-path tag removal
happens at the MDA when delivered (or published into on-line
archives) would improve upon the success of this strategy. Part of
this tag may carry tracking information that could be used to locate
sources of replay abuse. (DKIM will suffer similar problems.)
Rather than hoping for critical mass or strategies to coerce adoption
by a substantial portion of email domain owners, the domain
implementing the return-path tagging reaps benefits immediately,
allowing incremental adoption. Tagging does not demand an inordinate
overhead be imposed upon the recipient which could deter valid DSNs.
Even checking the "authorization" address lists will often be found
open-ended. Authorization may also unfairly shift the burdens
created by open-ended gaps onto the email address domain owner,
rather than the actual sender.
With respect to offering more discriminate source identification,
ensuring EHLO verification by a single DNS lookup could resolve much
of the collateral issues associated with the use of the remote IP
address as the source identifier. A lightweight name-based
reputation check may also leverage the granularity offered by DKIM.
(Who knows, perhaps the same public-key used to sign the message
could also sign a portion of the domain name and the /29 of the IP
address. Only a single lookup would then be needed for both.) : )
-Doug
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf