This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNS RMX records - e-mail sender authorization
- Previous message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
- Next message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
hadmut at danisch.de
hadmut at danisch.de
Thu Oct 16 15:07:37 CEST 2003
On Thu, Oct 16, 2003 at 01:07:56PM +0200, Brad Knowles wrote: > At 9:27 AM +0200 2003/10/16, hadmut at danisch.de wrote: > > > - So why is Stephane complaining that these proposals would break his > > ability to use "From: bortzmeyer at nic.fr" ? In fact, none of the > > proposals would stop him from doing so, but since he complained > > about this emotionally, I tried to pick up his argument the same > > way. People should read and understand a draft before attacking it. > > I have read the various drafts, and I understand how they work. > They all rely on someone designating a set of servers that are > allowed to send e-mail from a particular domain or set of domains. Again, Stephane complained that the proposals would stop him from using "From: bortzmeyer at nic.fr" and you explicetely agreed, while at the same time you confirmed that all those proposals do not have anything to do with the header From: line. I still do not understand your opinion and your argument. If the proposals have nothing to do with the header From line (in fact, they don't), so why are you and Stephane complaining? > Regardless of the implementation mechanism, that act alone breaks > .forward, alias-based mailing lists, legitimate third-party relay > when you are travelling, etc.... No. If it doesn't touch the header From line, it doesn't break anything with that. Most mailing lists, all modern mailing list processors I've checked, most forwarding services correctly insert a new sender envelope address and will work with RMX just perfectly. > Right, and nothing you do with an RMX-like proposal is going to > make any difference here. The problem is that it doesn't help you > until everyone (or most everyone) already does it, and until then it > can only hurt. Wrong. If just Hotmail, AOL and Yahoo would provide RMX records and I'd query them, then I already would get rid of a significat amount of spam. And that's only a four party game. And even if I were the only person providing RMX records, it would already help getting rid of wrong delivery failure messages. > With DNS cache poisoning, all that goes out the window. With > over 50% of the ccTLD authoritative nameservers being open public > caching/recursive nameservers, just how clueful do you honestly think > people are going to be? And this is just one of many weaknesses. DNS cache poisoning is possible, but is found rarely. While I see tens of thousands of Spam per day, I didn't find any case of cache poisoning within the last two years. Do you really believe Spammers would be able to poision the DNS caches of a million receivers? That's not an acceptable argument. > If you want to do authentication, you need those cryptographic > methods. Nothing short of that is going to help. Wrong. Nonsense. There's organizational security, e.g. topological authentication, as done by e.g. firewalls. You should be better informed before propagating such claims. > He may not own that domain, but he almost certainly owns that > address. And how should anyone else check this? > And he's already got his MUA configured to use the > appropriate outbound mail server, including all cryptographic > authentication methods required to make the transmission of mail a > smooth and invisible process. So tell me how my receiving MTA can check this. What cryptographic authentication is he using that could be automatically checked by my machine? How do you want to deploy such a mechanism to countries where cryptography is not allowed? Do you believe that a billion of internet users will keep the secret keys on their windows machines secret? That's absurd. > You're not going to invent anything useful using fundamentally > flawed ideas using systemically dain-bramaged DNS infrastructure > around the world. Being insultive is not an argument. > If you think SMTP security is bad, you haven't > begun to look at DNS security. DNS security is still much better than SMTP security, because there is no SMTP security. Spammers using wrong sender addresses do not have to break any security mechanism by now. Breaking DNS is still not trivial, especially not for mass mailings. > That's assuming that the mailbox of the sender isn't already full > of other bounces. That's assuming that the virus doesn't > surreptitiously check the mailbox and delete all bounces, so as to > cover it's tracks. That's foolish. Not stopping spam and viruses because the mailbox could be filled with other rubbish is just ridiculous. And btw my relay has never been infected by a virus. Your argumentation is so farfetched and far from reality, that it doesn't convince in any way. > Something must be done. This is something. Therefore, this must be > done. > > Riiiiiiiiiiiiiiiiiight. We've heard this before. > That's the universal kiddy-argument against everything. Following you would mean to leave it just as it is. The current spam traffic might be suitable to your personal needs, but it isn't to others. > As the former Sr. Internet Mail Administrator for AOL, I've > probably been responsible for stopping more spam than you will ever > see in your life. Aha. AOL has also transported more spam than I will ever see in my life. So what? And what does this mean? That every anti-spam solution requires your personal approval? > As one of the authors of some of the earliest > anti-spam rulesets that were contributed back to the community, I am > probably indirectly responsible for having stopped many, many orders > of magnitude more spam than you can ever possibly see in your entire > life. Aha. And what does this mean? Do you want to tell me that you have the permission to spam-fight and I don't? > We're all suffering. What we shouldn't do is wave large > quantities of weapons of mass destruction around in a crazied attempt > to kill all the bugs -- doing so can only lead to our own > destruction, and minor annoyance for the bugs. So what are you proposing? Leave it as it is? If you have any better and feasible idea, don't hesitate to tell it. World will be happy to get it. I see that you don't like RMX. But I don't see what you want to have. A different mechanism? No spam protection at all? What do you want? Hadmut
- Previous message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
- Next message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]