This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNS RMX records - e-mail sender authorization
- Previous message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
- Next message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Brad Knowles
brad.knowles at skynet.be
Fri Oct 17 01:15:38 CEST 2003
At 3:07 PM +0200 2003/10/16, hadmut at danisch.de wrote: > I still do not understand your opinion and your argument. > If the proposals have nothing to do with the header From line > (in fact, they don't), so why are you and Stephane complaining? Because we want to use the proper envelope sender address, and have the bounces come back to our correct address. We don't want to be forced to use some garbage envelope sender address forced on us by the severely misguided which would cause our bounces to go to the wrong place, while the header would be unchanged. > No. If it doesn't touch the header From line, it doesn't break > anything with that. Most mailing lists, all modern mailing list > processors I've checked, most forwarding services correctly insert > a new sender envelope address and will work with RMX just perfectly. Did I say anything about breaking proper mailing lists? No. I said something about breaking .forward, which does not (and cannot) change the envelope sender address. I said something about breaking alias-based mailing lists (which also don't change the envelope sender address). I said something about breaking legitimate third-party relay when you are travelling. If you're going to argue on some subject, it might be a good idea to pay attention to what the other guy is talking about. > Wrong. If just Hotmail, AOL and Yahoo would provide RMX records and > I'd query them, then I already would get rid of a significat amount > of spam. And that's only a four party game. Wrong. Many people legitimately send e-mail from accounts like that, with return addresses legitimately within domains like this. > And even if I were the only person providing RMX records, it > would already help getting rid of wrong delivery failure messages. No, there would still be plenty of MTAs that would be misconfigured and pay attention to headers like "Errors-to:", and you'd be victim of header address spoofing, and the bounces resulting from them. > DNS cache poisoning is possible, but is found rarely. While I see > tens of thousands of Spam per day, I didn't find any case of cache > poisoning within the last two years. Do you really believe Spammers > would be able to poision the DNS caches of a million receivers? Sure. They can own networks of hundreds of thousands of PCs around the world, and use them to DDoS blacklist providers out of existence, and do so with impunity. It doesn't matter if you know precisely who they are, where they are, and exactly how they're doing it. You can have video of the act. It doesn't matter, because no one in law enforcement gives a flying flip. If they're going to write stealth viruses to take over hundreds of thousands or millions of PCs to act as their conduit for spam, or to act as reverse proxy cache servers for the hidden websites that have the real content, then DNS cache poisoning is a trivially easy step for them. > Wrong. Nonsense. There's organizational security, e.g. topological > authentication, as done by e.g. firewalls. You should be better > informed before propagating such claims. Weak. Spoofable. Easy to work around. Meaningless. These are terms you should become familiar with before you participate in discussions on subjects you do not understand. > And how should anyone else check this? How could anyone else check on this? The only reasonably trustworthy mechanism would involve strong crypto at the core of a secure protocol, and even then that could be subverted by easily guessed passwords (or sniffed passwords), or any of several other attacks. > So tell me how my receiving MTA can check this. What cryptographic > authentication is he using that could be automatically checked > by my machine? At the MTA level, you don't. The best you could do would be to authenticate the connection from the sending MTA to your MTA, in much the same way SSL certification is done today. Oh, wait. We already have this. It's called SMTPAUTH. Then there's TLSSMTP. If you want to authenticate the message itself, you're dependant on the mechanisms that he chooses to put into the message -- PGP, S/MIME, whatever. > How do you want to deploy such a mechanism to countries where > cryptography is not allowed? Do you believe that a billion of > internet users will keep the secret keys on their windows machines > secret? That's absurd. How do you deploy SSL? > DNS security is still much better than SMTP security, because there > is no SMTP security. Spammers using wrong sender addresses do not have > to break any security mechanism by now. If you think there is anything remotely resembling DNS security, you are not familiar with the subject. > Breaking DNS is still not > trivial, especially not for mass mailings. Not at all true. They're already playing these sorts of games. You're just not up-to-date on the techniques they're already using. > That's the universal kiddy-argument against everything. Following you > would mean to leave it just as it is. The current spam traffic might > be suitable to your personal needs, but it isn't to others. No, we are working on actually useful proposals to help deal with the issue. > Aha. AOL has also transported more spam than I will ever see > in my life. So what? If you haven't seen it, you are not likely to be able to come up with ways to successfully combat it. > And what does this mean? That every anti-spam solution requires your > personal approval? No. There are plenty of people who have useful experience to bring to the table. However, I have seen a lot of dain-bramaged ideas in my time, and I am well-suited to pointing out these problems wherever I encounter them. > Aha. And what does this mean? Do you want to tell me that you have the > permission to spam-fight and I don't? No. However, if you're going to try to be part of the solution and not just make a bad situation many orders of magnitude worse, you need to do your homework. You need to do research. You need to talk to people who have more experience in this field, and you need to be willing to learn from them. I have seen no evidence of any of these behaviours on your part. > So what are you proposing? Leave it as it is? If you have any > better and feasible idea, don't hesitate to tell it. World will be > happy to get it. I'm working on that within the auspices of the IETF/IRTF Anti-Spam Research Group (ASRG). As the BCP Coordinator, I'm hoping that we will soon have some "best practices" that we can recommend that sites participate in, and help stem the tide. > I see that you don't like RMX. But I don't see what you want to have. > A different mechanism? No spam protection at all? What do you want? You should see that when the ASRG starts publishing the BCPs. -- Brad Knowles, <brad.knowles at skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
- Previous message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
- Next message (by thread): [dns-wg] DNS RMX records - e-mail sender authorization
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]