At 9:27 AM +0200 2003/10/16, hadmut@danisch.de wrote:
- So why is Stephane complaining that these proposals would break his ability to use "From: bortzmeyer@nic.fr" ? In fact, none of the proposals would stop him from doing so, but since he complained about this emotionally, I tried to pick up his argument the same way. People should read and understand a draft before attacking it.
I have read the various drafts, and I understand how they work. They all rely on someone designating a set of servers that are allowed to send e-mail from a particular domain or set of domains. Regardless of the implementation mechanism, that act alone breaks .forward, alias-based mailing lists, legitimate third-party relay when you are travelling, etc....
However, if such a mail turns out to be forged (i.e. it has not been written by the sender specified in the From: line) or is any kind of fraud, worm, virus,... then it needs to be tracked back to where it came from to identify the _sender_ . There is no technical way to verify the author, except for cryptographical signatures, which are undeployable in a world wide scale.
Right, and nothing you do with an RMX-like proposal is going to make any difference here. The problem is that it doesn't help you until everyone (or most everyone) already does it, and until then it can only hurt. That is, unless it is only used as a whitelist mechanism, in which case what has it really bought you (and the entire rest of the Internet) to try to force everyone to do this?
But there is a way to do a light weight verification of the sender of the message by checking the authorization. That's what RMX and the RMX-like proposals do.
No. That is not at all what they do. That is what they *claim* to do. With DNS cache poisoning, all that goes out the window. With over 50% of the ccTLD authoritative nameservers being open public caching/recursive nameservers, just how clueful do you honestly think people are going to be? And this is just one of many weaknesses. If you want to do authentication, you need those cryptographic methods. Nothing short of that is going to help.
You need to understand the technical, legal and semantical difference between sender and author. Otherwise you're lost.
That is precisely what I would say back to you.
- Even if he is the owner of his machine, this does not automatically mean that his is the owner of this particular domain or address.
He may not own that domain, but he almost certainly owns that address. And he's already got his MUA configured to use the appropriate outbound mail server, including all cryptographic authentication methods required to make the transmission of mail a smooth and invisible process.
To invent e-mail security, there must be a technical difference between those who are authorized to use an address and those who are not. This difference must be detectable by receivers. That's how security works.
You're not going to invent anything useful using fundamentally flawed ideas using systemically dain-bramaged DNS infrastructure around the world. If you think SMTP security is bad, you haven't begun to look at DNS security.
- If the virus needs to use a legitimate address, then any error messages of virus filter will be sent back to the person responsible for that machine, and the machine can be fixed or taken offline. This is not possible if the error messages are sent to the wrong address.
That's assuming that the mailbox of the sender isn't already full of other bounces. That's assuming that the virus doesn't surreptitiously check the mailbox and delete all bounces, so as to cover it's tracks. That's assuming that the MTAs all along the chain are properly configured and actually issue bounces back to the envelope sender address, as opposed to paying attention to some easily forged header of some sort. That's assuming a whole hell of a lot of other things.
- I and many other people are currently drowning in error messages from relays which received worm messages with my/their domain as a sender address. This is a much bigger problem than the worms themselves. RMX will stop this imediately.
Something must be done. This is something. Therefore, this must be done. Riiiiiiiiiiiiiiiiiight. We've heard this before. As the former Sr. Internet Mail Administrator for AOL, I've probably been responsible for stopping more spam than you will ever see in your life. As one of the authors of some of the earliest anti-spam rulesets that were contributed back to the community, I am probably indirectly responsible for having stopped many, many orders of magnitude more spam than you can ever possibly see in your entire life. We're all suffering. What we shouldn't do is wave large quantities of weapons of mass destruction around in a crazied attempt to kill all the bugs -- doing so can only lead to our own destruction, and minor annoyance for the bugs. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)