Hi Johanthan,
Post by Jonathan de Boyne PollardL> All other proposals have a deployment problem
L> (namely, the DNS lookup proposals) [...]
They actually have a more fundamental problem than that. They attempt to
correlate (the domain portions of) envelope sender mailbox names with the IP
addresses of SMTP Relay clients. But there is simply no such correlation.
Sure there is. More below...
Post by Jonathan de Boyne PollardThe legitimate owner of a mailbox should be able to send mail with that
mailbox as the envelope sender from anywhere in the world that he or she
likes. Similarly, one should be able to send mail via one's connection to
Internet using as the envelope sender whatever mailbox one might legitimately
own.
Only if he is authenticated and authorized.
First lets not forget a few things.
Fundamentally, this is a "Anonymous Access" issue. As long as the
user is authorized to send mail, the user can connect from anywhere
and send to local or remote mail. That is not the issue. SMTP offers
the traditional IP relay tables, the Extended SMTP AUTH method and
possible the POP BEFORE SMTP method. The latter two was "invented" to
solve the roaming user problem (their machine IP changing for whatever
reason). So the concept of an Unknown Machine is a non-issue as long
as the user is authorized.
Second, the basic rule of thumb with SMTP security is:
anonymous access - can only send mail to local final destination
authorized access - can send local or remote (relay)
If the user authenticates, then there is no problem.
So the problem to be solved is how to control the high cost and REAL
ABUSE of anonymous access clients on the industry at all levels using
the current SMTP specification.
So lets focus on "Anonymous access" because a "legitimate user" is one
that is authorized do what what you describe.
So what is "anonymous access?"
Basically, in terms of "thee problem," it is one that is untrackable
and untracable. Basically, "anonymous" in the pure sense of the word.
The "problem" is the abuse that is costing the industry billions of
dollars.
The efforts in my view to address "the problem" is to add back
tracability and accounability. This is what CAN-SPAM Act attempts to
do. CAN-SPAM does not eliminate spam, in fact, it makes it worst, by
telling spammers:
"Hey, as long as you follow the rules, go ahead and spam!"
What are the basic CAN-SPAM rules?
I summarized them as two things:
- Valid return path, and
- Labeling.
That is all CAN-SPAM is telling spammers to do:
"Don't hide, spell it out, give the users a change to
opt-out and you can spam. If you don't follow the
new rules, then we will come and get you!"
and btw, it says one more thing,
"Follow the specifications set forth by IETF."
and if you listen to Dave Crocker, the "Father of SMTP", he says:
"Lets solve the problem using the current SMTP specification.
Lets not break it!"
With that mind set, industry developers really don't have must to work
with to solve the problem. In fact, many developers have basically
throw up their hands and said "$%#K'em" You now have developer and
vendors going on their own to do things that is basically NON-RFC
compliant concepts.
AOL and RoadRunners and a few others have already SHUT out the dynamic
IP user - technically a violation of the RFC specification as it
currently written because as I said above, if you got local
destination mail to send, anonymous access should be allowed.
But the abuse was too BIG with dynamic IP machines. It was time to put
restrictions. I agree with the idea, but I don't agree with how they
did it.
Now you have the "Alliance", Microsoft, AOL, EarthLink, YAHOO and
VERISIGN who are coming up with their own "Domain Key" specification
concept. Whats funny is that YAHOO says they will rollout this new
system in early 2004, and NO ONE has seen any SPECIFICATION
whatsoever. Atleast I haven't and I wrote to YAHOO three times to
inquire about it - not one response. I think they are full of it.
They were testing the water to see what people will think - "Will
people accept the Alliance controlling the industry mail system?"
Anyway, in the mean time, the rest of us have to deal with current
specifications.
You have three (3) parameters to work with, actually four (4):
CIP Connection IP address
CDN Client DOMAIN provided at HELO/EHLO
RP Sender Return Path provided at MAIL FROM:
RCPT The target recipient(s).
Again, anonymous access - local mail posting only.
The way I view it is as follows:
1) If sending mail to a non-existing local user, then there is no
need to check for access priverledges.
2) It is only when a RCPT exist or the system has decided to receive
mail, should it do an "Access Check"
What is the access check capabilities for anonymous clients?
Right now, according to SMTP specs, NONE! Hence the exploitation by
spammers.
I like the CBV because it is consistent with the RFC specification
that the return path must be validate in order to bounce mail. CBV
does't care where you sending it from. CBV simply wants to verify the
address. If the remote says NOT VALID, then thats is what we are
looking for. Any other result can not be trusted and you move on per
the RFC specifications.
What the DNS proposals do is try to bring in the sending maching
access.
In my view, the best they offer is to check your own local domains.
You can't any other result.
Since it is our SYSTEM POLICY that users must authenticate when they
use our domain name, then proposals like DMP offer us a way to make
sure that spammers are not spoofing our local domain on our system.
In my view, at the protocol level, that is the best you can do with
current specifications. You can check for remote domain DMP
compliants but this is REALLY a big overhead issues because of failed
DNS lookups.
Post by Jonathan de Boyne PollardThis is not their only fundamental problem, either.
L> AOL helps solve the problem.
... and resurrects another problem as a consequence of doing so, taking the
world back to the state that it was in several years ago. There is a
fundamental conflict. "Call back" schemes that verify envelope sender
mailboxes require, in order to be most effective, that envelope recipient
mailbox local parts be verified by the SMTP Relay server. But doing so
enables RCPT Harvesting (aka "Rumpelstilzchen attacks").
I believe that is a red herring. If you accept the address with no
feedback, as far as the SPAMMER is concern it has added weight to the
value of the email address - REGARDLESS whether it is a real address
or not that will be discarded at a later point.
Post by Jonathan de Boyne PollardImplementing the
measures that people have implemented to prevent RCPT Harvesting over the past
few years greatly reduces the utility of "call back" schemes.
Well, empiricically, it doesn't correlate with your view. The data
shows there is VERY little organizations accepting mail for post
processing, because they have realized they will open themselves to
open relay and scalability issues. Again, you need to think as the
outsider, the spammer. As far as the outside is concern you are honey
pot for spam and spammers will exploit your system and your domain
address across other systems to the maximum extent. So the
operational decision to accept all mail at the SMTP level, perpetuates
the problem not only for the company but for the industry as a whole.
While it wasn't a big problem in the past, today, not validation your
address will increase scalability issues on your system and eveyone
elses as YAHOO have problem to show with a majority of all spam having
spoofed YAHOO addresses. So in my view, they put on a burden on
EVERYONE else as well.
Also, as I said, its a red herring, YAHOO will validate the address
at the DATA stage. So if a spammer wanted to "havest" the address,
all they need to do is continue with the DATA transmission. They will
find out very fast whether it is good or not.
In any case, with the exception of YAHOO, the odds are very high that
if a system accepts ROUTED MAIL in an anonymous matter, it is more
than likely a open relay. If it restricts routed mail but accepts all
local addresses, well there is not much you can do here. But again,
a CBV system is not looking for true positives, it is looking for true
negatives which offer 100% and by far, the emperical data have shown
that 80% of all email are spoofed as 100% true rejected addresses.
Post by Jonathan de Boyne PollardL> CBV works!
No scheme to combat unsolicited bulk mail via SMTP works.
Will anything work 100%? No, but emperically, CBV has shown to
eliminate atleast 80% or higher of the spoofing spammers. Thats 100%
TRUE negatives of rejected addresses. Hey, thats a MAJOR improvement
at the protocol level.
Post by Jonathan de Boyne PollardThey either cause
an arms race (biased in favour of the UBM senders; as is the case with
Bayesian filters, for example) that in the long run does little more than
cause SMTP to become less usable and patchy (as all of the various blocks and
the collateral damage from their false positives accumulate), or (as here)
they simply highlight one of the fundamental conflicts in SMTP-based
electronic mail.
Well, as a mail system designed, I have no interest in the
interpretation of mail content, and personally, I believe I am
ethically bound not to deal with it. I am only interested in fixing an
"anonymous access" problem at the protocol level and it JUST so
happens that by doing so, you solve 80% of the spam problem. Thats a
MAJOR improvement. It has nothing to do what SPAM is or what the mail
content really is. It is anonymous access problem.
SMTP has no business in the "interpretation of mail content" game.
That is an system policy or end-user issue. The best SMTP can do is
basically control access by enforcing the specs. We were given a
mandate by CAN-SPAM:
- Validation of the Return Path
- Labeling.
The first one is easy. The second one requires a CHANGE to the SMTP
specification, if we want to offer a SYSTEM POLICY feature to detect
ADV tags at the protocol level. Otherwise, it has to be done a the
DATA stage or post processing.
In my view, the problem is pretty simple :-) We just need to best
way to validate that address. With CURRENT specs, CBV is the only
way.
Those are my views :-)
Hector Santos, CTO
Santronics Software, Inc.