subject:"IETF SMTP Working Group Proposal at smtpng.org"



  I'd like to be able to publish DNS records announcing my 
 domain's *outbound*
 mail servers, with nice abbreviated forms to say they're the 
 same as my
 inbound (MX) records or any IP in x.y.z/24.  Then 
 cooperative ISPs (like say
 America Online) could refuse any email from my domain that 
 originated from some
 random cable modem, instead of accepting it and then flooding 
 me with 2
 bounce messages.

It's almost to the point to where mail servers need their own
registrar, sort of the way domains are tracked now, track mail
servers.  Give mail server admins the option to accept mail from
registered mail servers only or from any mail server.  Of course there
would need to be a ramp up period, like six months to a year, to make
sure all of your mail servers are registered.  And of course one should
only be able to register mail servers if the IP space is actually SWIP
to them.  If the IP space is NOT SWIP, it would need to be registered by
the customer ISP or via owners rwhois server.  Just my $.02; for what
it's worth 

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

When all else fails, let a = 7.  If that doesn't help, then read the
manual.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Ron da Silva



On Wed, Aug 21, 2002 at 10:00:02AM -0400, [EMAIL PROTECTED] wrote:
 
  what are the more basic problems you're trying to fix?

  I'd like to be able to publish DNS records announcing my domain's *outbound*
 mail servers, with nice abbreviated forms to say they're the same as my
 inbound (MX) records or any IP in x.y.z/24.  Then cooperative ISPs (like say
 America Online) could refuse any email from my domain that originated from some
 random cable modem, instead of accepting it and then flooding me with 2
 bounce messages.

What about this email from you which came to me from Merit and not your
mail server?  Would break mailing lists and listserves unless the from
field is overwritten.

-ron

Re: IETF SMTP Working Group Proposal at smtpng.org



Yo Avleen!

On Wed, 21 Aug 2002, batz wrote:

 Spam is very much a security problem.

 Spam would not exist if both MUA's and MTA's had adequate policy
 enforcement features on them, so that users could set granular
 controls on what was allowed into their mailboxes.

Nice try, but not close enough.

Spam is a LEGAL problem.

There are many cases where spammers negotiated a service contract with
out anti-spamming clauses.  Then when the ISP figures out they have
a bulk spammer for a custmoer they can not shut down the spammer because
the spammer gets a court order to enforce the service agreement.

Same goes on the other side.  Many BLs have been sued, AND LOST, for
putting spammers on their BLs.

Put those two together and no technical solution will fix the problem.

If legislatures say Pi is equal to 3 then there is not much we
can do to fix it except fight the legislature.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread batz



On Wed, 21 Aug 2002, Gary E. Miller wrote:

: Spam would not exist if both MUA's and MTA's had adequate policy
: enforcement features on them, so that users could set granular
: controls on what was allowed into their mailboxes.
:
:Nice try, but not close enough.
:
:Spam is a LEGAL problem.

Actually, I'm bang on. :) 

It's not a legal problem, yet. The reason for this is that there 
is no legal definition of spam that is applicable outside a small
number of jurisdictions. In fact, there is no single 
comprehensive definition of spam other than that its most 
consistent attribute, which is users inability to filter it 
without losing legitimate mail. 

Look at CAUCE, Brightmail, SpamAssassin. None of them provide 
a comprehensive definition of all spam, rather, they define it by
some of its effects, or deal with it as a matter of heuristic 
scoring. 

By looking at its one unique attribute, we see that it is a direct
leveraging/exploitation of the openness of the SMTP protocol and 
the culture of the Internet SMTP was designed to serve.  

That openness used to be the social contract of email, now it 
is simply a lack of enforcable policy and tools. 


:There are many cases where spammers negotiated a service contract with
:out anti-spamming clauses.  Then when the ISP figures out they have
:a bulk spammer for a custmoer they can not shut down the spammer because
:the spammer gets a court order to enforce the service agreement.

Yes, but that does not give the end recipient any direct recourse, 
and also defines spam as a contract violation between an ISP and its
client, and has no regard for the messages themselves. 

:Put those two together and no technical solution will fix the problem.

Actually it will. The model that TMDA uses (whitelists and confirmed
corespondant registration with the recipient) is partial  example of a 
solution that will make all spam an explicit case of unauthorized 
access, which can then be a legal issue. 

One of the most basic principles of computer security is:  
No Policy = No Crime.  Until users have adequate tools and 
protocol support to control of what comes into their mailboxes, 
there will be spam. 

Cheers, 

--
batz

RE: IETF SMTP Working Group Proposal at smtpng.org



 Really good idea (no sarcasm, I actually like it).. But what 
 stops spammers
 from registering their mail server?..Ie..
   1) Get a dsl account
   2) Ips get swipped to you
   3) Register the server
   4) SPAM 
   5) Apologize, get a second chance
   6) get booted off
   7) Call the next ISP with a zero install
   8) Rinse and repeat.

Treat them sort of like SSL certs now.  Charge an annual registrar fee
per company, not per server. (Something like $100 a year)  The more they
have to go out of their way to get their spam server online, the more
they would be deterred to do so.  They're only going to want to change
so many ISP's, go through SWIP and then change their legal name for the
registrar so many times.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Life would be much easier if I had the source code.

RE: IETF SMTP Working Group Proposal at smtpng.org



 I really like this. A sort of IRR for mail servers. Maybe when
 registered it could even check if the server was an open 
 relay, and not
 allow those servers to be registered until properly configured. Any
 thoughts?

Righto, that would all be part of a registration process.  As well as
things like forward and reverse DNS matching for the mail server, etc.
But whos to say that once they pass the test they just open up things.

As well as the registrar, there would have to be a complaint and
investigation department.  But going that far legally tends to destroy
good ideas.  The most important things is the legal handling of
exceptions and complaints and the actual steps on getting someone shut
off.  We all know how people are sue happy...

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Jared Mauch



I'd seen back in the mid 1990s a user that got banned from
all the isps on his island (or fairly close to it) due to
abuse of services.

obviously when you have a set of only 3-4 isps to choose from
this makes it a lot easier to keep the guy from doing anything evil.

but these days everyone that can negotiate a bulk-dial
agreement with someone and run a radius server can sign up
users and make the abuse a bit harder to track ...

i do think some sort of smtp-callback would be nice/useful
for validation of e-mail addresses.  it'll make it so
the bounces go to someplace at least instead of Postmaster.

- jared


On Wed, Aug 21, 2002 at 03:29:46PM -0400, Robert Blayzor wrote:
 
  Really good idea (no sarcasm, I actually like it).. But what 
  stops spammers
  from registering their mail server?..Ie..
  1) Get a dsl account
  2) Ips get swipped to you
  3) Register the server
  4) SPAM 
  5) Apologize, get a second chance
  6) get booted off
  7) Call the next ISP with a zero install
  8) Rinse and repeat.
 
 Treat them sort of like SSL certs now.  Charge an annual registrar fee
 per company, not per server. (Something like $100 a year)  The more they
 have to go out of their way to get their spam server online, the more
 they would be deterred to do so.  They're only going to want to change
 so many ISP's, go through SWIP and then change their legal name for the
 registrar so many times.
 
 --
 Robert Blayzor, BOFH
 INOC, LLC
 [EMAIL PROTECTED]
 
 Life would be much easier if I had the source code.

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

RE: IETF SMTP Working Group Proposal at smtpng.org



 I'm not a company, I'm Joe Blow private citizen - do you expect me to
 pay $100 just to sign up with AOL? 

If you are Joe Blow private citizen, why would you need to run a mail
server?  Would you not use your ISP's, at least as a smart relay?  If
running a mail server is that important to you, just like registering a
domain, you'll pay it.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Profanity is the one language all programmers know best.

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Larry Rosenman



What about individuals that run their own mail servers?  (E.G. me).? 



On Wed, 2002-08-21 at 14:28, Derek Samford wrote:
 
 I really like this. A sort of IRR for mail servers. Maybe when
 registered it could even check if the server was an open relay, and not
 allow those servers to be registered until properly configured. Any
 thoughts?
 
 Derek
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
 Of
  Mark Segal
  Sent: Wednesday, August 21, 2002 3:12 PM
  To: 'Robert Blayzor'; [EMAIL PROTECTED]
  Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
  
  
   It's almost to the point to where mail servers need their own
   registrar, sort of the way domains are tracked now, track
   mail servers.  Give mail server admins the option to accept
   mail from registered mail servers only or from any mail
   server.  Of course there would need to be a ramp up period,
   like six months to a year, to make sure all of your mail
   servers are registered.  And of course one should only be
   able to register mail servers if the IP space is actually
   SWIP to them.  If the IP space is NOT SWIP, it would need to
   be registered by the customer ISP or via owners rwhois
   server.  Just my $.02; for what it's worth
  
  Really good idea (no sarcasm, I actually like it).. But what stops
  spammers
  from registering their mail server?..Ie..
  1) Get a dsl account
  2) Ips get swipped to you
  3) Register the server
  4) SPAM
  5) Apologize, get a second chance
  6) get booted off
  7) Call the next ISP with a zero install
  8) Rinse and repeat.
  
  
  Regards,
  Mark
  
  --
  Mark Segal
  Director, Data Services
  Futureway Communications Inc.
  Tel: (905)326-1570
 
-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

RE: IETF SMTP Working Group Proposal at smtpng.org



 What about individuals that run their own mail servers?  (E.G. me).? 

Get your mail server registered just like everyone else I suppose.  If
your address space is not registered to you directly, your ISP would
have to do this for you.  You're ISP would then handle any complaints
(if any) from the registrar and coordinate it with you directly.  I
honestly like that idea because as a network operator, I like to know
what customers are running mail servers on our network, where they are,
and who owns them.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

YOUR PC's broken and I'VE got a problem? 
 -- The BOFH Slogan

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Larry Rosenman



On Wed, 2002-08-21 at 14:50, Robert Blayzor wrote:
  What about individuals that run their own mail servers?  (E.G. me).? 
 
 Get your mail server registered just like everyone else I suppose.  If
 your address space is not registered to you directly, your ISP would
 have to do this for you.  You're ISP would then handle any complaints
 (if any) from the registrar and coordinate it with you directly.  I
 honestly like that idea because as a network operator, I like to know
 what customers are running mail servers on our network, where they are,
 and who owns them.
Actually, it's swip'ed to me (I work for said ISP), but I also run a
SMTP server on my laptop which bounces usually between two addresses
(one at home, one at work), and I suppose that the work address (NOT
swip'ed) would have a problem under this proposal. 

I DO understand the reasoning, but it is a **BIG** culture change, and
would take a year or two or more to implement network wide. 

I think $100/year is STEEP, if it is PER SERVER, but per
COMPANY/INDIVIDUAL it **might** be acceptable. 

(I have 3 boxes + the laptop that do SMTP regularly). 

Ideas given this? 

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Jared Mauch



If there were some sort of smtp callback pki, as long as
you controled your dns and server you could do something useful
on that front.

here's an example i gave last night in a private
e-mail:

-- snip --
There is an important need to perform callback but allow for
the ability to protect information from possible spammers for
harvesting/verificiation.

eg:

220 welcome, but no spam
ehlo spammer
250-callback-secure
250 help
mail from:[EMAIL PROTECTED] callback=spammer.example.com
250 ok
rcpt to:[EMAIL PROTECTED]
451 try again, pending callback

vs:

220 welcome, but no spam
ehlo spammer
250-callback-secure
250 help
mail from:[EMAIL PROTECTED] callback=spammer.example.com
250 ok
rcpt to:[EMAIL PROTECTED]
550 no such user here

there's also the need to do some sort of pki to allow
callback to be secure.  eg: the dns record for nether.net should have
some public-key in it and then some other stuff like possibly

mail from:[EMAIL PROTECTED] callback=validate.hotmail.com;key=alkjsdfj   
then pass the 'key' through the public-key availble via dns to
provide back an authentication system to allow for more secure
callback.

but this can still be abused depending...

just some thoughts,
-- snip --

- jared

On Wed, Aug 21, 2002 at 02:38:31PM -0500, Larry Rosenman wrote:
 
 What about individuals that run their own mail servers?  (E.G. me).? 
 
 
 
 On Wed, 2002-08-21 at 14:28, Derek Samford wrote:
  
  I really like this. A sort of IRR for mail servers. Maybe when
  registered it could even check if the server was an open relay, and not
  allow those servers to be registered until properly configured. Any
  thoughts?
  
  Derek
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
  Of
   Mark Segal
   Sent: Wednesday, August 21, 2002 3:12 PM
   To: 'Robert Blayzor'; [EMAIL PROTECTED]
   Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
   
   
It's almost to the point to where mail servers need their own
registrar, sort of the way domains are tracked now, track
mail servers.  Give mail server admins the option to accept
mail from registered mail servers only or from any mail
server.  Of course there would need to be a ramp up period,
like six months to a year, to make sure all of your mail
servers are registered.  And of course one should only be
able to register mail servers if the IP space is actually
SWIP to them.  If the IP space is NOT SWIP, it would need to
be registered by the customer ISP or via owners rwhois
server.  Just my $.02; for what it's worth
   
   Really good idea (no sarcasm, I actually like it).. But what stops
   spammers
   from registering their mail server?..Ie..
 1) Get a dsl account
 2) Ips get swipped to you
 3) Register the server
 4) SPAM
 5) Apologize, get a second chance
 6) get booted off
 7) Call the next ISP with a zero install
 8) Rinse and repeat.
   
   
   Regards,
   Mark
   
   --
   Mark Segal
   Director, Data Services
   Futureway Communications Inc.
   Tel: (905)326-1570
  
 -- 
 Larry Rosenman http://www.lerctr.org/~ler
 Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
 US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Valdis . Kletnieks


On Wed, 21 Aug 2002 15:51:36 EDT, Jared Mauch said:
   i do think some sort of smtp-callback would be nice/useful
 for validation of e-mail addresses.  it'll make it so
 the bounces go to someplace at least instead of Postmaster.

The fact that you can call back in no way means that bounces won't
double-bounce into the postmaster mailbox. I'm sure that yahoo.com
would buy into a callback scheme, but it wouldn;t have done squat for
this double-bounce:

   - Transcript of session follows -
... while talking to mx1.mail.yahoo.com.:
 DATA
 554 delivery error: dd Sorry, your message to [EMAIL PROTECTED] cannot be 
delivered.  This account is over quota. - mta461.mail.yahoo.com
554 5.0.0 Service unavailable

(OK, so THIS double-bounce was a W32/Klez-H generated one, but I get enough
of the same thing for spam with a Yahoo return adress).
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech




msg04621/pgp0.pgp
Description: PGP signature

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread sjj



 IMHO I don't think it would be that horrible of an idea with the right amount
 of notification and education to state something such as register your mail
 servers by this date or risk service interruption.
] but I also run a SMTP server on my laptop which bounces usually between two
] addresses (one at home, one at work)

 Actually, I don't care too much about the rest of you, nothing would force
you to publish your outbound mail servers.  As long as a few big sites (spam
targets) honor the white list I publish for *my* own domain, great.  It's
voluntary, and to your advantage both as a sender and a receiver to adopt it
(assuming the mailing list thing is resolvable).
 Domains like pobox.com wouldn't be able to use this, so it shouldn't be a
requirement.



 Of course this period would be several months, if not a year+ .

 Planned obsolescence is another interesting idea, but a sure way to implement
it isn't coming to mind.  Basically I want my MTA to refuse deliveries from
MTAs 'X' years/days older than itself.  Years older vs absolute age is
important, so that an isolated enterprise network somewhere could continue to
inter-operate with itself no matter how old it grew.

 How about: use the skey style unrolling (or is that pre-rolled?) passwords
to generate cookies.  Someone we trust creates the 'generation 0' cookie,
one-way encrypts it one thousand times, and tells us all the 'generation 1000'
cookie, which we put into our MTA configs.  At the next tick of the clock (one
year later), the authority releases the cookie for 'generation 999', and some
of us update our configs (or Microsoft and Sendmail update their new
distributions - but NOT Windows Update?).  You can go 'X' years without
updating your configs if you want - for whatever 'X' you think most of the
Internet has chosen.

 Talking to MTAs newer than me: If my MTA is setup with cookie 'generation 950'
and an MTA connects to me offering cookie 'generation 948', then I should be
able to one-way encrypt the offered cookie twice and compare it to my cookie
and verify that they really are two generations ahead of me, and allow the
connection.  The skey trick means I don't need to know future cookies to accept
email from them.

 Talking to MTAs older than me: I don't talk to machines 'X' generations older
than me.  I have the last 'X' cookies hard coded in my configs, or I just (at
start time) one-way encrypt my current cookie a maximum of 'X' times to
generate all of the valid old cookies I'll accept.


 The idea isn't to take live humans (including spammers) out of the loop, just
the no-admin Windows/Solaris/Linux/whatever machines that haven't been patched
in 'X' years.  This year's cookie isn't a secret, just next year's and the year
after's, so an admin can't setup a box with 'generation 0' and leave it alone
for a thousand years to annoy the rest of us.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread don



I agree with getting personal mail servers registered, as far as paying 
$100 for a mail server registration (as mentioned in previous 
messages)...that's no good.  As a user with a personal mail server, it 
is bad enough to have pay for connectivity and a domain name.  Having to 
pay for the privilege of running a mail server is too much.

Robert Blayzor wrote:

What about individuals that run their own mail servers?  (E.G. me).? 



Get your mail server registered just like everyone else I suppose.  If
your address space is not registered to you directly, your ISP would
have to do this for you.  You're ISP would then handle any complaints
(if any) from the registrar and coordinate it with you directly.  I
honestly like that idea because as a network operator, I like to know
what customers are running mail servers on our network, where they are,
and who owns them.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

YOUR PC's broken and I'VE got a problem? 
 -- The BOFH Slogan

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Al Rowland



Then the question becomes, Is running your own mail server worth some
registration cost? Very similar to the I want my own special part of
the Internet (web server). Okay, pay your $70 for two years (or
whatever).

BTW, just curious, who announces your MX records?

Best regards,
_
Alan Rowland



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Larry Rosenman
Sent: Wednesday, August 21, 2002 12:39 PM
To: Derek Samford
Cc: 'Mark Segal'; 'Robert Blayzor'; [EMAIL PROTECTED]
Subject: RE: IETF SMTP Working Group Proposal at smtpng.org



What about individuals that run their own mail servers?  (E.G. me).? 



On Wed, 2002-08-21 at 14:28, Derek Samford wrote:
 
 I really like this. A sort of IRR for mail servers. Maybe when 
 registered it could even check if the server was an open relay, and 
 not allow those servers to be registered until properly configured. 
 Any thoughts?
 
 Derek
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
 Of
  Mark Segal
  Sent: Wednesday, August 21, 2002 3:12 PM
  To: 'Robert Blayzor'; [EMAIL PROTECTED]
  Subject: RE: IETF SMTP Working Group Proposal at smtpng.org
  
  
   It's almost to the point to where mail servers need their own 
   registrar, sort of the way domains are tracked now, track mail 
   servers.  Give mail server admins the option to accept mail from 
   registered mail servers only or from any mail server.  Of course 
   there would need to be a ramp up period, like six months to a 
   year, to make sure all of your mail servers are registered.  And 
   of course one should only be able to register mail servers if the 
   IP space is actually SWIP to them.  If the IP space is NOT SWIP, 
   it would need to be registered by the customer ISP or via owners 
   rwhois server.  Just my $.02; for what it's worth
  
  Really good idea (no sarcasm, I actually like it).. But what stops 
  spammers from registering their mail server?..Ie..
  1) Get a dsl account
  2) Ips get swipped to you
  3) Register the server
  4) SPAM
  5) Apologize, get a second chance
  6) get booted off
  7) Call the next ISP with a zero install
  8) Rinse and repeat.
  
  
  Regards,
  Mark
  
  --
  Mark Segal
  Director, Data Services
  Futureway Communications Inc.
  Tel: (905)326-1570
 
-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Jared Mauch

I'm not saying it's a solution for all problems
but that lets-say-for-example,

AOL probally gets a lot of mail with forged yahoo,hotmail,
btamail.net.cn or smiliar MAIL FROM:'s

Lets say AOL, hotmail, yahoo all today had a way they
could say we would like to cooperate in validating source addresses
as at least somewhat more valid than today and had a mechanisim to
do this with a patch to sendmail/qmail/postfix/zmailer.

This would allow for while a few extra commands and bytes
per smtp-transaction the ability to authenticate such data.

You could also then start keeping statistics and rate-limit
the callback mechanisim. AOL (and i'm sure others) have done so,
you want to bulk-mail aol users, sign here. Including this
ability to increase customer satisfaction is in all ISPS
interest today.

- jared

http://story.news.yahoo.com/news?tmpl=storyu=/ap/20020820/ap_wo_en_po/fea_us_spammed_war_of_attrition_1

On Wed, Aug 21, 2002 at 04:17:53PM -0400, [EMAIL PROTECTED] wrote:
On Wed, 21 Aug 2002 15:51:36 EDT, Jared Mauch said:
i do think some sort of smtp-callback would be nice/useful
for validation of e-mail addresses. it'll make it so
the bounces go to someplace at least instead of Postmaster.

The fact that you can call back in no way means that bounces won't
double-bounce into the postmaster mailbox. I'm sure that yahoo.com
would buy into a callback scheme, but it wouldn;t have done squat for
this double-bounce:

- Transcript of session follows -
... while talking to mx1.mail.yahoo.com.:
DATA
554 delivery error: dd Sorry, your message to [EMAIL PROTECTED] cannot be
delivered. This account is over quota. - mta461.mail.yahoo.com
554 5.0.0 Service unavailable

(OK, so THIS double-bounce was a W32/Klez-H generated one, but I get enough
of the same thing for spam with a Yahoo return adress).
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread James Smith

Title: RE: IETF SMTP Working Group Proposal at smtpng.org

 -Original Message-
 From: Robert Blayzor [mailto:[EMAIL PROTECTED]]
 Subject: RE: IETF SMTP Working Group Proposal at smtpng.org

  I'm not a company, I'm Joe Blow private citizen - do you 
 expect me to
  pay $100 just to sign up with AOL? 

 If you are Joe Blow private citizen, why would you need to run a mail
 server? Would you not use your ISP's, at least as a smart relay? 

Because he doesn't want to. He already provides POP3/SMTP services to me under his own domain name, and why should he change his servers to permit me to send mail as if from another domain where I do have a real mail account?

I hate the free stuff (no POP3/SMTP unless you pay), I already have my own on another domain (for which I pay), and I don't want his (because I don't want to keep changing email addresses everytime they get bought out/sold).

In short, because if I have to depend on my ISP for my convenience, it won't get done, unless it's done their way. I use it for outbound only, I pop my mail from my other provider...

James H. Smith II
Speaking for myself...

[Fwd: Re: IETF SMTP Working Group Proposal at smtpng.org]

2002-08-21 Thread don





I agree with getting personal mail servers registered, as far as paying 
$100 for a mail server registration (as mentioned in previous 
messages)...that's no good.  As a user with a personal mail server, it 
is bad enough to have pay for connectivity and a domain name.  Having to 
pay for the privilege of running a mail server is too much.

Robert Blayzor wrote:

What about individuals that run their own mail servers?  (E.G. me).? 



Get your mail server registered just like everyone else I suppose.  If
your address space is not registered to you directly, your ISP would
have to do this for you.  You're ISP would then handle any complaints
(if any) from the registrar and coordinate it with you directly.  I
honestly like that idea because as a network operator, I like to know
what customers are running mail servers on our network, where they are,
and who owns them.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

YOUR PC's broken and I'VE got a problem? 
 -- The BOFH Slogan

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Robert A. Hayden



Yea.  Good luck getting a DSL provider to swip an IP to you or to be
willing to register an IP for you.

On Wed, 21 Aug 2002, Robert Blayzor wrote:


  What about individuals that run their own mail servers?  (E.G. me).?

 Get your mail server registered just like everyone else I suppose.  If
 your address space is not registered to you directly, your ISP would
 have to do this for you.  You're ISP would then handle any complaints
 (if any) from the registrar and coordinate it with you directly.  I
 honestly like that idea because as a network operator, I like to know
 what customers are running mail servers on our network, where they are,
 and who owns them.

 --
 Robert Blayzor, BOFH
 INOC, LLC
 [EMAIL PROTECTED]

 YOUR PC's broken and I'VE got a problem?
  -- The BOFH Slogan

RE: IETF SMTP Working Group Proposal at smtpng.org



Yo Robert!

How about moving this discussion to a more appropriate list?  Nanog
is not the place to discuss spam and we are re-inventing the wheel,
badly, on nanog.

Half the spam I get is from throw away AOL, netzero, earthlink, etc.
accounts.  Spend $10 for a new ISP account, sent 10,000 emails with
MY return address which is valid and on whitelists.  Do it on a long
weekend and get 30k out before you get stopped.

If the spammers can not run their own name servers then they will just
use someone elses.  Last I checked there where over 6,000 ISPs in the
country.  Cancel them one place and they just go to another.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Wed, 21 Aug 2002, Robert Blayzor wrote:

 Treat them sort of like SSL certs now.  Charge an annual registrar fee
 per company, not per server. (Something like $100 a year)  The more they
 have to go out of their way to get their spam server online, the more
 they would be deterred to do so.  They're only going to want to change
 so many ISP's, go through SWIP and then change their legal name for the
 registrar so many times.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Petri Helenius




 Treat them sort of like SSL certs now.  Charge an annual registrar fee
 per company, not per server. (Something like $100 a year)  The more they
 have to go out of their way to get their spam server online, the more
 they would be deterred to do so.  They're only going to want to change
 so many ISP's, go through SWIP and then change their legal name for the
 registrar so many times.

Why don´t you just start using SSL certs with SMTP ? The protocol is there,
ways to get certificates are there, no need to start smoothing a square
piece
to make a new wheel.

Pete

RE: IETF SMTP Working Group Proposal at smtpng.org



 I agree with getting personal mail servers registered, as far 
 as paying 
 $100 for a mail server registration (as mentioned in previous 
 messages)...that's no good.  As a user with a personal mail 
 server, it 
 is bad enough to have pay for connectivity and a domain name. 
  Having to 
 pay for the privilege of running a mail server is too much.

Well owners of the IP space that have accounts in the registrar pay the
$100 per year, per account, not server.  So if you have a personal mail
server, but the space is not SWIP'd to you, you'd get your ISP to
authorize it.  Whether they charge you extra for it would be up to them.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

I haven't lost my mind; it's backed up on tape somewhere.

RE: IETF SMTP Working Group Proposal at smtpng.org



   but these days everyone that can negotiate a bulk-dial
 agreement with someone and run a radius server can sign up
 users and make the abuse a bit harder to track ...

Well yes and no.  Using a regisrar, people on dialups who want to run
mail servers simply cannot do it.  The IP space would be owned by the
ISP, and the ISP would have to do the mail server registrations for the
customer, or SWIP a block (on a dialup, oh boy) and let the customer do
the registration themselves.  (which would be a legal check as well as
technical check).

I guess it makes it a lot harder for those customers that setup not
online all the time mail servers, and that rely on things like ETRN.
But mail servers need static IP's, and network operators must know about
those customers that need static addresses and if there is a mail server
on the end of it.  That's a major problem now, mail servers getting
online are not tracked.
 
   i do think some sort of smtp-callback would be nice/useful
 for validation of e-mail addresses.  it'll make it so
 the bounces go to someplace at least instead of Postmaster.

I'm not disputing this at all, but I believe it would take a lot more
work to get something set, agreed upon, standardized / RFC'd, the mail
server software, etc., than it would to make a registrar type system.
Most mail servers pretty much support this already with RBL functions,
which would probably be moderately changed.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Never trust a program unless you have the source.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread batz



On Wed, 21 Aug 2002, Gary E. Miller wrote:

:Then how do you account for all the lawsuits?  MAPS would love to hear
:you say they have no legal problems.  The CA and WA legislatures that
:passed laws defineing and banning spam would love to hear you as well.

The lawsuits were against the solution providers, not against the spammers.
In the few cases where there were lawsuits against spammers, it was 
a civil suit, as there isn't an existing legislative solution that 
spans more than a few jurisdictions. 

California and Washington may seem like important jurisdictions, 
but not compared to .kr, .cn, .ru, .br, .mx, or even .ca.   

:I set up a lot of help desks, online shopping carts, etc.  White lists
:do not work in those roles.  The mail is just too all over the place
:and telling a boss that he is only losing a few orders or losing a
:few customers due to a white list is not an option.

I do IT secuirity incident response for about 60k 
people, 45k hosts, their AV gateways, IDS's and firewalls and
I can assure you, spam is a security problem. Security as
a discipline is uniquely positioned to articulate solutions  
to spam. 

Read the tmda.net site. Read the FAQ and the README files. Mail 
isn't lost, it is queued. See myprivacy.ca for an example of
how it operates. 

The system works as follows:

Sender sends message to recipient.
Recipients MTA/MUA checks to see if they are a registered recipient.
If yes, mail is delivered.
If no, mail is queued, and a confirmation asking if they they are a 
legitimate corespondant is sent to the sender. 
The sender responds with the confirmation ticket, and is whitelisted. 
Queued mail is delivered. 

Now, the confirmation message will also include a policy stating
that UCE, solicitations and all the other crap that people associate
with spam are not to be sent to this address and by returning
this message you accept this policy.

It doesn't matter if even if someone comes up with a way to 
autorespond to this message, as if they violate the recipients
policy, they are commiting unauthorized access, theft of 
services etc.. 

What TMDA-like systems do is escalate a problem that engineering
and regular expressions do not have the adequate breadth 
to comprehensively express, and into a question of policy, where 
the conceptual and legal tools already exist. 

What this doesn't cover is everything that AV gateway filters do, 
but that's another story. 

:Policies do not define crimes, Common Law and Written Law do.

There is a reason why there have to be notices that unauthorized 
access to systems is prohibited in /etc/motd in any government 
system you access. It is so that there is no legal ambiguity 
when someone gets caught hacking and the case shows up in court. 

Ask any CISA, CISSP, computer forensics specialist, or 
anyone else who deals professionaly in information security, 
and they will tell you, that if you don't have a policy, you 
will have trouble convincing anyone a crime has been committed. 





--
batz

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Randy Bush



 If you are Joe Blow private citizen, why would you need to run a mail
 server?

the internet is a peer network.  this is not pay to be screwed.

randy

RE: IETF SMTP Working Group Proposal at smtpng.org



 Actually, it's swip'ed to me (I work for said ISP), but I also run a
 SMTP server on my laptop which bounces usually between two addresses
 (one at home, one at work), and I suppose that the work address (NOT
 swip'ed) would have a problem under this proposal. 

No, it's not a problem.  Your ISP is registered with the registrar.
They can simply list your IP you've been assigned as a valid mail
server.  They then accept responsibility for your mail server
registration.

 I DO understand the reasoning, but it is a **BIG** culture change, and
 would take a year or two or more to implement network wide. 

That I would agree.  No disputing that.  But at the same time, everyone
agrees that SOMETHING needs to be done.  Regardless of what is done, it
will be a big change.

 I think $100/year is STEEP, if it is PER SERVER, but per
 COMPANY/INDIVIDUAL it **might** be acceptable. 

No, per company.  Not per server.  Per server would be a bit extreme.
Especially for those that have dozens of legit mail servers.  As a
service provider you pay $100 a year for your account, in which you can
manage adding and removing mail server IP addresses from the list.  But
only IP's that are in your SWIP'd space.

 Ideas given this? 

Above.  Thanks for your input.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Your mouse has moved. Windows NT must be restarted for the change to
take effect. Reboot now? [ OK ]

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Robert A. Hayden



I know the DSL provider doesn't for the /29 serving my mail server.  It's
under the general announcement for the ISP.  I can't even get them to
personalize reverse DNS without knowing someone that runs the DNS servers.

On 21 Aug 2002, Larry Rosenman wrote:

 On Wed, 2002-08-21 at 15:25, Robert A. Hayden wrote:
  Yea.  Good luck getting a DSL provider to swip an IP to you or to be
  willing to register an IP for you.
 If you have a /29 or shorter they **HAVE** to swip it.  Else they can't
 get numbers from ARIN.

 So, that point is moot.

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread william



Your quite wrong. With email we do in fact know phone for the calling 
party - its their FROM address and for callback we can specify if we trust 
or do not trust the other party to provide some different domain, so they 
may not be given a change to specify where to callback to. As example If 
they are trying to send email from [EMAIL PROTECTED] the callback would
have to go to somedomain.com mail server and the callback must use the 
authorization code given during initial mail call. The callback can also be
authenticated with TLS giving even more security that somedomain.com is a 
real operation. This will prevent 99% of spammers just there.

And as pointed an NANOG and other places other ways to verify that server 
is ok can also be used such as having whitelist for mailservers, using 
AUTH, etc. What is missing is glue in the protocol to allow servers to 
decide on level of trust as well as actual definitions for all these 
verification mechanisms.

 On Wed, 21 Aug 2002 15:55:41 EDT, Jared Mauch said:
 
  There is an important need to perform callback but allow for
  the ability to protect information from possible spammers for
  harvesting/verificiation.
  
  eg:
  
  220 welcome, but no spam
  ehlo spammer
  250-callback-secure
  250 help
  mail from:[EMAIL PROTECTED] callback=spammer.example.com
  250 ok
  rcpt to:[EMAIL PROTECTED]
  451 try again, pending callback
 
 OK.. So now *you* have to callback and pick up the spammer's mail.
 
 What did that gain you?
 
  there's also the need to do some sort of pki to allow
  callback to be secure.  eg: the dns record for nether.net should have
  some public-key in it and then some other stuff like possibly
 
 Much easier would be to use the existing STARTLS stuff and use the cert
 presented to decide if you want to accept the mail.  
 
  mail from:[EMAIL PROTECTED] callback=validate.hotmail.com;key=alkjsdfj   
  then pass the 'key' through the public-key availble via dns to
  provide back an authentication system to allow for more secure
  callback.
 
 Note that the concept of a callback doesn't mean the same things on an
 IP network as it did on a POTS network.  Not that callback on the POTS
 network was ever as secure as people thought, anyhow...
 
  but this can still be abused depending...
 



 
 The only callback systems that ever came anywhere near working on the POTS
 network were ones that you told the callback this is Fred. Call me back at
 the home number you've been configured with, and it called you at Fred's
 previously-configured phone number.  Having it say 'This is Fred, call me
 back at 127.0.4.5' doesnt do anything for security if you're just going to
 call 127.0.4.5.

RE: IETF SMTP Working Group Proposal at smtpng.org



Yo Robert!

On Wed, 21 Aug 2002, Robert Blayzor wrote:

 But mail servers need static IP's, and network operators must know about
 those customers that need static addresses and if there is a mail server
 on the end of it.

Uh, no.  I have seen spammers use dynamic DNS to use throw away
dial-ups accounts for incoming main service.

How about moving this to an approriate forum where people really know
spam and mail?  Nanog is for moving packets.  Nanog does not usually
care what is in the packet unless it is a routing protocol.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Peter E. Fry



Larry Rosenman wrote:
[...]
 I think $100/year is STEEP, if it is PER SERVER, but per
 COMPANY/INDIVIDUAL it **might** be acceptable.
 
 (I have 3 boxes + the laptop that do SMTP regularly).
 
 Ideas given this?

  Relay through your upstream (hierarchical approach)?  i.e. Register
your server(s) with your provider, who is presumably trusted (registered
with the global system).
  A bit of an aside: I recall ATT Canada blocked all SMTP from exiting
their network (excepting their own servers, of course) a few years back
in response to a large spam.  I don't know the details -- this is from a
response to a complaint I filed.  Interesting idea, though -- you then
catch 'em when they attempt to relay through your server.  And as far as
that goes, I've seen a system that worked quite well...  Larry might be
familiar with it, as it was his.

Peter E. Fry

RE: IETF SMTP Working Group Proposal at smtpng.org



At 11:50 AM -0400 2002/08/21, Robert Blayzor wrote:

  Well yes, it could be done with certificates, but it can also be done
  via some type of root server system like DNS uses.  A database
  distributed among many root servers from the registrars is proven.

Look.  The DNS is seriously screwed-up enough as it is.  Let's 
not take a bad model and replicate it elsewhere.

  Tracking valid servers seems much easier to track rather than
  blacklisting IP's that are not mail servers at all or are abusive
  servers.

Sure.  Only accept e-mail from white-listed servers.  You don't 
need a complex system to manage that.

IMHO I don't think it would be that horrible of an idea with
  the right amount of notification and education to state something such
  as register your mail servers by this date or risk service
  interruption.

Sure.  Are you willing to be the first?

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

RE: IETF SMTP Working Group Proposal at smtpng.org



At 3:50 PM -0400 2002/08/21, Robert Blayzor wrote:

  Get your mail server registered just like everyone else I suppose.  If
  your address space is not registered to you directly, your ISP would
  have to do this for you.

When you're willing to do this for your own personal private mail 
server, and you're willing to lose e-mail until you get your mail 
server on all known whitelists in existence, I might reconsider.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

Re: IETF SMTP Working Group Proposal at smtpng.org



At 4:25 PM -0400 2002/08/21, Jared Mauch wrote:

   Lets say AOL, hotmail, yahoo all today had a way they
  could say we would like to cooperate in validating source addresses
  as at least somewhat more valid than today and had a mechanisim to
  do this with a patch to sendmail/qmail/postfix/zmailer.

Doesn't help.  AOL uses a proprietary MTA that they have 
developed in-house, which would need to be modified.  Of course, 
you'd also need to modify all the other standard MTAs, too.  And 
don't forget about all those Microsoft and Lotus Notes gateways out 
there.

   You could also then start keeping statistics and rate-limit
  the callback mechanisim.  AOL (and i'm sure others) have done so,
  you want to bulk-mail aol users, sign here.  Including this
  ability to increase customer satisfaction is in all ISPS
  interest today.

AOL uses all sorts of mechanisms to try to detect and eliminate 
spam, but I wouldn't want to go into too much detail here.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

RE: IETF SMTP Working Group Proposal at smtpng.org



 Uh, no.  I have seen spammers use dynamic DNS to use throw 
 away dial-ups accounts for incoming main service.

Right, but to run a real mail server you need a static address.  Which
can be registered as a valid mail server.  Dynamic IP's cannot.

 How about moving this to an approriate forum where people 
 really know spam and mail?  Nanog is for moving packets.  
 Nanog does not usually care what is in the packet unless it 
 is a routing protocol.

The NANOG mailing list is established to provide a forum for the
exchange of technical information and the discussion of specific
implementation issues that require cooperation among network service
providers. In order to continue to provide a useful forum for discussion
of relevant technical issues, the list is governed by the following
guidelines:  

...

Doesn't mention anything about Nanog is for moving packets.  An
anti-spam/security discussion seems perfectly acceptable to me.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

RE: IETF SMTP Working Group Proposal at smtpng.org

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Gary E. Miller
 Sent: August 21, 2002 5:57 PM
 To: Robert Blayzor
 Cc: [EMAIL PROTECTED]
 Subject: RE: IETF SMTP Working Group Proposal at smtpng.org

 Uh, no.  I have seen spammers use dynamic DNS to use throw 
 away dial-ups accounts for incoming main service.

Well, that's nice... until their dynamic DNS gets promptly killed (if
they got it from us or someone responsible - I can't speak for everyone
in this industry), at which point they're back at square one with all
their email gone.

A lot of people seem to think that dynamic DNS services are a way to
cover up abuse (eg: spam, warez, etc); they're not, as a decent amount
of spammers have found out the hard way. 

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

RE: IETF SMTP Working Group Proposal at smtpng.org



 Half the spam I get is from throw away AOL, netzero, 
 earthlink, etc. accounts.  Spend $10 for a new ISP account, 
 sent 10,000 emails with MY return address which is valid and 
 on whitelists.  Do it on a long weekend and get 30k out 
 before you get stopped.

Of course my typical answer here is those ISP's need to be
responsible.  Quite honestly the simple fix is to firewall all outbound
port 25 connections from non-static IP assignments, and force them to
use specific SMTP servers.  It's possible then to have mail servers
detect incoming spam from customers through their mail server farms by
counting a number of messages in a given period of time, then take
action.  These throw away accounts you claim are usually simple
residential products in which 99% of all customers don't send over 1000
messages within ten minutes. (example)

I'm just throwing out ideas on trying to deal with the problem.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

RE: IETF SMTP Working Group Proposal at smtpng.org



Yo Robert!

On Wed, 21 Aug 2002, Robert Blayzor wrote:

  Uh, no.  I have seen spammers use dynamic DNS to use throw
  away dial-ups accounts for incoming main service.

 Right, but to run a real mail server you need a static address.  Which
 can be registered as a valid mail server.  Dynamic IP's cannot.

Read what I wrote again.  Do not say it is not possible, I see it
every day.

These people, and others will be happy to help you set it up:
http://www.no-ip.com

 Do you own a domain name? Run your own web, mail, ftp, or any server
connected your cable, dsl, or dialup connection using your personal
domain name.

Do some googling before posting nonsense...

 Doesn't mention anything about Nanog is for moving packets.  An
 anti-spam/security discussion seems perfectly acceptable to me.

From the proposed nanog FAQ:


Off-Topic Questions
1. Spam
2. Local DNS
[...]

So take this topic to somewhere it belongs.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

RE: IETF SMTP Working Group Proposal at smtpng.org



   Look.  The DNS is seriously screwed-up enough as it is.  Let's 
 not take a bad model and replicate it elsewhere.

I'm not saying use DNS specifically, but using something DNS like.
Whether it be a database of public keys or certs really doesn't make a
difference at this level.

   Sure.  Are you willing to be the first?

If it came down to the wire and something like this were implemented,
and enforced, then yes, I'd be the first in line.  If the software, the
system and the means are available, I'd make sure we were registered
before the system went live.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

Re: IETF SMTP Working Group Proposal at smtpng.org



At 5:42 PM -0500 2002/08/21, Peter E. Fry wrote:

(Checking... OK, whew -- it doesn't appear to be me...)  Get a real
  provider.

That's easier said than done, especially for DSL and cablemodem 
customers, who most likely have no other choice.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

Re: IETF SMTP Working Group Proposal at smtpng.org



At 5:35 PM -0500 2002/08/21, Peter E. Fry wrote:

Relay through your upstream (hierarchical approach)?  i.e. Register
  your server(s) with your provider, who is presumably trusted (registered
  with the global system).

This is the approach I recommend, and have recommended for years.

A bit of an aside: I recall ATT Canada blocked all SMTP from exiting
  their network (excepting their own servers, of course) a few years back
  in response to a large spam.

AOL does the same.  They have a transparent SMTP proxy for all 
outgoing connections.  They've also explicitly asked to have this 
machine added to certain blacklists, so that people who don't want to 
receive what is almost certainly going to be spam can choose to do so.

If you want to send real e-mail using AOL, then use the mail 
client provided by AOL.  It's that simple.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

Re: IETF SMTP Working Group Proposal at smtpng.org



At 2:15 PM -0700 2002/08/21, [EMAIL PROTECTED] wrote:

  Your quite wrong. With email we do in fact know phone for the calling
  party - its their FROM address and for callback we can specify if we trust
  or do not trust the other party to provide some different domain, so they
  may not be given a change to specify where to callback to. As example If
  they are trying to send email from [EMAIL PROTECTED] the callback would
  have to go to somedomain.com mail server and the callback must use the
  authorization code given during initial mail call. The callback can also be
  authenticated with TLS giving even more security that somedomain.com is a
  real operation. This will prevent 99% of spammers just there.

It's bad enough waiting for DNS responses so that you can 
determine whether or not the envelope sender domain even exists.  Now 
you want to slow down every single e-mail transaction by many, many, 
many orders of magnitude so that you can do a callback on each and 
every connection?!?

Man, wanna talk about ideas that would bring all e-mail to a 
complete stop across the entire Internet?  Imagine what it would be 
like if AOL did this, so that it could take five, ten, or even 
fifteen minutes just to get one callback on one message, if the 
remote server was slow enough.  Now, if you start up a sendmail queue 
runner every sixty minutes, you only need a very small number of 
messages in your queue before you start stacking up more and more and 
more sendmail processes, until such time as you run out of memory, 
your mail server crashes, and you might potentially lose all your 
queued e-mail.


Jeezus.  Do you have to be the one guy who got blamed for 
shutting down all e-mail across the entire Internet on Black 
Tuesday, just to see the flaws in this plan?!?

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

RE: IETF SMTP Working Group Proposal at smtpng.org



At 7:23 PM -0400 2002/08/21, Robert Blayzor wrote:

  Sure.  Are you willing to be the first?

  If it came down to the wire and something like this were implemented,
  and enforced, then yes, I'd be the first in line.  If the software, the
  system and the means are available, I'd make sure we were registered
  before the system went live.

Right.  How are you going to enforce *anything* on the Internet? 
Every single RFC in existence is optional, at best.  Every single 
black list is certainly optional.  And until you can control the 
entire Internet and operate the mail servers for everyone in the 
world, there's no way in hell that you're going to get everyone to 
subscribe to the same white list.

Sorry, guy.  Ain't gonna happen.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

RE: IETF SMTP Working Group Proposal at smtpng.org



 Read what I wrote again.  Do not say it is not possible, I 
 see it every day.
 
 These people, and others will be happy to help you set it up:
   http://www.no-ip.com
 
  Do you own a domain name? Run your own web, mail, ftp, or 
 any server connected your cable, dsl, or dialup connection 
 using your personal domain name.
 
 Do some googling before posting nonsense...

I read what you wrote, but I'm trying to understand how dynamic DNS has
anything to do with sending spam.  Dynamic DNS only does forward DNS
for a host IP assignment.  If AOL issues an IP to a dialup customer,
it's still an AOL address with AOL access restrictions, AOL reverse DNS,
etc.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

RE: IETF SMTP Working Group Proposal at smtpng.org



   Sure they can.  For sending e-mail, all you need is an IP 
 address.  It would help if the reverse DNS is set up correctly, and 
 that you claim this same name in the SMTP dialog, but this isn't 
 required.

Yes, I know they can today.  My point is that with a registrar based
system, they cannot, because they cannot be registered as valid mail
servers.

   For receiving mail, all you need is a domain name, which has a 
 set of advertised MXes.  Those MXes could point to mail servers 
 operated by friends of yours who might use UUCP, or some private 
 routing method to send your mail to whatever your current IP address 
 is.  Those MXes could even point to your own host/domain names, and 
 the mail would be deferred until such time as you re-connect with 
 your dynamic DNS provider and update the IP addresses for these names.

Correct, but MX's (mail servers) have static assignments, unless you
change DNS every time.  Running MX's on dynamic IP's to receive mail
would be quite silly.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

RE: IETF SMTP Working Group Proposal at smtpng.org



At 7:13 PM -0400 2002/08/21, Robert Blayzor wrote:

  Right, but to run a real mail server you need a static address.  Which
  can be registered as a valid mail server.  Dynamic IP's cannot.

Sure they can.  For sending e-mail, all you need is an IP 
address.  It would help if the reverse DNS is set up correctly, and 
that you claim this same name in the SMTP dialog, but this isn't 
required.

For receiving mail, all you need is a domain name, which has a 
set of advertised MXes.  Those MXes could point to mail servers 
operated by friends of yours who might use UUCP, or some private 
routing method to send your mail to whatever your current IP address 
is.  Those MXes could even point to your own host/domain names, and 
the mail would be deferred until such time as you re-connect with 
your dynamic DNS provider and update the IP addresses for these names.

Works just fine.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)

RE: IETF SMTP Working Group Proposal at smtpng.org

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Robert Blayzor
 Sent: August 21, 2002 7:14 PM
 To: 'Gary E. Miller'
 Cc: [EMAIL PROTECTED]
 Subject: RE: IETF SMTP Working Group Proposal at smtpng.org

  Uh, no.  I have seen spammers use dynamic DNS to use throw
  away dial-ups accounts for incoming main service.

 Right, but to run a real mail server you need a static 
 address.  Which can be registered as a valid mail server.  
 Dynamic IP's cannot.

Dynamic/static IPs, though, is a distinction that's much harder to make
these days (ahhh, how I miss the days of dialup... NOT). There are
plenty of people (myself included) who have cable/DSL connections at
home with IPs that change every 6 months or a year. Similarly, people
whose organizations can't justify the /20 from ARIN will have to
renumber their servers every time they change ISPs (how many
WorldCom/KPN Qwest/etc single-homed customers have switched or will
switch?) or outgrow the ridiculously puny allocation they were able to
justify from their upstream will have to change their static IPs. Oh,
and what about a DHCP setup that's set to allocate the same IP to a
certain MAC address? Is that static or dynamic? 

As for registration, well, let's try to avoid a mess like that created
by the mandatory glue record creation process involved in name server
registration, shall we? With the name server registration, you end up
having all kinds of unnecessary glue records floating around which
either a) drive someone crazy when they move their domain around, or b)
cause random people out there to end up having DNS queries showing up at
machines that aren't DNS servers (anyone care to guess how someone with
a personal firewall would react when they see the queies on port
53/udp?). Same thing with SWIP delegations and the like; sadly, there
are still all kinds of incorrect old information floating around in
these databases, and I'd rather not rely on some three year old
registration in deciding whether to trust some machine.

I admit that something non-IP-specific, like SSL certificates, to me
seem like a much more flexible long-term solution. Plus that way when
you renumber your mail server, you wouldn't need to reregister the new
IP, etc.

That said, I (and our several tens of thousands of users running their
own mail servers) would like to know how you define a real mail
server. Is a real mail server a server that you've arbitrarily
decided needs a static IP? Is a real mail server a closed relay (if
so, someone on this list may feel insulted that his deliberately open
relay isn't real by your standards)? Is your real mail server
something operated by an organization with more than 200 accounts (in
which case, you're telling me that my mail server with 25 or so accounts
sitting in an Exodus colo with a perfectly static IP is not real?)? Etc.

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread william



1. I want to create specification that would allow server operators 
themselve to decide what kind of verification they want, if you do not 
like callback, do not implement it.
2. Most estimate that up to 50% of mail system resources are used for 
processing unwanted email, viruses, etc. The amount of processing time due 
to new specification will be smaller then what has been gained from not 
having to deal with unwanted emails as much.
3. The processing is server cpu resource, while sending email is bandwidth 
used. I'll give up some more cpu resources to decrease used bandwidth. 
4. For last years cpu speed  hardware have been increasing at 2x per 2 
years and are more and more powerfull. Even if the initiative goes 
through fairly fast (I projected2 years, that is already too optimistic), 
it'll be another 4 years at least before its used, by that time servers 
would be 8 times faster!

 At 2:15 PM -0700 2002/08/21, [EMAIL PROTECTED] wrote:  
   Your quite wrong. With email we do in fact know phone for the calling
   party - its their FROM address and for callback we can specify if we trust
   or do not trust the other party to provide some different domain, so they
   may not be given a change to specify where to callback to. As example If
   they are trying to send email from [EMAIL PROTECTED] the callback would
   have to go to somedomain.com mail server and the callback must use the
   authorization code given during initial mail call. The callback can also be
   authenticated with TLS giving even more security that somedomain.com is a
   real operation. This will prevent 99% of spammers just there.
 
   It's bad enough waiting for DNS responses so that you can 
 determine whether or not the envelope sender domain even exists.  Now 
 you want to slow down every single e-mail transaction by many, many, 
 many orders of magnitude so that you can do a callback on each and 
 every connection?!?
 
   Man, wanna talk about ideas that would bring all e-mail to a 
 complete stop across the entire Internet?  Imagine what it would be 
 like if AOL did this, so that it could take five, ten, or even 
 fifteen minutes just to get one callback on one message, if the 
 remote server was slow enough.  Now, if you start up a sendmail queue 
 runner every sixty minutes, you only need a very small number of 
 messages in your queue before you start stacking up more and more and 
 more sendmail processes, until such time as you run out of memory, 
 your mail server crashes, and you might potentially lose all your 
 queued e-mail.
 
 
   Jeezus.  Do you have to be the one guy who got blamed for 
 shutting down all e-mail across the entire Internet on Black 
 Tuesday, just to see the flaws in this plan?!?

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Dave Israel




Wow.  I turned my back on this thread to move to my new office,
and it got interesting.

The answer to your quesiton is, the cert itself can do this, if it
includes a unique/semi-unique identifier, such as an SSN, a name and
address, etc.  Many governments give their people some unique
identifier.  You sign up for my service and say you wanna send mail, I
say, Sure!  Lemmie just check your ID against the revocation list...

-Dave


On 8/21/2002 at 15:11:59 -0400, Mark Segal said:
 
  It's almost to the point to where mail servers need their own 
  registrar, sort of the way domains are tracked now, track 
  mail servers.  Give mail server admins the option to accept 
  mail from registered mail servers only or from any mail 
  server.  Of course there would need to be a ramp up period, 
  like six months to a year, to make sure all of your mail 
  servers are registered.  And of course one should only be 
  able to register mail servers if the IP space is actually 
  SWIP to them.  If the IP space is NOT SWIP, it would need to 
  be registered by the customer ISP or via owners rwhois 
  server.  Just my $.02; for what it's worth 
 
 Really good idea (no sarcasm, I actually like it).. But what stops spammers
 from registering their mail server?..Ie..
   1) Get a dsl account
   2) Ips get swipped to you
   3) Register the server
   4) SPAM 
   5) Apologize, get a second chance
   6) get booted off
   7) Call the next ISP with a zero install
   8) Rinse and repeat.
 
 
 Regards,
 Mark
 
 --
 Mark Segal
 Director, Data Services
 Futureway Communications Inc.
 Tel: (905)326-1570

-- 
Dave Israel
Senior Manager, DNE SE

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread J.A. Terranson





On Wed, 21 Aug 2002 [EMAIL PROTECTED] wrote:


 1. I want to create specification that would allow server operators
 themselve to decide what kind of verification they want, if you do not
 like callback, do not implement it.

Ultimately, only the system that is flexible in this regards will
succeed as a viable solution.


 3. The processing is server cpu resource, while sending email is bandwidth
 used. I'll give up some more cpu resources to decrease used bandwidth.

The trick (and I steal this openly and completely from a recent
thread on Cypherpunks) is make mail delivery computationally difficult
- for the sender.  This of course assumes that we are throwing out the
fools gold of Hashcash itself.

Presenting a computationally difficult problem to a connecting MTA
moves the requirement for the CPU power to the sender while keeping
the recipient site unfettered.  Let's face it, the spam problem is
merely one of cost shifting from sender to reciever, and this
proposal shifts the load back.  Any site that wishes to maintain
the current system of email subsidies to the sender domain need
only provide a computationally simple token.


 4. For last years cpu speed  hardware have been increasing at 2x per 2
 years and are more and more powerfull. Even if the initiative goes
 through fairly fast (I projected2 years, that is already too optimistic),
 it'll be another 4 years at least before its used, by that time servers
 would be 8 times faster!


Yet, all of this would not help the spam originating sites at all
because of the sheer volume of mail they must send in order to turn a
profit.


Yours,

J.A. Terranson

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Dave Israel




The problem with SSL is it doesn't include certificate chain to
arbitrary authorities.  However, there's a space for web of trust in
SSL, I believe, so yeah, a new verison of SSL might be just the ticket.

On 8/22/2002 at 00:02:24 +0300, Petri Helenius said:
 
 
  Treat them sort of like SSL certs now.  Charge an annual registrar fee
  per company, not per server. (Something like $100 a year)  The more they
  have to go out of their way to get their spam server online, the more
  they would be deterred to do so.  They're only going to want to change
  so many ISP's, go through SWIP and then change their legal name for the
  registrar so many times.
 
 Why don´t you just start using SSL certs with SMTP ? The protocol is there,
 ways to get certificates are there, no need to start smoothing a square
 piece
 to make a new wheel.
 
 Pete

RE: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread J.A. Terranson




 On 8/21/2002 at 15:11:59 -0400, Mark Segal said:
 
   It's almost to the point to where mail servers need their own
   registrar, sort of the way domains are tracked now, track
   mail servers.  Give mail server admins the option to accept
   mail from registered mail servers only or from any mail
   server.  Of course there would need to be a ramp up period,
   like six months to a year, to make sure all of your mail
   servers are registered.  And of course one should only be
   able to register mail servers if the IP space is actually
   SWIP to them.

And of course, Netsol should be the only registrar for the first 75
years, not counting their first extension...

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread William Rockwood




All very interesting discussion, but discussing it here on NANOG is
probably about the worst idea ever -- No offense intended, I'm sure
you had only good intentions.  I will now go on to continue the
discussion. grin

As a sysadmin at a large ISP which provides DSL and dial (and hosting,
colo, bla bla bla) I have to admit that I am very interested in seeing
something like this happen (registration of mail servers, trustdb, 
anything...) as I've had a few similar thoughts in the past, but figured
that something with such a global impact would be utterly unfeaseable
(and likely is, but still it is fun to dream.)

Spam definitely impacts services from time to time, even on the most
robust servers I have.  I catch customers spamming frequently (and of
course follow through with my abuse team and suspend their account and
kick them offline and clean their crap out of my queues, etc etc..) but
the absolute worst is all the open proxies being used (not 3rd party
mail relays, but hosts which are in fact not even mail servers at all,
merely running an insecure proxy (socks, squid, analogx, etc..))

Anyhow, I don't want to go too far off topic, or rant about spam, or
any of the other impolitic things folks do on this list, but I figured
I'd let you all know that there's a sysadmin at a DSL provider who 
cares enough to show interest in this concept. :-)  I'd have no issue
with working on a system to allow customers to run their own mail
servers.  Then again, I'm not an engineer, or in marketing, or any
of the other decision-making groups, so that'd be my opinion only I'm
talking about there.



(note: I rarely have time to read this list, it was pure accident that
I switched to this mailbox and saw this thread, so if you wish to reply
to me, please include me in the cc:--Thanks:)

/wjr


On Wed, Aug 21, 2002 at 03:25:50PM -0500, Robert A. Hayden wrote:
 
 Yea.  Good luck getting a DSL provider to swip an IP to you or to be
 willing to register an IP for you.
 
 On Wed, 21 Aug 2002, Robert Blayzor wrote:
 
 
   What about individuals that run their own mail servers?  (E.G. me).?
 
  Get your mail server registered just like everyone else I suppose.  If
  your address space is not registered to you directly, your ISP would
  have to do this for you.  You're ISP would then handle any complaints
  (if any) from the registrar and coordinate it with you directly.  I
  honestly like that idea because as a network operator, I like to know
  what customers are running mail servers on our network, where they are,
  and who owns them.
 
  --
  Robert Blayzor, BOFH
  INOC, LLC
  [EMAIL PROTECTED]
 
  YOUR PC's broken and I'VE got a problem?
   -- The BOFH Slogan
 
 
 
 

-- 
  +--+
  | William Rockwood | Sr. System Administrator
  | [EMAIL PROTECTED]| XO Communications,  Chicago DCO
  +--+

RE: IETF SMTP Working Group Proposal at smtpng.org



 The problem with SSL is it doesn't include certificate chain 
 to arbitrary authorities.  However, there's a space for web 
 of trust in SSL, I believe, so yeah, a new verison of SSL 
 might be just the ticket.

Lets not forget that you need an SSL cert for every server with a
different host name, and you need to go through companies like Verisign
to get them.  (yes, there are lesser evils I know).  But using SSL certs
could be more expensive then just registering your company, netblock or
whatever with a management account.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

Re: [Fwd: Re: IETF SMTP Working Group Proposal at smtpng.org]

2002-08-21 Thread Paul Vixie



 I agree with getting personal mail servers registered, as far as paying 
 $100 for a mail server registration (as mentioned in previous 
 messages)...that's no good.  As a user with a personal mail server, it 
 is bad enough to have pay for connectivity and a domain name.  Having to 
 pay for the privilege of running a mail server is too much.

e-mail isn't free.  in my own experience, i can pay a high price by just
hitting delete a couple hundred times a day, or a medium price by turning
on all kinds of anti-spam features in my MTA and sending complaints out
to network owners on whatever sneaks through the blockade, or a low price
by only accepting e-mail from people who have paid to register their
servers with some certifier whom i am willing to trust.

we'll be seeing this kind of require signed-by-trusted certificates before
permitting use logic in the personal certificate field soon.  why not do
it at the mail server level, where there are fewer certificates and more
total lifetime value per signature?

the secret is in correctly answering the question who gets the money.  i
would love to see a bona fide nonprofit use this as a fundraising method.
(any organized religion's church comes to mind here as an ideal candidate.)

server-level openpgp is also an option, and would more closely reflect the
social realities: (1) introducers i'm willing to trust may not be at the top
of any virtual certification hierarchy other than my own; and (2) there's
no compelling technical reason to keep the number of ultimately trusted keys
small.  (verisign/thawte may feel that there are compelling business reasons,
however.)
-- 
Paul Vixie

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Paul Vixie



 Lets not forget that you need an SSL cert for every server with a
 different host name, and you need to go through companies like Verisign
 to get them.  (yes, there are lesser evils I know).  But using SSL certs
 could be more expensive then just registering your company, netblock or
 whatever with a management account.

i won't glock up this already busy list with a full copy of the proposal,
but before y'all go off and invent something, here's some prior art that's
been resoundingly pooh-pooh'd by the smtp community.

http://www.vix.com/~vixie/mailfrom.txt

   Abstract

  At the time of this writing, more than half of all e-mail received by
  the author has a forged return address, due to the total absence of
  address authentication in SMTP (see [RFC2821]).  We present a simple
  and backward compatible method whereby cooperating e-mail senders and
  receivers can detect forged source/return addresses in e-mail.

-- 
Paul Vixie

RE: IETF SMTP Working Group Proposal at smtpng.org

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Robert Blayzor
 Sent: August 21, 2002 7:39 PM
 To: 'Brad Knowles'
 Cc: [EMAIL PROTECTED]
 Subject: RE: IETF SMTP Working Group Proposal at smtpng.org

 Correct, but MX's (mail servers) have static assignments, 
 unless you change DNS every time.  Running MX's on dynamic 
 IP's to receive mail would be quite silly.

Then perhaps you'd like to tell me how we have tens of thousands of
users quite happily doing it?

True, I wouldn't run Hotmail/AOL/EarthLink/etc's MXes off dynamic IPs,
but for a home/small biz mail server...

Oh, and one last thing, when you specify an MX (statically, as you say),
you don't put in the IP but rather a name created with A record, so what
prevents that A record from being a low-TTL dynamic DNS A record?

Vivien
-- 
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

RE: IETF SMTP Working Group Proposal at smtpng.org



 Then perhaps you'd like to tell me how we have tens of 
 thousands of users quite happily doing it?
 
 True, I wouldn't run Hotmail/AOL/EarthLink/etc's MXes off 
 dynamic IPs, but for a home/small biz mail server...
 
 Oh, and one last thing, when you specify an MX (statically, 
 as you say), you don't put in the IP but rather a name 
 created with A record, so what prevents that A record from 
 being a low-TTL dynamic DNS A record?

Running a mail server off a dynamically assigned dialup *CAN* work, but
it really isn't the thing to do even if you put in a low TTL on the A
record.  Sure it works.  But what about all the messages that will
requeue on remote mail servers and depending on the remote queueing
strategy of the remote mail server, it can take hours before mail could
be re-attempted for delivery.  A dynamically assigned MX box isn't
really the best thing to do.  If you want to do that then you should at
least have a lower preference backup MX that is on 24/7 that will accept
mail on your behalf, and when your server dynamic SMTP server comes
online it can simply do an ETRN to requeue the mail on the backup MX.  

Having one MX on a dynamic DNS mail server is just rude to remote mail
servers that try to deliver mail.  Why should my servers consume more
resources to benefit your customers?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.

RE: IETF SMTP Working Group Proposal at smtpng.org