On 11/2/09 4:45 AM, Eliot Lear wrote: > On 11/2/09 12:20 PM, Ian Eiloart wrote: >> --On 30 October 2009 19:52:54 +0100 Eliot Lear<[email protected]> wrote: >> >>> I can't say, but I do know that many of us toss a whole lot of mail at >>> EHLO, some at MAIL FROM:<> and some at DATA. The idea I was thinking >>> about was whether it provides any value whatsoever to at least know that >>> you are authentically dealing with a legitimate source sooner, without >>> having to send even a whole header. >> >> Yes it would help, but probably not more than an SPF pass would help. >> What do you get from that? Well, you can check the reputation of the >> MAIL FROM address. > > Well now we're quibbling about how to check the MAIL FROM address. I'm > still interested in an end-to-end approach. SPF doesn't give you > end-to-end. A legitimate intermediate could have been compromised, for > instance. MAIL FROM *does* change for mailing lists, of course, but > then they should re-sign anyway. Of course, I'm still not sure this is > worth the effort to fix because SPF could be Just Good Enough for the > 1st pass, and then DKIM can be used on the body. Same argument seems to > apply to STARTTLS, although I would imagine that the latter has more of > a hit on the CPU.
Agreed. SPF is not end-to-end. IMHO, hostname assessments should occur independently, where post processing of logs is used to create a history for every hostname received. A hostname IP address tuple should be tracked upon receipt of valid messages (such as DKIM) from trusted domains. When pruned to trusted domains, the data is kept rather small. It would be beneficial to have a simple scheme with low overhead that allowed the extension of a trusted domain list, where one domain signifies trust in another domain. Gaming of the system would need to be monitored and reported, of course. This approach would enable rejection of abusive email early within the exchange without any modification to SMTP or DKIM, which would also help those with smaller networks. By employing aggressive, and perhaps longish term rate limiting, this approach can be effective against bot-net generated traffic and against providers who setup junk outbound servers to avoiding being the entity rejecting traffic, and thereby avoid some of the related support calls. An extensive trust list together with SMTP hostname assessment can provide better information than that from IP address reputation alone, and provide a way forward for IPv6. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
