Douglas Otis wrote: > The benefits from grey-listing are fading,
I dispute that. Our statistics show that greylisting has remained very effective. For example, login demo/demo at the following URL: http://www.roaringpenguin.com/canit/statistics.php?pe=1&r=daily-greylisting&domain=&cur_stream_only=0&num_days=30 > while bulk emailers have become more aggressive in their retries. That's probably true, but not much of a bother. > I agree. The TBR Extension should satisfy the desires of bulk emailers, > while also providing an absolutely essential mechanism needed to protect > exhaustive content filtering, the Temp error. TBR is not needed. You can write an SMTP server that accepts the message and then just sits on it for any desired amount of time. It can then do whatever reputation-checking it wants to decide whether or not to deliver the mail. > The TBR extension can: > 1) without burdening the receiver No, the receiver has to add support for TBR. > a- provide a valid identity of origination No, how so? Anyone can register domains and set up DNS. That proves nothing. > b- eliminate back-scatter Maybe. > 2) conserve limited content assessment resources At some point, you've got to decide on all your mail. So just deferring processing doesn't help if you can't keep up with the flood. > 3) improve delivery integrity How so? > 4) eliminate bulk emailer's aggressive reties Bulk emailers won't adopt TBR so this is moot. > 5) protect valid email-address confidentiality There are many other ways to do this without SMTP extensions. > 6) defer and enhance assessments of questionable messages Greylisting does that now without SMTP extensions. > 7) avoid the DATA phase for abusive sources Can be done already anyway. > 8) avoid unintended DDoS effects Or magnify them. Look, suppose I decide I want to hurt "example.com". I register a domain "example.net" and make my example.net URL point at the IP address of example.com's Web server. I then merrily send out millions of e-mails and poor old example.com's Web server is DoS'd as TBR implementations attempt to fetch a URL on it. The fatal flaw is that there's no linkage between the owner of a domain name and the owner of the IP address its A record points to. -- David.
