>His basic idea was to have a registry system, similar to
>domain name registrars, that people have to register their
>ms/mail servers names/ip's. You could possibly attach a record
>to the domain, detailing the mx record, and all associated
>information, like IP, A records, PTR's, etc.
This "technology" is already available in the DNS database with the TXT type record.

a.mailprofile.domain.com TXT "normalized fields for validation"
b.mailprofile.domain.com TXT "normalized fields for validation"

>If people were required to register mail servers

This is too heavy, too costly, too centralized in administration and infrastructure.

>them to a domain, which has real contact information, and
>everyone agreed

aka the "convention" I mention above

>to openly communicate to mail servers that
>are registered, and ignore/filter the rest, it would be
>easier to identify sources of spam at the beginning of a
>session, without hitting multiple databases.

yep, the receiving MTA queries the authoritative NS for a.... or b.... TXT and sees if the MTA sending to your MX matches what is in the mailprofile sub-domain TXT records. domain + ip validation, not far from what we have already, so more easily within reach.

>He suggested having tables (zones):

good choice of word! all domains have zone files :))

>One with the registered
>mail servers, and one with un-registered, questionable
>servers. I think this could be done with dns, maybe by adding
>information into a zone that verifies that the mx record contacting
>you matches the server(s) in the registrars db.

not in the registrar, just use the domain's auth NS for the database it already is.

>I think his biggest suggestion was an international standard
>for registering mail servers, and attaching them to domain
>names.

somebody has to define the fields in TXT records

> Maybe instead of just seeing dns addresses in the
>whois database, you could see the mx records, etc. This would
>then either have to be integrated into dns, or could be run as
>a separate dns system altogether. I'd like to see it run by an
>international organization.

no, DNS is a distributed database system with delegated, distributed administration that works extremely well. Use it as is.
And even there, the one, irreducible place where domain owners MUST deal with "centralized" domain administration is with domain registrars. And we all know how bad that has been in the USA with netsol and even with unscrupulous/insolvent non-netsol domain registrars. AND, most of you have no idea how much it costs to obtain/admin domains with ccTLD registrars. eg, in France, it costs more just to re-delegate a .fr domain than it does to obtain it originally.

>Maybe I interpreted this guy wrong, or his English doesn't do
>his idea justice. It sounded interesting to say the least.

It is almost a good idea, but it is still-born because of the additional infrastructure. What this .pt guy probably doesn't know about is the DNS and SMTP validations/verifications already available in postfix, non-exhaustive:

reject_unknown_client ( fails now because legit servers don't have simple DNS PTR records, and his system is MUCH heavier to implement. "buona chance, Signor" )

domain.com
reject_unknown_client ( A + PTR must match )
reject_unknown_sender ( @sender.domain must have A or MX record )
reject_unverified_sender ( sender.domain's MX must verify the [EMAIL PROTECTED] )

Without crawling through every MTA out there, I think we postfix users already have the best anti-spam MTA around, as is, that exploits the current infrastructure, as is, as much as possible. Where postfix is prevented from doing better is where legit DNS/mail admins don't have even their current basic DNS setup correctly. And he wants to complicate and centralize ?? no way it will work in practice.

Remember last year, we also had a thread about some company that was selling copyrighted strings as "header signatures" to put in your X- headers so compliant MTA's could refuse the mail for such a domain if the headers did not contain domain.com's "signature".
If the headers DID contain the copyrighted string but it was forged by a spammer, then existing international copyright laws could be used as a basis for legal pursuit of copyright violation. This was a beautiful, lightweight piggybacking of UCE defense on current, existing international legal infrastructure. What happened to it?

domain.com <copyright string>

The above could also be done in DNS as is, but where is it?? off the radar. We can't even get US legislative to make it illegal to forge [EMAIL PROTECTED] for US spammers, never mind foreign spammers. I'm really sceptical of UCE approaches that depend on legislative changes, or centralized, international administration, to say nothing of the policing/enforcement/punishment funds being provided.

However, defining TXT records for MTA verification seems to me to be an ideal solution. I would think that, wouldn't I? :)) Current DNS can be used as is, right now, with no change in law or no centralization of admin. The DNS sections of current MTA's like postfix could very easily be adapted to add TXT record queries, just as MTA's do "special" RBL DNS queries. All we need to do is agree on the TXT record formats and off we go, it could be running in 10 minutes.

Len
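As an added illustration of the receiving-MTA side of the mailprofile TXT idea discussed above (example code, not from the post or from postfix): the record field format "ip=<addr> mx=<host>" is an assumption, since the post leaves the fields undefined, and the zone data is a constructed stand-in for the sender domain's authoritative NS so the check runs offline.

```python
"""
Receiving-MTA check for the 'mailprofile' TXT-record idea.
Assumed record format (the post leaves the fields undefined):
    "ip=<address> mx=<hostname>"   one record per authorised sending MTA
Lookups go through an injectable resolver so the example runs offline.
"""
import ipaddress

# Constructed zone data standing in for the domain's authoritative NS.
FAKE_ZONE = {
    "a.mailprofile.example.com": ['"ip=192.0.2.10 mx=mx1.example.com"'],
    "b.mailprofile.example.com": ['"ip=192.0.2.11 mx=mx2.example.com"'],
}

def fake_txt_lookup(name):
    """Stand-in for a TXT query; returns [] the way NXDOMAIN would."""
    return FAKE_ZONE.get(name.lower().rstrip("."), [])

def parse_profile(txt):
    """Parse one TXT record into a dict; malformed records return None."""
    fields = {}
    for token in txt.strip('"').split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key.lower()] = value
    if "ip" not in fields:
        return None
    try:
        fields["ip"] = ipaddress.ip_address(fields["ip"])
    except ValueError:
        return None
    return fields

def mailprofile_verdict(sender_domain, client_ip, lookup=fake_txt_lookup):
    """
    'pass'  : client_ip is listed in an a./b. mailprofile record of sender_domain
    'fail'  : records exist but none list client_ip (or client_ip is unparsable)
    'none'  : the domain publishes no usable records, so the MTA should fall
              back to its other checks rather than reject outright
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "fail"
    profiles = []
    for label in ("a", "b"):
        for txt in lookup(f"{label}.mailprofile.{sender_domain}"):
            profile = parse_profile(txt)
            if profile:
                profiles.append(profile)
    if not profiles:
        return "none"
    return "pass" if any(p["ip"] == ip for p in profiles) else "fail"
```

A real deployment would replace fake_txt_lookup with a TXT query against the domain's authoritative NS and wire the verdict into the MTA's client restrictions.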
