> >What I think would be a better solution is governmental support for
> >"credentials."
>
> we don't need no gov support. We admins must set MX policies that insist
> on "best practices" SMTP/DNS settings, aka, credentials.
Unfortunately the government reacts to the masses and creates laws. That creates a problem with your idea, "we don't need no gov support." What we do not need is a law that says a certain type of spam is legal. If the government got on board with the idea that "credentials" are a realistic solution, will save them money, satisfy their constituents, not pose first amendment issues, and is better than tossing out a law, it would help prevent that sort of problem.

> >The A/PTR part of credentials is easy to understand and explain.
> >(D.C.B.A.in-addr.arpa. PTR host.name. must resolve to host.name A
> >A.B.C.D)
>
> no govt needed for each MTA to implement the following:

True, but that is not what I am saying. I am putting forth the idea that if the government followed these standards, and promoted them, it would make it easier for us to do the same. As you have said many times, Len, the issue with implementing iron-handed "credentials" support is the large volume of sloppy admins. But you also admit that if the major ISPs adopted this, it would help. The problem is getting them to adopt it. I am saying that if the government officially adopts "credentials," it would be easier to implement it ourselves. I have a contract with our upstream providers that states I am to be in control of the reverse DNS. On one I have it, and on the other I don't. Why? They are dragging their feet. But if I was able to come to them and say, "You are hurting me, your customer. I can no longer e-mail the US Government because you have failed to do your job," then I could get the rDNS control I am supposed to have.

> If you guys would just hold the line on these minimum settings as policies
> for your MXs, ie, simply refuse to whitelist legit servers that don't meet
> the above, then those legit servers would have to fix their settings or
> live with their mail being rejected. The more of us that reject, the more
> pressure there is on legit servers to setup correctly.
>
> Just like when AOL started insisting on PTRs, there was a mad scramble for
> mail servers to get PTRs.

Exactly.

> >But I remember hearing there is more to it than that. I know Len has
> >talked about SPF/DSP, but I never quite figured out what technology he was
> >talking about. Sorry Len, but whenever you had that acronym explained, I
> >missed it, and can't seem to see it in my archive.
>
> Try google for "SPF", it's the first hit, and Meng already provides SPF
> patches for postfix and other MTAs.

Aaah. Because your message had "SPF/DSP" I searched for both terms. That makes the web site in question go poof.

> I think SPF/DMP is an excellent solution, free, immediate, but if we can't
> even get past the SMTP/DNS credentials stage (also free, and immediate,
> like all DNS-based solutions), then there's not much hope SPF/DMP.

Aaaah. DMP, not DSP as this message says:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg03152.html

> Supposedly serious anti-spam lists such as spamtools and spam-L sterilely
> debated SPF into nothingness, picked it apart as having tiny imperfections,
> etc, etc, until there was nothing left, and nobody does anything.
>
> >If forgeries were automatically rejected by everyone, then we would only
> >have known sources to deal with, and that is a lot easier.
>
> exactly. but 30% of your accepted mail today doesn't even have a PTR, but
> you accept it anyway. error!!
>
> >Does anyone here have links to layman's explanations of the tech involved?
>
> what's hard about the 4 lines above?
>
> >I want to make sure I state things properly before sending off any such
> >letter.
>
> don't waste your time.

When the government passes a law, they like to see an effect. The present law they are pushing will be useless for many reasons. They will then go pass another law, and another, so on and so forth until one of two things happens. They solve the problem, or they make spam legal so it is a non-issue.
So I do not see encouraging enforcement of standards as a waste of time.

> What would be more useful is a generic http://postmaster.mydomain.com page
> that everybody could add to their organization's website stating what the
> "credentials" policies above are. The URL could be added to reject messages.
>
> But the hard part, at least as I see it with some of my IMGate customers,
> is that IMGate admins cave in to their users who complain about a mail from
> a "legit" server being rejected for "illegit" SMTP/DNS settings.
>
> All users want spam to be blocked, but nobody wants to hold the line on
> credentials.

And if there was official support of proper "credentials" by major ISPs, it would be easier to hold the line. But they waffle just as much as anyone else. Getting governmental support of "credentials" creates a "reason" you can give your users. "Well I'm sorry Mr. Smith, but we are following the new 'anti-fraud' policies of the US Government, and that caused the email to fail. If the people on the other end would just follow this international standard, the mail would come in." I support your theory, Len, and believe it will work. I am just looking for ways to help make it work before some stupid politician makes it illegal. And guess what, they ARE trying to make spam legal, and blocking it a crime. The "credentials" policy addresses fraud, and the spam blocking is a side effect. But it is a very good and strong side effect.

> And then there are the anti-spam "solutions" which actually contribute to
> the problem, selling themselves as being able to ignore the credentials
> completely, or require umpteen different "faults" to be added up before
> rejecting and/or then scan the msg content (they have to receive all DATA
> commands) to see if it is spam or not. These "solutions" actually give the
> legit server with bad credentials a "pass" and they think that helps the
> situation.

Certainly.
I agree that "credentials" is one of the tests that needs to be done early, and with an iron hand. It should not be part of any weighting process, and should supersede such mechanisms. I would just be fired if I implemented it, as would many mail admins. Businesses tend to do that when the changes you make piss off a large enough chunk of your customers. I have seen you say many times, including this reply of yours, that the problem with "credentials" is a lack of participation, and little else. I believe that the government can be pushed into participation, partially because some of their departments already follow this policy! If they all followed it, and the government very publicly stated this, then it would help move things towards the solution that you favor. It is also easier to change the mind of the government than it is AOL. Once something like this becomes accepted, then I can use it without risk to my job.

--Eric
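The A/PTR "credential" quoted in the thread (D.C.B.A.in-addr.arpa. PTR host.name. must resolve back to A.B.C.D), written out as the forward-confirmed reverse DNS check an MX would run at connect time and tied to the postmaster-URL reject text Len suggests. This is an added example, not code from the thread, from IMGate or from any MTA; DNS is behind an injectable `lookup` callable fed by a constructed zone table, and the hosts, addresses and policy URL are hypothetical.

```python
"""Forward-confirmed reverse DNS as an MX policy check (added example)."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data keyed by (owner name, record type); owner names are
# fully qualified (trailing dot), as in a real zone file. Hypothetical hosts.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mx.example.net."],
    ("mx.example.net.", "A"): ["1.2.3.4", "1.2.3.5"],          # 1.2.3.4 passes
    ("9.8.7.6.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["6.7.8.10"],                   # forward disagrees
    ("2.0.0.10.in-addr.arpa.", "PTR"): ["gone.example.com."],  # PTR but no A
    # 192.0.2.1 deliberately has no PTR: the "accepted without a PTR" case
}

POLICY_URL = "http://postmaster.mydomain.com"  # placeholder page from the thread

def fake_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a resolver; a real MX would query DNS here."""
    return FAKE_ZONE.get((name, rtype), [])

def reverse_name(ip: str) -> str:
    """1.2.3.4 -> '4.3.2.1.in-addr.arpa.' (the D.C.B.A.in-addr.arpa. form)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."

def fcrdns(ip: str, lookup: Callable[[str, str], List[str]] = fake_lookup) -> str:
    """Return 'ok' only when some PTR name's A records include the IP.

    Failure verdicts name the leg that broke so the reject text can say why:
    'no_ptr', 'no_forward' (PTR target has no A), 'mismatch' (A exists but
    never equals the connecting address).
    """
    ptr_names = lookup(reverse_name(ip), "PTR")
    if not ptr_names:
        return "no_ptr"
    saw_forward = False
    for host in ptr_names:
        addrs = lookup(host, "A")
        saw_forward = saw_forward or bool(addrs)
        if ip in addrs:
            return "ok"
    return "mismatch" if saw_forward else "no_forward"

def reject_line(ip: str) -> Optional[str]:
    """SMTP reply an iron-handed MX would use for the transaction, or None."""
    verdict = fcrdns(ip)
    if verdict == "ok":
        return None
    return f"550 5.7.1 {ip} fails rDNS credential ({verdict}); see {POLICY_URL}"

if __name__ == "__main__":
    for client in ("1.2.3.4", "6.7.8.9", "10.0.0.2", "192.0.2.1"):
        print(client, fcrdns(client), reject_line(client))
```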
