on Tue, Sep 23, 2003 at 10:42:43AM +0100, kevin lyda ([EMAIL PROTECTED]) wrote:
> On Tue, Sep 23, 2003 at 10:14:26AM +0100, kevin lyda wrote:
> > On Tue, Sep 23, 2003 at 09:32:26AM +0100, Ruairi Newman wrote:
> > > Just thought I'd forward the following diatribe against TMDA and
> > > Challenge-Response (mail) systems in general. It's ... strongly worded
> > > ... in places, but I believe it makes some very good points.
> > >
> > > What do you think? Kev? ;)
> > i think karsten m. self is a crank.
I *know*, Kevin. Do I ever....
> btw, to further elaborate his complaint is that tmda trusts the From
> header and uses that for an automated reply. now if tmda was unique
> in that behaviour i'd understand. however, here's a list of a few
> mail software packages that trust the From header enough to send an
> automated reply:
>
> sendmail
> postfix
> exim
> qmail
> procmail
> deliver
> mailman
> majordomo
> listserv
>
> note that only the mailing list software limits the number of automated
> responses.
While this hasn't been addressed at length on list, I'm also interested
in revising behavior of autoresponders in these contexts. I've
mentioned this briefly in response to Jason. As TMDA isn't itself an
MTA or list manager, the discussion isn't highly relevant.
Two points however are:

  1. The tools you list above don't have as their core functionality and
     design intent response to unvalidated addresses. That they do so
     is incidental to function, and can be mitigated with configuration
     or minor design changes. Incidentally, there is an IETF working
     group on the subject of auto email responses. Note that this is a
     draft and the URL will expire:
     http://www.ietf.org/internet-drafts/draft-moore-auto-email-response-03.txt

  2. Proportional to their deployment, these systems generate fewer
     misdirected messages than C-R systems. Current C-R adoption rates
     are minuscule. Should they rise, there will be a rapidly evident
     scaling problem.
> what karsten really dislikes is that challenge/response changes the
> way email works.
No. Don't impugn motives, Kevin. I really dislike it.
What I dislike about pure-play C-R is that it is spam. And for a whole
mess of reasons, it stops working the way y'all expect it to really,
really fast once its use spreads.
This can be fixed: C-R used *after* virus and spam filtering is no
longer spam. It's just annoying. I'll delete the bits I get and go on
with my life. I don't have to worry about being shoveled under by it.
> in my opinion c/r systems are an acceptable compromise between a central
> registry of authorised mail servers (with associated costs and worrying
> authoritarian issues) and the chaos that exists today.
If you want to see a slick concept, look at Brad Templeton's current
best plan for dealing with spam:
http://www.templetons.com/brad/spam/endspam.html
The plan is to divide the network into two camps, those who can be
held accountable for spam, and those whose status is unknown. Mail
would flow unimpeded for those on the accountable list, since by
definition, we would have other ways to deter or deal with spam from
such networks.
For the rest, mail would be redirected through special relay servers
whose job it is to "throttle" or rate-limit the amount of mail any
party can send. As such, single person to person mail would normally
be unimpeded, but mass mailing (regardless of content) from
untrusted addresses would be impossible. In effect, mass mailing
becomes a slightly privileged operation open to those who can be
held accountable if they abuse it by sending such mailings to people
who don't know the sender.
> an even better compromise would be if everyone pgp/gpg signed email
> coupled with a c/r system and a way to query mail servers for valid
> user pgp/gpg keys.
This is a feature I'd like to see added to TMDA. Hell, and
SpamAssassin, FWIW.
> but i live in the real world. and in the real world most people don't
> use pgp
You might want to look at PGP Universal:
http://www.pgp.com/universal/index.html
http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=444
> (and in fact several people complain about people who do use it)
We have a tool for this:
http://kmself.home.netcom.com/Rants/gpg-signed-mail.html
A (not so) Short Rant / FAQ on the Subject of Signed E-Mail and
Public Key Infrastructure
> so i use tmda.
Don't say.
> and i drop all mail from karsten m. self.
Ah, but we knew you would, Kev.
Peace.
--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
http://sco.iwethey.org/
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
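
Two mitigations raised in this thread, challenging only after spam and virus filtering and capping automated responses per address, sketched as an added Python example; it is not TMDA's code and was not posted to the list. The class name `ChallengeGate`, the header checks and the limits are assumptions of the example, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

class ChallengeGate:
    """Hypothetical gate deciding whether an automated challenge may go out."""

    def __init__(self, max_per_window=1, window_seconds=86400):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._sent = {}  # address -> times challenges were sent

    def decide(self, raw, envelope_sender, passed_filters, now):
        """Return (True, address) or (False, reason)."""
        if not passed_filters:  # challenge only *after* spam/virus filtering
            return (False, "failed spam/virus filtering")
        sender = (envelope_sender or "").strip()
        if sender in ("", "<>"):  # bounces have no one to challenge
            return (False, "null envelope sender")
        # Reply to the envelope sender, never to the From: header. Both can
        # be forged; the filter gate and the cap below bound the damage.
        target = parseaddr(sender)[1].lower()
        if "@" not in target:
            return (False, "unusable envelope sender")
        msg = message_from_string(raw)
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return (False, "message is itself automatic")
        if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
            return (False, "bulk or list traffic")
        recent = [t for t in self._sent.get(target, [])
                  if now - t < self.window_seconds]
        if len(recent) >= self.max_per_window:
            return (False, "rate limit reached")
        self._sent[target] = recent + [now]
        return (True, target)

# Constructed sample messages (not taken from the thread).
PERSONAL = "From: Alice <alice@example.org>\nSubject: hello\n\nHi there.\n"
VACATION = ("From: Carol <carol@example.org>\nAuto-Submitted: auto-replied\n"
            "Subject: Out of office\n\nBack on Monday.\n")
LIST_POST = ("From: Dave <dave@example.net>\nPrecedence: list\n"
             "Subject: [users] digest\n\nList traffic.\n")

if __name__ == "__main__":
    gate = ChallengeGate(max_per_window=1, window_seconds=3600)
    for raw, env in [(PERSONAL, "alice@example.org"), (PERSONAL, "alice@example.org"),
                     (VACATION, "carol@example.org"), (LIST_POST, "users-bounces@example.net")]:
        print(env, gate.decide(raw, env, passed_filters=True, now=1000.0))
```

A refused challenge is not recorded against the address, so the cap counts only challenges that were actually sent.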
