
Re: Bug#207300: tmda: Challenge-response is fundamentally broken



on Sat, Aug 30, 2003 at 10:42:17AM +1000, Brian May (bam@debian.org) wrote:
> On Fri, Aug 29, 2003 at 03:48:13PM +1000, Craig Sanders wrote:
> > the point that you keep on missing is that TMDA and similar programs send
> > "confirmation" emails to innocent third-parties who did *NOT* send an email.
> > 
> > TMDA and all C-R systems are broken-by-design, just as many stupid end-user
> > "autoresponders" and AV-scanners that send notifications back to the forged
> > sender address are broken-by-design.
> 
> You saying that any SMTP MTA that sends bounces to unauthenticated
> E-Mail addresses is also broken?

At the very least, this is a small subset of the incoming mail.  There
are probably bad practices, which should be fixed.

The aim is also one which is presumably useful:  if the sender is valid,
then advising them that a message was not delivered is arguably useful
(note that I regard most delivery failure messages as junk).

Most importantly:  the MTA isn't sending mail out willy-nilly to offload
a cost (filtering, content assessment) to a third party.  It's taking an
action on a (hopefully) limited number of mails which cannot be
delivered.

SMTP Envelope reply address should be given precedence, and an SMTP
error precedence over any bounce.

> That is the idea behind autoresponders after all, to tell the sender
> that his mail didn't get through because it didn't meet some required
> criteria.

"The message can't be delivered because of addressing errors" is a
different class of error than "I can't be bothered to see if this mail
is worth reading, despite its being properly addressed to me".

> Even encryption does not help here, or at least I have not seen any
> proposals for any system that could scale to the Internet. GPG for
> instance only verifies the sender to the receiver, it could not be used
> to verify every sender to the MTAs involved.

A publicly available key, with an email address (or addresses),
validated against contents, is useable.  It doesn't validate the sender,
but it provides a level of indication that someone went through the
trouble of getting a key, posting it publicly, and signing (and/or
encrypting) content with it.

That's more elbow grease than your garden-variety spammer.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Hollings:  bought, paid for, but couldn't deliver the CBDTPA:
     http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
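
Added example, not part of the original message: a sketch of the reporting order stated above (an SMTP error in preference to any bounce, and any bounce addressed to the envelope sender rather than the header From). The `Msg` and `Report` types, the `report_failure` and `backscatter` functions, and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Msg:                     # constructed sample type, not taken from any MTA
    envelope_from: str         # SMTP MAIL FROM (reverse-path); "" is the null sender <>
    header_from: str           # From: header; never used as a bounce destination
    rcpt_to: str

@dataclass
class Report:
    smtp_reply: str            # reply given inside the SMTP session
    bounce_to: Optional[str]   # address a later bounce is mailed to, if any

LOCAL_USERS = {"alice@example.org"}    # constructed recipient table

def report_failure(msg: Msg, checked_in_session: bool) -> Report:
    """Decide how an undeliverable message is reported."""
    if msg.rcpt_to.lower() in LOCAL_USERS:
        return Report("250 OK", None)
    if checked_in_session:
        # SMTP error takes precedence: the connecting client is told directly
        # and no new mail is generated toward a possibly forged address.
        return Report("550 5.1.1 user unknown", None)
    # Failure only found after the message was accepted: a bounce is all that is left.
    if msg.envelope_from == "":
        return Report("250 OK", None)   # null reverse-path: never bounce a bounce
    return Report("250 OK", msg.envelope_from)

def backscatter(msgs: List[Msg], checked_in_session: bool) -> List[str]:
    """Addresses that would be mailed a bounce under the given policy."""
    out = []
    for m in msgs:
        r = report_failure(m, checked_in_session)
        if r.bounce_to:
            out.append(r.bounce_to)
    return out

SAMPLE = [  # constructed traffic: forged sender, a bounce of a bounce, a valid mail
    Msg("victim@example.net", "victim@example.net", "nosuchuser@example.org"),
    Msg("", "mailer-daemon@example.com", "nosuchuser@example.org"),
    Msg("bob@example.com", "bob@example.com", "alice@example.org"),
]

if __name__ == "__main__":
    print("reject in session :", backscatter(SAMPLE, True))
    print("accept then bounce:", backscatter(SAMPLE, False))
```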
