
Re: recent spam to this list

On Mon, Oct 13, 2003 at 08:06:33PM +0200, Julian Mehnle wrote:
> John Hasler wrote:
> > Julian Mehnle writes:
> > > No, but this again is one of these broken "e-mail vs. real world"
> > > analogies.  You can't receive mail through such a letter box, but a
> > > sender address is inherently meant to be a valid address through which
> > > you can be contacted (among other criteria).
> > 
> > I can no more be contacted via the machine in that library than I can via
> > the letterbox.  I go in there, spend five minutes sending an email and
> > leave, expecting any replies or bounces to go to my real address.  If my
> > message is bounced to that box or a reply sent there it will vanish
> > without a trace.
> Then it's up to the library to decide whether to offer this feature
> (envelope-from forgery, or call it envelope-from pretendery) or protect
> its domain from unauthorized use in envelope-froms. Of course the latter
> option implies restrictions for users like you, but the library is not at
> all required to implement these restrictions for its domain.
> I still don't understand why so many people object to the cited
> proposals... The implementation on the sending side (i.e. the DNS
> configuration) is entirely optional.

Probably because systems which expect it and don't see it will do something
such as give the message a positive SpamAssassin score. Of course, if
you're going to do something that happens to look like what a lot of
spammers do, you should probably expect that, just like it's not wise
(anymore) to put a lot of !s in your subject, or to use a known open relay,
even if you have absolute permission to use it for legitimate email...

Really, this just isn't that difficult a concept, even if it doesn't map
directly to real world mail. Your identity, as given in various places, is
multi-part; both a user part, *and* a domain part. The owners of the domain
part are free to set any policy they wish (including "we don't care"),
regarding the behavior of people who wish to claim association with them
(perhaps the closest analogy would be fulfilling any requirements for using,
say, the official Debian name).

In fact, the debian.org domain is a very good example. The policies say
that you shouldn't use it for a variety of purposes; they could (though
I don't think they *should*) also say "due to problems with forged email
claiming to be from Debian, all Debian-official email must relay through
the following servers: <list>".

For Debian, which has little interest in running relay servers, highly
technical users, and a relatively small problem with spam claiming to be
from the domain, in general, it isn't worth the annoyance to the users
(IMO). For a University, who are very liability-shy, who mostly have users
using a single system, and who already run significant outbound relays for
most of their users... it may be much more of a win.

It's just (another) tool for enforcing policy, like everything in layers
1-7; it can help make certain policies practical, but it cannot decide when
or where to make those policies the case. If you don't like the policy
someone implements with it, you can complain to them - maybe they'll
listen, maybe not. For a lot of us who've been dealing with the load on
mailservers for years, I'm sorry, but your individual desire to be able to
send mail from anywhere on the planet, claiming to be anyone on the planet,
does not (in my policy decisions) outweigh my desire to get fewer spams
every day.

If adding .1 to your SA score for lacking a repudiation protocol, and 3
(or 5, or whatever) for claiming to be from a domain that denies that it
originates mail to the rest of the world from your IP, is enough to help
me sort through my mailbox - so be it. If it isn't, I won't use it, and you
have nothing to worry about.

However, arguments about 'it will make my life harder' apply just as well
to things like open relays, and they are the heart of a large number of
anti-spam lists, since there is a very high correlation between having it
open, and originating large amounts of spam. Nearly 100%, in fact. If
lacking a domain-authorized relay point comes to eventually have the same
statistics, you'd better bet that you'll have the same sorts of penalties
in spamfilters.
Joel Baker <fenton@debian.org>                                        ,''`.
Debian GNU NetBSD/i386 porter                                        : :' :
                                                                     `. `'
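The scoring rule sketched in the message (a small penalty when the sender's domain publishes no sender-authorization policy, a large one when it publishes a policy that does not cover the connecting IP, nothing when the IP is authorized or the domain says "we don't care") can be written down as a filter-side check. The following is an added example, not code from the message or from any list member; the policy table, domains, IPs and penalty values are constructed assumptions, and the policy lookup stands in for the DNS query a real implementation would make.

```python
import ipaddress

# Constructed stand-in for policies a domain owner would publish in DNS.
# None  -> the domain publishes nothing at all
# "any" -> the "we don't care" policy: every host may use the domain
# list  -> only these networks/hosts may originate mail for the domain
POLICIES = {
    "example.edu": ["192.0.2.0/24", "198.51.100.10"],  # runs its own relays
    "example.org": None,                               # publishes nothing
    "example.net": "any",                              # explicitly permissive
}

NO_POLICY_PENALTY = 0.1  # "lacking a repudiation protocol"
DENIED_PENALTY = 3.0     # domain denies originating mail from this IP


def sender_domain(envelope_from):
    """Return the lower-cased domain of an envelope-from, or None if malformed."""
    local, sep, domain = envelope_from.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def ip_authorized(networks, client_ip):
    """True if client_ip lies inside any of the listed networks or hosts."""
    addr = ipaddress.ip_address(client_ip)
    # strict=False lets a bare host address act as a /32 (or /128) network.
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def score_adjustment(envelope_from, client_ip, policies=POLICIES):
    """Score to add for envelope_from arriving from client_ip under policies."""
    domain = sender_domain(envelope_from)
    if domain is None:
        raise ValueError("malformed envelope-from: %r" % envelope_from)
    policy = policies.get(domain)          # stands in for the DNS lookup
    if policy is None:
        return NO_POLICY_PENALTY           # nothing published: weak signal only
    if policy == "any" or ip_authorized(policy, client_ip):
        return 0.0                         # claim is backed by the domain owner
    return DENIED_PENALTY                  # domain says this IP is not theirs
```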
