The MTA Authorization Records in DNS (MARID) working group in the
Applications Area has concluded.
: ( (more fully expressed by Greg Connor, with whom I fully concur, at
http://article.gmane.org/gmane.ietf.mxcomp/5240 .)The mailing list will remain active.: ) (Bryce: unsubcrlbe!) BTW, how many subscribers do we have (peak?)
I believe that a directorate being so tasked would be contrary to the goals of the IETF. It puts undue power in the hands of the directorate and its appointers. Spamfighting inherently presents a great challenge to achieving rough consensus. But the IETF consensus-building process is going to do a far better job achieving it than a directorate appointed by the area directors. This is evidenced by the ill-advised (and/or poorly made) decision push SenderID to last call. This decision was made by folks who were appointed by the the same folks who will appoint the directorate, yes? What a recipe for disaster! I'm opposed. Avoidance of deleterious effects is not something that creation of such a directorate would make any easier. (It also is the case that a good MARID will by design, have deleterious effects on certain traffic, e.g. email from most members of the DMA.)The Area Directors intend, therefore, to request that the experimental proposals be reviewed by a focused technology directorate. This review group has not yet been formed but, as with all directorates, its membership will be publicly listed at http://www.ietf.org/u/ietfchair/directorates.html once it has been constituted.
On Tue, 2004-09-21 at 19:45, Matthew Elvey wrote:I was hoping for validation of the example, not generalities. But thanks for the reply.
Doug, still hoping to hear back from you - on 9/14, I asked:
Doug, did you get my email - of a possible broad, strong example showing [SenderID] falling down.
In general....
Huh? The question is about the record given, which has none of these problems.
and
If foo.dom's SPF/SenderID record lists just MX, and doesn't send spam, how/why would a reputation service blacklist foo.dom?
e.g .
foo.dom. IN TXT "v=spf1 mx -all"
In a simple environment exchanging messages end-to-end, the risks would
be low. There are risks accepting these types of records when a process
walks through redirects, includes and arbitrary labels for several
record types.
Elvey:I asked for an example. I see no example here. I can't extrapolate from what you have said to come up with an example, either.
On 9/21/2004 11:57 AM, Douglas Otis sent forth electrons to convey:
On Mon, 2004-09-20 at 18:50, Matthew Elvey wrote:I claim this is impossible. Please provide an example of this (using a record of the kind that my proposal proposes using).
On 9/20/2004 5:21 PM, Douglas Otis sent forth electrons to convey:As I said, this will allow the use of other record types to spoof the
On Mon, 2004-09-20 at 16:33, Matthew Elvey wrote:No, I'm making a different suggestion. Please read the whole post!
Ney.Here's the idea in a nutshell: CSV makes use of extant SPF records which already list tens of thousands of domains that are authorized for use in HELO.
Who supports/opposes this change?
This is a repeat of an older debate.
I'm eliminating some or all of the records that you mention having a problem with below.
I should have stated one thing clearly: only +type components of
records would be relevant; ~type and ?type would be ignored.
EHLO name.
The label used to select the SPF record is normally based upon the
mailbox domain to select a full set of outbound MTAs. The EHLO name can
be made to match any such mailbox domain provided one of the machines is
permitted in this SPF record set. This would be bad.
1)Sort of. 2)Nonsense. We ignore records or record components that don't meet our rules.
The SPF type of record will normally be across an entireI don't see how this is possible using a record of the kind that my proposal proposes using. +include:comcast.net is not allowed, for example! +ptr isn't allowed either (we don't want to allow the likes of dialup-pool.234.234.comcast.net...)
array of providers and not for a single host.
One, you want to use existing SPF records that were not intended to
provide the narrow selection of machines administered by the MTA
operators. Two, there is no means to restrict this list after the fact.
I don't think so. It's not clear what you mean by that, so I'm not sure, but your sentence doesn't make sense to me; I don't know what you're trying to say.
One compromised system within this vast region can then utilize oneI don't believe my proposal does this. <snippage>
of these records to spoof the EHLO name then. If reputations are
based upon the MTA name and not the mailbox domain, then protecting
the MTA name would be much more important. It MUST not be possible
to mix these records out of this concern.
Your approach was to prune the record set used just for the EHLO
domain.
That pruning can not differentiate between machines within aI don't see where I'm saying something from which one could conclude that a record for aol.com would be non-differentiable from one for dhcp234.234.dialup.aol.com.
delegated domain or machines within the administered domain. This would
be bad.
That conclusion isn't warranted. It's incorrect. In fact, I said:
Let's nail down what exceptions are appropriate then! (Again, I'm NOT suggesting using the identities obtained using SPF/SenderID!)These records are for a different purpose, and expose a different set ofThe host name used within the EHLO domain will require a separateWe should, as my post makes clear. But there are reported to be what, ~300,000 SPF records? Why not use them to the extent that I suggest?
record anyway, so why not use a record that achieves an answer
within a single lookup?
machines. The EHLO record set must be kept narrow in order to serve the
purpose of establishing accountability. The broad and weak nature of
the identities obtained using SPF/Sender-ID are not useful for this
purpose. SPF/Sender-ID should be viewed as informative for but a few
exceptions.
The exceptions would be with respect to those domains that feel it is
okay to close their lists.
<snippage of rehashed arguments re parsers and DNS that are not applicable>
Some refinements to my proposal based on stuff hashed out in private email:
99% of the time, an MX query will return the A records for all the servers listed in the MX record as add'l records, all in one UDP packet.
Let's say that's a requirement for our purposes, where there's a +MX in the SPF record.
"+a +mx -all" would
need 2 more DNS queries to resolve (unless a ALL query was done, which
is likely a bad idea). I think it's reasonable to accomodate a bit more
than 1 add'l DNS query.
Certainly, if those things are all true, then the following is true as well. Todays events suggest otherwise.Let's not worry about the <<1% of records where the DNS servers are
known to return incomplete lists of Address records. Let's say that's
a requirement for our purposes that this not happen.
Once the IETF has expended their considerable efforts to endorse a
method that is well considered and robust, I doubt there will be any
trouble with the adoption of the standard. The problem of spam is that
great.
WTF???
I still insist the SPF record should never be allowed to validate the
EHLO domain. It is a different data set for a different purpose.
Again, the reason for my proposal is not to change or obsolete
CSV records, but to make CSV work in some reasonable cases where it
can work without them without being significantly detrimental.
Sorry, but I fail to see the point in using a TXT record and a parser to
obtain a list of addresses through a dangerous and expensive set of
lookups, when it can be done in one lookup safely. Also where it will
not accidentally allow other domains to spoof the EHLO identity. This
exclusion is needed to establish accountability.