Re: [Asrg] A Vouch By Feedback proposal

Alessandro Vesely <> Wed, 08 July 2009 07:54 UTC


J.D. Falk wrote:
>> Vouch By Feedback could be a useful modification of the Vouch By 
>> Reference standard, if it didn't break its installed base.
> What installed base?

For one,

  MDaemon mail server software uses the advanced email authentication
  techniques of Vouch By Reference (VBR) and validates and signs
  messages using DKIM, DK, Sender-ID, and SPF.

>> VBF adds a DNS record pointing from the vouched domain to the vouching 
>> server email address. It could be an RP RR type, where the address is 
>> meant to receive the message/feedback-report (AFR) complaints. Web 
>> is-spam buttons direct reports to the ESP, who should forward them to
>> any sender's vouching service. Clients who implement FBLs might send 
>> them to the relevant voucher directly.
> Variations of this theme have been discussed dozens of times, always 
> trying to piggyback on some other technology: SPF (which doesn't make 
> sense), DKIM (which almost makes sense), et cetera.

Basically, it should leverage SUBMIT. While DKIM may sign the From 
or Sender headers, it doesn't assure that the content of that field 
has been authenticated, IIRC. Actually, we need a weaker statement: 
that some of the signed headers have enough information for the 
originating server(s) to recover the authenticated identity of the 
submitter. That allows for anonymous sending.

> The problem, unfortunately, is that the use cases are unclear.  I'd 
> recommend starting by defining those cases -- not merely "I want to send 
> complaints about spam" or "I want to receive complaints so my mail 
> doesn't get blocked," but every possible permutation, end-to-end.

Improper use of TIS buttons was discussed some months ago. "I want 
to ban from sending whoever mailed me this" is the new case for them.

>> Vouchers, in turn, shall forward 
>> reports to the accountable originating ESP. The latter shall ban guilty 
>> users from sending for an amount of time proportional to the number of 
>> complaints. If the voucher sees complaints against users who should have 
>> been banned from sending, it shall suspend its vouching service for the 
>> relevant sender.
> Here you're getting out of the technology, and into dictating behavior. 
> I wouldn't be surprised if the agreements between message sender, 
> voucher, and message receiver end up looking something like what you 
> describe, but the technology should be agnostic and let those three 
> parties make any agreement they feel is appropriate for their individual 
> situations.

Agreed. In that respect, a voucher can mandate that behavior even 
using the existing VBR standard. Only the destination of complaints 
deserves further standardization. Standard AFR is on its way, isn't it?

Dictating behavior should be done by lawmakers, of course. However, 
they cannot write the standards, and may encounter difficulties even 
in identifying the items that populate cyberspace. It seems a 
somewhat tighter cooperation is required in order to sort out an 
effective anti-spam regulation.