Re: [Asrg] Is there anything good enough? - Spoofing stats

[Mike Rubel <asrg@mikerubel.org>]

[ this message in response to Vernon Schryver ]

> No, I don't approve of RMX.  I believe
>   - it is redundant and unnecessary because existing mechanisms achieve
>      can stop mail from free providers that does not come from each
>      provider's MTAs.

Vernon,

I reviewed the article at www.monkeys.com, and while I agree that their
approach is reasonable given that RMX records do not yet exist, I am
believe the existence of RMX would improve it.  The authors express
concern about the false positives their approach generates, so
presumably they would also be happier with RMX.  Also, theirs is a hack,
albeit in the best sense of the word.  A more general solution that
treats all domains--not just the big free ones--would seem to be
preferred.

>   - there are simpler, already largely deployed ways to do exactly
>      what RMX does without a new RR, including Paul Vixie's suggestions. 

Having read Paul Vixie's proposal just now, I am satisfied that it is
functionally equivalent to RMX and would be equally happy with it.  When I
speak positively of RMX, please take it to mean that I speak positively of
RMX, Fecyk's proposal, or Vixie's MAIL-FROM, unless otherwise noted.

>   - the new RMX RR will never be seriously considered in the DNS WG.
>   - if by some fluke that happens it will never pass Last Call in a DNS WRK.
>   - if everyone is asleep there, it won't pass IESG review or main list
>      Last Call.

I cannot speak for these bodies.  Assuming they place a very high utility
threshold for new RR's, as you imply and seems reasonable, we must generate
a strong case for them.  That's why I wrote an article called "The Case for
RMX Records".  But if new RR's are an absolute block, we can take Fecyk's or
Vixie's proposal.  These have other drawbacks, but not that one.

>   - if it does get standardized, it will not be widely implemented in MTAs.

I believe we have shown that strong incentives exist, both for senders
and receivers, to implement RMX, and that RMX is far simpler to
implement than many of the other proposals, which involve more
significant and fundamental changes to the mail protocol.

>   - it will not be installed by the organizations you need to install
>      it, including Hotmail, AOL, and Microsoft, because they will not
>      change their business models.

RMX would seem to allow them to strengthen their current business models
(webmail and/or email hosting service) by preventing abuse.  These
providers also have a strong incentive to implement RMX.

I surmise from Earthlink's new challenge-response program that major
providers are willing to try significant new steps to deal with their
spam problems.  RMX seems far less disruptive a change than
challenge-response.

> I'm beginning to get the impression that RMX proponents are egregiously
> unaware of how SMTP works and is commonly used.

Have I said something specific which gave you that impression?

> So why haven't you long since implemented the standard checks to
> prevent what you call "spoofed" free provider mail?

It would result in false positives in a way that RMX (by virtue of being
voluntary on the part of the sender) would not.

Mike

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg