Re: [Asrg] seeking comments on new RMX article

Vernon Schryver <vjs@calcite.rhyolite.com> Mon, 05 May 2003 21:10 UTC

From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305052030.h45KU5qt007634@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] seeking comments on new RMX article
References: <E19ClMq-0006j5-00@mail.nitros9.org>
Date: Mon, 05 May 2003 14:30:05 -0600

> From: "Alan DeKok" <aland@freeradius.org>

> ...
>   At the minimum, RMX will alleviate the need for DUL blocks.  RMX can
> alleviate the "forged sender" problem, which many people on this list
> have run into.  If I publish RMX records for my domain, and it
> prevents others from forging mail from my domain, then that's a good
> thing.

I don't agree.  Since you've made the assertion, you bear the burden
of supporting it.  To help you, I'll point out some facts you'll
need to address:
  - For RMX bits to be useful to dialup users, their mail provider must
     list their home IP addresses.  That would be a major burden for
     all but the smallest outfits that serve as home domains, except
     for something that seems to make the problem worse.  The IP
     addresses of dialup users are dynamic (hence the 'D' in "DUL").
     Thus, the home domain must list all IP addresses of the dialup
     ISP as legitimate senders, because the user might next get any
     address owned by the dialup ISP.  For dialup ISPs with millions
     of current and prospective customers (e.g. RBOCs and cable modem
     providers), that would amount to authorizing a lot of spammers.
     In that case, what information would the RMX bits convey?

  - How big a problem is forgery of your domain name?  How many such
     messages do you see daily?

  - Until a significant number of SMTP servers check RMX bits and reject
     messages with mismatching RMX bits, there will be just as many
     forgeries of your domain name.  How long until a significant
     number of SMTP servers check RMX bits?


> ...
>   Why can't the people shooting down the proposed changes come up with
> a list of requirements that the changes must satisfy?  ...

Have you read Dave Crocker's ID?

>                                                        That should
> alleviate much of the discussion.  But my belief is that the people
> shooting down proposals will spend 5 years doing just that, and then
> discover that their email is unusable.  In the mean time, others who
> are willing to accept ugly solutions, will have implemented some
> horrible hack which will allow them to keep using email.
>
>   Duct tape and binder twine aren't always bad.

> ...
>   Actions speak louder than words.

Indeed.  So why aren't you out applying tape and twine instead of
railing at people who you say are "preventing" your use of RMX?


> ...
> > We have had PGP and S/MIME for approximately 10 years.  They permit
> > identifying the originator.  Yet they have not achieved any significant
> > adoption or use in the Internet.  How will you achieve success now?
>
>   PGP and S/MIME solve different problems from RMX.  RMX, like
> STARTTLS, can be used to authenticate the conversing peers, not the
> content of the message.

You are ducking the question.  While PGP and S/MIME were created to
solve different problems, they certainly do permit identifying the
originator of email.  If identifying the originator of email is
effective against spam, what's wrong with PGP and S/MIME for serving
that purpose?

   ......


> From: "Alan DeKok" <aland@freeradius.org>
> Message-Id: <E19ClX2-0006jh-00@mail.nitros9.org>

> ...
> > That doesn't work for things like yahoo, mail.com, etc who offer
> > POP/IMAP accounts to arbitrary users without an outbound smarthost.
>
>   Then they have an opportunity to update their business model when
> (as may be expected) the world around them changes.

In your preceding message you said that Yahoo was going to leap on
the RMX bandwagon.  Are you now saying that Yahoo will leap on a
bandwagon that forces them to update their business model?  What
business model do you foresee Yahoo using?  Would Yahoo users be
required to use Yahoo SMTP clients to send mail?  If so, how will
Yahoo users get past port 25 blocking on other ISPs?


Vernon Schryver    vjs@rhyolite.com
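
Added example, not part of the original message: a receiver-side model of the dial-up point in the first bullet above, checking a connecting IP against the sender networks a home domain has declared. The policy is an abstract list of CIDR ranges rather than RMX record syntax, and every domain, address and session below is constructed.

```python
import ipaddress

# Constructed policy: networks each home domain declares as legitimate
# senders. This is an abstract model, not RMX record syntax.
POLICY = {
    # Small domain with a single outbound relay.
    "smallco.example": ["192.0.2.25/32"],
    # Home domain whose users send directly from a dial-up ISP, so it has
    # to list the ISP's whole dynamic pool (constructed range).
    "homedomain.example": ["198.51.100.10/32", "100.64.0.0/10"],
}

def networks(domain):
    """Declared sender networks for a domain (empty if none published)."""
    return [ipaddress.ip_network(n) for n in POLICY.get(domain, [])]

def is_authorized(domain, client_ip):
    """The receiver's check: is the connecting IP in the domain's list?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks(domain))

def authorized_address_count(domain):
    """How many distinct addresses the domain has vouched for."""
    collapsed = ipaddress.collapse_addresses(networks(domain))
    return sum(net.num_addresses for net in collapsed)

# Constructed SMTP sessions: (label, envelope sender domain, client IP).
SESSIONS = [
    ("real user on a dial-up lease", "homedomain.example", "100.64.12.7"),
    ("other customer in the same pool, forging", "homedomain.example", "100.101.3.200"),
    ("outside host, forging", "homedomain.example", "203.0.113.50"),
    ("outside host, forging", "smallco.example", "203.0.113.50"),
]

def evaluate(sessions):
    """Return (label, domain, ip, verdict) for each session."""
    return [(label, dom, ip, is_authorized(dom, ip)) for label, dom, ip in sessions]

if __name__ == "__main__":
    for dom in POLICY:
        print(f"{dom}: {authorized_address_count(dom)} authorized addresses")
    for label, dom, ip, ok in evaluate(SESSIONS):
        print(f"{'pass' if ok else 'FAIL'}  {dom:<20} {ip:<15} {label}")
```

The first two sessions get the same verdict: once the whole pool is listed, the check cannot tell the real user from any other customer of that ISP.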