Re: [Asrg] Some data on the validity of MAIL FROM addresses

Vernon Schryver <vjs@calcite.rhyolite.com> Tue, 20 May 2003 22:43 UTC

From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305202233.h4KMX32L009377@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
References: <Pine.LNX.4.44.0305201305380.1564-100000@entropy.galcit.caltech.edu>
Date: Tue, 20 May 2003 16:33:03 -0600

> From: Michael Rubel <asrg@mikerubel.org>

> ...
> Here's a better example.  Should mail that contains the string "sex" in the
> subject line be Rejected during the smtp session?  Or does it make more
> sense to carry that little piece of information through to spamassassin or a
> Bayesian filter, where it can be combined with a lot of other information
> about the message and recipient to make an intelligent decision?

That suggests the underlying assumption behind saying that SMTP status
codes are obsolete.  In fact, SpamAssassin is like every other filter
at least in principle.  SpamAssassin is often run during the SMTP
session using a sendmail milter hook.  If SpamAssassin computes a
spamish score for the message, the message can be rejected.  See
http://www.google.com/search?q=spamassassin+milter

> Providing immediate Reject allows the spammer to keep trying until he's
> sure the message has gotten through, and it allows him to learn about the
> filtering behavior of your system or yourself.  

No, you hide no information by giving it with a DSN instead of an SMTP
status response.  If you don't want to tell the spammer that the
message was detected as spam, then delaying the detection is irrelevant.
You won't be sending either a bounce or a negative SMTP status response.


> ...
> If you send a blatantly spam-like message to a mail host, do you expect to 
> receive a bounce if it is not delivered?

What is a blatantly spam-like message and in whose eyes?  If you
send a message that you don't think is blatantly spam-like, don't
you expect an indication that it was rejected?

If you send what I define as a blatantly spam-like message, you'll receive
250 OK SMTP status codes and no DSN.  That violates official as well
as some common sense BCPs, but it's necessary to protect spam traps.


> ...
> Because "best practice" dictates that all domains would be run by
> responsible admins, and that they would run ident. 

I think that's wrong.  I think no BCP says anything good about IDENT.
If I'm wrong, please point out the RFC (whether in the BCP index or
not, other than ) that strongly recommends IDENT.


>                                                     The reasons people
> aren't using ident are much the same: it leaks information about their
> systems, but doesn't really buy them anything on the Internet, because not
> everyone else is using it.

I think that's half wrong.  IDENT need not leak anything, but it is
of very little use.  (An IDENT answer has meaning only in the context
of the IDENT server's logs, user database, and so forth.  Thus, contrary
to RFC 1413, every IDENT answer could be purely synthetic and related
to the real answer only by a log entry on the server.)


> > If we really think that BCP30 is so hopelessly outdated, wouldn't this be a
> > good place to start rewriting it.
>
> I'm not familiar with BCP30...

I don't want to insult you, but that is definitely the wrong answer here.
An acceptable answer might be something like "give me a little while to
read and understand BCP 30."  The privilege of speaking here carries the
responsibility of an honest effort to read the relevant document.

See http://www.rfc-editor.org/rfc.html
and especially http://www.rfc-editor.org/bcp-index.html


Vernon Schryver    vjs@rhyolite.com