Re: [Asrg] seeking comments on new RMX article

[Vernon Schryver <vjs@calcite.rhyolite.com>]

> From: Mike Rubel <asrg@mikerubel.org>

> ...
> Do dialup or traveling users run their own MTA's over the dialup line?
>
> Nope--they have remote, permanent servers, which they access via POP or
> IMAP.  Somewhere, somehow, they rely on machines that are listening
> 24/7.  I have such a machine myself.  Call it "BBS-style" if you like,
> but it's a present-day fact.

That is a common mode, but not the only one.  Some travelers and
certainly some diaup users run MTAs over dialup lines.

> ...
> Nobody's outlawing anything.  If Hotmail wants people to stop forging
> their name on mail, then yes, they need to make sure that remote users
> send via their mail servers.

Perhaps my use of "outlaw" was a bad choice.  I meant "practically
prohibit" instead of anything about laws.  Isn't the intent of the
RMX proposal to practically prohibit using a domain name other that
of the reverse DNS name or a few other special cases?

Your use of "forge" is clearly a bad choice.  "Forgery" is about
fraud.  See http://www.m-w.com/cgi-bin/dictionary?va=forgery
While some uses of Hotmail sender addresses are "forged," a substantial
number, even in spam, are not.  It is not "forgery" to use one of your
Hotmail mailboxes as a sender value no matter from where you send the
message.

>                               They have a wide variety of commonly-used
> avenues for implementing this.  Their webmail users don't have to change
> anything.  If hotmail admins still want people to be able to send
> hotmail from other machines, they can provide smtp-auth service.  How
> does this become a problem?

In practice, I think it would be impossible for Hotmail to provide
SMTP-AUTH.  First is that the problems of managing the authenticating
shared secrets for millions of users with an incredibly high "churn"
rate would be killers.  Second, many Hotmail users could not use
SMTP-AUTH because SMTP-AUTH uses port 25 which is more commonly filtered
for users likely to pick a free provider than others.

Yes, when port 25 is filtered, running your own out-going MTA also
doesn't work,  There is also SUBMIT which uses port 587.



> VS> Another common case involves people traveling.  If you plug your laptop
> VS> into the network of a hotel or one of your consulting clients, you
> VS> might prefer to use an envelope and From header address at your home
> VS> systems instead of room1234@losangeles.merriot.com or guest@example.com.
>
> So they send the mail through their own office's mail servers.  Again,
> no problem.

That's a problem or not depending on how they normally send mail.


> ...
> Hotmail has a strong incentive to adopt RMX records--it would give them
> the ability to prevent spammers to send mail claiming to come from
> hotmail.com.  Which means potential recipients of hotmail.com mail would
> stop thinking they're the source of all the world's spam.

How do you know that incentive is strong for Hotmail?  How do you know
it is stronger than the prospect of driving away at least some users?

> I tend to disagree with the implication that having RMX would drive away 
> any significant number of hotmail users.  Most of them simply access the 
> webmail interface; since hotmail does not forward, they need to use it to 
> read their email anyway.

Most of the people I know who use Hotmail return addresses do not
use Hotmail's systems to send mail.


> >   - it assumes that you can't already decide to accept mail with Hotmail
> >       sender addresses only if it comes from a Hotmail SMTP client.  In
> >       fact it is common to check that the source of Hotmail mail is
> >       Hotmail.
>
> Sure, you can search on the web to find what hotmail.com's outgoing mail
> servers are, and set up special filters on your system to only accept mail
> from hotmail.com provided it arrives from one of those.  The system works
> for hotmail.com--and only hotmail.com--until they change the IP addresses
> of their mail servers, at which time they seem unlikely to inform you.

That is wrong.  The common procedure has nothing to do with web
searching but is comparing the reverse DNS name of the STMP client
with the envelope sender domain.  That works for many and probably
most major free providers as a sort of self-fullfilling prophecy.
Many people who might use the RMX have imposed this check on mail from
major free providers for many years.


> Why not just use RMX, which automates all of this?

Because the reverse DNS check already automates it?


> ...
> >   - if you want to mark systems that follow Paul's convention so that
> >       you know which don't, you could pick a large MX preference that
> >       its extremely unlikely to be used for anything today.  For
> >       example, I bet that among the millions of MX RRs today, none
> >       has the preference 65391.
>
> This is a reasonable alternative, but isn't it simpler to post RMX records
> instead?  Rather than introducing a new special case in an existing RR,
> you introduce an RR for that purpose.

That seems clear and unambiguous, but I can't believe I understand it.
Do you really mean to claim that creating a new RR type is not vastly
more difficult than special casing an unused MX preference but easier?


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg