Re: [Asrg] C/R Interworking Framework

Yakov Shafranovich <> Mon, 09 June 2003 22:07 UTC

Received: from ( [] (may be forged)) by (8.9.1a/8.9.1a) with ESMTP id SAA22931 for <>; Mon, 9 Jun 2003 18:07:11 -0400 (EDT)
Received: (from mailnull@localhost) by (8.11.6/8.11.6) id h59M6lv08312 for; Mon, 9 Jun 2003 18:06:47 -0400
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h59M6lB08309 for <>; Mon, 9 Jun 2003 18:06:47 -0400
Received: from ietf-mx ( []) by (8.9.1a/8.9.1a) with ESMTP id SAA22881; Mon, 9 Jun 2003 18:06:40 -0400 (EDT)
Received: from ietf-mx ([]) by ietf-mx with esmtp (Exim 4.12) id 19PUkr-0007Nz-00; Mon, 09 Jun 2003 18:04:41 -0400
Received: from ([] by ietf-mx with esmtp (Exim 4.12) id 19PUkr-0007Nw-00; Mon, 09 Jun 2003 18:04:41 -0400
Received: from (localhost.localdomain []) by (8.11.6/8.11.6) with ESMTP id h59M5CB08285; Mon, 9 Jun 2003 18:05:12 -0400
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h59M4vB08243 for <>; Mon, 9 Jun 2003 18:04:57 -0400
Received: from ietf-mx ( []) by (8.9.1a/8.9.1a) with ESMTP id SAA22677 for <>; Mon, 9 Jun 2003 18:04:50 -0400 (EDT)
Received: from ietf-mx ([]) by ietf-mx with esmtp (Exim 4.12) id 19PUj5-0007NX-00 for; Mon, 09 Jun 2003 18:02:51 -0400
Received: from ([] helo= by ietf-mx with smtp (Exim 4.12) id 19PUj1-0007NU-00 for; Mon, 09 Jun 2003 18:02:48 -0400
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
To: Rob Cameron <>,
From: Yakov Shafranovich <>
Subject: Re: [Asrg] C/R Interworking Framework
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
X-GCMulti: 1
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <>, <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
List-Archive: <>
Date: Mon, 09 Jun 2003 18:04:22 -0400

At 01:32 PM 6/9/2003 -0700, Rob Cameron wrote:
>Although there are good arguments in favour of issuing
>challenges to the MAIL FROM envelope header when
>it differs from the RFC 2822 From: field, I do not think
>that C/R systems should consider challenges to be delivery
>status notifications (DSNs).

What about defining CRI within the "Multipart/Report" MIME type defined by 
RFC 3462 (as follows)?

" The Multipart/Report MIME content-type is a general "family" or 
"container" type for electronic mail reports of any kind."

>(1)  A DSN is logically a communication from the MTA,
>acting like a postal worker.   Some C/R systems will view a
>challenge as a communication from the MUA, acting like a
>secretary. (In our research, we use the term e-secretary and
>envisage a protocol to define the future interoperation of
>e-secretaries to carry out a variety of low-level messaging
>tasks on behalf of mailbox owners).

That is a valid point, DSNs are used exclusively for MTAs. However in many 
cases in systems such as Earthlink or Titan Key, the MTA is the one that is 
responsible for the C/R interaction BEFORE the email reaches the MUA. In 
TitanKey's case specifically, the C/R process begins at the SMTP level, 
before email reaches the MUA.

>2) A DSN is designed as a terminal communication, in which
>the MAIL FROM address <> is used to indicate that a reply
>should not be made.   But the purpose of a challenge, to a
>legitimate sender, is to solicit a reply.
>(3)  A challenge sent as a DSN is likely to be confusing
>to a human who receives it, depending on MUA behaviour.

Why would a challenge be sent to a DSN? The challenge itself is being sent 
as a DSN with no return MAIL FROM path, thus it cannot be challenged unless 
the sender starts interpreting the headers.

>(4)  To automatically reply to challenges as DSNs, software
>that otherwise knows never to reply to a DSN will need to
>be modified to violate this principle.

Correct that's why DSNs might not be the best solution, however we can use 
it as a basis for the CRI protocol.

>For the purpose of the Internetworking Framework, I don't
>think that we should assume that challenges/responses will only
>be generated to the MAIL FROM field.   Rather, the framework
>should be robust enough to handle challenges/responses to
>either the envelope MAIL FROM or the From: message field.
>Indeed, I think that the framework should make a statement
>something like the following.
>"In formulating a challenge message, a C/R system should use
>the MAIL FROM envelope header and the from, reply-to
>and sender message headers for appropriate purposes.   However,
>a C/R system must ensure that it is capable of receiving and
>correctly processing a response sent to any address mentioned in
>any of these fields."

For systems such as Titan Key where negotiation is done on SMTP level, only 
the MAIL FROM field is used. If its empty, then the system fails. We should 
probably add guidelines that in case empty <> is specified, the C/R system 
should accept the message and use its "From" field.

>Beyond this, I also think that C/R systems should be required
>to provide full support for message-id, in-reply-to and references
>headers.  That is, the framework should state that challenges
>and responses must (not should) provide a unique message-id
>and must (not should) properly form in-reply-to and references
>headers from prior e-mails in the chain.    By implementing these
>RFC2822 recommendations, C/R systems will give each other
>valuable information to address both looping and spoofing


Asrg mailing list