
Re: [Asrg] Re: Receiver Initiated Authentication

From: Michael Kaplan <michaelkaplanasrg(at)gmail.com>
Date: Mon Sep 17 2007 - 11:52:35 EDT


On 9/17/07, Frank Ellermann <nobody@xyzzy.claranet.de> wrote:
>
> Michael Kaplan wrote:
>
> > The core of this concept is that questionable unauthenticated email
> > will be bounced
>
> I hope you mean "rejected", unsolicited bounces are evil.

Yes, in section 9 I summarize the Ironport data on the bounce problem, and it is a real problem.
Sometimes legitimate email is unauthenticated; adopting a policy of absolutely never sending a bounce in response to an unauthenticated email will degrade the integrity of email. Banning all such bounces solves one problem and creates another.

Indiscriminate bounces are the real problem with bounces. In section 9 I demonstrate what would happen if 50% of the global email population used RIA and 4% of incoming spam was bounced. The conclusion is that the average user will receive a 0.2% increase in 'spam' volume. Some individuals/entities will suffer a DDoS attack as their domains are heavily spoofed by spammers. In this worse case scenario RIA will increase their email volume by only 5% despite having 50% global participation in RIA. Again the real problem with bounces is indiscriminate bouncing, highly selective bouncing is relatively inconsequential. 50% of the global population would have near perfect protection from spam in exchange for only a slight increase in erroneous bounces.

> If whatever
> you do is some kind of "receiver generated SPF database" I also hope
> that folks like me, where all legit mails get a PASS, and anything
> else (including traditional forwarder scenarios) gets an SPF FAIL,
> don't need to worry about your concept.

Any email that gets an SPF FAIL will never be bounced. You never send spammy email, and all of your email is already authenticated. You will never even be aware of the existence of RIA as your emails will never be bounced. You need never use a sub-address, or you can use a deactivated sub-address - it really doesn't matter since your emails are unambiguously ham so they will always directly reach the inbox. Almost all email sent by individuals is unambiguously ham; most individual senders will remain completely unaffected by RIA.

> But I'm far from confident that that's the case, there are dubious
> statements on your page. Example:
>
> | A perfectly comprehensive SPF record would require every domain
> | administrator in the world to constantly update their domain's
> | SPF record; an impossible expectation.
>
> As long as the IPs and/or domain names describing the "border" of an
> alleged sender don't change the administrator has no reason to touch
> her SPF sender policy.

This is good; RIA will never block authenticated email from reputable senders. RIA will almost exclusively impact the less responsible senders who do not authenticate and also get a poor rating via a statistical filter.

> | Existing SPF cannot authenticate forwarded email.
>
> To some degree it can, receivers are free to whitelist forwarders
> based on a HELO PASS for the outgoing MTAs of trusted forwarders,
> and forwarders are free to become redistributors, i.e rewrite the
> MAIL FROM.

This is also good; email sent via trusted forwarders will be considered authenticated and RIA will not obstruct it. Some forwarders employ SRS, but some don't. Email sent without a sub-address via an untrusted forwarder that does not employ SRS will get bounced... but only if a statistical filter classifies the email as 'unsure'.


> [RIA]
> > Innocent third parties will be relatively unaffected by erroneous
> > bounces.
>
> If innocent third parties with an SPF PASS/FAIL policy are affected
> your system is broken. Many SPF participants can't add BATV to their
> setup, or won't even if they could for various reasons.

Bounces will not be sent to an SPF FAIL. See section 9 as to the impact on innocent third parties.

> If innocent third parties without BATV or without SPF PASS/FAIL
> policy are "relatively unaffected" they might have their own opinion
> about this issue. As an example I'd never allow Outlook Express to
> send "auto-responses". It's bad enough that I use this software at
> the moment.

If you (and 50% of the global email population) instituted RIA and subsequently became almost completely spam free, could you then live with the fact that non-participants in RIA and non-participants in BATV will suffer an average of a 0.2% increase in spam volume? Yes, a very small number of individuals will suffer a 5% increase in erroneous bounce traffic. 50% of the email population living spam free would be an extraordinary thing; I for one would be willing to live with the guilt.

Thank you for your input,
Michael
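The decision policy Kaplan describes across this message (SPF FAIL is never bounced, SPF PASS, trusted forwarders and sub-addresses count as authenticated, and only mail a statistical filter rates 'unsure' is bounced) can be written down as a small rule table. The following is an added illustration, not code from the ASRG thread or from RIA itself; the Message fields, the three verdict strings and the sample corpus are constructed assumptions for the sake of the example. It also separates an SMTP-time 5xx reject from an asynchronous bounce, since that distinction is what Ellermann's objection turns on: a reject never generates traffic to a possibly forged sender, a bounce does.

```python
"""Toy model of the RIA bounce/reject decision as described in the thread.

Added example; not the project's code. Assumed rules, taken from the message:
  * SPF FAIL                         -> reject at SMTP time, no bounce
  * SPF PASS, trusted forwarder,
    or valid sub-address             -> treated as authenticated, deliver
  * otherwise the statistical filter decides:
        'ham'    -> deliver
        'spam'   -> reject
        'unsure' -> the only case in which a bounce is generated
"""
from dataclasses import dataclass
from enum import Enum
from fractions import Fraction


class Action(Enum):
    DELIVER = "deliver"
    REJECT = "reject"    # SMTP-time 5xx; nothing is sent to the MAIL FROM
    BOUNCE = "bounce"    # asynchronous DSN to the (possibly forged) MAIL FROM


@dataclass(frozen=True)
class Message:
    spf: str                  # "pass", "fail", "softfail", "neutral", "none"
    forwarder_trusted: bool   # HELO PASS whitelist for a known forwarder
    subaddress_valid: bool    # recipient used a live RIA sub-address
    filter_verdict: str       # "ham", "spam", "unsure" (assumed labels)


def decide(msg: Message) -> Action:
    """Apply the assumed RIA policy to one message."""
    # Hard SPF FAIL: the sender policy says this host may not send for the
    # domain, so the mail is refused and no bounce is ever produced.
    if msg.spf == "fail":
        return Action.REJECT
    # Anything the receiver can treat as authenticated goes straight through.
    if msg.spf == "pass" or msg.forwarder_trusted or msg.subaddress_valid:
        return Action.DELIVER
    # Unauthenticated mail: only the filter's 'unsure' band is bounced.
    if msg.filter_verdict == "ham":
        return Action.DELIVER
    if msg.filter_verdict == "spam":
        return Action.REJECT
    if msg.filter_verdict == "unsure":
        return Action.BOUNCE
    raise ValueError(f"unknown filter verdict: {msg.filter_verdict!r}")


def bounce_fraction(messages) -> Fraction:
    """Share of a corpus that would produce an outbound bounce."""
    msgs = list(messages)
    bounced = sum(1 for m in msgs if decide(m) is Action.BOUNCE)
    return Fraction(bounced, len(msgs)) if msgs else Fraction(0)


# Constructed sample corpus (not real traffic); one message per interesting case.
SAMPLE = [
    Message("pass", False, False, "ham"),       # ordinary authenticated ham
    Message("fail", False, False, "unsure"),    # forged: rejected, never bounced
    Message("none", True, False, "unsure"),     # via trusted forwarder
    Message("none", False, True, "unsure"),     # unauthenticated but sub-addressed
    Message("neutral", False, False, "spam"),   # unauthenticated, filter says spam
    Message("none", False, False, "unsure"),    # the one case RIA bounces
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m, "->", decide(m).value)
    print("bounce fraction:", bounce_fraction(SAMPLE))
```

The model makes the thread's disagreement concrete: the only path that emits a bounce is unauthenticated mail with no sub-address and an 'unsure' verdict, so the bounce volume third parties see is bounded by how often forged mail from their domain lands in that band, which is the quantity Kaplan's section 9 estimates and Ellermann doubts.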



Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Received on Mon Sep 17 11:53:26 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 29 2007 - 14:15:56 EDT

