[Mimedefang] Checking for a valid sender

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Thu Nov 20 02:28:16 EST 2003


On Tue, 18 Nov 2003, Alan Madill wrote:

Actually, all this talk makes me nervous and believing that in the future
only a selected set of people are allowed to send email.

> > > Verify that the sender is real.  (there goes 90% of your spam).
> >
> > You'd never be able to verify senders from my environment.  Between the
>
> Not with the existing standards.  What is revealed is that there is
> user at yourdomain.org that is sending me mail.  I would assume that
> all of your servers trust each other.  If a protocol would allow your
> gateway machine to attest to the fact that user at yourdomain.org
> was legit when the message arrived at my server that would be
> verification enough.  All that would be required is that each server in
> the chain verify with the previous one that the sender exists and was
> allowed.

Well, please re-read your paragraph:

"My server is to trust the sender's MTA that the deliverer is valid."

The situation now is: I have to trust the remote MTA that the deliverer is
valid - but this "trust" is abused.

How would a _protocol_ ensure "trust" (I do stress the word protocol)?

Within the HTTPS world, it is not the protocol by itself, not SSL, not the
certificates that make the communication secure and _trustworthy_, but the
fact that I only trust a communication certified name of the remote host
and the fact that their certificate is signed by another certificate I
trust by default. Well, it costs big money, too.

So, do we have a _protocol_ that achieves this technique for mail
transfer? Yes: PGP and S/MIME.
Just define that you only accept mail that is signed with a publicly
retrievable signature that is signed (or certified) by a signature (or
certificate) you trust by default.

> > My apologies if this upsets you <snip>
>
> It doesn't upset me at all.  What does upset me is the massive
> amounts of spam that I have to deal with and the measures that I

The percentage of untagged SPAM in my mailbox is less than 5%; the
percentage of untagged virii in my mailbox is 0% (maybe it's also related
to the fact that I do not use MS Outlook or MS Office to open mails /
documents sent by untrusted people). The percentage of untagged SPAM in my
letter box (regardless of if private or on duty) or verbal SPAM I get
nerved by most often I pace through the floor or through a warehouse is
DRAMATICALLY higher.

> 95% of the spam, discarding well over 50%.  But 5% of 500
> messages a day is still 25 adverts that I have to delete by hand.

I get more legit mail sent to the wrong recipient than untagged SPAM. I
have to delete them, too.

===

I also hope that RMX won't dwell for long. Thinking about taking up roles,
e.g. in SourceForge projects using the SF mail address, or project XYZ
using the XYZ address; well it makes me really nervous.

Bye,

-- 
Steffen Kaiser


