On Wed, 29 Oct 1997, Richard Welty wrote:
there is provision for sender verification in the exim MTA (a drop in sendmail replacement that a lot of people are starting to switch to.) i used it for a while, but it's overly sensitive to sluggish and/or malconfigured DNS in its current form, so i had to turn it off to avoid complaints about legitmate business related email getting canned by administrative prohibition.
the verification only assured that the domain in the helo was legit, and the domain in the mail from: was legit; it didn't do anything useful for spammers with addresses like 12345678@aol.com, unfortunately.
Even if AOL allowed VRFY so you could connect back to them and verify that the given address was valid, you still have the problem of what if the message being sent isn't sent by the owner of that address. I could easily send mail that had postmaster@aol.com as the from address, and that is certainly a valid from address, but it isn't the correct one. The problem is that fundamentally you can verify that the supplied from address is "correct" based soley on what is supplied in the message. The only way I know to do this is to also require something that is not sent in the message, but is reflected in the message, such as a digital signature. If every MTA signed outgoing messages, the receiving MTA could then decide whether to accept that message based on the certifying autority chain. You can then rely on CA's policies to base your acceptance of incoming mail. If you get spammed, you know who did it by the signature, you report it to their CA (assuming the CA's policy says you can't send out unsolicited email), they investigate it and revoke their certificate if they broke the rules. If say, an ISP has a dialup customer send spam, they should be able to demonstrate the user that sent it has been terminated and avoid being decertified. Of course, some CA's could require proactive policies (require correct from address at that ISP, limit the number of outgoing messages, block connections to third-party MTAs, etc) in the ISP, and someone that wanted to make sure they didn't get any spam would only accept messages signed by those CA's with that policy. I'm not naive enough to think this (or any similarly effective implementation) will actually be done any time soon. There are simply too many MTAs out there, many of which are never upgraded. I do think that something along these lines which allow the technology to enforce policy automatically is the only way to truly eliminate spam. John Tamplin Traveller Information Services jat@Traveller.COM 2104 West Ferry Way 205/883-4233x7007 Huntsville, AL 35801