Re: [Exim] yahoo.com makes callout senderverify unusable!?

Author: Ollie Cook
Date:  
To: Matthew Byng-Maddick
CC: exim-users
Subject: Re: [Exim] yahoo.com makes callout senderverify unusable!?
On Thu, Dec 04, 2003 at 06:11:39PM +0000, Matthew Byng-Maddick wrote:
> Why do you believe that what you're doing is not "spoofing" ? Why is it
> "bogus" to suggest you are?
>
> From: fine, MAIL FROM: not fine.


My opinion on this subject is that it's not appropriate to enforce a direct
relationship between mail emitters and sender domains, given the current use
cases and technology at our disposal.

There are so many 'legitimate' uses of email in the wild at the moment where
mail is emitted from hosts which have little to do with the sender domain (from
an audit trail point of view), that you are cutting off your nose to spite your
face if, as has been suggested in this thread, mail from particular sender
domains is only accepted from nominated hosts.

By 'legitimate' in this sense I mean that the admin of the emitter has
authorised the sender to relay through his mail host, and that this is an
acceptable use of the relevant protocols as specified in our standards
documents.

This thread has seen a number of scenarios mentioned in which this behaviour
occurs, so there's no need for me to elaborate on them.

It's a logical problem: that much unsolicited mail originates from
'non-nominated' hosts does not infer that all mail from 'non-nominated' hosts
is unsolicited. That both scenarios occur in the wild on such a scale will make
it extraordinarily difficult to separate one from the other.

I'm not convinced 'registration' and 'nomination' of hosts to sender domains is
the way forward though; although I don't have any alternative suggestions
myself.

Two large parts of this problem are the social and business aspects. Users
don't like having functionality removed, and telling them they can't relay
through a particular host because they used their vanity domain as the sender
address, even though they have done for years previously, wouldn't go down
well, for example. The business would be lost.

However, some ISPs have already gone down that route. BT Connect, for example,
refuse to accept outbound messages where the sender domain isn't one of theirs
(IIRC).

I think it very much depends on the users, the products and the market and as
is so often the case I don't think there is 'a solution' to this problem; it's
not going to be a one-size-fits-all remedy.

To summarise, I'm of a mind that it's a shame that we've got to a stage where
the distinctions between different uses of email have become so blurred, that
our use of the medium has grown in the ways it has, mostly unchecked, and that
as a result we're left with an almighty mess and no real way of sorting it with
the tools at our disposal at the moment. There are a lot of innovative people
out there, some are on this list, and I'm sure we'll get there eventually. I
must admit that I am disheartened by the situation we find ourselves in,
though.

At least it's keeping us on our toes... :)

Ol.
--
Oliver Cook    Systems Administrator, Claranet UK
ollie@???                  020 7903 3065