nanog mailing list archives
Re: IETF SMTP Working Group Proposal at smtpng.org
From: Valdis.Kletnieks () vt edu
Date: Wed, 21 Aug 2002 16:36:26 -0400
On Wed, 21 Aug 2002 15:55:41 EDT, Jared Mauch said:
There is an important need to perform callback but allow for the ability to protect information from possible spammers for harvesting/verification. eg:

    220 welcome, but no spam
    ehlo spammer
    250-callback-secure
    250 help
    mail from:<spammer () hotmail com> callback=spammer.example.com
    250 ok
    rcpt to:<jared () nether net>
    451 try again, pending callback
OK.. So now *you* have to callback and pick up the spammer's mail. What did that gain you?
there's also the need to do some sort of pki to allow callback to be secure. eg: the dns record for nether.net should have some public-key in it and then some other stuff like possibly
Much easier would be to use the existing STARTTLS stuff and use the cert presented to decide if you want to accept the mail.

    mail from:<realuser () hotmail com> callback=validate.hotmail.com;key=<alkjsdfj>

then pass the 'key' through the public-key available via dns to provide back an authentication system to allow for more secure callback.
Note that the concept of a "callback" doesn't mean the same things on an IP network as it did on a POTS network. Not that callback on the POTS network was ever as secure as people thought, anyhow...
but this can still be abused depending...
Well, given that the spammer is given the opportunity to specify where to call back *TO*, you're not buying yourself anything - of COURSE the spammer is going to point you at a system where they control the horizontal and vertical. The only callback systems that ever came anywhere near working on the POTS network were ones that you told the callback "this is Fred. Call me back at the home number you've been configured with", and it called you at Fred's previously-configured phone number. Having it say 'This is Fred, call me back at 127.0.4.5' doesn't do anything for security if you're just going to call 127.0.4.5.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
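Added example, not part of the original message or of any SMTP implementation: a receiver-side sketch of the difference between calling back to the host named in the client's MAIL FROM and calling back only to a host configured out of band for the sender's domain. The `callback=` parameter is the hypothetical one from the quoted proposal; the lookup table and both sample commands are constructed.

```python
import re

# Hypothetical "callback=" MAIL FROM parameter from the proposal quoted in the
# thread; it is not part of any deployed SMTP extension.
MAIL_FROM = re.compile(
    r"^mail from:<([^<>@\s]+)@([^<>@\s]+)>(?:\s+callback=([^\s;]+))?",
    re.IGNORECASE)

# Constructed receiver-side table: the callback host configured out of band
# for each sender domain (the "home number you've been configured with").
CONFIGURED_CALLBACK = {"hotmail.com": "validate.hotmail.com"}


def parse_mail_from(line):
    """Return (sender_domain, claimed_callback_host) or raise ValueError."""
    m = MAIL_FROM.match(line.strip())
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % line)
    _local, domain, callback = m.groups()
    return domain.lower(), callback.lower() if callback else None


def naive_target(line):
    """Call back wherever the client says: the client picks who vouches for it."""
    _domain, claimed = parse_mail_from(line)
    return claimed


def pinned_target(line, table=CONFIGURED_CALLBACK):
    """Call back only to the host configured for the sender's domain.

    Returns None (no callback is made) when the domain has no configured host
    or when the client's claim conflicts with the configured one.
    """
    domain, claimed = parse_mail_from(line)
    expected = table.get(domain)
    if expected is None or (claimed is not None and claimed != expected):
        return None
    return expected


# Constructed sample commands modelled on the two in the thread.
FORGED = "mail from:<spammer@hotmail.com> callback=spammer.example.com"
GENUINE = "mail from:<realuser@hotmail.com> callback=validate.hotmail.com;key=abc"

if __name__ == "__main__":
    for cmd in (FORGED, GENUINE):
        print(cmd, "| naive ->", naive_target(cmd), "| pinned ->", pinned_target(cmd))
```

With the pinned policy the value the client supplies can only cause a refusal; it never chooses which host the receiver contacts.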