Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SPF>
  3. Devel
Does SRS need a full return path?
spf at anarres
Feb 8, 2004, 4:01 PM
Post #1 of 1 (838 views)
Permalink
The questions of
* "Do we want shortcutting in SRS?"
* "Do we need a database?"
* "How long will the local-part get?"
centre around the question of whether or not a returning or bounced mail
needs to traverse the full outgoing path.


=== Some points in favour:

* This keeps a full accountability trail.
- Discarding any host from the accounting trail (i.e. shortcutting)
introduces a "weakness" (the scale of which is discussed below).

* If a spammer is in that path, then he will need to process every bounce.


=== Some points against:

* The data about the full return path needs to be stored either in the
local part or in a database; neither of these solutions is ideal.

* Every system on the return path is a point of failure.

* This does not necessarily incur any costs on the spammer.
- A spammer may register a domain X, set up SPF to allow posting @X from
machine A, but set the MX for X to B. B can be any machine on the
internet and is not necessarily owned by the spammer. The return path
becomes invalid anyway.

* For spam-trap purposes, we must assume that the information about the
spammer in the path is visible to the target system, i.e. not hidden in
a database somewhere.


=== The solution:

I think that REQUIRING the maintenance of the full path is unnecessary and
unenforceable. It can be made unnecessary if the utility to a spammer of
being a shortcutted link in an SRS chain can be minimised. It's
unenforcable because once you publish a standard format, any forwarder who
doesn't want to deal with the cost of bounces going back to them will just
implement shortcutting anyway.

Minimising the utility to the spammer is the tricky bit. Meng Weng Wong
and I opened a brief discussion on this the other day and I will try to
bring the points to light here.


=== The weaknesses:

* Let a mail from A go via B and C to D.
* C shortcuts, and so D sees a return address to A just via C.
* B is the spammer. Therefore A probably doesn't exist. Who cares.

The possible scenarios so far are the following:

1) The mail is a spam and D receives it.
- The spammer has to discover an SRS compliant relay which forwards
mails to a given target address. This is not easy, and one will not
generally exist. Therefore, the likelihood of this as a spam delivery
technique is low.

2) D is also the spammer. Now D can use reverse SRS on C as a relay to A.
- D has to set up an SRS reverse for every A he wants to spam.
- This can only be implemented if C allows spammers to set up SRS-aware
forwarding at little cost. There are not many such systems.


There are also several invalid scenarios, including the possibilities of
partial shortcutting, none of which introduce any new elements.


=== The questions to the community:

* Can the spammer gain utility if shortcutting is implemented?
* How much net utility is gained?
* How is this utility gained?

S.

--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@Ë`Ì{5¤¨wâÇSÓ°)h

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal