on Sat, Aug 30, 2003 at 10:42:17AM +1000, Brian May ([EMAIL PROTECTED]) wrote:
> On Fri, Aug 29, 2003 at 03:48:13PM +1000, Craig Sanders wrote:
> > the point that you keep on missing is that TMDA and similar programs send
> > "confirmation" emails to innocent third-parties who did *NOT* send an email.
> >
> > TMDA and all C-R systems are broken-by-design, just as many stupid end-user
> > "autoresponders" and AV-scanners that send notifications back to the forged
> > sender address are broken-by-design.
>
> You're saying that any SMTP MTA that sends bounces to unauthenticated
> E-Mail addresses is also broken?
At the very least, this is a small subset of the incoming mail. There are
probably bad practices, which should be fixed. The aim is also one which is
presumably useful: if the sender is valid, then advising them that a message
was not delivered is arguably useful (note that I regard most delivery failure
messages as junk).

Most importantly: the MTA isn't sending mail out willy-nilly to offload a cost
(filtering, content assessment) to a third party. It's taking an action on a
(hopefully) limited number of mails which cannot be delivered. The SMTP envelope
reply address should be given precedence, and an SMTP error precedence over any
bounce.

> That is the idea behind autoresponders after all, to tell the sender
> that his mail didn't get through because it didn't meet some required
> criteria.

"The message can't be delivered because of addressing errors" is a different
class of error than "I can't be bothered to see if this mail is worth reading,
despite its being properly addressed to me".

> Even encryption does not help here, or at least I have not seen any
> proposals for any system that could scale to the Internet. GPG for
> instance only verifies the sender to the receiver, it could not be used
> to verify every sender to the MTAs involved.

A publicly available key, with an email address (or addresses), validated
against contents, is usable. It doesn't validate the sender, but it provides a
level of indication that someone went through the trouble of getting a key,
posting it publicly, and signing (and/or encrypting) content with it. That's
more elbow grease than your garden-variety spammer.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Hollings: bought, paid for, but couldn't deliver the CBDTPA:
     http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
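The delivery rules sketched in the message above (answer addressing errors inside the SMTP transaction, bounce an already-accepted message only to the envelope sender and never to the null sender, and generate no outbound mail at all when the problem is content assessment rather than addressing) as a small Python model. This is an added example, not code from the thread or from any real MTA; the domain, the mailbox list, the spam-score threshold and every address used are constructed for illustration.

```python
# Added example: a toy model of the inbound-mail decisions discussed in the
# thread.  Not code from the thread or from any real MTA; LOCAL_DOMAIN,
# LOCAL_USERS and every address below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_DOMAIN = "example.com"            # constructed
LOCAL_USERS = {"alice", "bob"}          # constructed mailbox list


@dataclass
class Envelope:
    mail_from: str    # SMTP MAIL FROM; "" stands for the null sender (<>)
    rcpt_to: str      # SMTP RCPT TO
    header_from: str  # RFC 2822 From: header; trivially forged, so nothing
                      # below ever uses it as a reply target


def rcpt_response(env: Envelope) -> str:
    """SMTP reply to RCPT TO.

    An addressing error is answered inside the SMTP transaction with a 5xx
    code.  The connecting client carries the cost of reporting it and this
    host never originates a message of its own, so a forged sender cannot be
    hit with backscatter from here.
    """
    local, at, domain = env.rcpt_to.rpartition("@")
    if not at or domain.lower() != LOCAL_DOMAIN:
        return "554 5.7.1 relay access denied"
    if local.lower() not in LOCAL_USERS:
        return "550 5.1.1 user unknown"
    return "250 2.1.5 ok"


def bounce_target(env: Envelope, deliverable: bool) -> Optional[str]:
    """Who, if anyone, gets a delivery-failure notice for a message that was
    already accepted (250 at RCPT) and only later turned out undeliverable
    (full mailbox, failed hand-off to an internal host, and so on).

    Returns None when no notice may be sent.  Two rules from the discussion:
    the envelope sender takes precedence over the From: header, and the null
    sender (<>) is never bounced to, which is what keeps bounces from looping.
    """
    if deliverable:
        return None
    if env.mail_from == "":
        return None
    return env.mail_from


def content_filter_action(spam_score: float, threshold: float = 5.0) -> str:
    """Post-acceptance handling of a correctly addressed message that a
    content filter dislikes.  That is not an addressing error, so it yields
    no outbound mail at all: the message is delivered or quarantined locally,
    never bounced or challenged.  The threshold is a constructed value.
    """
    return "quarantine" if spam_score >= threshold else "deliver"


def handle(env: Envelope, deliverable: bool = True, spam_score: float = 0.0
           ) -> Tuple[str, Optional[str], Optional[str]]:
    """Run one message through the three stages.

    Returns (rcpt_reply, bounce_to, local_action).  bounce_to is the only
    address this host would ever originate mail to, and it is never the
    From: header.
    """
    reply = rcpt_response(env)
    if not reply.startswith("250"):
        return reply, None, None                 # refused in-transaction
    bounce_to = bounce_target(env, deliverable)
    if bounce_to is not None:
        return reply, bounce_to, None            # one notice, to MAIL FROM
    if not deliverable:
        return reply, None, "drop"               # undeliverable, null sender
    return reply, None, content_filter_action(spam_score)
```

The three return shapes of `handle` correspond to the three cases the message distinguishes: a 5xx during RCPT costs this host nothing and produces no mail; a bounce after acceptance goes to exactly one address, the envelope sender, and not at all when that sender is `<>`; and a content-filter verdict on properly addressed mail produces a local action only.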