On Mon, 2005-01-31 at 16:50 -0500, Hector Santos wrote:
> Please Doug.
>
> You can't guarantee that an immediate router will be CSV compliant. So you
> have the same heterogeneous/mixed policy issues as SPF and all the rest of
> the proposals.

If the sending SMTP client publishes a CSV-CSA record, then this client
is both authenticated and authorized by the HELO domain. This permits
assessment of reputation which may supersede evaluation of the IP
address. It also permits direct and meaningful feedback to the
accountable administrator, as a means to rapidly respond to abuse.

Authorizations offered by SPF path registration is insufficient for
reputation assessments, as there is no assurance which administrator is
directly accountable for abusive messages. SPF does not authenticate
the sending domain, it only confirms authorization. Where many domains
have authorized an MTA with SPF, resolving abuse may become an expensive
process.

CSV allows such assessments to be made safely on an opportunistic basis
while not requiring heterogeneous adoption. CSV is also incorporating a
means to assert domain wide use of CSV as a means to discourage HELO
spoofing. Unlike SPF, CSV does not disrupt the normal use of mail nor
depend upon any tests or changes in MTA behavior.

> In addition, you have a MUCH higher overhead than most as you based on
> state point #1 - HELO/EHLO.

Authenticating the HELO is done within a single lookup with CSV. How
can this be a higher overhead?

SPF provides authorization for the MTA referenced by a sending mailbox
domain (without consensus as to which mailbox domain). While SPF could
also be extended to examine the HELO domain, those that have previously
published SPF records may not have ensured HELO domains resolve to an
SPF record. SPF evaluation of HELO was previously applied during the
sending of bounce messages, where the outcome would have been "unknown"
rather than "fail" without specific records in place. It is also likely
that SPF HELO records may require resolving the same large address space
as that needed for mailbox domains and is a DoS concern. : (

Changing SPF to apply a record at the zone cut against the HELO, in
addition to further increasing overhead, may now put some domains in
jeopardy due to a lack of proper record revisioning. Using the same
check_host routine and records, as used to examine mailbox domains, may
also permit unexpected exploits. Although the number of SPF records
could be few on average, the need to register potentially complex paths
always requires an excessive limit for the number of lookups.

> Now why would I want to do a HELO CSV check without determining:
>
> - Check to see if the sender is valid,
> - Final vs Route

MASS is addressing the need to safely authenticate the administrator of
originating sender domain. CSV addresses the need to protect the
network from abuse, and therefore only considers authenticating the
administrator of the immediate sending domain. CSV does not require
customers of various mail providers to have their various provider's
domains entered into their DNS records.

CSV will not inappropriately assess the customers of various providers
for a lapse in access control of some provider's server. The
administrators of the servers are accountable for security, not
customers.

> You will say;
>
> "Our new MAPS CSV/DNA service will take of this. We will vouch
> for the transaction."

Accurately authenticating the accountable domain's administrator (who is
permitting mail access), allows assessing reputation. There is value
from this information alone, as it also means the sending MTA has been
specifically authorized to send mail. This helps with detection of
zombies without the use of a vouching service. Securing the networks
will always require a reputation service, whether IP address based or
extended to using names. There are advantages using names with respect
to ensuring legitimate domains eliminate abusive accounts with the least
expenditure.

> But what if the SMTP operator does not want to use your new MAPS CSV/DNA
> service? What if you go out of business? What if you get enough support
> headaches from thousands of smaller systems that you decide to raise the
> price to filter out these bothersome clientele?

This seems to be putting the cart before the horse.

> Please, again.
>
> Give me something technically SOUND before even have to bother with the
> baloney that will come about with DNA like concepts.

The CLEAR design team is working diligently at ensuring CSV is sound.
There are models where reputation is provided as a service to the SMTP
servers. While CSV has made accommodations for a vouching model, it is
unknown which model will prevail. While bulk mail providers may favor
the vouching approach, a more significant number may rely upon a direct
reputation service model.

I should also note that BATV does not require any outside service to
address abusive bounce messages. Although SES is similar, it introduces
some security concerns by way of its syntax.

-Doug

----- Original Message -----
From: "Frank Ellermann" <***@xyzzy.claranet.de>
To: <ietf-***@imc.org>
Sent: Wednesday, February 02, 2005 8:07 AM
Subject: Re: So here it is one year later...


>
> BTW, I found that link on the page:
> <http://podcast.resource.org/rf-rfc/index.html#item0003>

Ha! How about this new "Think" protocol?

When you think connection-oriented transport services, think TCP!
When you think legacy protocols, think BOOTP!
When bandwidth is cheaper than memory, think MIME!
When you think impedence mismatch, think LDAP!

Hilarious!

Anyway, to the PlayPod radio host. GREAT IDEA!!!

How about getting some developer viewpoints in your shows?

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office

On Wed, 2005-02-02 at 14:07 +0100, Frank Ellermann wrote:
> Douglas Otis wrote:
>
> > SPF may say, "Here is a comprehensive address list", when in
> > reality it can never be comprehensive.
>
> Of course it is. There are at most 512 IPs sending mail from
> ***@xyzzy to ***@elsewhere. The other 254*256*256*256
> IPs don't do this, unless they are forwarding mail from me, and
> then it's something arranged by ***@elsewhere. He's free
> to do whatever he likes, but of course he shouldn't check one
> of his relay IPs against "my" 512 IPs.

Today, mail is not checked for a path registration against some
mailbox-domain, and forwarding works as expected. Now SPF allows any
mailbox-domain to be checked against path registration, according to
Schlitt's SPF draft. As a result, there is no assurance that a specific
mailbox-domain was checked. Recipients would be guessing which
mailbox-domain was used to authorize the message, assuming such
authorization was required. The benefits of this process remains highly
dubious.

On the promise of a benefit, this scheme requires administrators to
institute a program of white-listing servers that forward mail on behalf
of their customers. Such white-listing practices permit undetected
abuse, when these servers are excluded from the SPF rule-set (see
draft). This system goes from some mailbox-domain may have been
checked, to perhaps none, even when there is an SPF policy in place for
the sending mailbox-domains. Of course, there is the vast number that
still do not use SPF.

Forwarding of mail involves three parties, the sender-domain, the
recipient-domain, and the forwarding-domain.

A) You want the sender-domain to register all servers used, which is
not in keeping with the normal scale for a DNS response.

B) The recipient domain then must white-list all forwarding-domains
based upon information derived from their users.

Once the recipient-domain also employs the SPF rule-set for accepting
messages, these forwarded messages may become lost or rejected. Don't
forget about the change made with respect to HELO, where now even the
bounce may be refused. The needed feedback to know there is a problem
may have been lost due to the zone-cut change.

Do you still insist you can list all servers? You seem to be admitting
that you are leaving some of this listing work to the recipient-domain,
in that they must white-list forwarded accounts, some mailing-lists,
perhaps some hotel and network kiosks, etc. etc. Why not admit that it
is _impossible_ to include the entire list?

> And there at most 512 IPs who could say HELO xyzzy.claranet.de.
> In reality no MTA should do this, but for this minor detail SPF
> isn't good enough, maybe CSV could catch the remaining 512 IPs.
> BTW, can it ?

CSV does not attempt to include all the IP addresses for an entire
mailbox-domain, but instead limits a response to that of a single
server. There is no difficulty created when more servers are used for a
very large domain, even spanning millions of addresses. Each individual
response is limited to that for a specific server. Even the DNS entry
does not deal with addresses, as this process is automated within the
SRV RR type.

As a mail provider, the HELO could reflect which domain is generating
the traffic (with the cooperation of the sending domain). If the desire
is to isolate accountability, then the HELO technique could satisfy this
need, while not breaking mail to the same extent as attempting to
constrain mail to some mailbox-domain/IP address binding.

Although this is a function provided by the sending domain policy, a bit
within the CSV record could indicate the HELO will "always" be within
the domain of the MAILFROM. The reason not to make this assertion is
the same as why SPF should not make their assertions. It would always
be a lie. The difference is that CSV scales and could achieve the same
silly goal without abusing DNS. : )

> > This is a problem created by the sender
>
> "v=spf1 ip4:212.82.225.0/24 ip4:195.170.96.0/24 -all"
> isn't "a problem created by the sender", it's simply the truth.

I would say it is only half of the truth. The other half is the need
for random white-listing to keep from disrupting current widespread and
legitimate practices.

> > SPF does not prevent spoofing of the domain, as many share
> > common providers
>
> If somebody authorized to use one of these 512 IPs spoofs "my"
> vanity domain, then I'm sure that the abuse desk of my ISP can
> solve this problem very quickly, otherwise they'd risk to lose
> a happy customer.

You may have authorized several providers to send mail on behalf of your
domain, and discovered a problem by way of a poor reputation assessment
or, even worse, your mail being filtered. You will likely find it
difficult to learn where the problem originated and receive little
cooperation from reputation or filtering services, as they protect
sources. The several providers may not care whether you remain a happy
customer when you ask them to do additional work. Perhaps they only
consider Sender-ID a valid choice and you insist that logs be sorted for
SPF specifics. After all, SPF/Sender-ID ensures the problem is yours
and not theirs. Very likely, your recourse will be expensive and
perhaps futile.

> And SPF offers solutions for this situation where necessary,
> e.g. some existing policies use ? instead of + for shared IPs.

Providing a PTR list of CSV authenticated domains compared against a
mailbox-domain would achieve these filtering goals without hundreds of
DNS lookups, as potentially required by SPF. There is much less effort
maintaining names than huge address lists, and this response would fit
within the constraints of DNS.

> > there is no consensus which identities are checked against
> > such records (when these records are even examined)
>
> 2821-From and -HELO are checked. Anything else won't work as
> expected. Of course I can't force you to do "the right thing",
> you could check something else somewhere else, but why bother
> with DNS and SPF if you want some random rejects ? Try BLARS,
> its cheaper than SPF for this purpose.

Schlitt's SPF draft:
There are several possible ways that [an] authorization failure can
be ameliorated. ... Tests against some other identity may also be
used to override the test against the "MAIL FROM" identity.

If MAILFROM doesn't work, then try an assortment of mailbox-domains.
You can not say with any certainty, even for those following Schlitt's
draft, that a specific mailbox-domain was checked. Some chain of trust!

> > CSV is intended to protect the network using the same name
> > basis.
>
> So far I haven't seen any spoofed HELO xyzzy.claranet.de in
> bogus "bounces to" me, so probably CSV would have done nothing
> at all for my problem.

With a field not often checked, there is little reason to lie. Checking
the HELO is not disruptive, as it does not affect the content of the
envelope or the message. Using HELO to establish accountability
protects the owners of the mailbox-domains from being falsely accused
for having sent unauthenticated messages. Unlike other entities within
the message, without a signature, only the HELO can be authenticated.
SPF assertions assume a fallacious "chain of trust." Schlitt's draft
makes a mockery of that concept.

> > This domain assertion is not constrained to zone cuts. After
> > lengthy consideration, it was determined this too would be
> > inappropriate.
>
> Can it identify HELO xyzzy.claranet.de as rubbish ? I've read
> the discussions about SPF's "zone cut" in CLEAR, and the Jan 4
> plus Jan 6 entries in <http://www.livejournal.com/users/fanf/>
> - but that doesn't explain the details. And I haven't found a
> case where `nslookup -q=ns sub.dom.ain.example` fails to find
> the "zone cut".

There were several reasons for not using the zone-cut. There is some
blood on the floor regarding this topic. Complying with the way domains
and zones are used, how software is structured, and what is reasonable
to expect of the server in some odd cases, were the major reasons in my
view. For the most part, this draft is in its final stages. The design
team wishes to present their finished version rather than a series of
interim drafts. CSV is very much a team effort.

> > A well understood problem is not FUD
>
> Claiming that SPF causes mails to be lost is definitely FUD,

Odd, I would think that the mention of lost mail in Schlitt's SPF draft
would have removed the uncertainty and doubt. I still think fear is
well advised. : )

> Like the collection of monstrous lies in the PDF:
> <https://antiphishing.kavi.com/events/Conference_Notes/sender_auth_myths_and_domainkeys.pdf>

I would be interested to know what you find in error, besides too many
slides. : )

> BTW, I found that link on the page:
> <http://podcast.resource.org/rf-rfc/index.html#item0003>

Marshall and Andy fail to consider anything other than path registration
in this bit of nostalgia. They are consistent.

> > A script based language is inherently complex
>
> Yes, the macro language has its drawbacks, and the TINW in "we"
> had some problems to get it right for some obscure cases like a
> slash in a FQDN used as HELO. Actually that was in one of two
> relevant articles in MARID (with thanks to Julia and Margaret)
>
> OTOH Wayne now defined exactly 10 macro letters, 8 are used in
> sender policies, anything else is an error. That's not too
> complex. Don't try to convince me that the SPF "explanations"
> are ridiculous, I wouldn't disagree (one of the minor issues I
> hoped to get rid of in the former MARID WG, but here we are).
>
> [overall timeout]
> >> From the Schlitt's draft:
>
> ACK, error on my side, this "implementation detail" is still a
> part of the draft, and maybe I'll discuss it with Wayne on the
> SPF list, it's unnecessary. Of course there must be a way to
> report and log "local error conditions".

Let me remind you. A lookup may entail several queries to resolve the
resource. The timeout for each query typically involves a timeout of 5
seconds with perhaps 2 or 3 retries which double the timeout after each.
Waiting for a timeout to expire is how UDP is prevented from flooding a
network during congestion. With the 101 lookup limit (higher for
reverse DNS resolution), should an implementation attempt to resolve SPF
in parallel, there may be many outstanding DNS queries not completed
when everything starts anew for the next message. A slow DNS server
could entail an average of 3 queries per lookup which totals 303 queries
or about 25 minutes per message, without invoking a single timeout or
lookup limit! This time could be more than doubled by using reverse DNS
resolution. : (

> In the lentczner-drafts the optional overall timeout was a very
> important part of "processing limits" and indirectly "security
> considerations", now it's on the same level as say a "sigterm".

This view overlooks the need for UDP exponential fallback! Think of the
network and not just the program.

> > The draft requires these 101 to 201 lookup limits depending
> > upon the mechanisms.
>
> If you have some local reasons to ignore a sender policy, then
> just do it. And if you want a documented reason to state that
> a sender policy is erroneous follow the spec. The latter is a
> reason to reject the mail with a PermError, the sender policy
> has to be fixed.

Why write a spec and then imply that it should not be followed? Don't
you see a problem?

> > By checking per HELO, the rate CSV does a lookup is some
> > multiple less than SPF, and constrained to a single lookup
> > and not hundreds of lookups. This aspect is critical.
>
> For me it's critical that a forged "mail from me" is rejected,
> and CSV won't do this trick. If you think that the two lookups
> to check any "mail from me" are too much just don't do it.

SPF does NOT prevent mail from being mistaken as being from you. SPF
normally checks the MAILFROM. MAILFROM is rarely seen by the user. CSV
can authenticate the HELO domain, SPF can only determine that the
message has been authorized by a domain.

When one considers the need to stop spam, reputation is an important
aspect of that effort. No reputation service should hold a domain
culpable just because a message had been authorized. With the HELO
authenticated, any abuse will be attributed to the correct entity. With
SPF, you are using a weapon that does not always shoot straight. Unlike
SPF, CSV is as accurate as the underlying infrastructure.

> SPF worked for me as soon as some "important players" (defined
> from the POV of "my" spammer) implemented it, it's not critical
> if you don't use it.

Take the longer view and considering what is needed to improve security
and to better protect networks. There will be less mess than what may
be created by the many potential exploits enabled by SPF. Although SPF
may temporarily achieve some reductions in bounce traffic, BATV is a
better immediate solution. MASS and CLEAR still represent viable and
well considered solutions. SPF still should be discouraged.

-Doug