[snipped, return-path checking on steroids]
> If it was possible to check this, it truly would be a dream come true;
> this would solve much of the spam issue or at least make the sender
> responsible for their actions because they couldn't forge the From field.
> There were several huge discussions on slashdot about this, which I read
> in for ideas. The problem is getting everyone to ADOPT any proposed new
> scheme, so the best idea is to stick close to what we already have.
> One suggestion that has been well formulated is the RMX resource record
> in DNS. A domain owner would list all mail servers authorized to send
> mail on behalf of the domain name. Mail servers that support RMX checking
> would do a type=RMX lookup on the domain name in the From field, and get
> back a list of authorized relay IPs for the domain. Then it's a simple
> check; is the connecting mail relay one of these authorized IPs?
Does this thing contain netblocks instead of just IP#s, so an ISP's
allocated blocks could be trusted? I mean, I wouldn't want to adopt such a
system if I couldn't say that stirfried.vegetable.org.uk was OK to come
from blueyonder's netblocks in entirety.
(I have absolute control over that domain; I don't know what IP# BY are
going to allocate me over DHCP from their /16 pools tomorrow, but I do want
to be able to send mail direct from the Pigsty if I want, without fear of
it being rejected too often - heck, dialup-RBLs are evil enough.)
Speaking of which: it's entirely possible to abuse this system, isn't it?
You just send your spam in the name of a domain you own, or an equally-evil
friend owns, and they set their permitted netblock to 0/0 in the RMX
> It's a nice method because it's purely an extension of what already
> exists, using familiar DNS. And it allows hotmail.com and little domains
> alike the ability to protect _themselves_ from being used as forged
If you include netblocks, it's going to be open to abuse. If you don't, and
only permit spot IP#s to send mails in the name of a given domain, the
zone-files are going to get *large*, arguably to the extent that it becomes
inefficient to transfer even 256 IP#s for the size of a small (1-liner)
http://piglet.is.dreaming.org |and settled down to sleep.
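As an added illustration, not part of the thread, here is how a receiving mail server's RMX-style check could compare the connecting relay against the IPs or netblocks listed for the sender domain, and decline to extend trust to an entry such as 0/0. The table, domains and addresses are constructed (documentation ranges), the lookup is a stand-in for a DNS query, and the coverage cut-off is an assumption.

```python
import ipaddress

# Constructed stand-in for RMX records: sender domain -> list of netblocks or
# single IPs its owner claims may send mail on its behalf. RMX was a proposal,
# so this is not a real DNS lookup; all ranges are documentation addresses.
RMX_TABLE = {
    "stirfried.vegetable.org.uk": ["198.51.100.0/24", "203.0.113.0/24"],
    "example.net": ["192.0.2.25"],      # a single "spot" IP
    "evil.example": ["0.0.0.0/0"],      # the "everyone is authorized" case
}

# Hypothetical cut-off: an entry covering more addresses than this is treated
# as no real claim at all. "Any host may send for me" tells the receiver
# nothing it can use to hold a sender responsible.
MAX_ENTRY_ADDRESSES = 2 ** 16  # nothing wider than a /16 per entry


def rmx_lookup(domain):
    """Stand-in for a type=RMX DNS query; returns the record list or None."""
    return RMX_TABLE.get(domain)


def rmx_check(sender_domain, relay_ip):
    """Evaluate the connecting relay against the sender domain's RMX list.

    Returns one of:
      'none'      - the domain publishes no RMX data (cannot judge)
      'overbroad' - at least one entry is wider than the cut-off (untrusted)
      'pass'      - the relay IP falls inside a listed IP/netblock
      'fail'      - the domain publishes data and the relay is not listed
    """
    records = rmx_lookup(sender_domain)
    if records is None:
        return "none"
    networks = [ipaddress.ip_network(e, strict=False) for e in records]
    # Check breadth over the whole list first so the verdict does not depend
    # on the order in which the entries happen to be published.
    if any(net.num_addresses > MAX_ENTRY_ADDRESSES for net in networks):
        return "overbroad"
    ip = ipaddress.ip_address(relay_ip)
    return "pass" if any(ip in net for net in networks) else "fail"


if __name__ == "__main__":
    for dom, ip in [("stirfried.vegetable.org.uk", "198.51.100.42"),
                    ("example.net", "192.0.2.26"),
                    ("evil.example", "192.0.2.1")]:
        print(dom, ip, rmx_check(dom, ip))
```

Only 'pass' is a positive statement by the domain owner; 'none' and 'overbroad' leave the receiver exactly where it was before the lookup.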