Re: A request to all mail admins
From: Jem Berkes (jb_at_users.pc9.org)
Date: 08/28/03
- Next message: Joe Shmoe: "Re: Port Scans - grc.com vs pcflank.com Who do I believe?"
- Previous message: Nils Petter Vaskinn: "Re: A request to all mail admins"
- In reply to: Tim Haynes: "Re: A request to all mail admins"
- Next in thread: Nils Petter Vaskinn: "Re: A request to all mail admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Aug 2003 15:41:51 GMT
>> One suggestion that has been well formulated is the RMX resource
>> record in DNS. A domain owner would list all mail servers authorized
>> to send mail on behalf of the domain name. Mail servers that support
>> RMX checking would do a type=RMX lookup on the domain name in the
>> From field, and get back a list of authorized relay IPs for the
>> domain. Then it's a simple check; is the connecting mail relay one of
>> these authorized IPs?
>
> Does this thing contain netblocks instead of just IP#s, so an ISP's
> allocated blocks could be trusted? I mean, I wouldn't want to adopt
> such a system if I couldn't say that stirfried.vegetable.org.uk was OK
> to come from blueyonder's netblocks in entirety.
That's interesting. Come to think of it, I would have a similar situation
where pc9.org is somewhat dynamic. I don't know exactly how RMX will be
implemented, but maybe it could support CNAMEs?
> Speaking of which: it's entirely possible to abuse this system, isn't
> it? You just send your spam in the name of a domain you own, or an
> equally-evil friend owns, and they set their permitted netblock to 0/0
> in the RMX records.
It won't stop people from sending spam from their own domains, but it
will offer domain owners a way to protect their domain names from being
abused. In the context of this thread, domains supporting RMX would not
be the victims of these bounces because a mail server would know that
this email did not actually come from there.
> If you include netblocks, it's going to be open to abuse. If you
> don't, and only permit spot IP#s to send mails in the name of a given
> domain, the zone-files are going to get *large*, arguably to the
> extent that it becomes inefficient to transfer even 256 IP#s for the
> size of a small (1-liner) spam.
Well there's no reason you can't update your RMX records just as you do
your domain's A. I don't think this is a huge problem...
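
The check discussed in this message, sketched as an added example (not part of the original post and not the RMX record format): a receiving server compares the connecting relay's IP against the networks a From domain has authorized, and separately flags a 0/0-style entry. The `AUTHORIZED` table, the `MIN_PREFIX` threshold and the function names are hypothetical; the data stands in for whatever a type=RMX lookup would return.

```python
import ipaddress

# Constructed sample data: hypothetical per-domain lists of authorized
# sending networks. NOT the RMX record syntax, only a stand-in for the
# answer a type=RMX lookup on the From domain would give.
AUTHORIZED = {
    "example.org": ["192.0.2.25/32", "198.51.100.0/24"],
    "spammer.example": ["0.0.0.0/0"],
}

# Assumed local policy: an IPv4 block wider than /16 authorizes so much
# address space that a match says nothing about the sender.
MIN_PREFIX = 16


def sender_domain(from_addr):
    """Return the lower-cased domain part of an address, or None."""
    local, sep, domain = from_addr.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def check_relay(from_addr, connecting_ip, records=AUTHORIZED):
    """Classify a connection as 'pass', 'fail', 'none' or 'overbroad'."""
    domain = sender_domain(from_addr)
    if domain is None or domain not in records:
        return "none"  # domain publishes nothing: no basis to reject
    ip = ipaddress.ip_address(connecting_ip)
    matched_broad = False
    for entry in records[domain]:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        if net.prefixlen >= MIN_PREFIX:
            return "pass"  # a specific authorization covers this relay
        matched_broad = True  # only a 0/0-style entry matched so far
    return "overbroad" if matched_broad else "fail"
```

A "fail" result is the case relevant to the bounces discussed in the thread: the named domain publishes a list and the connecting relay is not on it.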