Directories

comments on directory services
 Tuesday, February 04, 2003

AUTHenticated Sending

Jeremy Zawodny and some other yahooligans were discussing a bit of a change to the guy shuffling your mail about the network:
One of the ideas tossed about was to implement a system that would make it easy for any MTA (Mail Transfer Agent--the programs that deliver e-mail on the Internet) to verify that a message that claims to be from somebody@yahoo.com really is from a yahoo.com user.

Any MTA? Or the MTA at Yahoo?

This basically entails linking the MTA to the directory so that the contents of the RFC 821 MAIL FROM: envelope header are confirmed to be valid, deliverable addresses. This is distinctly different from confirming that the MAIL FROM: belongs to the sender, which is one of the things the SMTP Authentication extension attempts to do — assuming that the entity with the ability to authenticate to the MTA is also the entity whose address is in the MAIL FROM: header. However, confirming that the sender's address is valid, even for one's own domains, exposes another problem — automated scanning of the directory — while not effectively eliminating the problem of fraudulent senders.

Say someone would like to deliver mail to someone@yahoo.com, but wishes to not use their own address. They would merely need to use another @yahoo.com address, not the same as the recipient address, as the sender. Authentication would work to ensure that the sending entity has at least some passing relation to whom the mail says it is from, but with a free mail service there's no barrier to establishing disposable accounts for spamming purposes.

Now, the directory scanning would be made possible by collecting responses to addresses given as possible MAIL FROM:s. This is slightly more efficient than collecting non-delivery notifications resulting from a spam.
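
The difference between the two checks discussed above, as an added example that is not part of the original post: a directory-only MAIL FROM: check next to one bound to the SMTP AUTH identity, run over a constructed directory. The addresses, reply strings and function names are assumptions made for illustration.

```python
# Constructed directory: address -> owning account (stand-in for a real directory lookup).
DIRECTORY = {"alice@example.com": "alice", "bob@example.com": "bob"}

# Constructed list of sender addresses a client might present in MAIL FROM:.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def directory_only(mail_from, auth_user=None):
    """Check described in the post: accept MAIL FROM: if the address exists."""
    if mail_from.lower() in DIRECTORY:
        return "250 sender ok"
    return "550 sender rejected"


def auth_bound(mail_from, auth_user=None):
    """Stricter check: the address must belong to the SMTP AUTH identity.

    Unknown addresses and addresses owned by someone else get the same reply,
    so the reply cannot be used as a directory lookup.
    """
    owner = DIRECTORY.get(mail_from.lower())
    if auth_user is not None and owner == auth_user:
        return "250 sender ok"
    return "550 sender rejected"


def revealed(policy, candidates, auth_user=None):
    """Addresses whose existence a client can infer from the replies alone."""
    return sorted(c for c in candidates if policy(c, auth_user).startswith("250"))


def accepts_forgery(policy, claimed, auth_user=None):
    """True if the policy accepts a MAIL FROM: that is not the client's own address."""
    accepted = policy(claimed, auth_user).startswith("250")
    return accepted and DIRECTORY.get(claimed.lower()) != auth_user


if __name__ == "__main__":
    for policy in (directory_only, auth_bound):
        print(policy.__name__,
              "| reveals:", revealed(policy, CANDIDATES, auth_user="alice"),
              "| forged bob accepted:",
              accepts_forgery(policy, "bob@example.com", auth_user="alice"))
```

Neither policy does anything about disposable accounts on a free mail service, which is the remaining gap the post points out.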

On the other hand, we do want valid addresses, rather than fraudulent, invalid ones.

11:51:26 AM
categories: Directories, Messaging