Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IETF SMTP Working Group Proposal at

  • From: Valdis.Kletnieks
  • Date: Wed Aug 21 17:16:02 2002

On Wed, 21 Aug 2002 15:55:41 EDT, Jared Mauch said:

>         There is an important need to perform callback but allow for
> the ability to protect information from possible spammers for
> harvesting/verificiation.
>         eg:
>         220 welcome, but no spam
>         ehlo spammer
>         250-callback-secure
>         250 help
>         mail from:<>
>         250 ok
>         rcpt to:<>
>         451 try again, pending callback

OK.. So now *you* have to callback and pick up the spammer's mail.

What did that gain you?

>         there's also the need to do some sort of pki to allow
> callback to be secure.  eg: the dns record for should have
> some public-key in it and then some other stuff like possibly

Much easier would be to use the existing STARTLS stuff and use the cert
presented to decide if you want to accept the mail.  

> mail from:<>;key=<alkjsdfj>   
> then pass the 'key' through the public-key availble via dns to
> provide back an authentication system to allow for more secure
> callback.

Note that the concept of a "callback" doesn't mean the same things on an
IP network as it did on a POTS network.  Not that callback on the POTS
network was ever as secure as people thought, anyhow...

>         but this can still be abused depending...

Well, given that the spammer is given the opportunity to specify where to
call back *TO*, you're not buying yourself anything- of COURSE the spammer is going to
point you at a system where they control the horizontal and vertical.

The only callback systems that ever came anywhere near working on the POTS
network were ones that you told the callback "this is Fred. Call me back at
the home number you've been configured with", and it called you at Fred's
previously-configured phone number.  Having it say 'This is Fred, call me
back at' doesnt do anything for security if you're just going to
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Attachment: pgp00019.pgp
Description: PGP signature

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.