New draft on internationalizing email addresses

Greetings. This message is Bcc'd to many IETF-related lists that are 
discussing internationalization, Internet mail and Usenet. With the 
imminent release of the RFCs for IDNA, Adam Costello and I have a 
proposal for allowing internationalized characters in email addresses 
(on both sides of the  <at> ). Instead of having it discussed on a bunch 
of different lists, there is a new list for discussing the draft and 
other ideas related to internationalizing email address.

If you are interested, please see <http://www.imc.org/ietf-imaa/> for 
information on the Internet Draft and the mailing list.

--Paul Hoffman, Director
--Internet Mail Consortium

Introduction and query

Re: Introduction and query

On Sun, 09 Feb 2003 20:21:42 PST, Adonis El Fakih <adonis <at> aynacorp.com>  said:

> I have submitted an Internet draft
> http://www.ietf.org/internet-drafts/draft-fakih-amdp-00.txt to ietf
> discussing the protocol along with its pros and cons. I also outlined an
> implementation guideline to enable developers to implement the protocol
> ASAP . I was also able to develop a demo implementation and tested it
> and the basic delivery system seems to work as described in the
> document. 

I've read through the draft, and find nothing that can't either already be done
in the current context of ESMTP and already-existing error codes and SMTP
extensions, or isn't a generally bad idea engineering or security wise.

A whole class of things addressed here (authentication and confidentiality)
were addressed in RFC1847:

1847 Security Multiparts for MIME: Multipart/Signed and
     Multipart/Encrypted. J. Galvin, S. Murphy, S. Crocker, N. Freed.
     October 1995. (Format: TXT=23679 bytes) (Status: PROPOSED STANDARD)

Feel free to use either S/MIME (RFC2623-2634) or OpenPGP (RFC3156) on top
of 1847, depending on your personal preference in PKI trust schemes.

There is a general failure throughout the draft to distinguish between
the concepts of "authentication" (proving who the sender of an e-mail is)
and "authorization" (whether I want to accept mail from this source).

In addition, it seems to make a general assumption that the same spammers
who currently lie through their teeth about such basic things as a From:
address will magically tell the truth in this scheme.  The draft would
benefit greatly from a careful re-reading, and at *each* point where the
sending system has to provide information, ask 2 questions:

1) Is this information that a spammer would feel motivated to lie about?
2) Does the protocol accept a source-provided value for the information?

A *very* basic precept in security is to not trust user-supplied data, and
this draft fails to do so in a huge number of ways.

I've not bothered thinking about scaling issues, as there are lots of basic
problems with the draft - the fact that it won't work on my laptop that only
handles 400-500 pieces of mail a day means that it's not worth asking how it
will fare on our central mail server that's seeing 200K POP3 connections an
hour, or how it will scale to the billions that Hotmail/MSN is seeing...

Now on to specifics... on page 15/16 we have:

           Use a trusted connection between [10] and [20].  This can be 
           achieved by enforcing the use of assigned internal IPÆs, 
           firewall, encryption, etc.  It is also recommended that the 
           connection does not use a clear text mechanism when possible.

This is already done by using SMTP AUTH and/or STARTTLS on port 587.

Page 20:

    4. The AMDP recipient server [70] will accept envelopes that meet 
        its business requirements, do not violate the public mail 
        policy [60], and can authenticate themselves.

The first two points are a purely internal matter (business requirements
and mail policy), and RFC2821, section 4.2.3 already lists this error code:

     550 Requested action not taken: mailbox unavailable
         (e.g., mailbox not found, no access, or command rejected 
         for policy reasons)

so an SMTP server is totally within its rights to return '550 Policy rejection'
for mail that it doesn't like.

"Can authenticate themselves" is also already doable already - simply reject
connections that don't do STARTTLS with a verified certificate.

The devil is in the details - the problem here isn't authentication, it's
authorization.  On the one hand, it is *certainly* doable to just say "I refuse
e-mail that I haven't previously authorized the sender". To see how broken this
is, consider that this policy would prevent your receipt of this e-mail, since
I'm fairly sure that I haven't sent you mail before.

On the other hand, simply saying "make them have a valid X.509 cert" isn't
workable either, for all the usual "whack-a-mole" reasons - unless you have
some way to make sure that spammers cannot get a cert, you can't use the
cert as a "I am not a spammer" test.

            serve the mail messages. However in both instances these 
            servers are authenticated as MHFs in the DNS entries of 
            Yahoo.com. 

And *OF COURSE*, the MHF for spammers-r-us.com is authenticated as such in
it's DNS.  And the whole idea of a callback is broken as well - you're
introducing a whole new TCP 3-way handshake, which doesn't prove anything.
If I want to prove that a business is legitimate, I don't call the phone
number they gave me - whoever answers the phone there will say of course they
are legit.  You need to call the Better Business Bureau or some similar
trusted third party and see what they say.  Similarly, if I get spam from
some site, I'm certainly *not* seriously expecting that I'll contact the
server that *THEY* tell me to contact, and have that server say "Don't
accept the mail, it's spam".  Again, an authentication/authorization issue.

        The MHF also keeps track of the email topics also known by 
        threads, by maintaining an active list of threads.  The 
        originating MHF will maintain the master copy of the thread 
        index.  When negotiating message ids, the servers can send the 
        updated thread keys to the receiving server if it requires 
        having the thread tree which is used to reference back the 
        thread.  This is useful to reduce the size of a message if it 
        is a thread so you do not need to send the original message 
        back and forth. A thread is also related to the to the 
        classification scheme, where the originator or sender can 
        classify the message.    

This makes the very broken assumption that there exists one server that
sees all of the thread *and is authoritative* for that thread.  If your
mail had also been posted to ietf-822 and that list was on a different server,
and then different subthreads which were sometimes cross-posted and sometimes
not, would horribly confuse the concept of "thread".

   Rejected Classifications 

      This defines the classifications that are not accepted by the 
      network administrator i.e. a government agency, or an elementary 
      school do not want to accept any mail from marketing firms. And 
      any MHF contacting them with such messages will be reported back 
      to the external incident reporting service [120]. 

Hello?  www.mail-abuse.org?  I'd like to report a spammer....

There's already a *LOT* of organizations that provide blacklists of
sites - if you can't name at least 6, you haven't been in the anti-spam
business long.  You probably want to think very long and hard about the
reasons for the existence of *so many* blacklists, and why there is still
spam increasing even with the existence of said lists....

      Government - This means that the emails generated are mainly 
      official in nature, and mass mailing is not expected from these. 

      Educational - This means that the emails generated are mainly 
      educational, and not to be confused with messages from .edu 
      domains.  A university may be classified as a business if its 
      emails are to prospective students, while domains or MHFÆs used to 
      server students email, can set this key to "Personal" or "Bulk" 
      depending on the volume of messages generated.  

Hmm... that puts vt.edu in quite the pickle.  We're a university, but we're
also an agency of the Commonwealth of Virginia.  For some things, we can also
be considered a $740M/year company...

And I would like to point out that such things as "government official mass
mailings" *do* exist (want to guess how the Governor gets information to as
many people as possible about things like changes to the pension plan? ;)

If "educational" isn't "mail from .edus", you're opening yourself up to a *BIG*
abuse hole - a spammer can just claim "he was just educating the public about
a new offer".

And there isn't much here to prevent a spammer from lying about the nature of
their "personal, not used for spam" domain, is there?

      This is the sub category of mail types and it is defined by the 
      user.  It lets the final recipient know what type of message it 
      is, and it used for informational purposes only, since there is no 
      way to guarantee that the field is used correctly.  However it is 

"No way to guarantee".  Exactly - that's the problem here.
--

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Re: Introduction and query

Re: Introduction and query

On Sun, 09 Feb 2003 23:08:10 PST, Adonis El Fakih said:

(OK, so it's insomnia time again..;)

> In SMTP you actually have to receive the message in its entirety before
> you can apply any of spam filters, unless you have a filter on email.

Quite correct.. However...

> In AMDP you do not have to do that at all, becuase the sender MUST keep
> the mail message on their OWN server, and send you an envelope
> describing its contents.

Notice that you still have to download the entire message to tell if the
other end is telling the truth regarding its contents.  And I've seen
enough Murkowski-compliant "Under S.1618, this message isn't spam if it
includes a remove link" spam to not believe that spammers will tell the
truth in the envelope.  As you yourself note - a big problem is that they
lie in the MAIL FROM - why would APMD-MAIL-CLASS contain truth?

If anything, this is actually doing the spammer a favor - it means that he
can save bandwidth.  Sites that have blacklisted them won't call back to
pick up the spam.

On the other hand, sites that have blacklisted the spammer already are free
to issue a 550 on the MAIL FROM or RCPT TO and thus skip the DATA phase, so
you're not actually providing any benefit here.

>                          Then they have to autheticate themselves so you
> know that a mail message is actually residing where the spammer/or non
> spammer says. Most of the spam today uses fake FROM, so this will stop
> this kind of abuse.

Actually, if you think really hard about it, you'll realize that this doesn't
*really* stop fake FROM - all it does is make the spammer use a throw-away
FROM address that happens to point to a server he controls.

>> There is a general failure throughout the draft to distinguish between 
>> the concepts of "authentication" (proving who the sender of an e-mail is) 
>> and "authorization" (whether I want to accept mail from this source). 
> Ok I should take than into consideraion when wording changes to document. 

It's more than just wording - it's a way of thinking.  It's even possible
to conceive and design authorization systems that don't involve any actual
authentication at all.  In this class fall proposals such as the "I don't
care who you are, but if you send me e-mail you first have to perform
such-and-such complex computation that will chew several seconds of CPU - this
won't matter to any legitimate one-off mail, but will matter to a spammer".

Another example of anonymous authorization would be a rate-limiting system,
where a mail server would say "I don't care WHO you are, you're only allowed X
msgs/hour per /24 of source address space without prior arrangement" - this is
already implemented in some systems, and deals nicely with the "one-off
anonymous personal mail" problem while drastically limiting what a spammer can
do.

> AMDP will enforce that mail received has to be from an explicitly assigned host
> by the domain admin. This is not available in SMTP anyone can do it, and if they
> do lie it will not accept the mail.

No - they merely can't use an existing domain.  All this forces is that the
spammer also has to get a DNS entry updated at the same time he buys his
network connectivity.

And if an ISP will sell bandwidth, they will likely sell DNS on the same
whack-a-mole contract.

>                                      They can make domains for that purpose, which
> becuase at this point the source of spam is known, which can not be traced at 
> all in smtp.

Umm.. It's traceable.

Received: from npsmtp02la.mail2world.com (mw27.mail2world.com [66.28.189.27])
  by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR)  with ESMTP id
  BAS07392; Mon, 10 Feb 2003 02:07:59 -0500 (EST)

Interesting that your mailserver said 'npsmtp02la' but the PTR says 'mw27'.
Reverse DNS for the 66.28.189/24 is provided by cogentco.com, and the IP address
block is owned by:

route:      66.28.189.0/24
descr:      Mail2World Network
origin:     AS26254
remarks:    this is non-portable space, no exceptions
notify:     wkim <at> mail2world.net
mnt-by:     MAINT-MAIL2WORLD
changed:    wkim <at> mail2world.net 20030110
source:     VERIO

I'm too lazy to go poke a BGP looking-glass to see who AS26254 is getting
transit from, but I'd start by asking Verio. ;)

A bigger problem here is that although open SMTP relays are fast becoming
rarer (I've seen one reliable statistic that open SMTP relays have fallen from
60% down to about 1% of the problem), there are signs that spammers are
starting to abuse open proxy servers (many older HTTP proxies would quite
happily accept 'CONNECT destination.com 25').

> Sure why not. there is not need to reinvent the wheel. the difference here
> is that 20 is not used to email the outside world but to enforce outgoing mail 
> rules. you can not do this in SMTP today. You can not enforce outgoing mail
> size, language, etc.. that is what [20] is there for..

Given the number of ISPs that currently block outbound port 25, this seems
to be an "already done".  All you need is a firewall that blocks outbound
SYN packets on port 25 from everything from the mail server, and filtering
software on the mail server.  Given the number of e-mail a day I receive with
silly "This e-mail is proprietary" banners, I have to assume that most sites
who wish to do this already know how to do so.

> Once you know that an email is coming from domain A and no one else, then we 
> can go to a third party (that is paid by domain A to be their certificate manager) and 
> check if they are within the category they claim to be. So if domain A claims to be 
> XY category and ends up being ZZ using some smart filters, then we can report 
> the abuse to the manager of the certificate and they update the category based on 
> feedback not only from me, but based on reports received from other AMDP sources. 
> Domain A can not deny that mail is not from his domain, since the design gaurantees 
> that the host must be explicitly authroized to mail. All mail from A to other AMDP 
> servers will autmoatically be converted to the new classification since the third party
> job is to provide the realtime classification of the domain.

Nothing here that ORBS and MAPS haven't been doing for years already.

> yes I agree see above, the three way handshake is just one of many conditions
> that play together to close the wholes available in SMTP.

You missed the point - if you don't trust the spammer to tell the truth
about "this is not spam" when he contacts you, why do you expect a truthful
answer when you spend the extra effort to contact a server *the spammer runs*?

> I agree again, this may be difficuly to implement (at the least the thread synching)
> but the idea here is to create an automatic schema that allows certain email classification
> to be autmoatically saved to tape in antipicpation to some ruling by SEC where companies
> must backup all communication relating to certain business practices. 

This is so totally outside of the scope of SMTP that I'm not going to delve
further into it, other than to comment that every current MTA that I'm aware
of already has the ability to either archive a copy of everything, or can be
modified to do so.  Also, most of the most incriminating documents will be
intra-office memos - remember that Oliver North was convicted in the Iran/Contra
scandal largely on the contents of backed-up memos of the PROFS message system
that was in use at the time.  These likely never hit SMTP *at all*.

> The idea is to automate the system so reports are sent and received in real-time, so if you have
> a virus in your network it will automatically alert the external network, and other AMDP servers
> will know of this before the mail admin does!!

Security-wise, this is a Very Risky Idea.  Consider what happens to your
network e-mail connectivity if a number of sites submit "we're getting virus
spam from Mail2World".  All it takes is one script kiddy with 10K zombie
hosts (and there's lots of them out there), and you're suddenly off the air.

> :) I do know a few. Working on ayna.com we had unforunatly been on few lists
> and I had to go and explain what happen to be taken off the list. Spammers
> put a return address of ayna.com, and how can I explain to few thousand angry 
> people it is not us!!!

Your proposal may deal with preventing a "joe-job" (at the price of vastly
complicating things) while doing absolutely nothing new to stop spam from
mail.only-valid-for-12-hours.com whack-a-moles or entrenched spamhauses
that have been using the same domains and IP addresses for years, and who
thus have been in blacklists for years....

/Valdis

Re: Introduction and query

Re: Introduction and query

Re: Introduction and query

On Mon, 10 Feb 2003 10:41:05 PST, Adonis El Fakih said:

> Max email size 30k which means message >= 30 will pass to be delivered
> (including
> content, if as we receive it the counting algorithm hits 35k, the
> message is dropped)
> this is the difference. We asked the mailer to be honest, if they do
> not, we drop the 
> message. So if they want a message to pass they have to be bound by the
> terms
> of the public policy.

This is already provided by the ESMTP SIZE extension.

> You keep saying that spammer wil lit in their classification, and of
> course
> they will do that. The certificate will tell us what the have been doing
> on other sites,

There's privacy issues and traffic-analysis threats here.

> > Actually, if you think really hard about it, you'll realize that this
> doesn't 
> > *really* stop fake FROM - all it does is make the spammer use a
> throw-away 
> > FROM address that happens to point to a server he controls. 
> > 
> Actually it does, since that host has to be explicitly on the outgoing
> mail list
> for the domain. Let us assume we have 100 servers within out network, as
> a system admin i can assign 4 of them to be used for outgoing mail
> handleing
> i.e. MHFs. The chances of somone hacking onto other non-attended hosts
> is much higher that the ones the admin controls. Also in the case of
> abuse
> it can be pin pointed to the specific host within the domain.

And in your model, it doesn't matter, because the other 96 hosts will be
configured to forward all their mail to the 4 that are MHFs.  So all a spammer
needs to do is find an open formail or proxy, and use that to inject
mail with a forged MAIL FROM:<whatever <at> victim.dom>, and let its MHFs do the
work for it.

> We use this technique today in one of the products we use, where it
> slows down the
> spammer incrementaly, but still does not work. Many proffesional
> spammers will have
> a whole C bock and use them randomly to overcome settings made based on
> host

Which is why the next paragraph said "from a given /24".. ;)

> Which is fine, but his category listing and "honesty" ratings are also
> low, so they will
> have to pay higher rates for mail delivery.

Be careful here that you don't make e-mail too expensive for small sites.

> - One time IP, used to post the millions of messages and then goes
> offline. In AMDP the domai has to be within the outgoing mail scheme of
> the domain, and must stay online so we retrieve the message. Spweing out
> a million message gonly sends out a million envelopes, not the messages.
> if they want to make some cash they will need to stay online to server
> those messages.

And the majority of recipients will try to fetch it right away or fairly soon,
so all they need is another (or even the same IP) address online to catch the
inbound connections, and a DNS entry to point them there.

> - If it is a hijacked MHF once notifed the admin can drop the message
> from queue, and the damage is controled at his end.

Oh, so you're expecting the MHF admin to fix the problem, when these are
probably going to be the same servers that have been open SMTP relays for
years?

> I disagree about these figures, Most of the mail I receive today uses
> fake host
> name, fake mail froms, open relays, fresh relays setup by the spammers
> all 
> over the world. They use cheap ISP accounts in brazil, russia, south
> africa,
> middle east, canada, japan, korea, etc.. 

OK... open relays?  See above comment about MHF servers not being closed.

Fresh relays set up by spammers?  Hmm.. if they can set up a relay,
they can set up a DNS pointer.

Cheap ISP accounts? The ISP will provide a MHF for you.

You're not really addressing the real problems here.

> You are relying on a third party to do the blocking here. Why should it
> not be part 
> of the design?? not everyone has a firwall, and if someone want to go
> around than 
> they can.

Umm.. No.  You're talking about *OUTBOUND* mail here - and if *YOUR* firewall
isn't able to stop outbound SMTP that you don't filter, why do you expect it
to stop outbound AMDP?

> > Once you know that an email is coming from domain A and no one else,
> then we 
> > can go to a third party (that is paid by domain A to be their
> certificate manager) and 
> > check if they are within the category they claim to be. So if domain A
> claims to be 
> > XY category and ends up being ZZ using some smart filters, then we can
> report 
> > the abuse to the manager of the certificate and they update the
> category based on 
> > feedback not only from me, but based on reports received from other
> AMDP sources. 

*BZZT* Wrong, but thank you for playing.  This is called a "paid endorsement"
and is usually about as valid as a sports figure endorsing a brand of life
insurance.   There's no reason to assume that a registrar hired by the
spammer will tell you the truth....

And remember that even Verisign has been caught spamming.  Think about that. ;)

You want to be asking a third party that *YOU* pay to give you good advice,
or at least some third party you can reasonably trust to be neutral...

> I asked this to myself. In SMTP the message goes one way, regardless if
> the
> message is good or bad, however in most cases spam over shadows the good
> mail. By doing the extra handshake i achieve the following.
> 1. I am forcing the sender to be online to tell me that indeed they sent
> me a message

If the spammer can be online to send the message, they can have a second
server online as well.

> 2. I am asking the sender to have that message ready for later pickup

Be careful what you ask for, you may receive it. ;)

Do you think many users will actually *ASK* for "don't bother picking it
up for at least 2 hours"?

Also, note that if the spammer is making a very large run, they'll be online
for a few days doing it, so the chances of them being gone when you call back
aren't that high.

> Also now they can truley know which message was read, and by whom, and
> concetrate
> on creating a business geared on the users, and not random mailings to
> no end..

Read section 6.2 and 6.3 of RFC2298 (Message Disposition Notifications), which
discusses the security implications of this sort of service.

You may also want to ponder the statistics produced by the guys over at
http://cluelessmailers.org - they believe that 90% of the spam in the US is
the result of a small group of 100 to 150 individuals.

That's all the commentary for now, it's been a long and ugly day (nothing
like a print server misbehaving to make your day ;)

/Valdis

MS Exchange 2000 broke RFC 3030 badly...

I write at this forum, as apparently MS people read this, and
me being a non-customer to them, I have no direct access routes
to send bug reports.

I have implemented ESMTP  CHUNKING / BDAT since 1997,  and now
finally some major implementations do appear -- but sadly first
of them is broken.   The end result is that even if Microsoft
fixes things this week, bug containing versions will be running
for years...     (Shall RFC 3030 be thus considered failure due
to widely installed buggy implementation ?)

In RFC 3030 two ESMTP extensions are defined:
 - CHUNKING
 - BINARYMIME

The buggy implementation is of CHUNKING's BDAT verb processing.

Said verb runs like this:

  BDAT nnnn [LAST] CRLF
  < nnnn bytes of message header+content data with CRLF line ends >

The server shall always consume the message content associated
with BDAT verb.  (Ok, RFC 3030 text isn't explicitely clear at this,
which has lead to a number of implementation bugs, including
the one presently being discussed.)

With simultaneous PIPELINING facility/compability declared by the
remote MTA server, a smtp-client sending in optimized pipeline mode
sends MAIL FROM, one or more of RCPT TO, and also BDAT+message content
all in one TCP data push.

How   MS Exchange 2000   as deployed at Hotmail.COM now does work is:

 - If   MAIL FROM   and   RCPT TO (one or more) are received
   successfully,  BDAT will be accepted successfully.

 - If for some reason all RCPT TOs are rejected, treatment of BDAT
   is broken.  Associated data is not consumed (discarded), and
   the result is unpredictable number of "500 Unrecognized command"
   messages, as the message content ended up in SMTP command processing.

   Following UNIX bash-script shows what happens.

(echo "EHLO foo";sleep 1;
echo -e "MAIL FROM:<>\nRCPT TO:<lklkzzh <at> hotmail.com>\nBDAT 9 LAST\n1\n2\n3\n";
sleep 2;
echo -e "MAIL FROM:<>\nRCPT TO:<lklkzzh <at> hotmail.com>\nBDAT 9 LAST\n1\n2\n3\n";
sleep 3) | telnet mx1.hotmail.com smtp

   Doing network protocol dump, one can see that from MAIL FROM to
   BDAT content data all are sent with single TCP data push, as is
   the nature of smtp-client in fully developed PIPELINING mode.

   Here are the received responses:

220 mc1-f8.law16.hotmail.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5600 ready at  Mon, 17 Feb
2003 16:23:42 -0800 
   <<-  EHLO foo
250-mc1-f8.law16.hotmail.com (02.01.00.0007) Hello [62.240.94.4]
250-SIZE 4278190
250-PIPELINING
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH LOGIN
250-AUTH=LOGIN
250-X-HMAUTH
250 OK
   <<- MAIL FROM:<>
250 <>....Sender OK
   <<- RCPT TO:<lklkzzh <at> hotmail.com>
550 Requested action not taken: mailbox unavailable
   <<- BDAT 9 LAST (+ data)
503 Need Rcpt command.
500 Unrecognized command
500 Unrecognized command
500 Unrecognized command
   <<- MAIL FROM:<>
503 Sender already specified
   <<- RCPT TO:<lklkzzh <at> hotmail.com>
550 Requested action not taken: mailbox unavailable
   <<- BDAT 9 LAST (+ data)
503 Need Rcpt command.
500 Unrecognized command
500 Unrecognized command
500 Unrecognized command

   Fully pipelined smtp client code does not expect
   any of those "500 Unrecognized command" lines, and
   goes out of protocol sync.

--

-- 
/Matti Aarnio	<mea <at> nic.funet.fi>