From: Anthony Howe
Date: 2006-07-10 04:12:31 -0400
Subject: Re: Milter-Null and / or SRS filtering...
More information: http://www.milter.info/#Support
Grant Taylor wrote:
> I would like to take a moment to engage people's thoughts and opinions on
> the pros and cons of Milter-Null versus Sender Rewriting Scheme, a.k.a.
> SRS. As I understand it, both Milter-Null and SRS filtering provide /
milter-null is more akin to a BATV private scheme:
My method is implemented differently and grew out of my observations
over Xmas 2005, when I was getting lots of backscatter during that time.
SRS was developed by Meng Weng Wong to help address the SPF (also by
Wong) forwarding problem. SRS is similar to VERP and is intended for
re-mailers and forwarders. It was not designed for null address
verification, but has since been used in BATV like roles.
milter-null approaches the problem more from a DKIM perspective, i.e. it
uses a simple encryption hash on a select set of information to insert a
header. Multiple headers can be inserted and supported.
BATV / SRS modify the envelope instead. Some sites require that the MAIL
envelope equal the From: or Sender: header. I think Sendmail X has an
option to enforce this, particularly for mailing lists. It's unclear to
me how effective the SRS variant would be when the MAIL envelope is
changed by two or more forwarders.
I have some issues with envelope rewriting. SRS in its basic form, as
with VERP, can blow up the RFC 2821 maximum local-part length, which is
supposed to be restricted to 64 bytes. RFC 2821 also states that an email
address has an overall max. length of 255 bytes. So if I create a
specially long email address and subdomains (for harvest detection, let's
say), then it's possible that some MTAs will barf on an SRS/VERP
rewritten address that tries to put 256+ characters into the local-part
before the at-sign.
As a matter of fact, all my milters have had options to enable strict RFC
length enforcement as a means to filter out rubbish. These options are now
exposed with the latest option scheme used by all 20 Snert milters:
They're off by default, because early attempts to enforce it broke those
sites that use a VERP-capable MLM on their servers. I pointed this out to
Wong concerning SRS about two years ago at the height of the SPF frenzy.
The correct way to do SRS or any sender rewriting is to use a hash that
doesn't blow up the local-part length limit, but then this requires a
database to track hashes and a method to expire them.
milter-null requires no such database, since all the information hashed
is found in the message headers, which to my knowledge are so far always
returned as part of the DSN & MDN. BTW, I did test with Thunderbird MDN
support and Outlook Express too.
Replay attacks are possible, which is why the date-ttl option exists in
milter-null. However, this is not a problem unique to milter-null. BATV
or SRS using hashing are also vulnerable to replay attacks during your
> included. Will someone please correct me if I'm wrong. However, MOST
> MTAs out there will include it, but not all.
Most MTAs include the headers, but not the body. I've looked at DSN
mail from Sendmail 8, Postfix, Qmail, and Exim, which all at least
include headers. I've tested with Gmail, Hotmail, and Yahoo. Yahoo is of
particular interest here since they have an accept-then-bounce policy,
making a bounce test far more interesting; it works too.
So far I've not found an MTA that does not include the headers by
default in a DSN/MDN message. I'm sure it's possible to disable returned
headers with the options of most MTAs, but it's not the default.
However, IMHO, sites that don't return message headers are rare,
and bounce mail from such sites will probably be backscatter.
Dropping legit bounce mail from such sites doesn't bother me any more,
since so many sites have opted to reject mail from the null sender; a
milter-null-enabled site would just appear as another blip to these rare
few that don't return message headers with their DSN.
For the moment, I see the odds in my favour. Correct me if I'm wrong or
have overlooked something.
Anthony C Howe, SnertSoft, Sendmail Milter Solutions
+33 6 11 89 73 78, http://www.snert.com/
Skype: SirWumpus, AIM: SirWumpus, ICQ: 7116561
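A minimal sketch of the header-hash approach Howe describes (an HMAC over a fixed set of headers plus a signing time, inserted as a header on outgoing mail and checked again on the headers a DSN/MDN returns, with a TTL against replay), as an added example that is not milter-null's code. The secret, the header name X-Null-Sig, the field format and the sample message are constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message

# Constructed values; not milter-null's real key, header name or wire format.
SECRET = b"site-secret-constructed-for-this-example"
SIG_HEADER = "X-Null-Sig"               # hypothetical header name
SIGNED = ("From", "To", "Message-ID")   # header set folded into the hash
DATE_TTL = 7 * 24 * 3600                # accept a signature for 7 days (a date-ttl)

# Constructed outgoing message used as sample input.
ORIGINAL = ("From: a@example.org\nTo: b@example.net\n"
            "Message-ID: <1@example.org>\nSubject: hi\n\nbody\n")

def _digest(msg: Message, ts: int) -> str:
    """HMAC over the chosen headers plus the signing timestamp."""
    h = hmac.new(SECRET, digestmod=hashlib.sha256)
    h.update(str(ts).encode())
    for name in SIGNED:
        # A missing header hashes as empty; whitespace is stripped as a milter would.
        value = str(msg.get(name) or "").strip()
        h.update(f"\n{name}:{value}".encode())
    return h.hexdigest()

def sign_outgoing(raw: str, now: int) -> str:
    """Add the signature header to an outgoing message; returns the new raw text."""
    msg = message_from_string(raw)
    msg[SIG_HEADER] = f"t={now}; h={_digest(msg, now)}"
    return msg.as_string()

def verify_bounce(returned_headers: str, now: int) -> str:
    """Classify the original headers a DSN/MDN returned:
    'accept', or 'missing' / 'expired' / 'forged' (treat those as backscatter)."""
    msg = message_from_string(returned_headers)
    sig = msg.get(SIG_HEADER)
    if not sig:
        return "missing"           # we never signed it (or the site dropped headers)
    fields = dict(p.strip().split("=", 1) for p in str(sig).split(";") if "=" in p)
    try:
        ts = int(fields["t"])
    except (KeyError, ValueError):
        return "forged"
    if not 0 <= now - ts <= DATE_TTL:
        return "expired"           # old signature replayed past the date-ttl
    if not hmac.compare_digest(_digest(msg, ts), fields.get("h", "")):
        return "forged"
    return "accept"
```

A real milter would run verify_bounce only on mail arriving with a null envelope sender (MAIL FROM:<>) and would hash the same header set the signing side chose.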
Copyright 2009, 2012 by SnertSoft. All rights reserved.