[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01
Internet Draft A. DeKok
Expiration: October 22, 2004 IDT, Inc.
Working Group: ASRG April 22, 2004
Lightweight MTA Authentication Protocol (LMAP) Discussion
and Applicability Statement
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights
Reserved.
Abstract
Lightweight MTA Authentication Protocol (LMAP) is the general term
for a family of proposed protocols to help address the spam problem
by permitting domains to publish the set of SMTP clients which may
use their name in the EHLO/HELO and MAIL FROM fields. SMTP servers
can use this information to determine if a client is consensually
using a domains name. This document discusses the applicability, and
the costs and benefits of wide-spread deployment of the protocol
family.
Table of Contents
Abstract ......................................................... 1
Internet Draft A Discussion of LMAP [Page 1]
Internet draft November 2003
1. Introduction .................................................. 3
1.1. Statement from the ASRG chairs ............................ 3
1.2. Summary of the Protocol ................................... 4
1.2.1. Authorization, Authentication, and Intent ............. 5
1.2.2. Semantics of MAIL FROM ................................ 5
1.3. Interpretation of LMAP Data ............................... 6
2. Problem Statement and Scope ................................... 6
2.1. Unauthorized use of a domain name as "forgery" ............ 7
2.1.1. Why prevent domain forgery instead of end-user forgery? 7
2.2 Scope of the proposal ...................................... 8
2.2.1. Domain name in EHLO/HELO .............................. 8
2.2.2. Domain name in MAIL FROM .............................. 8
2.2.3. Source IP address ..................................... 9
2.3 Scope of the Problem ....................................... 9
2.3.1. Junk Email ........................................... 10
2.3.2. Viruses, Trojans, and Worms .......................... 11
2.3.3. Account Fraud, or "phishing" ......................... 11
2.3.4. "Joe-Jobbers" ........................................ 11
2.4. Limitations of the Proposal .............................. 12
2.4.1. Junk Email with Correct Envelope Information ......... 12
2.4.2. "Joe-Jobbing" Within the Same Domain ................. 12
2.4.3. Viruses and Worms using on infected SMTP Server ...... 12
2.5. Accountability for SMTP originators ...................... 12
2.6. Few SMTP originators are SMTP recipients ................. 13
2.7. DNS-based attacks ........................................ 14
3. Common Concerns with LMAP .................................... 14
3.1. LMAP and the end-to-end nature of the Internet ........... 14
3.2. Roaming Users and LMAP ................................... 15
3.2.1. SUBMIT (port 587) .................................... 16
3.2.2. SMTP relaying to their home provider ................. 16
3.2.3. Publish LMAP information ............................. 16
3.2.4. Virtual Private Networks (VPNs) ...................... 16
3.2.5. Other message delivery systems ....................... 16
3.3. Other methods addressing the spam problem ................ 17
3.4. Message relaying and forwarding are affected by LMAP ..... 17
3.5. Inertia to change is not a basis for opposition .......... 18
3.6. Kiosk, greeting card, and mail-a-link systems ............ 18
4. Privacy Considerations ....................................... 19
4.1. End Users ................................................ 19
4.2. Network Infrastructure ................................... 20
4.3. Traffic analysis ......................................... 20
5. Security Considerations ...................................... 20
6. Acknowledgments .............................................. 21
Internet Draft A Discussion of LMAP [Page 2]
Internet draft November 2003
7. Informative References ....................................... 21
8. Contact Information .......................................... 21
9. Contributors ................................................. 21
1. Introduction
The Anti-Spam Research Group (ASRG) was chartered to address the spam
problem. Lightweight MTA Authentication Protocol (LMAP) is the
general term for a family of proposed protocols to help address the
spam problem by permitting domains to publish the set of SMTP clients
which may use their name in the EHLO/HELO and MAIL FROM fields. SMTP
servers can use this information to determine if a client is
consensually using a domains name. This document discusses the
applicability, and the costs and benefits of wide-spread deployment
of the protocol family. The LMAP protocol falls with the scope of
"changes to existing applications" as described in the charter.
The intended audience for this document includes administrators and
developers of DNS and SMTP systems. The audience is assumed to be
familiar with the workings of SMTP [RFC 2821] and DNS [RFC 1034].
The document is organized as follows. Section 2 describes the
problem statement and scope of the proposal. Section 3 deals with
the most commonly raised concerns associated with LMAP, and prior
variants thereof.
We wish to remind readers that implementation and use of LMAP is
entirely optional and not required to operate SMTP services. This
document is not intended to obsolete anything in RFC 821 or RFC 2821.
Readers are further reminded that recipients have the right to refuse
any communication from anyone, for any reason.
1.1. Statement from the ASRG Chairs
This document is intended to summarize the work of the Anti-Spam
Research Group (ASRG) of the IRTF regarding the LMAP family of
proposals. This work begun in early 2003 and concluded in early 2004
with the move to the newly chartered MARID WG at the IETF. This
document is intended to summarize the work of the ASRG as input to
the IETF standards making process and to provide a historical record
of the discussions in the ASRG. Readers are encouraged to check
current IETF documents for the status of these proposals.
As per RFC 2014, section 3, IRTF documents do not require group
Internet Draft A Discussion of LMAP [Page 3]
Internet draft November 2003
consensus to be published. This document does not have consensus of
the ASRG and is being published under this provision.
This document does NOT reflect consensus of the ASRG and is being
published in accordance with section 3 of RFC 2014.
ASRG chairs at the time of writing are John R. Levine and Yakov
Shafranovich.
1.2. Summary of the Protocol
LMAP is based on two concepts: publication of policy by a domain, and
application of that policy by a recipient MTA. The policy published
by a domain includes statements as to which IP addresses are intended
to claim association with the domain in the SMTP EHLO/HELO and MAIL
FROM fields.
SMTP recipients can look up this policy when a domain name is used in
EHLO/HELO and/or MAIL FROM. The recipient can then choose to apply
the requested policy to the message. The result is that messages are
delivered only when all parties consent to their delivery. The SMTP
client must have the consent of the domain to claim association with
that domain, and the SMTP server can verify that that the consent
exists. After all, if the domain does not consent to someone
claiming association with it, there are few reasons why a recipient
would choose to accept that non-consensual message.
The method of applying the consent of a domain to messages is similar
to that used in Dialup User Lists (DUL). With those methods, a
network provider publishes a list of IP addresses which have been
assigned to dial-up users. SMTP recipients may query such lists, and
assume that the existence of an IP address on the list means that the
network provider did not intend SMTP traffic to originate from that
IP address.
Similarly, methods such as sender callback attempt to discover the
implied intentions of a domain, by performing certain queries to that
domain. Such methods are flawed, as the implications they discover
are not necessarily the same as the intentions of the owner of a
domain.
This proposal makes all such intentions explicit, through the use of
published data by a domain. Publication makes the Internet more
open. Less information is hidden, and fewer erroneous implications
are arrived at.
Note that recipients should also publish that they use and enforce
LMAP. Receiving mail transport agents using protocols with the
Internet Draft A Discussion of LMAP [Page 4]
Internet draft November 2003
ability to advertise capabilities should advertise a capability to
the sender that informs the that the sender that the receiver will
check the incoming IP address with LMAP. It is to the advantage of
all parties for a sender that will not be able to pass LMAP
authentication to be able to discover the fact as early as possible
and abort the transmission.
This verification scheme is weaker than cryptographic systems but
stronger than the current SMTP model.
1.2.1. Authorization, Authentication, and Intent
There has been significant discussion within ASRG about the proper
terms to use when describing the data published and used by this
system. The terms authorization and authentication have been
proposed. Both terms have their benefits and drawbacks.
In this document, we will use both terms when referring to LMAP. An
alternate way of describing the proposal is that the data published
by a domain expresses the intent that an IP address will, or will
not, originate SMTP traffic using that domains name. An SMTP
recipient can use that data to learn the intent of the domain owner,
and then decide to accept or reject a message based on its
conformance with that intent.
Whether the publication and application of this intent is best
described as authorization or authentication is a decision left to
the reader.
1.2.2. Semantics of MAIL FROM
There has been significant discussion within ASRG about whether not
not this proposal changes the semantics of MAIL FROM. At a minimum,
this proposal permits cooperating parties to extend the semantics of
MAIL FROM by publishing and using LMAP data.
In normal situations, the sender identification used in the MAIL FROM
is intended to be used for bounces. The email address used here can
therefore legitimately differ from the addresses which are used in
the body "From" line. The use of the MAIL FROM field in this
proposal can therefore be considered as an additional verification on
the bounce path for the message, rather than as an attempt to
authenticate the sender identity.
As this proposal is intended to be backwards compatible with systems
not using LMAP, the semantics of MAIL FROM may remain unchanged when
one or more of the parties in the SMTP conversation does not publish
or use LMAP data.
Internet Draft A Discussion of LMAP [Page 5]
Internet draft November 2003
Note that this proposal does not violate the following prohibition
from Section 4.1.4 of RCC 2821:
An SMTP server MAY verify that the domain name parameter in the
EHLO command actually corresponds to the IP address of the
client. However, the server MUST NOT refuse to accept a message
for this reason if the verification fails
The LMAP family of protocols are intended to look up the source IP
address of the SMTP connection, within the LMAP data of a domain
given in EHLO and/or MAIL FROM. LMAP does not perform a reverse DNS
lookup of the source IP address, and therefore does not violate the
above prohibition.
1.3. Interpretation of LMAP Data
Recipient MTAs are free to interpret LMAP data as they wish.
Possibilities range from rejecting email with a 550 error code to
using LMAP data as one input to a multi-criterion filter. Domains
may also optionally use LMAP data to whitelist or give higher passing
values for email in their filters.
E-mail from LMAP domains that do not publish LMAP data should NOT be
rejected since there is no requirement that domains do so, and many
will not, either for policy reasons or from lack of resources. E-
mail from non-LMAP domains should be treated as e-mail is treated
currently.
All local policy decisions remain with the recipient's MTA. Readers
are reminded that recipients have the right to refuse any
communication from anyone, for any reason.
2. Problem Statement and Scope
When an SMTP client connects to an SMTP server, the data in the
EHLO/HELO and MAIL FROM fields is supplied by the client to the
server. The server must then accept the data within these fields at
face value, as there is no provision within SMTP to validate, or
authenticate, this data. As a result, SMTP clients who wish to
falsely claim association with a domain may use that domains name in
those fields within SMTP, and the SMTP server has little choice but
to accept that claim.
Efforts have been made since the publication of the SMTP
specifications to block such messages by requiring the domain part of
the sender address to be resolvable. That method provides protection
from messages with non-existent sender domains, and indeed, for some
time it blocked many spam messages. However, once spammers began to
Internet Draft A Discussion of LMAP [Page 6]
Internet draft November 2003
abuse existing domain names, that method was rendered ineffective.
Other methods such as sender callback have been used to discover the
implicit intent of a domain administrator, by verifying that the SMTP
client is a valid MTA for the domain it is claiming association with.
Such schemes have limited applicability, as the domain may use
different MTAs for incoming and outgoing messages. In addition, the
implications about a domain that the sender callback implementer
comes up with may not be the same as the intentions of the domain
administrator.
LMAP extends current implementations so that all such intentions may
be made explicit by domains, and easily discoverable by SMTP servers.
A domain may choose to publish a list of SMTP clients that originate
traffic for that domain, and that list does not have to be the same
as the list of MXs for the domain. Note that we extend only
implementations of SMTP; the protocol itself remains unchanged, and
nothing in this document should be construed as modifying or updating
any part of the SMTP protocol as defined in RFC 821 or RFC 2821.
2.1. Unauthorized use of a domain name as "forgery"
In the context of LMAP, SMTP "forgery" is defined as:
SMTP Forgery: Use of a domain name in the argument fields of
SMTP EHLO/HELO and/or SMTP MAIL FROM, by an SMTP client, when
the owner of the domain name did not consent to that use of
their name.
Any consensual use of a domain name is therefore defined to not be
forgery.
As incidents on the Internet over the past few years have shown, mass
mails, viruses, and worms with forged sender addresses can cause
severe damage for the real owner of the abused sender addresses.
While this proposal does not, and will not, stop spam, it will help
prevent one of the most damaging forms of spam: forgery.
2.1.1. Why prevent domain forgery instead of end-user forgery?
LMAP permits the discovery and prevention of forgery of domain names,
rather than of end-user identities for a number of reasons. One is
that there are fewer active domains than users. While domain-name
registries claim to have registered hundreds of millions of domains,
most of those domains are inactive. Statistics from anti-spam
organizations indicate that there are only a few hundred thousand
MTAs which persist from year to year. These MTAs are the entities
which are best suited to participate in a method for addressing the
Internet Draft A Discussion of LMAP [Page 7]
Internet draft November 2003
spam problem.
If LMAP, or another proposal, were to authenticate end-user
identities, then those identities would have to be published by a
domain, for validation by any SMTP server. That publication would
have serious security and privacy implications. We therefore avoid
those issues in this proposal by not performing authentication of
end-user identities.
The use of domain names, rather than end-user identities has another
advantage. By discovering forgery of domain names, the recipient MTA
can ensure that a valid return path exists for messages which do not
contain forged names. This return path verification means that the
recipient knows that a responsible party is available to accept
either a bounce, or a complaint that the message was spam.
2.2. Scope of the proposal
This proposal uses domain names in the EHLO/HELO and MAIL FROM fields
of the SMTP protocol, along with the source IP address of the SMTP
connection, in order to ask the domain(s) if that IP address was
intended to have an SMTP client use its name in the EHLO/HELO or MAIL
FROM field.
2.2.1. Domain name in EHLO/HELO
In reference to EHLO/HELO, [RFC 2821] says:
4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)
These commands are used to identify the SMTP client to the SMTP
server. The argument field contains the fully qualified domain
name of the SMTP client if one is available. In situations in
which the SMTP client system does not have a meaningful domain
name (e.g., when its address is dynamically allocated and no
reverse mapping record is available), the client SHOULD send an
address literal (see section 4.1.3), optionally followed by
information that will help to identify the client system.
LMAP can only be applied when the argument to the EHLO/HELO command
is a domain name, and when that domain publishes LMAP information.
In all other situations, LMAP cannot be applied to the EHLO/HELO
command, and this proposal therefore makes no statement about how
such an SMTP conversation should be treated.
2.2.2. Domain name in MAIL FROM
This proposal also deals with the MAIL FROM field of the SMTP
Internet Draft A Discussion of LMAP [Page 8]
Internet draft November 2003
protocol. In reference to MAIL FROM, [RFC 2821] says:
4.1.1.2 MAIL (MAIL)
This command is used to initiate a mail transaction in which the
mail data is delivered to an SMTP server which may, in turn,
deliver it to one or more mailboxes or pass it on to another
system (possibly using SMTP). The argument field contains a
reverse-path and may contain optional parameters. In general,
the MAIL command may be sent only when no mail transaction is in
progress, see section 4.1.4.
The reverse-path consists of the sender mailbox. Historically,
that mailbox might optionally have been preceded by a list of
hosts, but that behavior is now deprecated (see appendix C). In
some types of reporting messages for which a reply is likely to
cause a mail loop (for example, mail delivery and nondelivery
notifications), the reverse-path may be null.
LMAP can only be applied when the argument to MAIL FROM is a sender
mailbox from which a domain name can be determined, and when that
domain publishes LMAP information. In all other situations, LMAP
cannot be applied to MAIL FROM, and this proposal therefore makes no
statement about how such an SMTP conversation should be treated.
LMAP is therefore not applicable to bounce messages, or to messages
pretending to be bounce messages, where no reverse path exists.
2.2.3. Source IP address
An LMAP capable SMTP recipient queries the domain(s) using the
EHLO/HELO and MAIL FROM fields. The query is the source IP address
of the SMTP client. The expected response is, at a minimum, an
answer from the set (yes, no, unknown). The recipient can therefore
determine if the domain intended SMTP clients at that IP address to
send messages in its name.
The query syntax, response syntax, and detailed design of this
proposal are not documented here, as they are currently in
development.
2.3. Scope of the Problem
A domain owner may wish to restrict the set of hosts permitted to
send email that identifies itself as associated with that domain.
LMAP provides a consensual mechanism for domain owners to publish
that set of hosts, and for SMTP receivers to discover and to apply
that policy to incoming messages.
Internet Draft A Discussion of LMAP [Page 9]
Internet draft November 2003
In response to RFC 2821 Section 7.1, forged email currently
represents a significant burden on the Internet infrastructure. This
proposal suggests that the very usability of Internet email is
threatened by unwanted and forged messages. In addition, business
practices that depend on email are threatened not just by the flood
of spam, but also by spam forging a fraudulent association with
legitimate businesses. This fraud causes honest businesses to lose
significant amounts of income, and increases their expenses.
LMAP, though it necessarily implies some increase in the
implementation complexity of mail senders and receivers, meets the
architectural criteria of RFC 1958. It preserves the end-to-end
property of the network; it supplies a mechanism which can be used to
implement and experiment with spam-blocking policies. It does not
duplicate existing capabilities, and it does not try to do too much.
With these considerations in mind, therefore, we believe that
adoption of LMAP would currently do more good than harm. See RFC
1958 Section 1.
Domains whose email practices would be inconvenienced by LMAP are not
required to implement it. Some domains may wish to publish LMAP
information, but not to use it themselves. We recommend that domains
which use LMAP information also publish it.
Domains which choose to implement LMAP will do so because they want
to identify outgoing SMTP hosts, in order to authorize email sent
using the name of the domain. While it is still possible to send
authorized email and be abusive, it becomes far easier to account for
that abuse and to identify the sender when an authorization or an
audit trail exists.
2.3.1. Junk Email
"Spammers," not wishing to be identified or to have their abused
resources identified, routinely falsify their emails sender
information, including the Sender Envelope (MAIL FROM: envelope), the
From: header and the Reply-To: header. Spammers often impersonate
large, popular domains when they do this. If such domains
implemented LMAP, other participating domains could receive
significantly less junk email from spammers falsifying their sender
information. In addition, the same verification process could
trivially reject spam which is intended to appear to be internal to
the domain.
Recipients using LMAP could reject any email sent in this manner,
regardless of how a resource is exploited. This includes open relay,
insecure proxy, dynamic IP, insecure and unrelated resources such as
older Formmail versions, and as-yet undiscovered exploits.
Internet Draft A Discussion of LMAP [Page 10]
Internet draft November 2003
Since this proposal does not examine or verify the body From: field,
there is still the possibility for spammers to use that field to
fraudulently claim association with a well-known domain. We leave
that problem to be addressed by a method other than LMAP. We will
recommend, however, that recipients take additional care when
accepting messages where the domain in the envelope MAIL FROM does
not match the domain in the body "From:". Such messages have greater
potential to be forgeries than messages where the domains are
identical, and where an accountability system exists.
2.3.2. Viruses, Trojans, and Worms
While many malicious programs sometimes use the infected machine's
sender address, they rarely use the sender domain's resources to send
copies of themselves, instead running their own SMTP engines.
Domains implementing LMAP may reject copies of viruses and other
malicious software sent in this manner. This method does have
limitations, however, see also Section 2.4.3.
2.3.3. Account Fraud, or "phishing"
Clients of financial institutions routinely receive communication
from confidence artists and scammers claiming association with that
institution. The claim is made in order to entice the recipients
into divulging critical account information to the scam artist. That
information is then used to defraud the client. Similar frauds are
perpetrated on clients of non-financial institutions. E.g. Obtaining
account information for an ISP, and then abusing that account to send
spam.
This type of spam is arguable the most damaging of all. It defrauds
not only the recipient who naively believes the forged association,
but it also defrauds the institution, which is an innocent bystander.
Preventing this type of spam alone will save both parties significant
time and expense.
Account maintainers participating in LMAP can discourage would-be
scam artists from falsifying their domain, as participating
recipients may reject email from them.
2.3.4. "Joe-Jobbers"
A malicious sender may send falsified messages from the email address
of an unrelated party, in order to have the recipient blame that
third party, rather than the true sender. The first well-known
instance of this abuse was against the domain joes.com, hence the
phrase "Being Joe'd" or "Joe Jobbing."
Internet Draft A Discussion of LMAP [Page 11]
Internet draft November 2003
Domains implementing LMAP could greatly diminish their chances of
being "Joe'd," as participating recipients could reject such email.
2.4. Limitations of the Proposal
As this proposal examines a sub-set of the fields of SMTP, it has
certain limitations. It does not prevent "authorized" abuse, such as
spammers registering a domain, and publishing LMAP information for
that domain. It does, however, make such abuse accountable, and thus
easier to track.
This proposal does not seek to stop spam, but rather it is another
weapon in the arsenal that can reduce the spam problem in combination
with other solutions.
2.4.1. Junk Email with Correct Envelope Information
LMAP can not stop spammers from using envelope information that they
are authorized to use. However, maintainers of spammer's domains
could audit their activity more effectively, as the spammers would be
forced to use their correct information.
If spammers maintain their own domains, domain-based blocking becomes
more effective. In extreme cases, where a spammer hosts multiple
domains, blocking the authoritative DNS servers for the spammer's
domains becomes very effective, as the recipient could reject all
LMAP lookups on the spammer's DNS servers. They would effectively
reject all email from domains hosted there.
2.4.2. "Joe-Jobbing" Within the Same Domain
If a user on example.com falsifies email coming from someone else
within example.com, LMAP would permit such forgery, as the sender
domain envelope information would be correct. However, the
maintainers of that domain could audit this email to identify the
sending machine.
2.4.3. Viruses and Worms using an infected SMTP Server
If a user's computer executes a virus that, instead of using its own
SMTP engine, uses their outgoing mail server, then LMAP would not be
able to prevent such abuse. However, domain maintainers could audit
this email and identify the infected computer.
2.5. Accountability for SMTP originators
The behavior of spammers over the years has made it clear that they
do not wish to be held accountable for their actions. They use fraud
Internet Draft A Discussion of LMAP [Page 12]
Internet draft November 2003
to obtain accounts at legitimate ISPs in order to send spam. They
use viruses, trojans, and worms to infect computers owned by other
people to send spam. They use trojans to cause innocent bystanders
to host Web sites where spam messages send the potential victims of
spam-supported fraud. They use accounts in countries or
jurisdictions where the spam problem is not recognized, not
addressed, or where the legal system permits the sending of spam.
While LMAP does not address all of the abusive behavior by spammers,
it does address part of the problem. It is therefore only one part
of the solution. Other methods must be developed and deployed before
spam can be eliminated.
This proposal does not address the problem of spammers being hosted
by otherwise allegedly reputable network service providers. We
recognize that the provider's apparent income from hosting spammers
is caused by a failure of accounting practices: the victims of spam
have no method to bill the spammer or the originating network service
provider for the recipients true costs due to spam. If those costs
were billed to the network providers, then spammers would quickly be
rejected. We believe that holding network service providers
accountable for such behavior will also help to significantly reduce
the spam problem.
In addition, political, legal, financial, and social solutions to the
spam problem are outside of the scope of this proposal. People who
are concerned that this proposal will fail because it does not
address those issues are encouraged to devote effort to addressing
those issues, rather than to attacking this proposal.
2.6. Few SMTP originators are SMTP recipients
A large part of the reason for the proposal of this protocol is that
few SMTP originators are also SMTP recipients. In addition, the
number of SMTP originators is significantly larger than the number of
SMTP recipients. This proposal helps to fight spam by redressing
that imbalance.
For example, the problem of delivering messages to machines with
dynamic addresses was solved through the Post Office Protocol (POP)
[RFC 1939]. The problem of submitting messages from such machines to
an MTA was solved through the Submit protocol [RFC 2476]. SMTP,
therefore, may be devoted solely to delivering messages between MTAs.
It should not be used for delivering messages to end users from an
originator, or for delivering messages from an originator to the
final recipients.
However, SUBMIT is not currently in wide use. One effect of the
Internet Draft A Discussion of LMAP [Page 13]
Internet draft November 2003
deployment of LMAP will be to encourage its use.
We believe that hosts which do not receive messages by SMTP, should
not deliver messages by SMTP. Mail delivery should go out the same
way that incoming mail came in. This is not a limitation for those
people on the road who plug their portable computer in any hotel
room's phone plug and use any provider. If there is a POP server
granting download access from anywhere, then the same server should
be ready to accept uploading of outgoing messages. It is simply
unreasonable to expect that recipient MTAs perform all of the work of
authenticating end-users originating messages, and making those users
accountable. See Section 3.2 for further explanation of this
problem.
2.7. DNS-based attacks
DNS poisoning
A significant drawback of authentication approaches that involve
checking properties of the sender domain is that they allow for a
class of denial-of-service attacks. In particular, very large
volumes of spam using non-existent sender domains could be used to
induce DNS timeouts on the targeted system. However, this problem
can be addressed relatively easily by dedicating a DNS server
instance to processing sender-domain checks, so that only the
processing of incoming mail could be affected, and the cost of the
DNS stalls can be expected to be negligible compared to the cost of
the spam flood itself.
Increased incentive for DNS cracks
LMAP will also have the effect of increasing the incentives for
spammers to crack and subvert DNS servers (in order to spoof
receivers doing LMAP checks against the DNS database). Fortunately,
this is a self-correcting problem. If a DNS server is subverted,
complaints should make the problem clear very quickly, and corrective
action is relatively easy to take.
3. Common Concerns with LMAP
This section describes the most common concerns raised about LMAP,
and responds in detail to those concerns.
3.1. LMAP does not change the end-to-end nature of the Internet
Concerns have been raised that this proposal negatively affects the
"end-to-end" nature of the Internet. This section describes why such
fears are unfounded.
Internet Draft A Discussion of LMAP [Page 14]
Internet draft November 2003
The primary reason such fears are unfounded is that this proposal
does not change SMTP, except by cooperatively extending the semantics
of the MAIL FROM command. The end-to-end nature of SMTP is therefore
unchanged. What this proposal does offer is a way to hold the
originating end of an SMTP session accountable for any association it
alleges it has with a domain. Claims that this accountability is an
unwarranted restriction on the "end to end" nature of the Internet
should consider that:
1) SMTP originators who wish to be unaccountable for their
behavior are called "spammers". The intention of this proposal
is to address the problem of spam, not to condone it.
2) SMTP originators who wish to force their messages onto
recipients, despite the recipients stated non-consent, are
called "spammers". SMTP message delivery has always, and will
always, depend on the mutual consent of the parties involved.
If a recipient chooses to request that a sender be publicly
accountable for his behavior and the sender refuses, then the
recipient is free to reject or discard any messages from the
sender.
The lack of accountability is a major technical reason why spam is
such a problem.
In fact, this proposal extends the end-to-end principles on which the
Internet was built, because it allows each end to publish their
policy, and to discover the other end's policy. Sharing of
information enhances trust, and permits the discovery of problems
related to Man in the Middle (MITM) issues.
3.2. Roaming Users and LMAP
Another concern raised about LMAP is that it will negatively affect
roaming users. That is, users not connected to their home network.
The main concern of roaming users is that the deployment of LMAP will
break the "end-to-end" nature of the Internet.
The response to those concerns can best be summarized as follows:
Stopping mail forgery requires everyone to give up forging.
The current practices of roaming users require that the SMTP
recipients do significant amounts of work to authenticate or filter
their messages. The response, therefore, of recipients, is to
request that the roaming user (and the alleged originating domain)
share some of that work. This response serves as the foundation for
the design of LMAP.
Internet Draft A Discussion of LMAP [Page 15]
Internet draft November 2003
If the roaming user is unwilling to share the work of demonstrating
accountability, then the recipient is free to reject any
communication with that roaming user.
The simplest way to address the other concerns of roaming users in
detail is to list the ways by which they may send email messages in
circumstances where LMAP is widely deployed.
3.2.1. SUBMIT (port 587)
That is, SMTP on another port [RFC 2476]. Roaming users would use
SUBMIT to send messages to their home provider, which would then send
those messages to the final recipients via SMTP. This method has all
of the benefits of SMTP, with none of the drawbacks of recipients
being responsible for authenticating roaming end-users.
The primary cost or delay associated with this method is deployment
in SMTP client software.
3.2.2. SMTP relaying to a home provider
Since many network providers block outgoing SMTP traffic (on port
25), this option is not universally available. The roaming users are
then in the awkward circumstance of having their attempt to behave
like spammers blocked, by a countermeasure used to prevent spam.
3.2.3. Publish LMAP information
Roaming users may update LMAP information for their domain through
Dynamic DNS (DDNS). Any messages they send will then pass LMAP
criteria, subject to DNS propagation delays.
Roaming users can also publish a policy though LMAP that any IP
address on the Internet is permitted to claim association with their
domain. Administrators who publish such information for their domain
should be aware that this practice will open them up to spammers
claiming association with their domain. For this reason, we do not
recommend such practices.
3.2.4. Virtual Private Networks (VPNs)
With this solution, roaming users allow their home provider to
authenticate them, and any SMTP traffic is sent through a secure
tunnel. That traffic then appears to issue from the network of the
home provider, where LMAP information may easily be published and
maintained.
3.2.5. Other message delivery systems
Internet Draft A Discussion of LMAP [Page 16]
Internet draft November 2003
Bi-directional POP, IMAP, Webmail, etc. all exist, and are sub-
optimal. But they work.
These alternatives have the added benefit that they are not required
to scale with the Internet. Rather, they scale with the number of
users at a domain. Therefore it is not the problem for the rest of
the Internet to deal with these issues, but only a problem for the
domain with roaming users.
3.3. Other methods addressing the spam problem
Many methods have been proposed to address the spam problem, and some
have claimed to be "complete" solutions. It is our belief that no
one method, including LMAP, will be a complete solution. Rather, an
overlapping set of solutions will be required, each of which address
different aspects of the problem.
That is, some anti-spam methods are better than LMAP at addressing
various aspects of the spam problem. Content filters may catch
viruses or trojans originating from a domain implementing LMAP.
Blocklists (e.g. RBL) may block spam from domains publishing LMAP
data. LMAP alone cannot address these types of message, and is not
intended to address them.
However, the down side of content filters and blocklists is that they
are subject to injection of arbitrary data by the maintainers, where
that data may not always satisfy the published criteria for
inclusion. It may be difficult for users of these methods to
determine why a particular piece of data is listed via the method.
In contrast, LMAP relies on public statements in the DNS by a domain,
which are easy to verify.
Each solution has its costs and benefits, and a limited scope of
applicability. We reiterate our belief that no one solution,
including LMAP, will fully address the spam problem.
3.4. Message relaying and forwarding are affected by LMAP
Mail forwarders have traditionally left the sender envelope
untouched. "Forwarding" is used in the sense of the Unix user
".forward" file, and by commercial companies offering forwarding
services.
Let us examine a situation where an LMAP conformant domain A sends a
message to address B which forwards the message to LMAP conformant
recipient C using the original sender address from A. If the B->C
forward had been set up without the consent of the recipient C, A's
LMAP records would be checked by C's LMAP client, and the message
Internet Draft A Discussion of LMAP [Page 17]
Internet draft November 2003
would be correctly rejected.
If the recipient C did desire the B->C forwarding, three workarounds
are possible.
1) B's MTA could rewrite the sender address to pass C's LMAP
criteria without involving the user B.
2) the user B could alter the .forward such that forwarded
messages are reinjected with B's address in the return-path.
For example, a .forward that was previously "C@example.com"
might now read "|/usr/sbin/sendmail -oi C@example.com"
3) the recipient C could provide a whitelist to C's MTA
indicating that forwarded messages are expected to arrive for C
from B.
LMAP conformant SMTP forwarders should implement a sender rewriting
scheme or its equivalent. Forwarders may work around this issue by
simply modifying .forward files to pipe messages to a local mailer.
3.5. Inertia to change is not a basis for opposition
Many organizations have failed to implement a well-designed mail
delivery structure, and have heavily based their network on asymmetry
between originator and recipient. Such organizations are hostile to
this proposal, because of the effort required to update and re-design
their mail infrastructure. While they may have a central mail server
for incoming mail, they often permit anyone to send messages alleging
association with the organization from anywhere in the world.
While such a mail system is simple to implement and maintain, it is
also open to abuse. As always, network security has costs.
Implementing a secure and well-designed mail system has costs that
some organizations are unwilling to bear. This proposal does not
affect those organizations in any manner. Rather, it affects the
other parties that they communicate with, and permits those parties
to request additional accountability from that organization.
As long as organizations insist on having policies which are open to
abuse, spammers will abuse those organizations and their policies.
3.6. Kiosk, greeting card, and mail-a-link systems
Many Web sites offer a facility to mail content from the site to a
third party, using the Web surfer's return address. The content may
be a greeting card, a magazine article, or a message entered by the
user. Few of these sites do any validation of the sender's address.
Internet Draft A Discussion of LMAP [Page 18]
Internet draft November 2003
They tend to be rate limited or inherently slow enough that they are
not useful for sending large volumes of spam. However, since users
can enter any return address, the mail they do send is technically
indistinguishable from mail with forged return addresses.
The most straightforward way to make such systems comply with LMAP
would be for them to use their own domain in the return address,
while using the user's entered address on the From: line.
4. Privacy Considerations
This proposal does not examine message contents, RFC2822 header
fields, or user identities in MAIL FROM. It therefore has no privacy
considerations which affect those fields.
The largest affects of this proposal on privacy are in three areas:
end users, publication of the network infrastructure, and traffic
analysis.
4.1. End Users
This proposal affects the privacy of end users in two ways. First,
it permits recipients to associate user identities or message content
with a domain that is accountable for the message. Second, it
prevents users from gaining anonymity by disassociating themselves
from a domain; i.e. forging associations with another domain, or with
a non-existent domain.
The first affect on privacy has little impact. The user sending the
message is already claiming association with a domain, so there is no
loss of privacy if that association is verified by the message
recipient. Also, as noted previously, this proposal does not prevent
users from fraudulently claiming to be another user within a domain.
The second affect on privacy is may be considered undesirable by some
users. True anonymity through the practice of forged association
with domains, forged email addresses, and by sending email through
hijacked or trojaned systems will become more difficult. This sort
of anonymity is highly correlated with spam, however, and is
precisely the kind of abuse that this proposal attempts to prevent.
Users who wish anonymity may gain i through accountable mechanisms.
Throw-away accounts at reputable network providers may be created and
paid for in cash under an assumed name, for example. Other
organizations will guarantee a degree of anonymity (more
realistically called shelter from others), if certain requirements
are met.
Internet Draft A Discussion of LMAP [Page 19]
Internet draft November 2003
We suggest that accountable methods of creating anonymity be used,
rather than unaccountable methods. A few individuals desire for
anonymity does not, and should not, require the rest of the Internet
to accept large volumes of spam.
4.2. Network Infrastructure
Publication of LMAP information results in a readily available list
of IP addresses of hosts authorized to send messages associated with
a domain. These lists yield information about the network structure,
business relationships, and possibly other information about the
domain owner, as growing number of domains are owned by single people
or families. Such lists may also provide hostile parties with a list
of targets for possible attacks.
However, such information is often already publicly accessible
through other means. Anyone communicating with individuals at a
domain may readily obtain this information, and share it with anyone
else. Business relationships have been discovered, for example,
prior to official public announcements, by examining DNS records.
Nearly all such private information about network structure and
relationships may therefore be described as already being readily
available. If such information is to be kept secret, it is the users
responsibility to send messages in such a way as to keep that
information private.
4.3. Traffic analysis
Any LMAP-aware MTA and DNS server requires additional network traffic
compared to servers which are not LMAP aware. This traffic may be
analyzed in order to verify that two parties are communicating, or
that a particular message has been received. The additional traffic
may still be analyzed in this manner, even if the SMTP session itself
is encrypted.
However, many MTAs already query MX and A records of a domain after
receiving a MAIL FROM command, so the additional security threat of
this new traffic is minimal.
5. Security Considerations
This document describes common uses of LMAP, attacks on it, and
defenses which may be implemented. While much of this document deals
with security issues, it does not propose any standard, and therefore
does not have any direct security effects.
However, implementers and administrators of systems using LMAP should
be aware of the issues raised herein.
Internet Draft A Discussion of LMAP [Page 20]
Internet draft November 2003
6. Acknowledgments
The author would like to thank Matthew Elvey, David Maxwell, Philip
Miller, Eric Raymond, Michael Richardson, and Yakov Shafranovich for
feedback on prior versions of this document.
7. Informative References
[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] Hoffman, P. "SMTP Service Extension for Secure SMTP over TLS",
RFC 2487, January, 1999
[4] Myers, J. "SMTP Service Extension for Authentication", RFC 2554,
March, 1999.
[5] Klensin, J. (Ed) "Simple Mail Transfer Protocol", RFC 2821, April
2001.
[6] Mockapetris, P., "Domain Names - Concepts and Facilities", RFC
1034, November 1987
[7] Carpenter, B. (Ed), "Architectural Principles of the Internet",
RFC 1958, June 1996
[8] Gellens, R. and Klensin, J., "Message Submission", RFC 2476,
December 1998
[9] Myers, J. and Rose, M., "Post Office Protocol - Version 3", RFC
1939, May 1996.
8. Contact Information
Alan DeKok
IDT Canada, Inc.
1575 Carling Ave.
Ottawa, ON K1G 0T3
Canada
Email: alan.dekok@idt.com
Phone: +1 613 724 6004 ext. 231
9. Contributors
The following contributors (in alphabetical order) have proposed
Internet Draft A Discussion of LMAP [Page 21]
Internet draft November 2003
various protocols within the LMAP family. While this document
summarizes the concepts behind their work, the reader is asked to
consult with the individual contributors for the latest drafts of
their proposals. At the time of publication, none of the proposals
had status other than Internet-Draft, so they are not referenced here.
For informational purposes, the acronym of the LMAP proposal is given in
brackets after the contributors name.
Raymond S Brand (DRIP)
P.O. Box 100486
Ft. Lauderdale, FL 33310
US
Email: rsbx@acm.org
Hadmut Danisch (RMX)
Tennesseeallee 58
76149 Karlsruhe
Germany
E-Mail: rfc@danisch.de
Phone: ++49-721-843004 or ++49-351-4850477
Gordon Fecyk (DMP)
Pan-Am Internet Services
24 - 482 Young Street
Winnipeg, MB R3B 2S6
Canada
Email: gordonf@pan-am.ca
Phone: +1 204 292-9970
John R. Levine (FSV)
Taughannock Networks
PO Box 727
Trumansburg NY 14886 USA
E-mail: johnl@taugh.com
Phone: +1 607 330 5711
Richard W Rognlie (DRIP)
2782 Prince Harold Ct
Oak Hill, VA 20171
US
Email: ietf-drip-draft@spamblock.gamerz.net
Laurence Sherzer (DRIP)
P.O. Box 5072
Deerfield Beach, FL 33442
US
Email: laurence@sherzer.net
Internet Draft A Discussion of LMAP [Page 22]
Internet draft November 2003
Meng Weng Wong (SPF)
IC Group, Inc.
105 S 12TH ST STE 310
Philadelphia, PA 19107
USA
Email: mengwong@pobox.com
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
Internet Draft A Discussion of LMAP [Page 23]
Html markup produced by rfcmarkup 1.122, available from
https://tools.ietf.org/tools/rfcmarkup/