
B.Candler at pobox
Feb 23, 2004, 9:06 AM
On Mon, Feb 23, 2004 at 10:28:44AM -0500, Meng Weng Wong wrote:
> The intra-domain forgery scenario can be solved by ISPs requiring SMTP
> AUTH.
>
> http://archives.listbox.com/spf-discuss [at] v2/200401/1505.html

Which they could do now. But they don't, as they would break all users who are legitimately sending mail from <me [at] my-vanity-domain>, or users with 5 mailboxes in the same household, and so on (apart from the fact that all their existing customers would require reconfiguration, which is actually the biggest issue).

It's not really part of SPF though. Effectively the ISP would have to implement their own stronger-than-SPF policy, binding envelope sender to individual AUTHenticated user. SPF could be used to tell the rest of the world "you can't send mail from anyone [at] mydomain".

SMTP AUTH could be a useful enforcement mechanism. Each time a spammer registers for an account (a dial-up, a leased line, etc), she would get a single SMTP AUTH username/password. Her mail relaying privileges could easily be revoked, in the same way that her access could be terminated, but additionally she could also have per-user rate-limiting policies applied, and it's easier to detect patterns in mail usage (or abuse) if you have an authenticated user.

BUT: the benefit mainly accrues to the rest of the Internet, not to the ISP who goes to all this trouble. They may save themselves a little abuse desk work by keeping spammers off. But they will still be lost in a tide of spam from the rest of the world.

If you are saying the whole Internet should be built around the above scenario: that's great. IP-Blacklist everyone who doesn't comply. It's not going to happen in the near future.

> SPF alone will not reduce the amount of spam you get. SPF is not an
> FUSSP; it is a way for me to not get joe-jobbed, and to help keep other
> people from getting joe-jobbed.
I think there are simpler ways of preventing the fallout from joe-jobs though, which are effective immediately rather than having to wait for the rest of the world to implement SPF.

> If you want to reduce spam, you have to involve a reputation system.

You mean reputation on domain name? I see the logic, but I'm not yet convinced. In order to be effective there would be a huge bias against genuine companies who are new to the Internet, and if it's 99.9% effective against spammers, they will just have to register 1000 times as many domains as now. It will only be more effective than IP blacklists for dynamic-IP scenarios: i.e. spam sent from dial-ups and DSL lines.

I do agree that if people have to "invest" in their domain becoming "trusted" in some fashion, then they have something valuable to take with them, even if they change ISP and therefore their IP netblock moves.

I don't think new users will accept that their dial-up account (or vanity domain) is being rejected by the rest of the Internet just because it hasn't established a 'credit history'.

But the biggest problem I see is that it just depends on too many things piled up together to become effective:

- widespread adoption of SPF (and SRS to fix broken forwarding)
- ISPs widely requiring SMTP AUTH and enforcing envelope sender validity, so that only the reputation of spamaccount [at] myisp is affected, not my entire myisp.net domain, by that user [*]
- a distributed reputation system with input from the unwashed masses

[*] If you are happy to tarnish all of myisp.net with the same brush, then IP blacklists are just as effective anyway.

If this is all really necessary, then a public-key cryptographic mechanism might actually be a lot simpler and easier to implement.

Regards,

Brian.
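The two mechanisms the post contrasts, shown side by side as an added illustration (not code from this thread or from any SPF implementation): a receiver-side SPF check, which authorises by sender domain and client IP and therefore passes an intra-domain forgery relayed through the ISP's own MTA, and the ISP-side "stronger-than-SPF" policy that binds the envelope sender to the SMTP AUTH user. The SPF record, IP addresses, account names and per-user sender table are constructed for the example.

```python
import ipaddress

# Constructed zone data and ISP account data (hypothetical, no real DNS lookups).
SPF_RECORDS = {"myisp.net": "v=spf1 ip4:192.0.2.0/24 -all"}
AUTH_SENDERS = {  # SMTP AUTH user -> envelope senders that user may use
    "mallory": {"mallory@myisp.net"},
    "bob": {"bob@myisp.net", "me@my-vanity-domain.example"},  # vanity-domain case
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from, client_ip, records=SPF_RECORDS):
    """Receiver-side check: does the sender domain's SPF record authorise
    client_ip? Handles only 'ip4' and 'all' mechanisms (enough for this example)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term

def submission_check(auth_user, mail_from, senders=AUTH_SENDERS):
    """ISP-side policy from the post: the relay accepts MAIL FROM only when it
    is one of the addresses bound to the authenticated user. Returns (ok, why)."""
    if auth_user is None:
        return False, "relay refused: SMTP AUTH required"
    if mail_from.lower() not in senders.get(auth_user, set()):
        return False, f"{auth_user} may not use envelope sender {mail_from}"
    return True, "accepted"

def scenario():
    """Forge alice@myisp.net from outside the ISP, then from an authenticated
    ISP customer relaying through the ISP's own MTA at 192.0.2.25."""
    outside = spf_check("alice@myisp.net", "203.0.113.5")      # SPF: fail
    intra = spf_check("alice@myisp.net", "192.0.2.25")         # SPF: pass (its limit)
    ok, _ = submission_check("mallory", "alice@myisp.net")     # ISP policy rejects
    vanity_ok, _ = submission_check("bob", "me@my-vanity-domain.example")
    return {"outside": outside, "intra_domain": intra,
            "isp_rejects_intra": not ok, "vanity_allowed": vanity_ok}
```

`scenario()` shows why the post calls SMTP AUTH an enforcement mechanism separate from SPF: the receiver's SPF check cannot tell mallory's forgery from alice's real mail, only the ISP's submission policy can.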