Re: [Asrg] Deprecating plain POP accounts



Keith Moore <moore@cs.utk.edu> wrote:
> >     "People need to be able to send email from anywhere, to anyone,
> >      using any email address they choose."
> > 
> >   I don't think that's a good idea.
> 
> the people who need to do this don't care whether you think it's a good
> idea or not.

  My statement may have been unclear.  I agree they need to send
email. I don't agree that they need to be the SMTP originator, and to
connect to any SMTP destination.

  Authenticated SMTP allows them to relay via a well-known home
server.  HTTPS allows them to tunnel that traffic through broken
filters at remote sites.

> driving 200 miles per hour causes problems.  submitting mail from random
> places on the net does not.

  I disagree completely, and I won't argue about it.  SPAM is a DDoS
attack, originating from SMTP senders with random IPs.  That's a
problem.

  If getting rid of the "random SMTP sender" problem means that the
roaming user is required to use a home server, then that's fine.  It
stops the spammer, and has little cost to the roaming user.

> you have it backwards.  authenticated smtp is a clean solution; tying
> identity to network location is a hack.

  Hmm.. I don't think I wanted to tie identity to network location.

  If a user from your domain is roaming, and wants to send email, I
don't see why it's *my* problem to authenticate him.  Your laziness is
requiring me to:

    - allow SMTP from any IP
    - allow those people to claim to be anyone
    - allow those people to send to any of my users

  That looks a *whole* lot like spam to me.  I'm inclined to
bit-bucket your roaming users into the same garbage bin as spammers,
because I *can't tell them apart*.

  In contrast, if I can guarantee that:

    - SMTP comes only from machines which *intend* to send SMTP
    - DNS for a domain tells you which machines intend to send SMTP
    - email from users at a domain originates only from SMTP servers
      for that domain

  Then that looks like a pretty good solution to 99.9% of the spam
problem.

  Alan DeKok.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
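
The three guarantees listed at the end of the message above, sketched as a receiving-side check. This is an added example, not code from the post or the list: the record layout in `DECLARED_SENDERS`, the function names and every address are constructed assumptions, with a dictionary standing in for the DNS lookup.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> networks the domain declares as its
# outbound SMTP senders. The record layout is hypothetical, not from the post.
DECLARED_SENDERS = {
    "example.org": ["192.0.2.25/32", "2001:db8:25::/48"],
    "example.net": ["198.51.100.0/28"],
    "example.edu": [],  # publishes a policy but declares no senders
}


def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, or None."""
    local, sep, domain = mail_from.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def check_origin(client_ip, mail_from, declared=DECLARED_SENDERS):
    """Classify one SMTP connection as 'accept', 'reject' or 'no-policy'."""
    domain = sender_domain(mail_from)
    if domain is None:
        return "reject"      # no usable sender domain to check against
    if domain not in declared:
        return "no-policy"   # domain declares nothing, so no decision is possible
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject"      # malformed peer address
    for net in declared[domain]:
        network = ipaddress.ip_network(net, strict=False)
        if ip.version == network.version and ip in network:
            return "accept"  # connection comes from a declared sender
    return "reject"          # domain has a policy and this host is not in it


if __name__ == "__main__":
    # Constructed sample connections: (peer IP, envelope sender).
    samples = [
        ("192.0.2.25", "alice@example.org"),     # home server
        ("203.0.113.77", "alice@example.org"),   # roaming host sending directly
        ("2001:db8:25::1", "bob@example.org"),   # declared IPv6 range
        ("203.0.113.77", "dave@unknown.example"),
    ]
    for ip, sender in samples:
        print(f"{ip:<16} {sender:<24} {check_origin(ip, sender)}")
```

The `no-policy` result is the case the scheme cannot decide on its own: a domain that declares nothing is still indistinguishable from any other unlisted sender.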