[Asrg] RE: Asrg digest, Vol 1 #32 - 9 msgs
> Date: Wed, 5 Mar 2003 11:24:06 -0500
> To: Hadmut Danisch <hadmut@danisch.de>
> From: Kee Hinckley <nazgul@somewhere.com>
> Subject: Re: [Asrg] Deprecating plain POP accounts
> Cc: asrg@ietf.org
>
> At 11:43 AM +0100 3/5/03, Hadmut Danisch wrote:
>>Surprise: That already exists. Many POP providers also offer the
>>service of delivering the mail. Authentication is possible through
>>either a so called "SMTP after POP" or a simple Password
>>authentication in the SMTP protocol, typically the same password as for
>>the POP account.
>
> If this were a solution, then ISP's wouldn't be blocking outbound
> SMTP connections.
Sure they would. That would be an essential part of this solution - only
the ISP's own servers are allowed to make outgoing SMTP connections.
>
> Since there is no way to tell the difference between an outbound SMTP
> session from a client, and one from a server, your solution provides
> a mechanism for authorized delivery, but does not require it.
> Therefore the user sets up mail broadcaster at some safe location (or
> uses open relays) and sits happily at home using his ISP to send out
> email. From the ISP's standpoint this looks just like legitimate
> use. But he's spamming like crazy, and it's the ISP that gets the
> complaints.
> --
> Kee Hinckley
> http://www.puremessaging.com/ Junk-Free Email Filtering
No way to tell the difference? As a general rule I can tell the difference
between one of my servers and some client somewhere in my net - it's pretty
trivial. Use the IP address for example (the server addresses are fixed;
the client addresses may be fixed or may come out of a pool - but they are
visibly different).
If the ISP's server keeps track of who sent what (no need for it to validate
the "From:" header or anything like that, so there's no difficulty in
sending using a source domain different from the domain I'm using right now)
for long enough to match up any spamming complaints to the originator, the
ISP can take action against the originator. Or the ISP can be subpoenaed
("ripped" maybe in the UK?) to provide the information for a prosecution if
the spam is illegal in his jurisdiction. Not a lot of data to keep (a msg id
and originator) and it doesn't need to be kept for very long (a couple of
days) - certainly it's data that is kept to maintain the ISP service by
assisting in enforcement of conditions of use, so even European privacy laws
(conforming to ECHR) won't be offended by retaining the data for long enough
to achieve that - and no data identifying the originator has been added to
the message by the ISP, so full sender anonymity can be preserved if
required in cases where the mail is not spam.
Doing that we can end up with a clear view of which ISPs will deal with spam
complaints effectively and which won't. Probably the next stage is
blacklists - if an ISP is unwilling to deal with spam it's probably because
he sees it as to his commercial advantage to allow it, and blacklisting will
make him useless to all his customers (whether spammers or not) so he'll
pretty quickly change his ways.
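The relay-side bookkeeping described in the message above (a message id and originator, kept for a couple of days and matched against complaints), as an added example that is not part of the original post. `RelayLog`, the account label and the sample message are hypothetical, and the sketch assumes the ISP relay assigns the Message-ID itself.

```python
import email
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=2)  # "a couple of days", as in the message above


class RelayLog:
    """Maps Message-ID -> (originator, accepted_at); nothing is added to the mail."""

    def __init__(self, retention=RETENTION):
        self.retention = retention
        self._entries = {}

    def record(self, raw_message, originator, now):
        # Key on Message-ID only; the From: header is neither validated nor stored.
        msg_id = email.message_from_string(raw_message)["Message-ID"]
        if msg_id:
            self._entries[msg_id.strip()] = (originator, now)

    def purge(self, now):
        # Drop entries older than the retention window; return how many were dropped.
        cutoff = now - self.retention
        expired = [m for m, (_, ts) in self._entries.items() if ts < cutoff]
        for m in expired:
            del self._entries[m]
        return len(expired)

    def originator_for_complaint(self, complained_message, now):
        """Return the originator of a reported message, or None if unknown or expired."""
        self.purge(now)
        msg_id = email.message_from_string(complained_message)["Message-ID"]
        entry = self._entries.get(msg_id.strip()) if msg_id else None
        return entry[0] if entry else None


# Constructed sample: the From: domain is unrelated to the customer's account.
SAMPLE = (
    "From: offers@unrelated.example\n"
    "To: user@recipient.example\n"
    "Message-ID: <20030305.0001@relay.isp.example>\n"
    "Subject: test\n\nbody\n"
)


def demo():
    log = RelayLog()
    t0 = datetime(2003, 3, 5, 12, 0, tzinfo=timezone.utc)
    log.record(SAMPLE, originator="customer-4711 @ 192.0.2.57", now=t0)
    within = log.originator_for_complaint(SAMPLE, now=t0 + timedelta(hours=30))
    after = log.originator_for_complaint(SAMPLE, now=t0 + timedelta(days=3))
    return within, after
```

A complaint received 30 hours after relay resolves to the customer account; the same complaint three days later finds nothing, because the entry has been purged.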