[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] SMTP AUTH

To: asrg at ietf.org
Subject: Re: [Asrg] SMTP AUTH
From: aseem_jakhar at persistent.co.in
Date: Wed, 8 Dec 2004 13:08:42 +0530 (IST)
Importance: Normal
In-reply-to: <200412080237.iB82bdqE012563@smtp.pspl.co.in>
List-archive: <http://www1.ietf.org/pipermail/asrg>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <200412080237.iB82bdqE012563@smtp.pspl.co.in>
Sender: asrg-bounces at ietf.org
User-agent: SquirrelMail/1.4.1-2

> Yes, although at least when we're dealing with (let's agree that we're
> talking
> mostly about POP3 here) E-mail, we can easily enough filter the message
> before
> the MUA gets it to block certain forms of potentially malicious (or at
> least
> "very dubious") HTML content, and we can do that with the knowledge of who
> (at
> least we believe that) the E-mail in question is coming from.  That makes
> the
> problem easier than handling the same things when they are coming into a
> Web
> browser, which probably doesn't give us a good intercept point and in any
> case
> doesn't provide any standardized way for us to determine who sent the
> E-mail (or
> whatever) that's on the Web page being viewed.

> As I've said, Web-based stuff is a different (and harder) problem that
> we'll
> have to deal with eventually, but at the moment that's mostly just a
> diversion
> and distraction from what we need to deal with HERE.
Filters can also be used prior to sending mail to web user.

>> The idea is to send mail with
> authentication and if a secured webmail does that one should prefer that
> rather than banging their head against the wall just because we need
> SMTP/POP to do the job which is done better by some other thing.
>
> Authentication proves NOTHING regarding legitimacy because a zombie
> spambot can
> trivially send what it sends using the authentication belonging to the
> hijacked
> system.
A zombie can send mail through SMTP not through HTTPS as of now
I'm talking about sending mail through secured webaccess after authentication

> Authentication is also at least VERY problematical in cases like airport
> or
> cruise ship Internet access terminals/kiosks, where people need to use
> their OWN
> E-mail addresses but have absolutely **NO** control over which SMTP E-mail
> server will be used by the kiosk software.

What is the %age of ppl using internet on cruise as compared to ppl using
internet on land at the same time. I dont know why you keep pushing the
idea of ppl on cruises.

>> We should remember that our goal is to stop spam by whatever means
>> possible,
> protocol is just a medium.
>
> Authentication does **NOTHING** to "stopping spam".  It only adds a few,
> relatively minor, restrictions on the technologies that spammers (and
> worms and
> viruses) use.
Again I was not only talking about Authentication. Atleast it stops forgery.
which still helps fighting spam in a way.

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Prev by Date: Re: [Asrg] SMTP AUTH
Next by Date: RE: [Asrg] SMTP AUTH
Previous by thread: Re: [Asrg] SMTP AUTH
Next by thread: RE: [Asrg] SMTP AUTH
Index(es):
- Date
- Thread