
Re: [Asrg] SMTP AUTH



>> Yes, although at least when we're dealing with (let's agree that we're
>> talking mostly about POP3 here) E-mail, we can easily enough filter the
>> message before the MUA gets it to block certain forms of potentially
>> malicious (or at least "very dubious") HTML content, and we can do that
>> with the knowledge of who (at least we believe that) the E-mail in
>> question is coming from.  That makes the problem easier than handling the
>> same things when they are coming into a Web browser, which probably
>> doesn't give us a good intercept point and in any case doesn't provide
>> any standardized way for us to determine who sent the E-mail (or
>> whatever) that's on the Web page being viewed.

>> As I've said, Web-based stuff is a different (and harder) problem that
>> we'll have to deal with eventually, but at the moment that's mostly just
>> a diversion and distraction from what we need to deal with HERE.

> Filters can also be used prior to sending mail to web user.

Sure, they could, but then they must (presumably) be deployed at some other 
point than at the recipient end, perhaps at the Web server end, where it's far 
more difficult to adapt their rules to the choices of the recipient.  It also is 
harder as a rule to get ISP concurrence to install stuff like this, as opposed 
to something that the end user/recipient can install by themself and without 
getting hassled for it.

>>> The idea is to send mail with authentication and if a secured webmail
>>> does that one should prefer that rather than banging their head against
>>> the wall just because we need SMTP/POP to do the job which is done
>>> better by some other thing.

>> Authentication proves NOTHING regarding legitimacy because a zombie
>> spambot can trivially send what it sends using the authentication
>> belonging to the hijacked system.

> A zombie can send mail through SMTP not through HTTPS as of now

  1)  Web protection is a separate issue.  Let's address that issue later.

  2)  How long do you think it would take a capable hacker to create a worm that 
sent mail using HTTPS?  Two weeks?  A month?  Anyhow, it's likely to be a lot 
less time than it takes us to convert the world to "authenticated" mail.

> I'm talking about sending mail through secured webaccess after authentication

And I presume that means that you're simply going to tell everyone using (and 
preferring) SMTP-based E-mail that they can't use it anymore?

And what about SMTP mail senders that are built into backend applications 
worldwide?  You're just going to wave some kind of magic wand and make all that 
stuff disappear, too?

>> Authentication is also at least VERY problematical in cases like airport
>> or cruise ship Internet access terminals/kiosks, where people need to use
>> their OWN E-mail addresses but have absolutely **NO** control over which
>> SMTP E-mail server will be used by the kiosk software.

> What is the %age of ppl using internet on cruise as compared to ppl using
> internet on land at the same time. I don't know why you keep pushing the
> idea of ppl on cruises.

Because it's a good example of the type of LEGITIMATE, IMPORTANT use that people 
who ought to know better seem to be willing to IGNORE.  You can't push an agenda 
that works for 80% or even 95% of the users, if it leaves the remaining 20% or 
5% (whose systems PRESENTLY WORK WELL) totally high and dry.

>>> We should remember that our goal is to stop spam by whatever means
>>> possible, protocol is just a medium.

>> Authentication does **NOTHING** to "stopping spam".  It only adds a few,
>> relatively minor, restrictions on the technologies that spammers (and
>> worms and viruses) use.

> Again I was not only talking about Authentication. At least it stops
> forgery, which still helps fighting spam in a way.

No, it really doesn't.  

Not only does it NOT prevent zombie spambots from forging their infected 
machine's E-mail address onto their outgoing worms and spams, but stuff like SPF 
also doesn't even prevent forging SOME OTHER machine's authenticated E-mail 
address... If you send using (say) johnuser at comcast.net, that mail will 
SPF-authenticate to (presumably) ANY Comcast mail server, anywhere in the world, 
where comcast.net mail is presumed to legitimately originate.  So a compromised 
comcast.net (authenticated) user machine can presumably send mail claiming to be 
from A DIFFERENT Comcast.net user halfway across the country, as long as they 
have the necessary passwords maybe (which can be transmitted by a compromised 
machine) since there are probably hundreds and maybe THOUSANDS of mail servers 
which are "authorized" to send mail from users using the comcast.net domain name 
for a return address.

Let's quit being dishonest about this.  SPF and the like does NOT help 
significantly in fighting spam.  That's merely being used as a pretext to sell 
it, much as "terrorism" is being used as a widely-understood pretext for selling 
the waging of a war that is otherwise unjustified.  Both are shameful and 
dishonest.  Those of us WHO KNOW BETTER should not allow ourselves to be duped, 
or to be misled into blindly supporting a halfassed, stupid bandwagon just 
because it's headed off somewhere and the band is playing loudly.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
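
The domain-level point the message makes about SPF, as an added example that is not part of the original post: a simplified SPF evaluation (only the `ip4`, `ip6` and `all` mechanisms; no `include`, `a`, `mx` or macros) showing that the result depends on the connecting IP and the sender's domain, never on the local part. The domain `isp.example`, its record, the user names and the IP addresses are constructed for illustration.

```python
import ipaddress

# Constructed SPF record for a hypothetical provider; not real DNS data.
SPF_RECORDS = {
    "isp.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mail_from, records=SPF_RECORDS):
    """Simplified SPF check: ip4/ip6/all mechanisms only (assumption)."""
    # The local part is split off and then never consulted: with a record
    # like the one above, authorization is per domain, not per mailbox.
    _local_part, _, domain = mail_from.rpartition("@")
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def results_for(client_ip, senders):
    """Evaluate several envelope senders presented from one client IP."""
    return {sender: check_host(client_ip, sender) for sender in senders}


if __name__ == "__main__":
    # Same authorized server, two different claimed mailboxes: both pass.
    for sender, result in results_for(
        "192.0.2.25", ["johnuser@isp.example", "otheruser@isp.example"]
    ).items():
        print(f"{sender:28} from 192.0.2.25  -> {result}")
    # Same mailbox from an address outside the record: fail.
    print(check_host("203.0.113.9", "johnuser@isp.example"))
```

A receiver that wants mailbox-level assurance has to rely on something beyond this check, such as the provider binding the envelope sender to the authenticated submission account.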