
Re: [Asrg] attention bonds, was Email Postage
On November 29, 2008 at 13:28 rsk at gsp.org (Rich Kulawiec) wrote:
 > On Fri, Nov 28, 2008 at 03:56:07PM -0500, Barry Shein wrote:
 > > I don't see how 10^8 compromised systems can get past that, short of
 > > the ietf mail server being compromised which could happen but isn't
 > > likely, and is less likely to persist long enough to be much of a
 > > concern.
 > 
 > If the system of any subscriber is compromised, or if the email
 > credentials (username, password, server triplet) of any subscriber
 > are used on a system which is compromised, then the adversary has the
 > ability to send mail as the subscriber.  Note that compromise of some
 > systems will lead to disclosure of many sets of email credentials.

Not if you filter at the IP level of the servers for example. Or not
for long.

My original comment suggested you whitelist so only asrg at irtf.org
email could get to you, and only accept it if it came from an IETF
server (possibly via your internal servers, but at the border.)

10^8 zombies can't get past that.

As I said it leaves the remote possibility that they've compromised
the IETF mail servers but I don't think that's what you're talking
about, and I tend to doubt that would be a major problem.

Whitelists, if properly constructed, can work.

The problem is they're too restrictive for most people.

Anyone else remember when you could not send any email to any IBM
employee unless that employee specifically added you to their
corporate whitelist? You had to call the person on the phone or
similar (fax perhaps), or ask someone else who was whitelisted to
forward your request.

That was in the 80s and it seemed so...draconian. Maybe it's still
like that.

I suspect in terms of spam and other unsolicited email it probably
worked pretty well depending on their own enforcement and policies.

-- 
        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
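The border whitelist described above (accept only mail addressed to the asrg list, and only when the delivering server is one of the list's own), as an added example that is not code from the thread; the allowed network is a placeholder and the sample message is constructed.

```python
"""Added example: a border-side accept/reject decision for list mail.
Both conditions must hold: the message is addressed to the list AND the
SMTP client delivering it is inside the list server's address range.
Headers alone can be forged by a compromised subscriber machine; the
client-IP check is what a zombie connecting directly cannot satisfy.
The network below is a placeholder (RFC 5737 TEST-NET-1), not a real
IETF address range."""
import ipaddress
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

LIST_ADDRESS = "asrg@irtf.org"
# Placeholder: replace with the list server's actual published addresses.
LIST_SERVER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def addressed_to_list(msg: Message) -> bool:
    """True if the list address appears in To or Cc."""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.lower() == LIST_ADDRESS for _, addr in recipients)


def from_list_server(client_ip: str) -> bool:
    """True if the connecting SMTP client lies in an allowed server range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LIST_SERVER_NETS)


def accept_at_border(client_ip: str, raw_message: str) -> bool:
    """Whitelist decision taken at the border, before any internal relay."""
    msg = message_from_string(raw_message)
    return addressed_to_list(msg) and from_list_server(client_ip)


# Constructed sample: identical headers, delivered from two different clients.
SAMPLE = (
    "From: someone@example.org\r\n"
    "To: asrg@irtf.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(accept_at_border("192.0.2.10", SAMPLE))     # list server: True
    print(accept_at_border("198.51.100.7", SAMPLE))   # direct from elsewhere: False
```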
_______________________________________________
Asrg mailing list
Asrg at irtf.org
https://www.irtf.org/mailman/listinfo/asrg