[TriLUG] Another seal broken... thinking of installing a C/R anti-spam system
Daniel Sterling
dan at lost-habit.com
Sun Jan 28 14:54:50 EST 2007
Jon Carnes wrote:
> Yep, in my 21st century world of authenticated smtp, folks would setup
> their email clients so that an account would have a server login for
> pop/imap *and* have a server login for smtp-auth as well.
Well, I hate to agree with the Magnus, but he's right: smtp-auth is
irrelevant for stopping spam. However, authenticating SMTP, which is
what you mean, is described well at wikipedia :
http://en.wikipedia.org/wiki/E-mail_authentication
Basically, right now, we have IP-based RBLs. If all SMTP traffic were
authenticated via SPF/DomainKeys, etc, we could instead have
domain-based blacklists, which would raise the barrier to entry to
sending email. Spammers would adapt by buying many domains and using
distributed botnets to mass-sign messages, but this would be easier to
defend against.
Of course, there are always issues to consider: you'd be required to use
Reply-To instead of From; signed messages could be invalidated by
mail-handling programs that mangle headers; we'd have to deal with
signing replay attacks; etc.
Additionally, it has the problem of requiring that everybody adopt and
enforce a standard; nobody seems to be able to make this happen. Until
mail is simply dropped on the floor unless it is authenticated, spammers
can continue to ignore SMTP authentication; or they can authenticate
their messages -- with the lack of a centralized blacklist,
authenticating spam messages might actually increase delivery rate.
-- Dan
More information about the TriLUG
mailing list