At 17:25 2005-02-03 -0500, Robert Arnold wrote:
This solution of smtp authentication assumes that creating accounts with
the given provider is secure against fraudulent signups. If fraudulent
That's a matter between the ISP and their customer base. The point of
using SMTP Auth is that only customers have access to your
mailserver. Sure, the login can be compromised - but it tracks directly to
a customer, and can be independantly disabled.
I wish ISPs would adopt a "we're going to charge your credit card if you
send spam" policy. Right there on your signup.
account signups can be easily scripted/automated,
Uh, I'm not talking about Yahoo, Hotmail, and other freemail
providers. I'm talking about real ISPs, providing dialup lines,
etc. There needs to be more accountability. Heck, if ISPs maintained a
list of deadbeat customers, tracking names associated with creditcards
(and, say, the verifyable billing addresses associated with same), there
could be an ISP blacklist to keep problematic users from signing up for
accounts with ISPs which want to stick to reputable users.
25). Whats more, this allows the possibility (and already practiced)
spamming vector of:
A) Spammer signs up fraudulent account
Solution: ISP requires use of credit card or electronic cheque for
signup. Sure, they can use stolen materials -- but that handily turns
their offence from some vague and hardly prosecuteably "spam" thing into a
very real credit card fraud and/or identity theft matter, where the
authorities may take more of a direct interest in prosecuting someone.
B) Spammer then spews from numerous zombie hosts through
provider's ASMTP rotor using fraudulent login,
.. which could be disabled at will by the ISP once they realize there's a
spam situation. This beats the turd out of relaying for everything that
has a From: at the domain (regardless of who is ACTUALLY sending
it). Further, since SMTP AUTH is generally database driven, it wouldn't be
too much of a chore to manupulate that database based on criteria as I
'random zombie host' -> 'provider's ASMTP server' -> Internet
Some hosting services "throttle" mail. Now, this technique could be
morphed into one which limits the number of remote IP addresses which can
be used by a single account in some time span. An excess of messages
and/or varying IPs triggers an account lock. Likewise, an excess of NDNs
could trigger an account lock.
As already indicated, this is running far afield of procmail at this point.
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
procmail mailing list Procmail homepage: http://www.procmail.org/