ietf-asrg

Re: [Asrg] Re: RMX Records

2003-03-04 02:30:37
On Tue, Mar 04, 2003 at 12:08:07AM +0000, Adam Back wrote:
> Hadmut Danisch wrote:
> > Even when I'm on the road and using a foreign ISP on the other side
> > of the world, I always drop my email to the very same relay machine,
> > simply because that's easier. My notebook doesn't need to bother with
> > DNS queries and temporarily unavailable peers.  I drop all my
> > outgoing mail to a central host, and this host is doing the job.
>
> That doesn't generally work because the mail hub will tend to reject
> mail so sent because you're coming from a different ISP.  eg. sales
> person uses aol.com, earthlink.net (or other international ISP) drops
> off mail at mail.foo.com mail hub, and if the mail hub isn't vulnerable
> to the open relay problem, it will reject the mail.


Hmm, I silently presumed that everybody is aware that we don't
have an open relay. The machine supports several kinds of
authentication through STARTTLS and SASL. You can drop mail only
if you authenticated before. 

(I don't even use SMTP to drop my mail. All mail sent from home
(DSL with dynamic IP) or when I'm on the road is exchanged with
the central Mail hub through BSMTP/UUCP over SSL. That's much 
faster, more secure and more robust than plain SMTP.)

> The other problem with RMX is that it relies on DNS which itself has
> horrendous security vulnerabilities due to inherent limitations in the
> protocol.  RMX inherits them and so is inherently easy to spoof and
> bypass.  See for example: http://www.securityfocus.com/guest/17905
> for a good survey paper on DNS vulnerabilities.


Agreed, but we won't get rid of DNS here, and in context of 
mail transfer we need DNS anyway. Fixing the security problems of 
DNS is the task of another IETF working group. We shouldn't try
to improve the whole world, but focus on spam.

> Also I'm not sure as another poster noted how much it even helps:
> disposable ISP free accounts (AOL CD syndrome) are a major source,
> with RMX the problem is not even improved.

I don't see the problem. If anyone uses such a CD, she is still 
limited to the aol domain and can't send e.g. as @hotmail.com or
@danisch.de. 

Furthermore, I see the end of the AOL CD era coming for several
reasons. First is that people are throwing their modems and
ISDN cards away and are running to have a DSL account. Sales
of modems and ISDN cards have dramatically decreased. That's the
end of those AOL CDs.

Second is, under German - and I believe under European - law
ISPs are required to state their customers' identity. I guess
the same will come in the USA after 9/11. It will become
more and more difficult to have anonymous access to the internet.

Third, when a thing like RMX comes to fly, anonymous customers
will have to find an RMX covering the AOL addresses in order to
send spam. There will be very few domains doing so, maybe just
aol.com. If AOL goes on with supporting spam, they will be 
blacklisted (which is effective in this case). They will have
to solve the problem.

regards
Hadmut
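
Added illustration, not part of the original message or of the RMX proposal's own text: a receiving-side check of the kind the thread discusses, where a domain names the hosts allowed to originate its mail and the receiver compares the connecting IP against the envelope sender's domain. The table stands in for DNS lookups, the addresses are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS. The domain names come from the message; the
# networks are documentation ranges (RFC 5737), not those domains' real hosts.
RMX_TABLE = {
    "danisch.de": ["192.0.2.25/32"],      # the author's central mail hub
    "aol.com": ["198.51.100.0/24"],       # hosts an ISP lets originate its mail
    "hotmail.com": ["203.0.113.0/28"],
}

def sender_domain(mail_from):
    """Return the lowercased domain of an SMTP envelope sender, or None."""
    addr = mail_from.strip().strip("<>").strip()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return None                       # null sender "<>" or malformed
    return domain.lower().rstrip(".")

def rmx_check(client_ip, mail_from, table=RMX_TABLE):
    """Classify a connection as 'pass', 'fail' or 'none' (nothing to check)."""
    domain = sender_domain(mail_from)
    networks = table.get(domain) if domain else None
    if networks is None:
        return "none"                     # domain publishes no authorization
    ip = ipaddress.ip_address(client_ip)  # raises ValueError on garbage input
    if any(ip in ipaddress.ip_network(n) for n in networks):
        return "pass"
    return "fail"

# Constructed (client IP, MAIL FROM) pairs as the receiving MTA would see them.
SCENARIOS = [
    ("192.0.2.25", "<hadmut@danisch.de>"),       # roaming user, relayed via hub
    ("198.51.100.77", "<newuser@aol.com>"),      # throwaway account, own domain
    ("198.51.100.77", "<someone@hotmail.com>"),  # same host, forged domain
    ("198.51.100.77", "<x@unlisted.example>"),   # domain without data
    ("198.51.100.77", "<>"),                     # bounce, no sender domain
]

def run_scenarios():
    return [rmx_check(ip, sender) for ip, sender in SCENARIOS]

if __name__ == "__main__":
    for (ip, sender), verdict in zip(SCENARIOS, run_scenarios()):
        print(f"{ip:15} {sender:24} {verdict}")
```

The first scenario passes because the receiver sees the hub's address rather than the notebook's; the second passes as well, which is the limit raised in the thread: the check binds a host to a sender domain, it does not judge the account behind it.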

