ietf-asrg

[Asrg] RE: Asrg digest, Vol 1 #32 - 9 msgs

2003-03-06 08:06:19
Date: Wed, 5 Mar 2003 11:24:06 -0500
To: Hadmut Danisch <hadmut(_at_)danisch(_dot_)de>
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>
Subject: Re: [Asrg] Deprecating plain POP accounts
Cc: asrg(_at_)ietf(_dot_)org

At 11:43 AM +0100 3/5/03, Hadmut Danisch wrote:
Surprise: That already exists. Many POP providers also offer the
service of delivering the mail. Authentication is possible through
either a so-called "SMTP after POP" or a simple Password
authentication in the SMTP protocol, typically the same password as for
the POP account.

If this were a solution, then ISPs wouldn't be blocking outbound
SMTP connections.

Sure they would.  That would be an essential part of this solution - only
the ISP's own servers are allowed to make outgoing SMTP connections.


Since there is no way to tell the difference between an outbound SMTP
session from a client, and one from a server, your solution provides
a mechanism for authorized delivery, but does not require it.
Therefore the user sets up a mail broadcaster at some safe location (or
uses open relays) and sits happily at home using his ISP to send out
email.  From the ISP's standpoint this looks just like legitimate
use.  But he's spamming like crazy, and it's the ISP that gets the
complaints.
--
Kee Hinckley
http://www.puremessaging.com/        Junk-Free Email Filtering

No way to tell the difference?  As a general rule I can tell the difference
between one of my servers and some client somewhere in my net - it's pretty
trivial.  Use the IP address for example (the server addresses are fixed;
the client addresses may be fixed or may come out of a pool - but they are
visibly different).

If the ISP's server keeps track of who sent what (no need for it to validate
the "From:" header or anything like that, so there's no difficulty in
sending using a source domain different from the domain I'm using right now)
for long enough to match up any spamming complaints to the originator, the
ISP can take action against the originator.  Or the ISP can be subpoenaed
("ripped" maybe in the UK?) to provide the information for a prosecution if
the spam is illegal in his jurisdiction. Not a lot of data to keep (a msg id
and originator) and it doesn't need to be kept for very long (a couple of
days) - certainly it's data that is kept to maintain the ISP service by
assisting in enforcement of conditions of use, so even European privacy laws
(conforming to ECHR) won't be offended by retaining the data for long enough
to achieve that - and no data identifying the originator has been added to
the message by the ISP, so full sender anonymity can be preserved if
required in cases where the mail is not spam.

Doing that we can end up with a clear view of which ISPs will deal with spam
complaints effectively and which won't.  Probably the next stage is
blacklists - if an ISP is unwilling to deal with spam it's probably because
he sees it as to his commercial advantage to allow it, and blacklisting will
make him useless to all his customers (whether spammers or not) so he'll
pretty quickly change his ways.
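
The scheme discussed in this thread (outbound port 25 limited to the ISP's own fixed server addresses, plus a short-lived relay-side record of message id and originator), sketched as an added example that is not code from any participant. The address range, account names, relay domain and the two-day retention value are constructed assumptions.

```python
import ipaddress
from datetime import timedelta
from email import message_from_string
from email.utils import make_msgid

RETENTION = timedelta(days=2)  # assumed value for "a couple of days"
SERVER_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # constructed: the ISP's fixed relay range


def allow_outbound_smtp(src_ip):
    """Egress rule: only the ISP's own servers may connect out on port 25."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SERVER_NETS)


class SubmissionLog:
    """Message-ID -> (account, accept time), kept on the relay only."""

    def __init__(self):
        self.entries = {}

    def record(self, raw_message, account, now):
        """Log an accepted message; returns the message as relayed."""
        msg = message_from_string(raw_message)
        if msg["Message-ID"] is None:
            # A client that omits the header gets a relay-generated id,
            # which names the relay domain but not the account.
            msg["Message-ID"] = make_msgid(domain="relay.isp.example")
        self.entries[msg["Message-ID"].strip()] = (account, now)
        return msg

    def purge(self, now):
        """Drop entries older than RETENTION; returns how many were dropped."""
        expired = [m for m, (_, t) in self.entries.items() if now - t > RETENTION]
        for m in expired:
            del self.entries[m]
        return len(expired)

    def resolve_complaint(self, complaint_headers, now):
        """Return the account behind a complained-about message, or None."""
        self.purge(now)
        msg_id = message_from_string(complaint_headers)["Message-ID"]
        entry = self.entries.get(msg_id.strip()) if msg_id else None
        return entry[0] if entry else None
```

Message-ID is normally chosen by the client, so a relay relying on this log would also key on an identifier it assigns itself (for example its queue id in the Received header) to avoid collisions between customers.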

