
RE: [Asrg] RE: Asrg digest, Vol 1 #32 - 9 msgs

2003-03-06 11:03:28


From: Kee Hinckley [mailto:nazgul(_at_)somewhere(_dot_)com]
Sent: 06 March 2003 16:04
To: Tom Thomson
Cc: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] RE: Asrg digest, Vol 1 #32 - 9 msgs

At 3:04 PM +0000 3/6/03, Tom Thomson wrote:
Doing that we can end up with a clear view of which ISPs will deal with spam
complaints effectively and which won't.  Probably the next stage is
blacklists - if an ISP is unwilling to deal with spam it's probably because
he sees it as to his commercial advantage to allow it, and blacklisting will
make him useless to all his customers (whether spammers or not) so he'll
pretty quickly change his ways.

What you are describing is exactly the situation now.  The message
headers indicate the originator of the email by IP address.  When you
report the email, the ISP terminates the account if they are
responsible and doesn't if they are not.  The ISP doesn't need to log
message-ids, the received headers contain all the necessary
information for them to map back to the sender.

At one point WorldCom reportedly had over 100 people doing nothing
but dealing with spam complaints.  And on the other side of the
fence, I haven't noticed the ISP 163.net in China going out of
business just because they are a major source of spam.

PS. Could someone tell me why there are these Chinese ISPs that use
numbers like 163 and 263 as their names?  Is there some significance
to the numbers?
--
Kee Hinckley

No, it isn't the situation we have now.  It's closer to the situation we had
a while back, but the spammers have got a lot cleverer since.  Injecting a
few "Received-From:" headers at source, complete with IP addresses and
domain name that corresponded to that IP at the time the message was
delivered to that MTA, means that when the message is delivered there is no
authenticated point of origin.  Having MTAs sign the "Received-From:" lines
they insert would distinguish the fake ones from the real ones, and give us
a real point of origin - then we could complain to the right place (allowing
for the possibility that the point of origin signs a Received-From: header
properly, so the point of origin may be either the last signer or the
machine pointed at by the last signer). Similarly a signed "From:" header
would work, but of course we can't expect the spammer's MUA to provide that
for us and it takes longer to get MUAs updated than MTAs.
Now the anti-spammers have moved on too, and we have some MTAs which will
add a "probably forged" comment into the string of "Received-From" lines,
which is an improvement, but that unfortunately isn't bullet-proof and we
can expect the spammers to get ahead of that one next (why shouldn't the
point of origin inject such a comment some way down the chain to point a
misleading finger, and avoid talking to MTAs known to provide this
comment when appropriate?).

I agree that some ISPs are going out of business despite appearing to be
major spam sources; but do we know they actually are major spam sources
though, without any authentication of the point of origin or of the
Received-From trail? That's what makes me favour blacklists once we have
reliable authentication of point of origin, but only when we have that
reliable authentication (and have a pile of complaints not dealt with).

And I haven't a clue why Chinese ISPs use these numeric names.

Tom Thomson

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
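The scheme Tom describes (each MTA signs the Received line it inserts, so a receiver can walk the trail back to the last verifiable signer and treat everything below it as unauthenticated) is sketched below as an added example. It is not code from the thread, the ASRG, or any MTA; the header layout (a trailing `sig=` parameter), the key table `MTA_KEYS`, the host names and the trace itself are all constructed for illustration. An HMAC with a per-MTA shared key stands in for the public-key signature a real design would use, so the example runs with only the standard library.

```python
import hashlib
import hmac
import re

# Hypothetical per-MTA signing keys, indexed by the host in the "by" clause of
# a Received line. In a real design each MTA would hold a private key and
# publish the public half; a shared HMAC key is a dependency-free stand-in.
MTA_KEYS = {
    "mx.example.org": b"constructed-key-mx",
    "relay.example.net": b"constructed-key-relay",
    "mail.isp.example.com": b"constructed-key-isp",
}

# Group 1: text the inserting MTA signed; 2: "from" host; 3: "by" host; 4: signature.
RECEIVED_RE = re.compile(r"^(from\s+(\S+)\s+by\s+(\S+).*?)(?:;\s*sig=([0-9a-f]+))?$")


def sign_received(body, key):
    """Signature a cooperating MTA appends to the Received line it inserts."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_received(frm, by, rest, key=None):
    """Build a Received line; it is signed only when the inserting MTA has a key."""
    body = f"from {frm} by {by} {rest}"
    return body if key is None else f"{body}; sig={sign_received(body, key)}"


def parse_received(line):
    m = RECEIVED_RE.match(line)
    if m is None:
        return None
    return {"body": m.group(1), "from": m.group(2), "by": m.group(3), "sig": m.group(4)}


def authenticate_origin(received_lines):
    """Walk the Received chain from the newest line (ours) towards the oldest.

    A line is accepted only if (a) it was inserted by the host the previous
    accepted line says it received from, (b) that host has a known key and
    (c) its signature verifies. The walk stops at the first line failing any
    of these; everything below it is unauthenticated and may have been
    injected by the sender. Free-text comments such as "(probably forged)"
    carry no weight at all, only signatures do.
    """
    verified = []
    expected_by = None
    for line in received_lines:
        rec = parse_received(line)
        if rec is None:
            break
        if expected_by is not None and rec["by"] != expected_by:
            break
        key = MTA_KEYS.get(rec["by"])
        if key is None or rec["sig"] is None:
            break
        if not hmac.compare_digest(rec["sig"], sign_received(rec["body"], key)):
            break
        verified.append(rec)
        expected_by = rec["from"]
    if not verified:
        return None
    last = verified[-1]
    # The origin is either the last signer itself or the machine it points at.
    return {
        "last_signer": last["by"],
        "point_of_origin": last["from"],
        "authenticated_hops": len(verified),
        "unauthenticated_lines": len(received_lines) - len(verified),
    }


# Constructed trace, newest line first as in a real header block.
SAMPLE_TRACE = [
    make_received("relay.example.net", "mx.example.org",
                  "with ESMTP id A1; Thu, 6 Mar 2003 16:04:00 +0000", MTA_KEYS["mx.example.org"]),
    make_received("mail.isp.example.com", "relay.example.net",
                  "with ESMTP id B2; Thu, 6 Mar 2003 16:03:50 +0000", MTA_KEYS["relay.example.net"]),
    make_received("[192.0.2.77]", "mail.isp.example.com",
                  "with SMTP id C3; Thu, 6 Mar 2003 16:03:40 +0000", MTA_KEYS["mail.isp.example.com"]),
    # Everything below was present when the sending machine connected to the
    # ISP's MTA: plausible-looking, unsigned, and its "(probably forged)"
    # annotation is just more untrusted text pointing a finger elsewhere.
    make_received("innocent.example.edu", "[192.0.2.77]",
                  "with ESMTP id D4; Thu, 6 Mar 2003 16:03:30 +0000"),
    make_received("victim.example.org", "innocent.example.edu",
                  "(probably forged) with ESMTP id E5; Thu, 6 Mar 2003 16:03:20 +0000"),
]

# Variant in which the sender also attaches a made-up signature to a line that
# claims to have been inserted by the ISP's MTA.
TAMPERED_TRACE = SAMPLE_TRACE[:2] + [
    make_received("[192.0.2.77]", "mail.isp.example.com",
                  "with SMTP id C3; Thu, 6 Mar 2003 16:03:40 +0000", b"guessed-key"),
] + SAMPLE_TRACE[3:]

if __name__ == "__main__":
    print(authenticate_origin(SAMPLE_TRACE))
    print(authenticate_origin(TAMPERED_TRACE))
```

On the sample trace the walk authenticates three hops and names `mail.isp.example.com` as the last signer and `[192.0.2.77]` as the point of origin, so a complaint would go to that ISP about that address; the two lines below are reported as unauthenticated rather than believed. In the tampered variant the bad signature stops the walk one hop earlier, which still lands the complaint at the ISP that accepted the message.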


