Re: [Asrg] Email Certification Path Proposal

2003-03-11 16:00:11
From: Matt Sergeant <msergeant(_at_)startechgroup(_dot_)co(_dot_)uk>

...
How does authentication give stronger blacklisting?  Blacklisting
by domain name and IP address works pretty well today.

Mandatory auth (and assuming it's trustable auth, however that is
implemented) means the spammer can no longer use open proxies (unless he
auths against his own servers via an open proxy) nor open relays. 

If you can't get open relays closed, how do you get them to install
mandatory authentication?  If mandatory authentication meant anything
effective, you could use the same magic to say "mandatory no relaying
without SMTP-AUTH" and close all open relays.

Mandatory authentication does not prevent the use of proxies, because
the proxy is transparent.  Any authenticating by the SMTP server will
not be of the proxy's IP address or of one of the IP addresses of a
multi-homed legitimate SMTP client, but of the client itself beyond
any proxies or network interfaces.  If the message carries a good
certificate from the original SMTP client, then it will still carry
a good certificate when sent through a proxy.

All that authentication does is give you another thing to blacklist
in addition to domain names and IP addresses.  The fatal flaw is that
it will be quicker and easier to get new certs than to find IP addresses
of open proxies and at least as easy as getting new domain names.
Worse, you can now test an IP address to see if it is an open proxy
and blacklist it.  Given a cert that has been involved with spam, do
you blacklist it?  If so, why don't you blacklist the domain names and
IP addresses of all big outfits today, because they've all sent spam?


                                                                  That
means he has to have fixed resources. Yes, the larger spammers can set up
fake ISPs and so on, but they are the minority (in my spam traps) because
this is difficult to do (and *still* results in fixed resources, albeit
with a greater freedom to move around within his slash-space). 

Spammers will not need to have "fake ISPs" unless you limit the use
of SMTP clients to AOL and other big outfits.  (By the way, what
MUA-MTA protocol do you use?  Are you sure it's not SMTP, making your
system a "fake ISP?")

Are you sure you are recognizing the large spammers in your traps instead
of mistaking them for small fry?

Why won't all spammers still be equally able to use open relays as 
amplifiers of their bandwidth?

                                                               So at the
end of the day auth buys you a reasonable level of certainty that the user
is who they say they are, which means you can more effectively hit a wider
swathe of the spamming population with your blacklists.
...

If as you say most spammers are small fry that you don't recognize,
then being able to check their authentication won't tell you anything
you don't already know.  You'll not be able to recognize the flood of
new small fry whether by their new user names, domain names, or certs.

  .....


] From: Matt Sergeant <msergeant(_at_)startechgroup(_dot_)co(_dot_)uk>

] > > Plus I think the above pushes Ralsky (or whoever) into a whole other 
] > > legal bracket than spamming, and thus gives the FTC the teeth they need 
] > > to go after him for federal crime. But IANAL so this may be false.
] > 
] > Where's the crime, false advertising, or other naughtiness, besides
] > wrecking the hopes of people who think authentication is magic pixie dust?
]
] I believe it would be fraud. Hiding behind hired goons is *not* a valid 
] defense against fraud charges.

Where is the fraud?  If there is no fraud, then there's no crime to
hire people to front for you.  If that were a crime, then all corporations
and all U.S. presidents for the last 50 or 100 years would be guilty
because they all have transient "goons" fronting for them.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com