On Thu, Mar 27, 2003 at 11:04:36AM -0500, Preston, Tony wrote:
The problem has to be solved on the sending end or you do not have
a solution. The only ideas that seem to make sense are the idea of
validating the sender at each hop (then as more and more MTAs get
updated to do this, the sender is better identified and can be blocked)
and the idea of estamps.
What exactly do you mean with "validating".
We have some 1000 POP3/IMAP customers that use our mailservers also for
relaying.
Should we disallow our customers to send emails with a different
envelope sender than the one they have authenticated (SMTP AUTH) with?
How about small companies that host their own mailserver?
If not and he uses joe(_at_)example(_dot_)com, the SMTP server could go down a
chain of LDAP/X.500 server and query the server for example.com whether
joe(_at_)example(_dot_)com exists.
This leads at least to three problems:
1) Those LDAP/X.500/whatever servers will be vulnarable to dict query
attacks and will reveal valid email addresses that helps the bad guys
to clean up and populate their databases
2) it reveals nothing about the identity of the sender. Everyone could
use joe(_at_)example(_dot_)com and no MTA has a chance to know whether it's
real or fake.
3) it doesn't prevent spammers to allocate another 12345abcde.com domain
for two weeks, set up a LDAP/X.500/whatever server that always
answers "validated" and spam on.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg