ietf-asrg

RE: [Asrg] Re: Asrg digest, Vol 1 #133 - 14 msgs

2003-03-28 13:04:49

It wouldn't even reduce the amount of spam.
Is it just me or why do I get the impression that a lot of people think
that spammers are dumb idiots and that telling them "nanana, you can't
do this anymore" will change a thing?

Lightweight authentication by IP address will reduce the amount
of spam in the short term. For the most part in the same way that car
alarms reduce the chance that YOUR car is the one stolen.

I am rather sure they are on this list and watch closely to be prepared
and they are no idiots.

Some are idiots, quite a lot in fact and yes it would be 
rather good if those millions of CDROMs with email addresses
on started to become useless.


It shouldn't be too big a problem to combine pairs from their databases
(just like a lot of outlook viruses already do from the addressbook)
and use the same ole algorithms.

That is why any authentication mechanism has to be set up
so that it can progress from lightweight authentication on
the sender IP address to more robust, cryptographic means.

Eventually we are going to have to deploy DNSSEC or SSL mail
certificates to defeat the bastards but we don't need to do 
that on day one to reduce the problem. 

Have you ever asked them what they think about DUL?
What will they think about validating services or RMX? From my
experience 80% won't even understand what you are talking about.

Clearly the distinction between Dial up lists ceases to have
any utility once everyone is using DSL. Plenty of companies are
legitimately using DSL to support mail servers. DSL has plenty
of capacity for that task - heck not so long ago the whole of CERN
had less bandwidth than my cable provider gives me for my house.

There is an important point here, what appears to be expensive
to geekdom can be cheap to businesses, what appears cheap can
be very very expensive. In particular IETF solutions tend to
view geek time as being free. There is perhaps even a conflict
of interest here since many of the people who press for geek
intensive solutions then go out to sell expensive consulting
services. 

So proposing that someone use SSL and get a CA issued certificate
for $350 is a no-no, but devising an obfusticated and complex 
protocol that requires many days of $2000/day consultancy is OK.

Err... right.

 
I really don't know ... does hotmail, yahoo etc all provide SMTP
relay services or do you have to use their web interfaces?
If they don't provide SMTP relay there is also missing a solution for
the thousands of public mail service provider users that use those
addresses for this and that, from Internet cafes or from their
mailbox.

The only mechanisms I can think of that are currently deployable
for that application would be to either relay email through a
hotmail SMTP relay (with appropriate authentication of course),
or to issue the users with S/MIME certificates, probably as
part of a 'premium account' package.

Of course the volumes of the certificates involved would probably
make the cost per cert pretty minor.

[In case you are wondering why I don't suggest PGP, well first,
Hotmail and AOL are both parts of companies that produce S/MIME
products so it is very unlikely they would support a competing
spec, second the authentication model of PGP is not at all easy to
automate for the customers who use Hotmail, Yahoo, Earthlink and 
AOL.]


We need a rather easy and widely adoptable solution or it won't work.

Amen.

Also a solution that needs a "if you support system
X it's nice, if you don't I'll take it too" is rather absurd.

What is needed is a way for Hotmail to say 'we support system X,
everything else should be rejected'.

                        Phill 