
Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...)

2003-04-06 19:10:03

On Sunday, April 6, 2003, at 03:06  PM, Kee Hinckley wrote:

> Welcome to the problem of updating MUAs. Where there's no perceived benefit, the changes don't get made.

Where there are significant benefits, the changes still don't get made. A good percentage of open relays being used by spammers are sites still running sendmail 8.9, from back when relay was default on. Despite all of the security holes closed since then, and huge performance increases -- they're still running it.

Which leads to assuming all of those sites fall into one of three categories:

1) they want to be open relays.
2) they don't care.
3) they don't know any better.
4) they ain't home. the admin who set things up isn't there any more, and neither is anyone else.

(1) is likely to be the smallest percentage. (2) through (4) are all variations of the same general thing, and if nothing YET has convinced them to upgrade, what possible thing can this group come up with that would change their mind, other than making their software non-functional. And then, they'd have a cow (if they even noticed), and since any change to non-compatible systems would require a transition period and/or a gateway, would it really make a difference?

I think the continued existence of open relays and open proxies is the best argument against systems that require updates to the sending systems: if people can't be bothered to make basic security and technical updates from sendmail 8.9, expecting them to upgrade for anti-spam changes is unrealistic. It's not gonna happen, unless it's by virtual gunpoint.

(now, me, I personally wouldn't be too against a decision to stop accepting e-mail from sendmail versions prior to, say, 8.11.0 after some given date, just to force that issue. But that's some other discussion -- I am surprised, however, that nobody seems to have tried forcing this issue by rejecting e-mail from seriously out of date servers, just to get their attention...)

This seems to lead back to solutions that can be implemented at the receiving end, either server-based or client-based. Any solution that requires "they" cooperate has to answer how we plan to find out who "they" are, and then get "them" to go along with it.

That includes, by the way, "they" being major ISPs like AOL or Earthlink. "They" may not be running sendmail 8.9, but anything that requires them to implement better be worth the time and energy to do so. The "nuke bounces" discussion, for instance, impacts all of AOL's email, since they'd have to entirely rearchitect their systems. What's in it for them? Something like that seems like a basic non-starter, unless AOL comes on board early. And I don't see any real advantage to THEM to do so. (actually, I don't see much, if any, real advantage to that proposal at all, but that's different from it being a multi-million dollar, multi-man year, god-knows-how-many-calendar-months project for AOL to do. What's the ROI on that kind of project for them? If you can't answer it, it's dead, Jim)


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg