Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...)
2003-04-06 19:10:03
On Sunday, April 6, 2003, at 03:06 PM, Kee Hinckley wrote:
> Welcome to the problem of updating MUAs. Where there's no perceived
> benefit, the changes don't get made.
where there are significant benefits, the changes still don't get made.
a good percentage of open relays being used by spammers are sites still
running sendmail 8.9, from back when relay was default on. Despite all
of the security holes closed since then, and huge performance increases
-- they're still running it.
Which leads to assuming all of those sites fall into one of three
categories:
1) they want to be open relays.
2) they don't care.
3) they don't know any better.
4) they ain't home. the admin who set things up isn't there any more,
and neither is anyone else.
(1) is likely to be the smallest percentage. (2) through (4) are all
variations of the same general thing, and if nothing YET has convinced
them to upgrade, what possible thing can this group come up with that
would change their mind, other than making their software
non-functional. And then, they'd have a cow (if they even noticed), and
since any change to non-compatible systems would require a transition
period and/or a gateway, would it really make a difference?
I think the continued existence of open relays and open proxies is the
best argument against systems that require updates to the sending
systems: if people can't be bothered to make basic security and
technical updates from sendmail 8.9, expecting them to upgrade for
anti-spam changes is unrealistic. It's not gonna happen, unless it's by
virtual gunpoint.
(now, me, I personally wouldn't be too against a decision to stop
accepting e-mail from sendmail versions prior to, say, 8.11.0 after
some given date, just to force that issue. But that's some other
discussion -- I am surprised, however, that nobody seems to have tried
forcing this issue by rejecting e-mail from seriously out of date
servers, just to get their attention...)
This seems to lead back to solutions that can be implemented at the
receiving end, either server-based or client-based. Any solution that
requires "they" cooperate has to answer how we plan to find out who
"they" are, and then get "them" to go along with it.
That includes, by the way, "they" being major ISPs like AOL or
Earthlink. "They" may not be running sendmail 8.9, but anything that
requires them to implement better be worth the time and energy to do
so. The "nuke bounces" discussion, for instance, impacts all of AOL's
email, since they'd have to entirely rearchitect their systems. What's
in it for them? Something like that seems like a basic non-starter,
unless AOL comes on board early. And I don't see any real advantage to
THEM to do so. (actually, I don't see much, if any, real advantage to
that proposal at all, but that's different from it being a
multi-million dollar, multi-man year,
god-knows-how-many-calendar-months project for AOL to do. What's the
ROI on that kind of project for them? If you can't answer it, it's
dead, Jim)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg