ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] 6. Proposals - A Brief Defence of "Pull"

2003-10-01 14:49:32
from [Dag Kihlman] [Permanent Link] 
----- Original Message ----- 
From: "Brad Knowles" <brad(_dot_)knowles(_at_)skynet(_dot_)be>
To: "Brett Watson" <famous-asrg(_at_)nutters(_dot_)org>
Cc: "Brad Knowles" <brad(_dot_)knowles(_at_)skynet(_dot_)be>; 
<asrg(_at_)ietf(_dot_)org>
Sent: Wednesday, October 01, 2003 9:51 PM
Subject: Re: [Asrg] 6. Proposals - A Brief Defence of "Pull"


 Requiring a callback to fetch the message data makes this approach much
 harder for a spammer, as it would require proxies in both directions:

an HTTP

 proxy will not suffice at all, and the longer the callback is delayed,

the

 more likely a zombie will have gone offline (at least temporarily),

thus

 causing delivery failure.


I disagree.  In the case of zombies, which is becoming more and
more the method of choice, they have complete control of the machine.
They can send out the notices, wait for the callbacks, and then send
the payload.  All safe in the knowledge that they control the
machine.  Moreover, a network of zombies could easily be configured
so that one zombie designates another as the call back server, and
that process could even be distributed and load-balanced.


In a pull system the mail must be pulled from one special IP address. It
could be on top of a distributed and load balanced system, as you say, but
it must keep that IP address or the mail will not reach the recipient. That
is the nice thing with a pull system. You get an IP address that must be
valid and together with an efficient real time blacklisting system it would
work very well. It is true you do not need a pull system to have a blacklist
but since the IP address must be valid a longer time the blacklist works
best together with a pull system.

I agree fully when you say that some pull servers will be attractiv to hack.
In a pull system the best way to avoid blacklists is to hack pull servers.
With SMTP you do not have to do it, it is a complete waste of time. That is
why I suggested encryption. If the mails are encrypted and the key trown
away there will be no point in hacking the pull server. After "decryption"
the mails will be unreadable. :-)

/DK



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: 6. Proposal - Sender Pays - Article (was Re: [Asrg] ziff-davis editorial on sender-pays), Eric S. Johansson
Next by Date:  Re: 6. Proposal - Sender Pays - Article (was Re: [Asrg] ziff-davis editorial on sender-pays), david nicol
Previous by Thread:  Re: [Asrg] 6. Proposals - A Brief Defence of "Pull", Brad Knowles
Next by Thread:  Re: [Asrg] 6. Proposals - A Brief Defence of "Pull", Brad Knowles
Indexes:  [Date] [Thread] [Top] [All Lists]