ietf-asrg
[Top] [All Lists]

Re: [Asrg] 0. General - Inquiry about CallerID Verification

2003-11-28 14:44:39
Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
The method under discussion is not a new idea, yes.  It's a band-aid, 
but so is LMTP.  Both ARE USEFUL!

  I agree that both methods are useful.

  The difference is that the problem (spam) is a side-effect of a
poorly designed system (open SMTP).  Sender checks don't change the
existing behaviour of SMTP.  Instead, they (ab)use SMTP to discover
some information about the sender which may, or may not, be true.
(See what happens when the outgoing MTA isn't the MX for a domain...)

  Such "solutions" are therefore band-aids, because they attempt to
lessen the impact of a problem, without fixing the root cause of that
problem.  That is, they try to recover from the problem, without
preventing it in the first place.

  In contrast, systems which change the system design directly attack
the root cause of the problem.  The problem is therefore lessened
because the potentials for abuse of the system are less. not because
the abuse was discovered, and worked around.

  This is why firewalls are useful: they make certain classes of
attacks impossible.  This is also why firewalls are only one part of a
security system: they don't prevent other classes of attacks.


  LMAP (and similar authentication systems) prevent senders from
undetectably forging association with a domain.  The problem of
forgery therefore doesn't exist, and we're left with a sub-set of the
problem, which is non-forged spam.

  If spammers had a better way of sending spam right now, they'd be
using it.  They're forging spam precisely because it's so beneficial
to them.  Therefore preventing such forgery should be a matter of
serious interest in any anti-spam system.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>