Why Pull instead of SMTP (push) / authentication or freedom to put up own
servers
The failing of SMTP is that it allows the sender to cheat or lie. Any
authentication in SMTP is just authentication in an academic sense. In
reality spammers will hack even more than today and send using fully
authenticated mail servers.
A pull system can be designed in many ways. My proposal is that the mail
client communicates with the mail server letting the user see any outgoing
mail. This way the user can detect outgoing mails containing viruses or spam
and remove them. This will make it harder for viruses to infect through
mail. It will also make it less attractive to hack someone to send mail
since the mail can be deleted. In a push system it is common to put a limit
on incoming mails "full mailbox". In a pull system it will make good sense
to put a limit on outgoing mails. This is a good thing since it will make it
even harder for viruses and less attractive to hack someone to send mail.
In short: By moving the storage from the recipient to the sender we will
make it harder to spam, less attractive for a spammer to hack, harder for
viruses to infect and harder to lie about your identity.
You could also skip all those ridiculous messages sent between servers in
SMTP. In a pull system you send a notification containing all information
but the body of the mail. In turn you receive an OK (In my proposal the OK
contains an encryption key which the senders server uses to encrypt the
mail...) If something is wrong you get an "error:xxx" message. Just call and
return as any textbook on n-tier design advocates.
The opponents will say that it is easy for a spammer to put up pull servers
of their own. Yes it is true but they must be reached through a given
IP-address, making them vulnerable to blacklisting. Actually it is not a
very interesting argument since a push system is even more vulnerable. If no
authentication is needed anyone can put up a mail server and spam. If
authentication is needed noone could put up a push or pull server. So it is
really not a valid argument against pull...
Scott raised the issue on what is most important: authentication or the
possibility to put up mail servers of their own. I think there is a middle
way. Servers containing mails in a pull system should be reached through
certain ports. No ISP should allow traffic to those ports if the IP-address
is dynamic. Mail servers should use static IP-addresses and this way they
can be identified and blacklisted. Actually it would make good sense for an
ISP to prohibit all traffic to clients using those ports. The ISP ought to
charge a small amount for opening the ports to static IP-addresses. This way
something like 99,9% of home users with static IP-addresses will be useless
for a hacker forcing the hacker to successfully hack 1000 computers to find
one useful. If virus programs or even the operating system warned about
these ports being opened it will become even less attractive for spammers to
hack.
/DK
----- Original Message -----
From: "Jon Kyme" <jrk(_at_)merseymail(_dot_)com>
To: "Dag Kihlman" <dag(_dot_)kihlman(_at_)htu(_dot_)se>
Cc: "ASRG" <asrg(_at_)ietf(_dot_)org>
Sent: Saturday, November 29, 2003 1:16 PM
Subject: [Asrg] Re: 6. Proposals - Pull System (revisited)
What exactly is the specific failing of SMTP which is addressed by pull
systems?
Have I missed something?
--
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg