Dag Kihlman wrote:
> "Alan DeKok" <aland(_at_)ox(_dot_)org> wrote:
>> "Dag Kihlman" <dag(_dot_)kihlman(_at_)htu(_dot_)se> wrote:
>>> The failing of SMTP is that it allows the sender to cheat or lie. Any
>>> authentication in SMTP is just authentication in an academic sense. In
>>> reality spammers will hack even more than today and send using fully
>>> authenticated mail servers.
>>
>> Pull systems do not change this behaviour. See recent spammer
>> behaviour of hosting web sites on trojaned machines. They could just
>> as easily host mail for a "pull" system on the trojaned machine.
>>
>> The benefits of a pull system are different. It allows recipients
>> to do things like wait 12 hours to pick up mail from unknown senders,
>> at which point the trojaned machine probably has a different IP, and
>> thus can't send the spam.
>
> Why on earth should computers with dynamic IP addresses be allowed to host
> mail in a pull system??? My suggestion was that all traffic to the pull
> server ports is forbidden to dynamic IP addresses. The ISPs must enforce
> this rule or they will be cut off too.
>
>> at which point the trojaned machine probably has a different IP
>
> No, no, no!!! Do not trust that! In theory I have a dynamic IP address.
> In reality it has not changed for three months. Several of my friends
> experience the same thing. Your suggestion makes mine and tens of thousands
> of similar cable modem machines honey pots for spammers. With my suggestion
> they are uninteresting. The fewer the honey pots are the more costly it will
> be to find them and the fewer the spammers will be.

I too have, in theory, a dynamic IP address. Mine hasn't changed in even
longer. I also host a legitimate email server for a domain. However, my MTA
doesn't make direct connections to recipient MTAs, but instead uses Comcast's
'smart host', which relays any mail for anyone on their network, because
many large providers (notably AOL) subscribe to the DSBL and other similar
lists.

How does this setup relate to pull systems? Would I now be responsible for
my own pull server? Or would major service providers still have to block
supposedly dynamic addresses because the ISPs hosting them aren't following
the rules you stated? My point is, in order for this idea of pull servers
only being hosted on machines that should be hosting them, you need complete
buy-in from ISPs, who have little motivation not to get their netblocks
blacklisted, because that's actually less administrative work for them than
maintaining their own blocks. The only way to push them towards compliance
is to use the tactics used by the MAPS blacklist, which intentionally caused
collateral damage to get attention.

> If I want to install a pull server I ought to subscribe to a static IP
> address and pay some fee for having the ports opened. (The market will make
> this fee reasonable)

If I want to install a legitimate MTA, I can do it for free, right now.
Nothing prevents me from sending mail using whatever email address I
legitimately have except for hackneyed blocking measures in place across the
Internet. If I own a domain, I can set up A and MX records for my server,
but those don't tell the recipient that my server is authorized to send mail
for the domain. LMAP and MTAMark together achieve this, without a fee, and
without bringing in the worse-than-useless ISP 'support' staff.

> When I say spammers cannot lie in a pull system I mean they must be honest
> about their IP address. Any other honesty is unfortunately not possible on
> the Internet.

Under your pull system, there is no benefit to receivers until every ISP
turns on your blocking or gets blacklisted. Until then, there will be quite
a mess. There will always be non-compliant sites and service providers. Your
proposal doesn't deal with that issue any better than SMTP does currently.
--
Philip Miller
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg