
RE: [Asrg] Re: 6. Proposals - Pull System (revisited)

2003-11-30 17:07:28

If I want to install a pull server I ought to subscribe to a static IP
address and pay some fee for having the ports opened. (The market will make
this fee reasonable)

You would have to enact a law that states fees must be charged.
That would only be valid in the country where the law is enforced.

No ISP is going to start charging for a service he now provides essentially
free. Not if he wants to stay in business.

And where does this fee get applied?

The ISP? His provider? Backbone providers?

I could see this fee very quickly concentrating into a few hands, and then
we have a monopolisation occurring.

How would it be charged?

Per port? Per email?


 Pull systems do not change this behaviour.  See recent spammer
behaviour of hosting web sites on trojaned machines.  They could just
as easily host mail for a "pull" system on the trojaned machine.


Trojaned machines are a major setback to any anti-spam e-mail system,
regardless of type, because they run with the parent machine's permissions.

I have personally been IP blacklisted because my mail system was on the same
shared machine as a vulnerable formmail script
(exactly the same effect as a trojan)

This problem is not confined to owners of Windows desktop machines. ISPs
have it as well, no matter what they run.

I don't see how any technical sender verification system can overcome this.
Please feel free to enlighten me if one comes to mind.
(Most I can think of would rely on forcing the ISP to play our way, not
theirs.)

A big legal stick may force ISPs to be more careful about allowing users
access to formmail etc. or SMTP, but that's not a technological solution, and
again only applicable where the law is enforced.


At least one benefit of a pull system is that the sender can't be dummied
even by a trojan. It may take over the resources, but incoming bounces,
"message denied" etc., will make it abundantly clear to the user that his
machine has been trojaned.

As it stands, a trojan can take over a machine, quietly send out e-mails,
return-address them to no one or some other Joe, and no one is the wiser. Not
even the user, unless his resources are exhausted by the trojan.



Regards
Chris


-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Dag Kihlman
Sent: Sunday, November 30, 2003 9:56 PM
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Re: 6. Proposals - Pull System (revisited)


"Alan DeKok" <aland(_at_)ox(_dot_)org> wrote:

"Dag Kihlman" <dag(_dot_)kihlman(_at_)htu(_dot_)se> wrote:
The failing of SMTP is that it allows the sender to cheat or lie. Any
authentication in SMTP is just authentication in an academic sense. In
reality spammers will hack even more than today and send using fully
authenticated mail servers.

 Pull systems do not change this behaviour.  See recent spammer
behaviour of hosting web sites on trojaned machines.  They could just
as easily host mail for a "pull" system on the trojaned machine.

 The benefits of a pull system are different.  It allows recipients
to do things like wait 12 hours to pick up mail from unknown senders,
at which point the trojaned machine probably has a different IP, and
thus can't send the spam.

Why on earth should computers with dynamic IP addresses be allowed to host
mail in a pull system??? My suggestion was that all traffic to the pull
server ports is forbidden to dynamic IP addresses. The ISPs must enforce
this rule or they will be cut off too.

at which point the trojaned machine probably has a different IP
No, no, no!!! Do not trust in that! In theory I have a dynamic IP address.
In reality it has not changed for three months. Several of my friends
experience the same thing. Your suggestion makes mine and tens of thousands
of similar cable modem machines honey pots for spammers. With my suggestion
they are uninteresting. The fewer the honey pots are, the more costly it will
be to find them and the fewer the spammers will be.

If I want to install a pull server I ought to subscribe to a static IP
address and pay some fee for having the ports opened. (The market will make
this fee reasonable)

When I say spammers cannot lie in a pull system I mean they must be honest
about their IP address. Any other honesty is unfortunately not possible on
the Internet.

/DK


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg

