
Re: [Asrg] Re: 6. Proposals: LMTP proposals]

2003-12-01 06:49:26
At 9:16 AM +0000 12/1/03, Fridrik Skulason wrote:
 LMAP is supposed to be checking the IP of the connected client against DNS.
 Unless they can forge a TCP connection with the MTA without seeing any of
 the traffic, they can't pull that off with LMAP going. Now, if they were
 actually fastmail.fm users, that would be another story. In particular, I
 think dealing with that falls under the umbrella of 'local policy'.

LMAP will never eliminate all cases of forgery - which actually has a
rather nasty side-effect.  Think of it as the "survival of the fittest"
in action.  If something like LMAP was universally adopted, any spam
mechanism not affected by it would be "encouraged", so to speak.

So, which cases would not be affected by LMAP?  Now, in addition
to all the "non-forged" methods (disposable accounts, rogue ISPs and so
on) there is the following:

   A spammer gains access to a compromised computer, and determines
   the mail address of the owner of the machine.  The spam is then
   sent out in the name of the owner of the machine, just as if
   the real owner was actually pressing the keys.

In other words, widespread implementation of LMAP (which would be a good
thing) would lead to more compromised machines (which would be a bad
thing) ;-)

That raises the question of whether significantly more compromised machines is a possibility, or whether we are already seeing that problem limited by factors other than 'demand' from spammers and others. We've already seen worms that send spam, install backdoors, install open proxies, install SMTP relays, and check in compromised machines for orders from their master to attack anti-spam facilities. It seems to me that the demand is already effectively infinite. What would likely increase is the fraction of spam using machines that have been blatantly taken over.

That's not a bad thing. Right now there are a significant number of spammers who work in the very dark gray area of abusing open relays, open proxies, and insecure web-mail systems. Making those tools worthless will drive the slimeballs using them off to mechanisms like full system compromise which cannot be argued by anyone sane to be anything less than criminal: the spammer cannot argue to his provider or law enforcement that a crackable system was intentionally left that way so he could crack it, as some now argue successfully in regards to open proxies and open relays.

--
Bill Cole
bill(_at_)scconsult(_dot_)com
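The thread turns on one property of LMAP-style checks: the receiving MTA compares the connecting client's IP address against what the sender's domain publishes in DNS, so a forged sender from an unauthorized address fails, while mail sent from an authorized (possibly compromised) host passes untouched. The following toy verifier is an added example, not code from the thread or from any LMAP draft; the DNS record format is replaced by a constructed in-memory table (the real proposals each define their own record syntax), and the IP addresses and sessions are constructed test data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for DNS: domain -> networks authorized to originate
# mail for it. A real LMAP variant would fetch this from a DNS record; the
# table shape here is an assumption, not any draft's actual record syntax.
AUTHORIZED_SENDERS: Dict[str, List[str]] = {
    "example.com": ["192.0.2.0/24", "198.51.100.10/32"],
    "example.org": ["203.0.113.0/26"],
}


def lookup_authorized(domain: str) -> List[ipaddress.IPv4Network]:
    """Stand-in for the DNS query an LMAP check performs for a domain."""
    return [ipaddress.ip_network(cidr) for cidr in AUTHORIZED_SENDERS.get(domain, [])]


def lmap_check(mail_from: str, client_ip: str) -> str:
    """Classify one SMTP session as 'pass', 'fail' or 'none'.

    'none' means the domain publishes no record, which the thread leaves to
    local policy rather than to the mechanism itself.
    """
    if "@" not in mail_from:
        return "fail"  # malformed envelope sender: nothing to look up
    domain = mail_from.rsplit("@", 1)[1].lower().rstrip(">")
    nets = lookup_authorized(domain)
    if not nets:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    # Mixed IPv4/IPv6 comparisons are simply False, which is a failed check.
    return "pass" if any(ip in net for net in nets) else "fail"


# Constructed sessions: (label, client_ip, envelope sender).
SESSIONS: List[Tuple[str, str, str]] = [
    ("forged sender from unrelated host", "203.0.113.200", "alice@example.com"),
    ("legitimate host for its own domain", "192.0.2.25", "alice@example.com"),
    # The case the thread highlights: an authorized host that has been taken
    # over sends in its owner's name, and the IP check cannot tell.
    ("compromised authorized host", "192.0.2.25", "owner@example.com"),
    ("domain with no published record", "203.0.113.5", "bob@unlisted.test"),
]


def classify_sessions(sessions: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Run the check over every session and return (label, result) pairs."""
    return [(label, lmap_check(sender, ip)) for label, ip, sender in sessions]


if __name__ == "__main__":
    for label, result in classify_sessions(SESSIONS):
        print(f"{result:5}  {label}")
```

The third session is the point of the exchange above: because the check is purely address-based, a message from a compromised but authorized host is indistinguishable from the owner's own mail, so LMAP removes the forged-address cases and leaves the system-compromise cases to other controls.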


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


