Fridrik Skulason wrote:
But to trojan a machine to send spam. no way that becomes a federal crime,
and today I believe it can be even classed as an act of terrorism.
You are forgetting one thing. Most of the activity behind the zombie nets
is directed from countries where that is not the case, or where the laws
are weaker. For example some of the East European countries have only
recently introduced copyright laws, similar to those in the western world.
In one country - I think it was Moldavia (but I may be mistaken), it is only
a crime to hack into a government-owned machine, for example.
This is a legitimate problem. I think that as a policy matter, we should
push governments that do have and enforce such laws to put pressure on
countries that don't. There may be technical approaches to this as well, but
I don't think they adequately address this political problem.
I am all for that - as I have said before, I am all in favour of any
method of authentication that meets the following criteria:
I'll take a shot at justifying LMAP here. If any of this doesn't appear in
the proposal draft we currently have, it may need to be added in some form.
1) Has a realistic chance of being adopted globally. It does not
matter how elegant the method is, if none of the "big players"
adopt it.
LMAP replaces current DNS lookups (rDNS, MX, A, etc). Current solutions are
ad-hoc and have little to no semantic meaning. Switching to LMAP will reduce
the global DNS load because there will be fewer lookups and better caching
of the relevant data. Since a whole lot of the forgery out there is of the
major sending domains (AOL, Yahoo, MSN/Hotmail), and there's currently no
way for them to prevent that, they have an incentive to implement and
enforce it.
2) Solves the problem of establishing with a reasonable degree of
certainty that the sender is who he is. Any such method will
fail on a compromised system - there is no way any software on
a different machine can determine whether the "right" human is
actually pressing the keys. We just have to acknowledge that
limitation and move on - a "solution" to the problem of
compromised systems is beyond the scope of this.
In terms of establishing one part of that, that's exactly the purpose of
LMAP. It prevents a random server claiming to send mail on behalf of a
domain that hasn't authorized it.
3) Can not be (easily) abused to result in a DoS attack.
I can think of a potential issue with LMAP and DoS attacks. Consider:
If someone can poison the caches used by, say, AOL's incoming MXs to not
list your legitimate MTA, then your mail is PERMFAILed incorrectly.
Unfortunately, this is something that we as a group cannot try to solve. Our
best approach would be to note this possibility and move on.
__
Philip Miller
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
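
Added example, not part of the original post or of the LMAP draft: a small Python model of the receiver-side check discussed above, showing an unauthorized server being rejected and how a poisoned cache entry turns the same check into an incorrect PERMFAIL for a legitimate MTA. The record layout (domain mapped to authorized CIDR blocks), the function names, the UNKNOWN result for domains with no record, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: what a receiving MX's resolver cache might hold.
# Assumed layout (domain -> authorized CIDR blocks); not the LMAP wire format.
CLEAN_CACHE = {
    "example.org": ["192.0.2.0/28", "2001:db8:25::/64"],
}
# The same cache after a forged answer replaced the entry: a record still
# exists, but the domain's real outbound MTA range is no longer listed.
POISONED_CACHE = {
    "example.org": ["198.51.100.7/32"],
}


def lmap_check(cache, sender_domain, client_ip):
    """Return PASS, PERMFAIL or UNKNOWN for a connecting SMTP client."""
    record = cache.get(sender_domain.lower().rstrip("."))
    if record is None:
        # Assumption: a domain that publishes nothing gives no basis to reject.
        return "UNKNOWN"
    ip = ipaddress.ip_address(client_ip)
    for cidr in record:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return "PASS"
    # A record exists and does not list this client: reject permanently.
    return "PERMFAIL"


def evaluate(cache):
    """Run the three cases from the discussion against one cache state."""
    legit_mta = "192.0.2.5"       # the domain's real outbound MTA (constructed)
    random_host = "203.0.113.99"  # a server the domain never authorized
    return {
        "legit": lmap_check(cache, "example.org", legit_mta),
        "forger": lmap_check(cache, "Example.ORG.", random_host),
        "unpublished": lmap_check(cache, "example.net", random_host),
    }


if __name__ == "__main__":
    print("clean   :", evaluate(CLEAN_CACHE))
    print("poisoned:", evaluate(POISONED_CACHE))
```

The receiver cannot distinguish the poisoned result from a genuine rejection by looking at the check alone, which is why the post treats this as a limitation to be noted rather than solved within the proposal.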