ietf-asrg

Re: [Asrg] Re: 6. Proposals: MTA MARK

2003-12-10 05:15:49
Alan DeKok wrote:
----- Original Message ----- 
From: "Alan DeKok" <aland(_at_)ox(_dot_)org>
To: <asrg(_at_)ietf(_dot_)org>
Sent: Tuesday, December 09, 2003 8:10 PM
Subject: Re: [Asrg] Re: 6. Proposals: MTA MARK


"Tomi Panula-Ontto" <tomi(_at_)panula-ont(_dot_)to> wrote:
LMAP is based on two concepts: publication of policy by a domain, and
application of that policy by a recipient MTA.

  Exactly.

I fear that LMAP doesn't address the problem. Why so?
Who can prevent spammers from stealing credit cards and
registering thousands of domains to use in their spamming
business?

  Law enforcement.  Theft of credit cards isn't an issue we can solve
in the network.

Yes.. but spam generated from these domains is something we
can solve. What I mean is: Domains are simple and easy to register.
In just a few hours one is able to register a domain and set it up
for spamming. Networks are a different thing. It isn't that easy
to register a C-block for your company and set it up.
We need to secure the network [to protect ourselves and others],
not just domains.


  Right now, much of spammers' behaviour is already illegal.  LMAP
makes it more likely for them to engage in more illegal behaviour.
This makes them easier to catch, and gives law enforcement more
inducement to catch them.

In the detailed story of the compromised server [link posted by Jon Kyme], there
are a couple of countries involved. At least Russia, Germany and Portugal are
mentioned.
(Here is the link http://www.securityfocus.com/guest/24043)

Not knowing in which country the spammer actually operates,
it'll be a damn hard job for the law enforcement to catch up with
these guys. And it usually requires that the company, whose computers
are compromised, must make a report of an offence. Usually [in my
experience] companies don't want bad publicity. Their reputation is
at stake. So, if companies don't want to make it official, how can
the law enforcement ever catch up with them?


  It also gives registrars more inducement to do sanity checking on
registration, if large percentages of registrations are found to be
fraudulent & criminal.

Theft of credit cards is just an example. They can as well buy the
domains legally. It really depends how much money they are making.


Tomi




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg