ietf-asrg

Forgery in SMTP (was [Asrg] [1] Why SPAM is worse in SMTP than in other protocols)

2003-12-24 10:42:26
There are two problems caused by the potential forgery that is possible in SMTP:
1. Filtering by sender's address is hard when someone could forge a friend's
address.
2. One can't hold the victim of the forgery accountable for the junk
transmitted.

The first problem makes whitelisting slightly troublesome. However, it
doesn't actually affect any other filtering, because a spammer with a
million addresses on his list can't figure out who's on the whitelists of
all of his recipients. Thus, the best the spammer can do is use addresses
that are totally unknown. The one exception to this would be a stolen
distribution list of an email newsletter, in which case that spammer could
forge the publisher's address. As long as filters don't implicitly trust
unknown addresses, this forgery doesn't get any more spam through.

Accountability is a much thornier issue. Technical solutions are attractive,
but they require widespread buy-in before one can start rejecting messages
that don't have a sender to hold accountable. On the other hand, a legal
approach could be more powerful than we think. If the owner of an IP address
were held responsible for mail transmitted from that address, there would be
specific motivation for everyone to do their part towards security.
Businesses would have a quantifiable legal liability to compare to the cost
of locking down their networks, and ISPs would have a reason to secure their
customers' computers. My biggest misgiving is that this would be a strong
push in the 'filter port 25' direction for ISPs.

--
Philip Miller

