ietf-asrg
[Top] [All Lists]

Re: Forgery in SMTP (was [Asrg] [1] Why SPAM is worse in SMTP than in other protocols)

2003-12-24 20:32:42
On Wed, Dec 24, 2003 at 03:34:56PM -0500, Alan DeKok wrote
Philip Miller <millenix(_at_)zemos(_dot_)net> wrote:
There are two problems caused by the potential forgery that is possible in 
SMTP:
1. Filtering by sender's address is hard when someone could forge a friend's
address.

  Which is where accountability comes in.

2. One can't hold the victim of the forgery accountable for the junk
transmitted.

  Why not?  If they haven't done anything to prevent the (ab)use of
their name, how can the recipient tell if a message is real, or
abusive?

  A spammer sends out a viagra spam "From: "Alan DeKok" 
<*****(_at_)ox(_dot_)org>".
How are the 20 million strangers it's addressed to going to *REJECT* it?
At these volumes, merely accepting the email and storing it in
recipients' "spam folders" will cause smaller ISPs to run out of
mailspool space.  What actions can *YOU* take that would allow
verification/authentication of the "From:" during the SMTP transaction ?

  In many jurisdictions, communications providers are indemnified for
any illegal activities by their customers.

  Maybe the responsibility should be placed on the person/company
nominally in control of the sending machine.  I.e. the owner of a
compromised home machine that is spewing out this garbage, or the renter
of compromised colo machine who has put a copy of "Matt's Monstrosity"
in his CGI directory.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>