ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Asrg] Re: 03.1 Re: Forgery in SMTP (applying flame retardent)

2003-12-25 17:06:55
from [Matthew Elvey] [Permanent Link] 
On 12/24/2003 7:25 PM, Walter Dnes sent forth electrons to convey:


On Wed, Dec 24, 2003 at 03:34:56PM -0500, Alan DeKok wrote

Philip Miller <millenix(_at_)zemos(_dot_)net> wrote:

There are two problems caused by the potential forgery that is possible in SMTP:
1. Filtering by sender's address is hard when someone could forge a friend's
address.

 Which is where accountability comes in.
Walt: I think Alan is implicitly referring to the LMAP technology, which WILL allow the victim to prevent abuse of their name. Of course, it doesn't work IRL yet, and I can see how you wouldn't realise he was referring to it. Flamewar quenched, I hope. Chill, guys. 


2. One can't hold the victim of the forgery accountable for the junk
transmitted.

 Why not?  If they haven't done anything to prevent the (ab)use of
their name, how can the recipient tell if a message is real, or
abusive?


 A spammer sends out a viagra spam "From: "Alan DeKok" 
<*****(_at_)ox(_dot_)org>".
How are the 20 million strangers it's addressed to going to *REJECT* it?
At these volumes, merely accepting the email and storing it in
recipients' "spam folders" will cause smaller ISPs to run out of
mailspool space.  What actions can *YOU* take that would allow
verification/authentication of the "From:" during the SMTP transaction ?


 In many jurisdictions, communications providers are indemnified for
any illegal activities by their customers.


 Maybe the responsibility should be placed on the person/company
nominally in control of the sending machine.  I.e. the owner of a
compromised home machine that is spewing out this garbage, or the renter
of compromised colo machine who has put a copy of "Matt's Monstrosity"
in his CGI directory.
Most blacklists and complaints to abuse desks tend to cause the ISPs in control to accept responsibility, but they're far from perfect. Laws sometimes do require them to accept responsibility. IIRC, AOL successfully sued a spammers ISP where the ISP itself really was a front for the spammer, but I'm getting OT. 



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] 6. Proposals: LMAP - Forwarding Comment and Recommended Changes, Jon Kyme
Next by Date:  [Asrg] Microsoft publicly announces Penny Black PoW postage project, Steve Schear
Previous by Thread:  Re: Forgery in SMTP (was [Asrg] [1] Why SPAM is worse in SMTP than in other protocols), Walter Dnes
Next by Thread:  Re: [Asrg] Re: 03.1 Re: Forgery in SMTP (applying flame retardent), Walter Dnes
Indexes:  [Date] [Thread] [Top] [All Lists]