ietf-asrg

Re: [Asrg] SMTP AUTH

2004-12-07 19:47:25
Well, if we keep working to make SMTP mail unusable by more people, more
people might be FORCED into using Web mail, more often.  I don't think that's
a very bright thing to do, in part because Web mail (just as accessing ANY Web
sites) comes with its OWN whole new set of risks and dangers (malicious
scripting, ActiveX, decryption of obscured content, text-as-image, cookies,
etc etc), which if anything are MORE difficult to deal with and secure than
SMTP mail is.

Let me refresh your memory that even MUAs can display HTML and hence we face
more or less the same problem in MUAs too.

Yes, although at least when we're dealing with (let's agree that we're talking
mostly about POP3 here) E-mail, we can easily enough filter the message before
the MUA gets it to block certain forms of potentially malicious (or at least
"very dubious") HTML content, and we can do that with the knowledge of who (at
least we believe that) the E-mail in question is coming from.  That makes the
problem easier than handling the same things when they are coming into a Web
browser, which probably doesn't give us a good intercept point and in any case
doesn't provide any standardized way for us to determine who sent the E-mail
(or whatever) that's on the Web page being viewed.

As I've said, Web-based stuff is a different (and harder) problem that we'll 
have to deal with eventually, but at the moment that's mostly just a diversion 
and distraction from what we need to deal with HERE.

The idea is to send mail with
authentication and if a secured webmail does that one should prefer that
rather than banging their head against the wall just because we need
SMTP/POP to do the job which is done better by some other thing. 

Authentication proves NOTHING regarding legitimacy because a zombie spambot can 
trivially send what it sends using the authentication belonging to the hijacked 
system.

Authentication is also at least VERY problematical in cases like airport or
cruise ship Internet access terminals/kiosks, where people need to use their
OWN E-mail addresses but have absolutely **NO** control over which SMTP E-mail
server will be used by the kiosk software.

We should remember that our goal is to stop spam by whatever means possible,
protocol is just a medium.

Authentication does **NOTHING** to "stopping spam".  It only adds a few, 
relatively minor, restrictions on the technologies that spammers (and worms and 
viruses) use.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
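
The pre-delivery filtering described in the message above (screening HTML parts before the MUA sees them, with policy keyed to the claimed sender), as an added example that is not part of the original post. The tag list, the 20-character threshold, the verdict names and the sample addresses are assumptions.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}  # scripting / ActiveX-style content

class HtmlAudit(HTMLParser):
    """Collect risky constructs from one text/html part."""
    def __init__(self):
        super().__init__()
        self.findings, self.images, self.text_chars, self._in_script = set(), 0, 0, False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.add("active:" + tag)
        if any(name.startswith("on") for name, _ in attrs):  # onclick=, onload=, ...
            self.findings.add("event-handler")
        self.images += tag == "img"
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if not self._in_script:  # script source is not visible text
            self.text_chars += len(data.strip())

def screen(raw, known_senders):
    """Return (verdict, findings) for one raw RFC 822 message fetched over POP3."""
    msg = message_from_bytes(raw, policy=policy.default)
    # The From header is only a claim (unauthenticated); it tunes policy, nothing more.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    findings = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit = HtmlAudit()
            audit.feed(part.get_content())
            audit.close()
            findings |= audit.findings
            if audit.images and audit.text_chars < 20:  # assumed threshold
                findings.add("text-as-image")
    if not findings:
        return "deliver", []
    return ("deliver-flagged" if sender in known_senders else "quarantine"), sorted(findings)

# Constructed sample message (not real traffic)
SAMPLE = (b"From: Promo <offers@bulk.example>\r\nSubject: Sale\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
          b'<html><body><img src="cid:offer"><script>var x = 1;</script></body></html>\r\n')
print(screen(SAMPLE, {"colleague@example.org"}))
```
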

