Well, if we keep working to make SMTP mail unusable by more people, more people
might be FORCED into using Web mail, more often. I don't think that's a very
bright thing to do, in part because Web mail (just as accessing ANY Web sites)
comes with its OWN whole new set of risks and dangers (malicious scripting,
ActiveX, decryption of obscured content, text-as-image, cookies, etc etc), which
if anything are MORE difficult to deal with and secure than SMTP mail is.
Let me refresh ur memory that even MUAs can display HTML and hence we face
more or less the same problem in MUAs too.
Yes, although at least when we're dealing with (let's agree that we're talking
mostly about POP3 here) E-mail, we can easily enough filter the message before
the MUA gets it to block certain forms of potentially malicious (or at least
"very dubious") HTML content, and we can do that with the knowledge of who (at
least we believe that) the E-mail in question is coming from. That makes the
problem easier than handling the same things when they are coming into a Web
browser, which probably doesn't give us a good intercept point and in any case
doesn't provide any standardized way for us to determine who sent the E-mail
(or whatever) that's on the Web page being viewed.
As I've said, Web-based stuff is a different (and harder) problem that we'll
have to deal with eventually, but at the moment that's mostly just a diversion
and distraction from what we need to deal with HERE.
The idea is to send mail with
authentication and if a secured webmail does that one should prefer that
rather than banging their head against the wall just because we need
SMTP/POP to do the job which is done better by some other thing.
Authentication proves NOTHING regarding legitimacy because a zombie spambot can
trivially send what it sends using the authentication belonging to the hijacked
system.
Authentication is also at least VERY problematical in cases like airport or
cruise ship Internet access terminals/kiosks, where people need to use their OWN
E-mail addresses but have absolutely **NO** control over which SMTP E-mail
server will be used by the kiosk software.
We should remember that our goal is to stop spam by whatever means possible,
protocol is just a medium.
Authentication does **NOTHING** to "stopping spam". It only adds a few,
relatively minor, restrictions on the technologies that spammers (and worms and
viruses) use.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
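
The pre-MUA filtering point made in the message above (inspect HTML mail after retrieval, using the claimed sender to decide), as an added example that is not part of the original message. The allowlist, the pattern list, the sample message and the function names are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist: senders whose HTML mail is delivered untouched.
TRUSTED_SENDERS = {"alice@example.org"}

# Constructs treated as dubious in HTML mail (illustrative, not exhaustive).
DUBIOUS = {
    "script": re.compile(r"<\s*script\b", re.I),
    "object/embed": re.compile(r"<\s*(object|embed|applet)\b", re.I),
    "iframe": re.compile(r"<\s*i?frame\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "remote-image": re.compile(r"<\s*img\b[^>]*\bsrc\s*=\s*[\"']?https?:", re.I),
}

# Constructed sample message (not taken from any real mailbox).
SAMPLE = (b"From: Mallory <mallory@example.net>\r\n"
          b"To: bob@example.org\r\nSubject: hello\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n"
          b"<html><body><p>Hi</p><script>x()</script>"
          b"<img src=\"http://tracker.example.net/p.gif\"></body></html>\r\n")

def inspect_html(html):
    """Return the sorted names of dubious constructs found in an HTML body."""
    return sorted(name for name, rx in DUBIOUS.items() if rx.search(html))

def filter_message(raw_bytes):
    """Return (action, sender, findings) for one message, before the MUA sees it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # The From header is only the claimed sender; it can be forged.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    findings = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.update(inspect_html(part.get_content()))
    if findings and sender not in TRUSTED_SENDERS:
        return "quarantine", sender, sorted(findings)
    return "deliver", sender, sorted(findings)

if __name__ == "__main__":
    print(filter_message(SAMPLE))
```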