On Sun, 08 May 2005, Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
On 5/8/05 1:37 PM, John Levine sent forth electrons to convey:
That's completely, hopelessly impractical if a user is traveling and has no
control over the originating path of their outgoing E-mail.
G P:
Your comments doesn't make sense to me. What's impractical?
Your quotation style makes your post even more confusing.
Sorry you don't like it. I don't much care for other folks', either.
There's nothing in the draft that requires anything impractical of a
traveling user.
If you think otherwise, please refer to specific text in the draft.
Leibzon read more into the draft than was there.
The draft contains no text that says that users must use SUBMIT.
What the draft does is require support for a practical method already in
common use for traveling users to continue to use the same From: address
and server no matter where they are.
And THERE is the problem. "common use" is NOTHING remotely close to "universal
use", and a *lot* of venues one might use when travelling do NOT give the
ability to select what MTA is going to be used for the E-mail being sent.
It does not require or even
suggest that this is the only appropriate way for traveling users to
send mail (even though it is extremely practical).
It's practical for SOME, SOMETIMES. It's completely impossible for many.
(Feel free to quote, unabridged, on ietf-smtp.)
Thanks, but I'm not on that list. Since we're dealing here with approaches
designed to control/limit spam, and that's what we're discussing, I feel it's
appropriate to talk here.
Examples of such users are those using airport waiting lounge
Internet access kiosks, Internet cafes ...
It probably would be a good idea to clarify the distinction between
what's in the From: line and the identity of the sender.
If I connect to my MSA from a known IP address inside my network, or I
use SMTP AUTH to provide a username and a password, the MSA knows who
I am based on the IP address or the user/pass pair. This works fine
for people who travel with a computer so the computer is set up with
the appropriate addresses and passwords configured it. On the other
hand, if I walk up to a kiosk and send mail through a funky client on
the kiosk, nobody has the faintest idea who I am.
The root problem is the core, base presumption that because a trusted user's
COMPUTER is the source of the message, or because their MTA matches somehow the
From: address, that the E-mail is legitimate. In fact, NOTHING could be
further
from the truth.
Spammers can TRIVIALLY send mail from a commandeered system, using the
authenticated user's E-mail address, approved MTA, and certifications. While
one can argue about the merits of authenticated SMTP (i.e. needing a name and
password to a mail server, rather than having a more-or-less 'open' relay) it
is
certainly NOT the case that such authentication either precludes spamming, or
that mail sent with such "certification" is probably not spam.
In fact, spam is BEST determined IMHO on the basis of WHAT THE MAIL CONTAINS.
And THAT is best compared (again IMHO) against the "look" of legitimate mail
FROM THAT SPECIFIC FAMILIAR AND TRUSTED SENDER. If suddenly four messages
ostensibly from that sender suddenly look like spam and not like what I expect
to get FROM THEM, then I think it's perfectly reasonable to treat those four as
spam.
I don't CARE what MTA handled the messages. If they LOOK right (again, based
on
the sender), I don't particularly care what path they took to get to me.
(That's NOT to say that KNOWN spammer IPs shouldn't be blacklisted... only just
that said approach is becoming far less useful than it once was.)
Meanwhile, the seven other messages coming from the sender that LOOK "RIGHT"...
i.e. that look like the type of mail I normally get from that person... can be
delivered post haste.
In either case, I can set any From: address I want, and nothing in
this draft changes that. The difference is who vouches for it. In
the former case, the reputation with the mail is that of the MSA,
regardless of where I am or who I say I am. In the latter case, it's
the reputation of the kiosk which, depending on how good their rate
limits and outgoing spam filters are, may be good or may be bad.
It's easy enough to just throw rocks at Internet cafes, libraries, post office
Internet facilities, and the like, but (again) that's a buckshot approach which
harms innocent and legitimate users who DO occasionally have the legitimate
need
to use unfamiliar facilities and connections while they are travelling.
I don't want to see my mails blocked just because some other jerk happened to
have used the same kiosk to send spam, a week or two before. That's not MY
fault, and one can even argue that it's not the fault of the kiosk provider.
I could imagine trying to invent yet another scheme to send
authenticated mail from random clients, but I don't see any point.
I don't either, since "authenticated mail" does SO LITTLE to prevent the
sending
of spam. It only just changes HOW they spam, but hey, they've changed tactics
before (and it does very little to dissuade them).
It's no big deal to slap a web mail front end onto a mail system for
the benefit of roaming users without their own computers,
1) Web-based mail introduces a whole litany of new hazards and risks. Plain
ASCII text is FAR safer.
2) You must not expect that users are necessarily going to have live Web
access
while they are reading and composing their E-mail messages. Remote locations
that use high-price connectivity (MARISAT satellite links, for example, used
from ocean liners or oil drilling platforms) usually have local mail
composition
tools and local MTAs and only go online for occasional sessions to upload and
download mail and other important traffic.
Even in less extreme situations, much of the world still pays-per-minute for
Internet connectivity; it's crazy for them to need to routinely be online
during the whole time they spend managing their E-mail.
...and I don't see how we could do any better than that.
Perhaps part of the revelation is realizing that no simplistic single solution
(especially not one based on short-sighted US-centric views of the Net) are
applicable to everybody.
There are plenty of folks hawking things like authenticated mail or
certifications or the like, and there may be SOME value in SOME of those
schemes, but they certainly aren't universally acceptable, nor do most of them
do anything terribly convincing to stop spam.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg