> [problem of botnets as spam originators]
> Isn't the solution to decline ALL mail from obvious pool addresses? I hear the argument that you can't put pool addresses in a DNSBL because next week the bot will have a different address. So put the whole pool in the DNSBL.
The solution to the problem is actually AMAZINGLY simple... I know that a lot of y'all have this fixation on IP-based solutions, but a FAR better solution (rather than attempting to block spam AFTER the botnets are recruited) is to block the virus/worm code-containing E-mail messages BEFORE they infect those computers.

And that is really rather easy... you simply block any HTML or attachments (and particularly EXECUTABLE attachments) that aren't coming from a sender that is known and trusted by the recipient TO SEND THEM EXECUTABLE CONTENT.

Note that MOST users (probably 98-99%) will not whitelist ANYBODY to send them executable content in E-mails...!

The other way that botnets are recruited is by people visiting infectious Web sites, but that is a problem for a different list.
> ...This will result in a security disaster when an MTA holding thousands of private keys becomes compromised. Clients transmitting or signing email MUST be identifiable and spam MUST be made illegal. Lack of SMTP client identification and spamming is _directly_ responsible for the spread of much of today's malware!
The fixation on "client identification" (like SPF does) isn't very effective for the simple reason that an infected machine can send spam using all of that machine's certifications and habitual outgoing mail server. Likewise, a person can need to send legitimate mail from an inhabitual location (such as a cruise ship Internet cafe).

What IS (much more!) effective is to determine whether an outgoing (/arriving?) mail message LOOKS "LIKE" the mail that the legitimate user of the now-infected machine habitually sends to a given correspondent. Ideally, that "looks like" rule and criteria would be different for each correspondent recipient.
> The criminal element has demonstrated individuals can not be easily tracked in today's Internet. Those in the business of transmitting messages should identify their clients and not abuse network resources by allowing bulk unsolicited promotions of any sort.
What is 'legal' and 'not legal' will depend on from which country the messages originate. "Identifying clients" doesn't accomplish much if a legitimate, honest user finds that their machine has been infected. What do you want to do, sue the previous, also-innocent victim?

Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty-year anniversary of local area networking
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
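A concrete form of the per-recipient executable-content rule argued for in the message above (an added example, not code from the thread or its author): it parses a message with Python's standard email library, classifies HTML and attachment parts, and rejects any risky class the recipient has not explicitly trusted that particular sender to send. The extension list and the TRUST table are constructed assumptions standing in for a real user's settings.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions treated as executable content (assumption; tune to local policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi"}
RISKY = {"html", "attachment", "executable"}

# Per-recipient trust: recipient -> sender -> classes that sender may deliver.
# Constructed sample data; most users would have an empty entry here.
TRUST = {"alice@example.org": {"build-bot@example.org": {"executable", "attachment"}}}

def classify_parts(msg):
    """Return the risky content classes present in a parsed message."""
    found = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = (part.get_filename() or "").lower()
        ext = fname[fname.rfind("."):] if "." in fname else ""
        if part.get_content_type() == "text/html":
            found.add("html")
        if ext in EXECUTABLE_EXTS:
            found.add("executable")
        elif part.get_content_disposition() == "attachment":
            found.add("attachment")
    return found

def decide(raw):
    """Accept only if every risky class is one the recipient trusts this sender for."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    blocked = classify_parts(msg) & RISKY
    blocked -= TRUST.get(recipient, {}).get(sender, set())
    return ("accept", frozenset()) if not blocked else ("reject", frozenset(blocked))

def sample(sender, to, attach_name=None, html=False):
    """Build a constructed test message and return it as a raw RFC 5322 string."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, "test"
    m.set_content("hello")
    if html:
        m.add_alternative("<p>hello</p>", subtype="html")
    if attach_name:
        m.add_attachment(b"MZ...", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()

if __name__ == "__main__":
    print(decide(sample("bob@example.org", "alice@example.org", attach_name="report.exe")))
```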