
Re: [Asrg] attention bonds, was Email Postage

2008-11-30 12:34:13

On November 29, 2008 at 13:28 rsk(_at_)gsp(_dot_)org (Rich Kulawiec) wrote:
> On Fri, Nov 28, 2008 at 03:56:07PM -0500, Barry Shein wrote:
> > I don't see how 10^8 compromised systems can get past that, short of
> > the ietf mail server being compromised which could happen but isn't
> > likely, and is less likely to persist long enough to be much of a
> > concern.
>
> If the system of any subscriber is compromised, or if the email
> credentials (username, password, server triplet) of any subscriber
> are used on a system which is compromised, then the adversary has the
> ability to send mail as the subscriber.  Note that compromise of some
> systems will lead to disclosure of many sets of email credentials.

Not if you filter at the IP level of the servers for example. Or not
for long.

My original comment suggested you whitelist so only asrg(_at_)irtf(_dot_)org
email could get to you, and only accept it if it came from an IETF
server (possibly via your internal servers, but at the border.)

10^8 zombies can't get past that.

As I said it leaves the remote possibility that they've compromised
the IETF mail servers but I don't think that's what you're talking
about, and I tend to doubt that would be a major problem.

Whitelists, if properly constructed, can work.

The problem is they're too restrictive for most people.

Anyone else remember when you could not send any email to any IBM
employee unless that employee specifically added you to their
corporate whitelist? You had to call the person on the phone or
similar (fax perhaps), or ask someone else who was whitelisted to
forward your request.

That was in the 80s and it seemed so...draconian. Maybe it's still
like that.

I suspect in terms of spam and other unsolicited email it probably
worked pretty well depending on their own enforcement and policies.

-- 
        -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           | 
http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
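The border whitelist Barry describes (accept only mail addressed from the list, and only when the connecting host is one of the list's own servers), written out as an added Python policy check. This is my example, not code from the thread or from the IETF; the server network ranges and the sample connection attempts are constructed placeholders, not the IETF's real addresses.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed placeholder ranges standing in for "the IETF mail servers";
# the real addresses are not on the page and would come from the list operator.
LIST_SERVER_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8:1::/48")]

# The only sender the border MTA is willing to accept mail from at all.
ALLOWED_SENDERS = {"asrg@irtf.org"}


def normalize(addr: str) -> str:
    """Undo the archive's (_at_)/(_dot_) obfuscation and lower-case the address."""
    return addr.replace("(_at_)", "@").replace("(_dot_)", ".").strip().lower()


def border_policy(conn_ip: str, envelope_from: str,
                  allowed_nets: Iterable = LIST_SERVER_NETS) -> tuple[str, str]:
    """Decide at the border whether to accept an inbound SMTP transaction.

    Only the TCP peer address is trusted. Received: headers and the From:
    line are attacker-controlled, so they are deliberately not consulted.
    Returns (verdict, reason).
    """
    sender = normalize(envelope_from)
    if sender not in ALLOWED_SENDERS:
        return "reject", f"sender {sender} is not on the whitelist"
    try:
        ip = ipaddress.ip_address(conn_ip)
    except ValueError:
        return "reject", f"unparseable connecting address {conn_ip!r}"
    # 'in' is False across IP versions, so a v4 peer never matches a v6 net.
    if not any(ip in net for net in allowed_nets):
        return "reject", f"{ip} is not one of the list's servers"
    return "accept", f"{sender} delivered by list server {ip}"


def evaluate(attempts: list[tuple[str, str]]) -> list[str]:
    """Apply the policy to (peer_ip, envelope_from) pairs; returns verdicts."""
    return [border_policy(ip, sender)[0] for ip, sender in attempts]


if __name__ == "__main__":
    # Constructed sample: list traffic, a direct zombie spoofing the list address,
    # a stranger relayed through the list server, and a malformed peer.
    for ip, sender in [("192.0.2.10", "asrg(_at_)irtf(_dot_)org"),
                       ("198.51.100.7", "asrg@irtf.org"),
                       ("192.0.2.10", "someone@example.com"),
                       ("not-an-ip", "asrg@irtf.org")]:
        print(ip, sender, *border_policy(ip, sender))
```

The residual risk Barry concedes is visible in the first case: a message injected through the list server itself, for instance with stolen subscriber credentials, still passes, because the border only sees the list's own IP.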