----- "Alessandro Vesely" <vesely(_at_)tana(_dot_)it> wrote:
Douglas Otis wrote:
SMTP is heavily abused, and soon IPv6 is about to become a necessity.
To remain practical, connectivity must be based upon _immediate_ and
_stable_ evidence of legitimate email operation, and not upon any number
of authorization transactions. Each additional transaction to support
an authorization scheme will be multiplied by the typical number of
attempts made by abusive senders. This means providers need to exclude
problematic users, and not become a task pushed toward recipients. Such
pushing is not practical and often leads to unfortunate mistakes.
What do you mean by "problematic users"? Providers of residential
cables, WiMAX, and similar connections could block or redirect port
25, just like most universities and companies do. They used to do it,
as long as they provided mailboxes as a bonus and ISP and ESP were
synonyms. Submission port 587 is not yet universally employed, and
some customer may not accept to be unable to reach their favorite
server's ports 25 or 465. "Blocking port 25 except for a set of
servers used for submission" is not something that can be easily
defined and maintained by ISPs, IMHO.
Yes, I'm not sure that blocking port 25 will ever be possible. I think fewer and
fewer people want their mailbox tied to an ISP; this is why they get a
mailbox on yahoo, google, etc... So these services usually require you to
connect via port 25 and authenticate, but that means the ISP has to leave port 25
open. Blocking port 25 and leaving port smtps/465 open to allow users to still
submit email is better, but just a temporary measure until botnets use smtps
to submit.
The only thing I see in this system is to identify IPs of mail servers via an
out-of-band process. Like a record in the DNS. To avoid DDNS (the ability of
the compromised machine to push a record in the DNS), it should be in the
Reverse DNS or in a subdomain.
Now a receiving MTA would be able to use this filter: either the sending MTA
authenticates (MUA) or the sending MTA is recorded as an MTA in the DNS. Now this
cannot be enabled overnight, but a spamassassin filter could give a negative
score if the sending MTA is DNS-recorded.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
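The receiving-side check sketched in the last post, as an added example that is not from the thread or from any ASRG proposal: the sending address is converted to its reverse-DNS name (in-addr.arpa or ip6.arpa, so the record lives in the address holder's zone rather than anywhere a compromised host could push it via dynamic DNS), a TXT marker is looked up under a hypothetical `_mta` label with a hypothetical `v=mta1` token, and a SpamAssassin-style score is produced (negative when recorded, positive when not, neutral for authenticated submission). The label, token, score values and the in-memory zone are all constructed for this example; a real deployment would plug in an actual resolver.

```python
import ipaddress
from typing import Callable, Dict, List

# Hypothetical label under which an address holder would publish the
# "this address is a legitimate MTA" marker. It sits inside the reverse
# zone (in-addr.arpa / ip6.arpa), which the ISP controls, so a bot on
# the host cannot create it through dynamic DNS updates. Both the label
# and the token are assumptions made for this example.
MTA_LABEL = "_mta"
MTA_TOKEN = "v=mta1"

# SpamAssassin convention: negative favours delivery, positive favours
# rejection. Values are constructed, not taken from any ruleset.
SCORE_RECORDED = -2.0
SCORE_UNRECORDED = 1.0
SCORE_AUTHENTICATED = 0.0

# A resolver maps a DNS name to the list of TXT strings found at it
# (empty list when the name does not exist).
Resolver = Callable[[str], List[str]]


def mta_record_name(ip: str) -> str:
    """Build the marker lookup name for an IPv4 or IPv6 literal.

    ipaddress.reverse_pointer yields e.g. '10.2.0.192.in-addr.arpa' or the
    nibble-reversed '...ip6.arpa' form, so one code path serves both families.
    """
    addr = ipaddress.ip_address(ip)
    return f"{MTA_LABEL}.{addr.reverse_pointer}"


def is_recorded_mta(ip: str, resolve: Resolver) -> bool:
    """True only if a well-formed marker exists for the address.

    Malformed or unrelated TXT content is treated as "not recorded" so that
    stray records in the reverse zone do not accidentally whitelist a host.
    """
    try:
        name = mta_record_name(ip)
    except ValueError:
        return False  # not a valid IP literal
    return any(txt.strip() == MTA_TOKEN for txt in resolve(name))


def score_connection(ip: str, authenticated: bool, resolve: Resolver) -> float:
    """Score one inbound SMTP connection.

    Authenticated submission (an MUA on 587/465) is out of scope for the
    DNS check; everything else is scored by whether the source address is
    published as an MTA.
    """
    if authenticated:
        return SCORE_AUTHENTICATED
    return SCORE_RECORDED if is_recorded_mta(ip, resolve) else SCORE_UNRECORDED


# Constructed in-memory zone standing in for real DNS. 192.0.2.0/24 and
# 2001:db8::/32 are documentation prefixes, not real mail servers.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_mta.10.2.0.192.in-addr.arpa": [MTA_TOKEN],           # proper marker
    mta_record_name("2001:db8::1"): [MTA_TOKEN],           # IPv6 marker
    "_mta.20.2.0.192.in-addr.arpa": ["some unrelated text"],  # malformed
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for a TXT lookup against SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip, auth in [("192.0.2.10", False), ("2001:db8::1", False),
                     ("192.0.2.20", False), ("192.0.2.99", False),
                     ("192.0.2.99", True)]:
        print(ip, "auth" if auth else "relay",
              score_connection(ip, auth, sample_resolver))
```

Because the marker is keyed on the reverse zone, the decision depends on who controls the address block, which is the point of the proposal: the ISP publishes markers only for the hosts it operates or vouches for as MTAs, and a compromised residential host has no way to add one.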