On 10/27/2010 6:29 AM, Rich Kulawiec wrote:
It doesn't matter. The entire issue of end-user authentication is
dead, dead, dead thanks to 100+ million zombies with keystroke loggers.
It doesn't matter how clever the tech is, how slick the UI is, how
minimal the effort is.

Oh, then, port 25 blocking and SMTP submit authentication is dead dead
dead too, predicated on the _same_ zombies and keyloggers?

Actually, it's not, at least on the sending side, because for various
reasons, botnet writers haven't (with only trivially small exceptions)
done it.

On the receiving side, yes, the volume is still gruesomely high (because
of sites that haven't/won't see the light), but (a) it'd probably be
MUCH higher without it and (b) you can often use knowledge about who
don't (and where their IP space is) to block it anyway (cue SORBS DUL,
PBL, EL etc) or (c) partially evolve to "default block" approaches.

Certainly, the equation would change if "everybody did it", but it could
provide considerable breathing space, and perhaps change the spammer ROI
sufficiently to get more of them out of the biz.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg