ietf-mxcomp

RE: When spoofing is.

2004-03-21 15:39:42

Here's another valid use of spoofing (again, apologies to Dave):
Anonymous remailers.  If the postcard contingent aren't viewed as
valuable in this discussion, how about the bulk of the pro-privacy and
cryptography communities?

Alan and John (et al. - correct authors cited this time!) covered this in the
LMAP discussion draft.

It is possible for an enterprise to provide both accountable and anonymous
services.  Now this is a good reason to verify by domain only and not
necessarily by sender, though a clever design could verify by anonymous
sender too, without exposing the identity of the sender.

No.  But as Meng states on the pobox.com SPF pages, ISPs don't _yet_
block port 587, which he points out as justification for using it as a
workaround for ISPs blocking 25 outbound.

I would think any mail host offering SMTP on port 587 requires some kind of
authentication, and only authorized users would use it.  It wouldn't be open
to abuse by default.  At least not from a "responsible" mail host but that's
another discussion altogether.

The original point of blocking outbound port 25 was to avoid dial-up and
relay spam, though some ISPs use it as a means to enforce corporate identity.
If not 587 then some other port, probably - users would get uppity if port
1863 (MSN Messenger) was blocked.  Or Jabber ports.  Or Protocol 47 (GRE used
for PPTP).  Or Port 443 for secure webmail.  Or whatever.  You'd have to be a
pretty repressive ISP, corporate entity or government to block these and not
get lynched by your customers.

User education as solution?

Customer service issue.  Of course I've ranted about this at length, too.

-- 
PGP key (0x0AFA039E): 
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4> 

