ietf-mxcomp

RE: DEPLOY: Sender-ID provides little or no defense against adaptive threats

2004-09-04 06:06:54

Not "accomplished nothing" but we would have accomplished the need for the
next step: SMTP AUTH that incorporates spoofing prevention.

Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085


-----Original Message-----
From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Dean Anderson
Sent: Saturday, September 04, 2004 4:51 AM
To: Hallam-Baker, Phillip
Cc: 'Anne P. Mitchell, Esq.'; IETF MARID WG
Subject: RE: DEPLOY: Sender-ID provides little or no defence against adaptive threats



On Fri, 3 Sep 2004, Hallam-Baker, Phillip wrote:


Even if we end up with spammers using disposable domains it will
mean a major switching cost for every message variant. In effect
the use of hash busters will be completely negated.

Saying that Sender ID will not work because of the throwaway domain
problem is like saying that it is pointless putting locks on your
doors because a burglar can break a window. In the real world breaking
windows creates noise and leads to burglars being caught.

There is no point in putting a lock on a free-standing doorframe when the
burglar can simply walk around the door. And that is the situation we
face.  Spammers can still forge email, even without disposable domains.
They can forge email from the domain (any domain) serviced by their ISP.
There are infinitely many user addresses to the left of the @ sign.  Since
there are no walls, there is no point in having doors with locks.

If the abuser just doesn't want to give an email address they use, they
can forge an address at their ISP's domain. Or they can use a disposable
address.  One still has to contact the ISP with the IP address and time of
use of the abuser.  Same as one would without sender-id/SPF/RMX.

If the abuser is interested in harassing a particular email address (a
joe job), they can just forge email to their ISP's relay.  That relay will
then bounce the message to the target.  The target then has to contact
each ISP to report the abuse. But they had to do that before
sender-id/SPF/RMX. The problem is the same.

At great expense, you've accomplished nothing.

              --Dean