[Top] [All Lists]

RE: MyDoom, Sorbig - Actions taken?

2004-02-05 10:19:37

Wouldn't it be nice if the same sort of thing could be done with email

no, it wouldn't be nice to be forced to always submit mail from the same

IP addresses are inherently tied to network locations.  email
addresses are not.

That's right. That's why I said this isn't really possible with
SMTP. After all, being able to send from anywhere as anyone is
allowed AND used frequently today.

It's possible, and reasonable, for an SMTP server that accepts
mail submission to require a username/password and apply policy
based on that username/password.  This is available today with the
AUTH extension to SMTP.

Of course today nearly all SMTP servers that accept mail
submission merely validate the legitimacy of the sender based
on the sender being in the ISP's (or enterprise's) IP address

In either case, though, the SMTP server that accepts mail submission
can fairly trivially validate the MAIL FROM address, and even the
From: address, based on the IP address (or username/password) of
the user.  For example, all business mail egressing Cisco's network
should have a MAIL FROM with, and should be virus
checked and perhaps also be spam checked.  And all mail egressing
AOL's network should have a MAIL FROM with

So I don't agree that "it isn't possible with SMTP".  It actually
is possible with SMTP.

I think I didn't make my point clear. I was suggesting a
conceptual vision, which would rely on a briefly mentioned topic
on the mail-ng list as "sender authentication/verification".

If you can verify the sender then it could become possible to
control message "injection" into the "mail system".  And one of
those controls could be "is this sender allowed to send from this
'location'?". I'll handily leave "location" undefined.

This not really possible with SMTP as it stands now anyway.

Agreed -- some changes are necessary to achieve the goal you are

Imagine all the viruses that would be blocked because they could only
send mail on behalf of the "originating location's mail domain".

the viruses wouldn't be blocked, they'd just have different
From addresses.

True. Perhaps I should have said "now we can track down the
person who has a machine that's infected".

If the identity is tied to only a domain, the best you can do is
tie the email to that domain.  At that point you can contact the
domain and inform them of the problem.  It's then their problem
to track down the virus- (or spam-) infected system.

At the least, all the "hey you have a virus" automated replies
will go to a somewhat more appropriate location ;-)

Unfortunately, the AV companies have no doubt found there is
marketing value in sending notices these far and wide.


<Prev in Thread] Current Thread [Next in Thread>