Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> writes:
When a user is able to limit those with which they exchange messages (a
buddy list), there isn't any spam problem. Even when bad actors return
under a different name, they still don't make the list.
This statement is only true in a world with perfect host security. In
practice, compromising a system and then spamming everyone in the person's
address book using that person's configured mail server, mail settings,
and authentication credentials is common. The more emphasis is placed on
buddy-list authentication, the more prevelant this practice will become as
spam adapts to the email environment it's attempting to exploit.
Most users even use webmail systems and many of those users will happily
send their passwords to anyone who asks nicely, making this even easier.
--
Russ Allbery (rra(_at_)stanford(_dot_)edu)
<http://www.eyrie.org/~eagle/>