ietf

Re: namedroppers, continued

2003-01-06 08:16:15
On Mon, 06 Jan 2003 02:01:27 EST, Doug said:

There are many commercial email servers that require the people sending email
with their server to log into the server using a valid username and pass before
doing so. I doubt they are losing any valid emails. All it does is to keep
unauthorized users from using the server without a valid password. The reason
to require that the sender address in the outgoing email matches the email
address referenced in the account is to keep people from sending spam from
these email servers and using fraudulent return and/or sender address.
I fail to see how this throws out any babies. Perhaps I am missing something.

What you're missing is that I can configure *MY* server so it will only:

1) Accept mail *TO* a local recipient.
2) Allow relaying of mail to a *remote* recipient after doing some sort of
authentication that it's one of my users.

And in fact, the last I heard, open relays were only 1% or so of the total
mailservers out there - so the above is already the usual state of affairs.

Note there's no requirement that *inbound* mail be authenticated, which is
the basic source of the spam problem.  Your mail server will probably
accept mail for your userid from anyplace without authentication.

Now let's say you *do* start requiring authentication for inbound mail.
Let's consider this piece of mail, which is being sent to both you and
the IETF list...

1) What userid/password does the IETF mailserver use to authenticate
itself to your mail server?  Remember in your answer to note that forcing
users to manually update a whitelist of mailing lists they are on is
a helpdesk nightmare, and hard to scale - our main mailserver has some
80K mailboxes/aliases on it, and I'm on a lot of lists.  However, just
because *I* am on a list hosted at some site doesn't mean that any other
users on my mail server want to accept mail from that site.  However,
even if you decide *that* cost is tolerable, there's still:

2) What userid/password does my laptop use to authenticate itself to your
mail server?  And note that you can't just say "my laptop has to send it to
my mail server" - because then you need to get the userid/password pair to
my mail server.  Remember that your answer has to scale to 40 million .coms,
and that it has to work on a sender/recipient pair basis (otherwise, it's
like inviting a vampyre in - if they can get one person at your server to
OK the mail, then they can commence spamming all your users).  Note that
answers like the "reply to this message to prove you're not a spammer"
schemes are *NOT* a long-term solution - if any of those packages becomes
widespread enough to actually impact the spam problem, the spammers will
have a little Perl program scanning the bounces and canning the "yes I'm
not a spammer" responses.



-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: pgpVTjrjEWSwn.pgp
Description: PGP signature
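
The relay policy described in the message above (accept mail to a local recipient from anyone, relay to a remote recipient only for authenticated users), next to an open relay, as an added example that is not part of the original message. The domains, function names and sample sessions are constructed for illustration.

```python
"""Model of the RCPT TO decision on an SMTP server (illustrative, not a real MTA)."""

# Assumption: constructed domain this server is the final destination for.
LOCAL_DOMAINS = {"example.edu"}


def domain_of(address):
    """Return the lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def closed_relay(authenticated, rcpt_to):
    """Policy from the message: local delivery for anyone, relaying only after auth."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        # Inbound mail: no authentication is asked of the connecting client.
        return "250 accept for local delivery"
    if authenticated:
        return "250 accept for relay"
    return "550 relaying denied"


def open_relay(authenticated, rcpt_to):
    """Misconfigured server: forwards to remote recipients for any client."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "250 accept for local delivery"
    return "250 accept for relay"


# Constructed sessions: (description, client authenticated?, MAIL FROM, RCPT TO).
# MAIL FROM is carried along but never consulted: it is an unverified claim.
SESSIONS = [
    ("local user, authenticated, sending out", True, "alice@example.edu", "bob@example.org"),
    ("list server delivering to a local user", False, "owner-list@example.net", "alice@example.edu"),
    ("unknown client, forged sender, local rcpt", False, "alice@example.edu", "alice@example.edu"),
    ("unknown client asking for a relay", False, "x@example.com", "carol@example.org"),
]


def evaluate(policy):
    """Run every constructed session through a policy and collect the replies."""
    return [policy(auth, rcpt) for _desc, auth, _mail_from, rcpt in SESSIONS]


if __name__ == "__main__":
    rows = zip(SESSIONS, evaluate(closed_relay), evaluate(open_relay))
    for (desc, *_), closed, opened in rows:
        print(f"{desc:43} closed: {closed:31} open: {opened}")
```

The second and third sessions get the same reply under the closed policy: the server cannot tell a mailing list host from a client forging a local sender, which is the inbound case the message says is unauthenticated.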
