Re: namedroppers, continued

2003-01-06 12:58:34
I believe the answer to your first question is you would send mail using your own mail server, not someone else's. Although...I do see unique issues involved in people using mail servers that are not part of their network (hotmail, yahoo...) to send email if they try to authenticate you as part of their network before allowing you to send email. I believe the solution to that problem is that those commercial mail servers (free or premium) would not be able to authenticate you as part of their network before allowing you to send your email. They would then require clients logging into those accounts (with valid user names and passwords) to send email from a valid IP address with no unsecured proxy services running on them (much like many IRC servers are doing) and transmit this IP information along with the email being sent. This would allow for pinpoint identification of the senders using IP addresses, MAC addresses, and time stamped logs for the specific purposes of taking legal action against these network abuses.

Your second question is a bit harder for me to answer. I believe (I may be incorrect) that there is already a difference between a receiving mail server's transaction with a sending or relaying mail server and a mail client. I would never claim that it is impossible for a malicious user to do anything (I know better). On the other hand, if we can achieve authentication before sending email and it becomes a requirement of the system, then it should make the actions of a malicious user stand out in the logs of the server, allowing for tracking, blocking, and prosecution of those users for the unauthorized access and (mis)use of private network resources. My solution does NOT have a way of completely stopping spam from being sent, but perhaps in conjunction with other actions it can stop a majority of spam from being sent. Additionally, my solution makes it easier for end users and administrators to track the actions of spammers and find their virtual locations. I would further suggest that once this information is gathered and verified with the spammer's ISP, subpoenas, court orders, cease and desist orders, fines under existing laws, and criminal prosecution could do the rest.

I am not claiming that this will eliminate spam on its own. I am claiming that it will make it harder for the offending parties to get away with sending spam in a manner that is not compliant with TOS agreements and the law. This solution would require a concerted effort by the administration community as a whole, and I think that is where the problem truly is.

----- Original Message -----
From: "Harald Tveit Alvestrand" <harald(_at_)alvestrand(_dot_)no>
To: "Doug" <Dougxx2(_at_)carolina(_dot_)rr(_dot_)com>; <Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu>
Cc: <ietf(_at_)ietf(_dot_)org>
Sent: Monday, January 06, 2003 10:00 AM
Subject: Re: namedroppers, continued




--On mandag, januar 06, 2003 02:01:27 -0500 Doug <Dougxx2(_at_)carolina(_dot_)rr(_dot_)com> wrote:

Your proposal would fix the problem, but end up tossing a large quantity of babies out with the bathwater.  The problem is that for the case of a mailing list, you have *4* (at least) things to keep track of:

There are many commercial email servers that require the people sending email with their server to log into the server using a valid username and pass before doing so. I doubt they are losing any valid emails. All it does is to keep unauthorized users from using the server without a valid password. The reason to require that the sender address in the outgoing email matches the email address referenced in the account is to keep people from sending spam from these email servers and using fraudulent return and/or sender address. I fail to see how this throws out any babies. Perhaps I am missing something.

well....think about how mail from someone who is not a user of that system (like me) can send mail there....

how does your system tell the difference between a remote mail server and a malicious user?

                 Harald