
RE: Testing Root A going away

2003-08-30 15:15:00
On Fri, 29 Aug 2003, shogunx wrote:
> > The better question for the IETF is whether we should do something to
> > SMTP to make it less easy to send spoofed mail.
>
> what, so one couldn't telnet in and send arbitrary mail?  include a
> reversedns lookup in SMTP?  good luck on widespread implementation.

Reverse DNS lookups tell one nothing about the legitimacy of the email
being sent.  This has been hashed over on both namedroppers and DNSOP.

I also recently hashed out the Information Theoretic problems with
suppressing spam with a group of PhDs from one of my old companies.
After a great deal of arguing about the definition of Covert Channel (in
particular whether cooperation was required or not), it was determined (to
a high degree of confidence--but not to a formal proof) that spam is
indeed a covert channel, and therefore subject to the axiom that one
cannot prove there are no covert channels. I should note that during the
course of research I made into the topic, which included reading a number
of original papers on the subject of Covert Channels, Side Channels, and
like concepts, I could find no written proof of this axiom, but neither
was it challenged as being untrue.

This confirms the intuition that digital signature schemes, and cost
schemes and other such suppression schemes cannot succeed.  Spam is
essentially dependent on the will of the sender, and given viruses, that
will can be subverted for many senders no matter what suppression scheme
is used. Spam can be detected, and stopped after detection, but it cannot
be made impossible to send.

The question is really whether SMTP has sufficient identification
information to track down an abuser, or infected user. The answer to this
question is "yes".  Even with an open proxy, the SMTP information will
identify the open proxy. The anonymity offered by the open proxy is
completely independent of SMTP.  However, to identify the abuser, one may
need law enforcement authority, or be willing to undertake a civil action
at some expense.  This is consistent with the PSTN, in which the identity
of a user can't generally be determined by another end user, but can
usually be determined using law enforcement authority.  Indeed, as with
the PSTN, some anonymity is appropriate.  One would probably not want to
allow end users to be able to identify another end user against their will
without a court order of some sort or some evidence of a criminal act.

                --Dean
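The claim in the last paragraph, that the trace data SMTP leaves behind identifies at least the last relay (an open proxy included) even when everything before it is forged, can be checked by walking the Received: headers. This is an added example, not part of the post or the thread: it assumes a constructed message and a set of relay hostnames the reader operates, and reads the trace top-down until it reaches a header not written by one of those relays.

```python
import email
import re
from ipaddress import ip_address

# Constructed sample message. The top Received: line was stamped by our own
# MTA (mx.example.org); the two below it arrived inside the message and were
# written by whoever was upstream, so they cannot be trusted.
SAMPLE = """\
Received: from proxy.example.net (proxy.example.net [203.0.113.7])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <user@example.org>; Fri, 29 Aug 2003 10:00:00 -0400
Received: from mail.bigisp.example (mail.bigisp.example [198.51.100.2])
\tby proxy.example.net with SMTP; Fri, 29 Aug 2003 09:59:00 -0400
Received: from forged.example.com [192.0.2.1]
\tby mail.bigisp.example; Fri, 29 Aug 2003 09:58:00 -0400
From: someone@forged.example.com
To: user@example.org
Subject: test

body
"""

# "from <helo> ... [<ip>] ... by <host>" -- the common shape of a trace header.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+([^\s;()]+)", re.S)


def received_chain(raw):
    """Return hops newest-first as (helo_name, connecting_ip, receiving_host)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        try:
            ip_address(m.group(2))  # skip headers with a garbage address
        except ValueError:
            continue
        hops.append((m.group(1), m.group(2), m.group(3)))
    return hops


def entry_point(raw, trusted_receivers):
    """Walk the trace from the newest hop down while the receiving host is one
    of ours. The last such hop carries the IP our MTA actually saw connect;
    anything below it was supplied by the sender and may be invented."""
    entry = None
    for helo, ip, by in received_chain(raw):
        if by not in trusted_receivers:
            break
        entry = (ip, helo)
    return entry
```

For the sample above the walk stops after the first header and reports 203.0.113.7, the relay (here, an open proxy) that spoke to our MTA, regardless of what the forged lines beneath it claim.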