mail-ng

Re: Why are we here? What are our goals?

2004-01-30 09:57:47


----- Original Message ----- 
From: "Florian Weimer" <fw(_at_)deneb(_dot_)enyo(_dot_)de>
To: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>


Hector Santos wrote:

When you don't authenticate, as long as the mail destination is for the
local user, fundamentally, it is basically the spirit of SMTP to accept
this message with no restrictions. In other words, you really don't care
who connects to you as long as it's for a final destination user.

This is how SMTP was designed, but it is no longer operated in this way
by the majority of sites (at least weighted by the number of active
users).


Right, but it also represents the reason for the majority abuse we have.

Is it true that this is where most of the abuse lies? The industry research
estimates 60-80% of all spam is from spoofers - anonymous liars. Our CBV
system (CallBack Verifier) confirms this.

Most junk mail I receive comes from dial-up/cable/DSL users and free
webmail providers.  I can completely trace it within the mail system (no
3rd party SMTP relay is involved).  In the case of webmail, I've even
got a valid phone number to which I could complain and an address to
which a court order could be delivered (even under German jurisdiction).
Does it make a difference?  No.

This should not neglect what has to be done.

By the way, we knock out 40% of those dial-up/cable/DSL systems at
HELO/EHLO, not by us. They do it themselves for lack of SMTP compliance!
Just create a multiple line greeting! You will knock out at least 40% of
them instantly!

See our stats at http://www.winserver.com/sslinfo (I believe it was about
Dec 25 when we added the multiline greeting; HELO/EHLO rejections jumped from
12-15% to around 60%!).

The underlying issue (nobody is accountable for mail which is merely
passed through) is a social problem which cannot be addressed by
protocol changes.

I don't totally disagree with that. But a computer is stupid. It does
what we tell it to do. It has no understanding of what your intentions are.
But it can perform logic, sound technical design and expected secured
client/server logic, and if you don't do it right or don't follow certain
rules, it doesn't (shouldn't) matter what your "social intent" really is.
This is not really about SPAMMERS. They just made enough trouble to show
the world we have a problem with the current infrastructure.

Just imagine if AUTHENTICATION was a requirement. What do you think will
happen? In what way will the behavior of the net change? How will the
spammers change?

You might say, "Well Hector, then email  will not work!  I can't send you
legitimate mail."   I will say then you might be right, with the current
standards, with the current way things are done,  it will restrict
legitimate first time contact.  (In our case, for current specs, using a
CBV,  we require that your return path is verifiable).

But just imagine with a NEW system, if it was required for you to "signup
somewhere" in order to be a sender/receiver on the network? Never mind whether
it was realistic or not, but it was now part of what made you part of the
backbone, the network. Is it possible to work now?

What is wrong with the idea that "spammers" should register or create a
relationship with systems that they bombard to send mail?

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
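The multi-line greeting trick discussed in this thread, as an added Python example that is not part of the mail or of any product mentioned in it: it renders an RFC 2821 multi-line 220 reply and classifies a client by whether it waited for the final "220 " line and then sent a well-formed EHLO/HELO. The host name and client lines are constructed.

```python
import re

# Constructed greeting. Per RFC 2821 section 4.2, every line of a multi-line
# reply except the last carries "220-", and the last carries "220 ". A compliant
# client must not send its first command until it has seen that last line.
GREETING_LINES = [
    "mail.example.test ESMTP service ready",      # hypothetical host name
    "Unauthorized use of this system is prohibited",
    "Send EHLO or HELO to continue",
]

def render_greeting(lines=GREETING_LINES):
    """Format the reply text: '220-' on all but the last line, '220 ' on the last."""
    out = []
    for i, text in enumerate(lines):
        sep = " " if i == len(lines) - 1 else "-"
        out.append(f"220{sep}{text}\r\n")
    return "".join(out)

# EHLO/HELO must carry a domain or a bracketed address literal as its argument.
HELO_RE = re.compile(r"^(EHLO|HELO) ([A-Za-z0-9.-]+|\[[0-9.]+\])\r\n$", re.IGNORECASE)

def check_client(sent_during_greeting, first_command):
    """Classify a client from what it sent while the greeting was still in
    progress and from its first command once the greeting finished.

    Returns (verdict, reason). 'reject' corresponds to the HELO/EHLO
    rejections the mail reports; the conditions are the RFC rules."""
    if sent_during_greeting:
        # Spoke before the final '220 ' line: it did not parse the multi-line reply.
        return ("reject", "client sent data before the greeting completed")
    if not HELO_RE.match(first_command):
        return ("reject", "first command is not a well-formed EHLO/HELO")
    return ("accept", "compliant greeting exchange")

if __name__ == "__main__":
    print(render_greeting(), end="")
    # Constructed client behaviours: a compliant MTA and an early talker.
    print(check_client("", "EHLO relay.example.test\r\n"))
    print(check_client("HELO x\r\n", "EHLO relay.example.test\r\n"))
```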