Paul Wouters <paul(_at_)xtdnet(_dot_)nl> wrote :
> On Thu, 9 Oct 2003, Mr. Ned wrote:
>> First of all, with all the free email out there, who would need to
>> adopt this, it just becomes another race again.
> Your argument is unclear. The only thing I understood in those two sentences
> is the suggestion that spammers will just go get more and more free email
> accounts.
The more people who go abuse free email providers, the more those providers will
invest in preventing robots from generating new email accounts, or be crushed by
the spammers robbing them. Either way is failure for the spammer.
It is one thing to get a free email account someplace like Hotmail or Yahoo,
where all of your email is handled through a web interface. Such a service is
commonplace, and not expected to go away anytime soon. It is another thing for
somebody to offer free SMTP service, especially if it requires username and
password to get in. This is almost nonexistent, and when it does exist, it's
abused and blacklisted quickly.
When somebody signs up for free email service, they won't get free SMTP. Much
less free VSMTP. If the provider provides free SMTP or VSMTP, trust me they
will soon be blacklisted.
When somebody writes a program to automatically work through the web interface
of a free email provider, they are costing the email provider money, and
providing them incentive to stop robots from creating new email accounts.
Plus, this spam can only work for a little while before being blacklisted. So
sign up for another account. And get blacklisted. Etc etc. The free email
provider will soon either be blacklisted, button up security, or go bankrupt.
When you get spam from spammy(_at_)hotmail(_dot_)com, you don't really think
that message was sent from hotmail's SMTP servers, do you? The address was
forged. If hotmail used VSMTP, the message would be rejected for delivery,
unless somebody hacked hotmail's VSMTP server.
I do not claim that hotmail is unhackable for somebody to get in, and start
generating LUMIDs on hotmail's MX, but I do claim that such a problem will be
handled as fast as hotmail's IT staff can handle it. If somebody cracks their
way into hotmail's internal network, you think they don't prosecute?
The problem of protecting passwords is a problem I WANT to have, because it's a
whole lot better than letting them do it for free. Worse, if they don't use a
password, it's completely legal because it's an unrestricted public service.
> Second, PC security
> sucks. Some people believe most spam already comes from
> hacked/infected
It's true that PC security sucks. But you didn't list your PC's IP address as
the MX for your domain, did you? Even if somebody hacks into your PC and
starts using you as an SMTP service, they won't have any GUMIDs, and therefore
mail is rejected if the receiver (and you) use VSMTP. Even if they set up a
program to start verifying GUMIDs on your PC, your PC will never be queried
because you're not the MX for your domain.
> If they can hack/infect the machine, they can either 1) create new accounts
> at free ISPs or 2) steal the user's identity, or 3) ask for
> lots of LUMIDs.
If there's a free ISP, please let me know. Furthermore, if there's a free ISP
that doesn't require any time to create an account there, and doesn't require
any evidence that I'm a real human, and is actually usable, especially with
high speed connection, what a deal. Tell me where to sign. They don't exist.
If a MX, a domain, or somebody's individual account is compromised, they will
be abused by unethical individuals, and therefore blacklisted until they
correct the problem.
The same goes for generating lots of GUMIDs.
> And now a re-install of his PC won't even help, the identity will be put
> on blacklists and this person has to get a new email address.
There currently exist blacklists. Are you suggesting that these blacklists are
immutable, and the person whose security was compromised remains there for
life, even after security is regained?
Obviously you can be cleared from a blacklist by showing that you've regained
security of your identity.
> Fighting spam by relying on users' ability to keep their password/token
> secret is a lost race.
Whenever you see an obstacle, you should look for a way around it. The user
isn't necessarily trusted to keep their password secret, if the ISP or whoever
enforces it. It's entirely reasonable for the ISP to provide a system
generated password for the life of the account, and for the password
authorization to be implemented encrypted, according to the policy of the ISP,
who obviously has incentive to protect the password.
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/