spf-discuss

Re: [spf-discuss] Can this really be true?

2005-09-23 01:19:38


Andy Bakun wrote:
On Thu, 2005-09-22 at 22:19 -0400, Dick St.Peters wrote:


OTOH, those same MUAs represent a threat when they're on laptops or
other computers that get stolen.  Some of my users have been slow or
reluctant to have their passwords changed following such thefts.
Some have even forgotten that there even is such a thing as a password
when they never have to enter it for anything.


As you said in <17202.45449.252229.440238@saint.heaven.net>, "Please
don't confuse explanation with advocacy." :)  I'm not a big fan of
automatically remembered passwords either, for the exact reasons you
outlined.  But the fact is that additional authentication checks for
email submissions via SMTP currently don't inconvenience the user, nor
will they, because of the habits that users currently have.  Unless
you're using the Outlook client someone mentioned where the consultant
couldn't find the option to submit to another port (I suspect that MUA
was Outlook _Express_, not one of the versions with a number/year in
its name, which is notoriously lacking in basic features).


Outlook Express does allow the configuration of SMTP logon by SASL on port 587 - that is why I use it.




However, the latter amount to only a few of my users' addresses, and
most of my on-network users are considered authenticated by virtue of
being on my network.


It's interesting you mention this.  One network I administer is setup to
have more lax permissions on the wired side than on the wireless side
(which are two completely independent segments) and this has actually
helped both increasing awareness of security and awareness of all the
built-in settings in applications.  Plug their laptop into the network
with a wire, they can do different things (some with passwords, some
without) than if they are using a wireless card.  Sure, the wired
network can still be sniffed and is not significantly more secure
(anyone can plug a wire in, but there is physical security that doesn't
exist with wireless), but as for people understanding the different
kinds of exposures and risks of using networks, it's helped a lot.

As for "authenticated by virtue of being on [your] network", I think you
mean "authorized" -- either way, that works out perfectly for a
relatively small network with few endpoints.  A cable provider, for
example, has multiple endpoints, most of which they don't directly
control (because they are in people's homes) to which people can connect
a multitude of insecure networking devices.  Just because packets can be
routed in this situation doesn't mean that the traffic is either
authorized or authenticated.


This is not a small operator - it is big in Alaska -
[quote] GCI has a 45 percent share of the state's long-distance market, and is the state's largest provider of Internet services with dial-up, cable modem, wireless, digital subscriber line (DSL) and dedicated access.[/quote]
http://www.gci.com/about/index.htm
so they have a massive number of physical access points in homes and offices, all of which are authenticated to an open SMTP relay by virtue of paying their monthly fee. This is ridiculous.

Considering this ISP seems to be not entirely unusual in the USA, and the fact that the USA generates well over 50% of the world's junk mail, you don't have to be a rocket scientist to see the correlation - and the obvious solution.

The only consolation is that SPF will catch a lot, if not most of the junk mail injected by such means.



Slainte,
JohnP.
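To make the point in the last message concrete, here is an added example (not code from the thread or from any of its participants) of the SPF check a receiver would apply to mail injected through such an ISP relay. The records, domain names and the relay address 203.0.113.25 are constructed stand-ins, not the ISP's real data; the evaluator goes slightly beyond the thread by handling ip4/ip6, include: and all the qualifiers, which is enough to show when the relay's mail passes and when it fails.

```python
import ipaddress

# Constructed SPF records (not real DNS data) standing in for the TXT records
# an SPF-checking receiver would look up for the envelope sender's domain.
RECORDS = {
    "isp.example": "v=spf1 ip4:203.0.113.0/24 -all",    # the ISP lists its own relay range
    "victim.example": "v=spf1 ip4:198.51.100.10 -all",  # a forged domain: relay is not listed
    "lax.example": "v=spf1 ip4:198.51.100.10 ~all",     # same, but only a softfail policy
}


def check_spf(domain, client_ip, records=RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for client_ip
    using MAIL FROM <...@domain>. Handles ip4/ip6, include: and all, with the
    +, -, ~ and ? qualifiers; a/mx/ptr need live DNS and are skipped here."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # mismatched address families never match (IPv4 addr vs ip6 net)
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, client_ip, records) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                         # unsupported offline: a, mx, ptr, exists
        if matched:
            return results[qualifier]
    return "neutral"                         # ran off the end without a match


def relay_scenario(relay_ip="203.0.113.25"):
    """Results for mail a subscriber pushes through the ISP relay while
    claiming various envelope sender domains."""
    return {d: check_spf(d, relay_ip) for d in
            ("isp.example", "victim.example", "lax.example", "unpublished.example")}
```

Only the forged-sender cases are caught: a domain whose record does not list the relay fails (or softfails), while junk sent under the ISP's own domain, or under a domain with no SPF record at all, is not rejected by SPF.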

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com