spf-discuss

Re: [spf-discuss] Can this really be true?

2005-09-23 08:18:16
Andy Bakun writes:
As for "authenticated by virtue of being on [your] network", I think you
mean "authorized" -- either way, that works out perfectly for a
relatively small network with few endpoints.  A cable provider, for
example, has multiple endpoints, most of which they don't directly
control (because they are in people's homes) to which people can connect
a multitude of insecure networking devices.  Just because packets can be
routed in this situation doesn't mean that the traffic is either
authorized or authenticated.

Yes, technically "authorized" is the relevant concept, but in the SMTP
context the primary point of authentication is for the purpose of
acquiring relay permission - of becoming authorized to relay.  There's
no pretense that SMTP "AUTH" implies authenticated mail.  However,
just because the concepts are more or less fused in the SMTP context
is no reason to muddle them, so I'll try to keep my wording more
precise.

By ISP standards, mine is a very small network.  However, compared to
a home user's network or a typical small business network, it is very
large.  More importantly, it is very diverse.  I specialize in serving
small user communities and users with specialized needs.

My users have a choice of three outbound mail relays.  One requires
the client be on my network, one requires POP-before-SMTP, and one
requires SMTP AUTH.  Yes, in principle it's possible someone could
sneak onto my network and use my trusting relay to send spam.  It's
also possible someone could obtain access to an account and use it to
authenticate to one of the other servers and send spam as authorized
mail.  In practice, neither has ever happened on my network.  Other
types of spam episodes have happened (rarely), and they've been
quickly quashed.

If the Alaska network does not police against spamming, it will become
a haven for spammers.  They will be authorized users sending
authorized mail, and requiring them to authenticate first would make
little if any difference.

If the Alaska network does police against spamming, users who use
their presence on the network to send spam as authorized mail (or who
create inadvertent backdoors giving spammers access) will lose their
email privileges.  This will happen whether or not the network's users
have to authenticate to the mail relays.

That was my original point: requiring on-network users to authenticate
does not prevent spam.  Policing the users prevents spam.

The same is true for off-network users.  If the ISP doesn't care about
spamming and lets spammers have email accounts, all authentication
does is authorize them to send spam.

--
Dick St.Peters, stpeters(_at_)NetHeaven(_dot_)com 
