
Re: [spf-discuss] Can this really be true?

2005-09-26 11:16:35
Stuart D. Gathman writes:
> On Sat, 24 Sep 2005, Dick St.Peters wrote:
>
> > The point you keep missing is that SMTP AUTH does nothing to fix
> > this.  If users can send mail using SMTP AUTH, they can send spam
> > using SMTP AUTH, and an ISP that does not police its users sending
> > mail without AUTH is even less likely to police those using AUTH.
> > Policing is what matters.
>
> The point I think you are missing is that with SMTP AUTH, the ISP
> can prevent forgery.  Your point is correct: if all customers are simply
> using the ISP provided domain, then SMTP AUTH adds absolutely nothing
> (except to prevent forgery of another customer's localpart - if implemented).
> However, an ISP can require all customers wishing to use their own domain
> to register that domain with the ISP relay (if they want to use the relay).
> Combined with blocking port 25, this will stop all forged mail from
> the ISP's net blocks.  Here at SPF, we are not directly concerned with stopping
> spam, but with stopping forgery.

The point I would say you are missing is that it's not SMTP AUTH
that's preventing forgery, it's the things you describe as layered on
top of SMTP AUTH that would prevent forgery.  The point is
non-trivial: my pop-before-smtp relay will relay only mail from
registered domains even for pop-authorized IPs, no SMTP AUTH required.
So I'm achieving the result you describe using basically the mechanism
you describe, but I'm doing it without SMTP AUTH on that server.

(My users don't actually have to "register" a domain with me - it's
done automatically if I handle the domain's mail.)

I do use SMTP AUTH on another server, and I would love it if all my
users would switch, but it ain't gonna happen.

None of this has anything to do with whether the user is using the
ISP's domain - my domain in my users' case.  My domain is just another
"registered" domain, one that happens to have a lot of users.

> I'm sure you'll point out that a spammer can simply register his/her
> throwaway spam domain du jour.  But this is yet another cost to a
> spammer's business that is insignificant for a legitimate user with
> a long-lived domain.  Also, a high rate of domain registration is
> a big red flag for an ISP policing spam (as opposed to preventing forgery).

I agree, but this has nothing to do with SMTP AUTH.

> True, this does nothing to stop spammers from sending their crud MAIL FROM
> the ISP domain, and the ISP will have to continue doing the stuff you
> talk about to maintain their own domain's reputation.  But those
> of us clamoring for SMTP AUTH (with cross customer forgery prevention
> implemented) are after the forgery prevention - not because we think
> it will directly stop spam.  We just want accountability.

I will make the same claim about forgery I made about spam: what
matters is that there not be any forgery, not how the ISP achieves
that.

"Cross customer forgery" can be hard even to define in the real world
with users who have multiple businesses with multiple domains sharing
facilities and people with other businesses with other domains.

--
Dick St.Peters, stpeters(_at_)NetHeaven(_dot_)com 
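The relay policy the two posters are arguing over, written out as a small admission check, is an added example and not code from either of them or from any particular MTA. It assumes a hypothetical ISP relay with a constructed table of hosted domains (domains the ISP handles mail for are registered automatically, as Dick describes, and mapped to the owning account) and a constructed Session record that says whether the client passed a pop-before-smtp IP check or an SMTP AUTH login. The registered-domain rule is applied in both cases; the per-account binding that stops one customer forging another's domain or localpart can only be enforced when SMTP AUTH has identified the sender, which is exactly the difference the thread is about.

```python
"""Relay admission policy for an ISP submission relay (illustrative, constructed).

Two rules from the spf-discuss thread:
  1. relay only for registered (hosted) domains, whatever the client's
     authorisation method (pop-before-smtp IP or SMTP AUTH);
  2. with SMTP AUTH, additionally bind MAIL FROM to the authenticated
     account so one customer cannot forge another's domain or localpart.
Every domain, account and address below is made up for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed hosted-domain table: domain -> owning account.
# The ISP's own shared domain has no single owner, so its value is None.
DOMAIN_OWNER = {
    "isp.example": None,           # shared ISP domain, many users
    "alice-biz.example": "alice",  # customer-owned, auto-registered
    "bobs-shop.example": "bob",
}


@dataclass
class Session:
    client_ip: str
    auth_user: Optional[str] = None  # account name once SMTP AUTH succeeded
    pop_authorized: bool = False     # client IP recently passed a POP login


def split_address(addr: str) -> Optional[Tuple[str, str]]:
    """Return (localpart, domain), lower-cased, for 'user@domain'; None if malformed."""
    addr = addr.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return local.lower(), domain.lower()


def relay_decision(session: Session, mail_from: str) -> Tuple[bool, str]:
    """Decide whether the relay accepts MAIL FROM <mail_from> on this session.

    Returns (accepted, reason).  The registered-domain rule applies to both
    pop-before-smtp and SMTP AUTH sessions; the per-account binding is only
    possible when SMTP AUTH identified the sender.
    """
    if not (session.auth_user or session.pop_authorized):
        return False, "relay access denied: client not authorised"

    parsed = split_address(mail_from)
    if parsed is None:
        return False, "malformed MAIL FROM"
    local, domain = parsed

    # Rule 1: registered domains only, regardless of how the client authorised.
    if domain not in DOMAIN_OWNER:
        return False, f"domain {domain} is not registered with this relay"

    # Rule 2 (SMTP AUTH only): cross-customer forgery prevention.
    if session.auth_user:
        user = session.auth_user.lower()
        owner = DOMAIN_OWNER[domain]
        if owner is None:
            # Shared ISP domain: the localpart must be the authenticated account.
            if local != user:
                return False, f"{user} may not send as {local}@{domain}"
        elif owner != user:
            return False, f"domain {domain} belongs to {owner}, not {user}"
        return True, f"accepted: {user} is authorised for {domain}"

    # pop-before-smtp: the only identity is the IP, so policy stops at rule 1.
    return True, f"accepted: registered domain {domain} from pop-authorised {session.client_ip}"


if __name__ == "__main__":
    # Constructed sessions for a quick run.
    auth_alice = Session("203.0.113.5", auth_user="alice")
    pop_only = Session("203.0.113.9", pop_authorized=True)
    for sess, sender in [
        (auth_alice, "alice@isp.example"),
        (auth_alice, "bob@isp.example"),
        (auth_alice, "sales@bobs-shop.example"),
        (pop_only, "anyone@bobs-shop.example"),
        (pop_only, "anyone@spammer.example"),
    ]:
        print(f"{sender:32} -> {relay_decision(sess, sender)}")
```

Port-25 blocking, the other half of Stuart's proposal, lives in the ISP's edge filtering rather than in the relay and is what forces customer traffic through this check in the first place; the code assumes it is in place and does not model it.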

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com