[TriLUG] Another seal broken... thinking of installing a C/R anti-spam system

Tanner Lovelace clubjuggler at gmail.com
Sun Jan 28 00:12:50 EST 2007


On 1/27/07, Magnus <magnus at trilug.org> wrote:
> jonc at nc.rr.com wrote:
> > We really need to press for smtp-auth to become the standard of the
> > 21st century.
>
> How will that fix anything?  This only fixes mail within the confines of
> a domain but inter-domain mail wouldn't be protected by this at all.
>
> http://en.wikipedia.org/wiki/SMTP-AUTH says:
> > SMTP-AUTH provides an access control mechanism. It can be used to
> > allow legitimate users to relay mail while denying relay service to
> > unauthorized users, such as spammers. It does not guarantee the
> > authenticity of either the SMTP envelope sender or the RFC 2822
> > "From:" header. For example, spoofing, in which one sender
> > masquerades as someone else, is possible even with SMTP-AUTH.
> >
> > The SMTP-AUTH extension also allows one mail server to indicate to
> > another that the sender has been authenticated when relaying mail. In
> > general this requires the recipient server to trust the sending
> > server, meaning this aspect of SMTP-AUTH is rarely used in the
> > Internet. The recipient of an e-mail message cannot tell whether the
> > sender was authenticated, so use of SMTP-AUTH is only a very partial
> > solution to the problem of spam.

Magnus,

You need to go back to his previous message in this thread:

JonC said:
>We need for all SMTP to be authenticated and only accepted from the
>authoritative source of that domain. That would effectively cripple
>Spammers. It's not like we allow folks to POP email as a user without
>using a password! Why should we let people drop off email without the
>same protection. Alas, that would mean that folks who make email clients
>would have to adapt them to using auth-smtp. Something so logical seems
>to be beyond the capabilities of Microsoft.

I believe the point is that if everyone must authenticate to their server
then you can specify the authoritative MX for that domain and only
accept e-mail from that server for that domain.

There are, however, two problems I see with this.

1. Forwarding domains.  For instance, I have an e-mail address @acm.org.
Acm.org doesn't store it for me.  Instead, I give them a valid e-mail address
and they forward it there.  If Jon's wish became true, I would have to send
all e-mail with that as a return address from the acm.org servers.  This would
basically make the forwarding service that much harder to implement (because
of the need to also provide outgoing SMTP servers) to make it basically not
worth it.  Right now, I can specify that as a return address from anywhere,
and if my e-mail address ever changes, just update the forwarder.

2. I have e-mail addresses in several domains.  Right now, I can specify
whatever return address I want and send it from whatever e-mail
server I can authenticate to.  (the TriLUG SMTP server, for instance).
With Jon's scheme in place, this would not work.  I would have to specify
individual servers for each and every return e-mail address.  While I
believe Thunderbird does support this somewhat, I've heard it's not
completely stable (i.e. sometimes it will just try to send e-mail through
the main smtp server).

So, those are two objections. The second one is solvable with better software.
The first one, however, is much more problematic.  I'd love to hear suggestions
for it (but not ones that suggest not using it).

Cheers,
Tanner

-- 
Tanner Lovelace
clubjuggler at gmail dot com
http://wtl.wayfarer.org/
(fieldless) In fess two roundels in pale, a billet fesswise and an
increscent, all sable.
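
The check discussed in this thread (accept mail for a domain only from that domain's authoritative servers), sketched as an added example that is not part of the original message. The IP ranges, the `.example` host names and the function names are constructed for illustration; it shows which submission server each return address would be forced through, and that a forwarding-only address is left with none.

```python
import ipaddress

# Constructed data (RFC 5737 documentation ranges): the outbound servers each
# domain would declare as authoritative under the proposed scheme.
AUTHORITATIVE = {
    "acm.org": ["192.0.2.0/28"],
    "gmail.com": ["198.51.100.0/24"],
    "trilug.org": ["203.0.113.25/32"],
}

# Constructed: servers this user can authenticate to with SMTP-AUTH.
# acm.org only forwards, so the user holds no account on its servers.
MY_SERVERS = {
    "smtp.gmail.example": "198.51.100.7",
    "smtp.trilug.example": "203.0.113.25",
}

def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()

def accept(client_ip, envelope_from, policy=AUTHORITATIVE):
    """Receiver-side check: accept only if the connecting host is an
    authoritative sender for the return address's domain."""
    ip = ipaddress.ip_address(client_ip)
    nets = policy.get(domain_of(envelope_from), [])  # unknown domain: reject
    return any(ip in ipaddress.ip_network(n) for n in nets)

def usable_servers(return_address, my_servers=MY_SERVERS, policy=AUTHORITATIVE):
    """Servers the user can log in to that receivers would also accept
    for this return address."""
    return sorted(name for name, ip in my_servers.items()
                  if accept(ip, return_address, policy))

if __name__ == "__main__":
    for addr in ("tanner@trilug.org", "tanner@gmail.com", "tanner@acm.org"):
        servers = usable_servers(addr)
        print(f"{addr:20} -> {', '.join(servers) or 'no server can send this'}")
```
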


