[TriLUG] Another seal broken... thinking of installing a C/R anti-spam system

Jon Carnes jonc at nc.rr.com
Sun Jan 28 12:40:58 EST 2007


On Sun, 2007-01-28 at 00:12, Tanner Lovelace wrote:
> On 1/27/07, Magnus <magnus at trilug.org> wrote:
> > jonc at nc.rr.com wrote:
> > > We really need to press for smtp-auth to become the standard of the
> > > 21st century.
> >
> > How will that fix anything?  This only fixes mail within the confines of
> > a domain but inter-domain mail wouldn't be protected by this at all.
> >
> Magnus,
> 
> You need to go back to his previous message in this thread:
> 
> JonC said:
> >We need for all SMTP to be authenticated and only accepted from the
> >authoritative source of that domain. That would effectively cripple
> >Spammers. It's not like we allow folks to POP email as a user without
> >using a password! Why should we let people drop off email without the
> >same protection? Alas, that would mean that folks who make email clients
> >would have to adapt them to using auth-smtp. Something so logical seems
> >to be beyond the capabilities of Microsoft.
> 
> I believe the point is that if everyone must authenticate to their server
> then you can specify the authoritative MX for that domain and only
> accept e-mail from that server for that domain.
> 
> There are, however, two problems I see with this.
> 
> 1. Forwarding domains.  For instance, I have an e-mail address @acm.org.
> Acm.org doesn't store it for me.  Instead, I give them a valid e-mail address
> and they forward it there.  If Jon's wish became true, I would have to send
> all e-mail with that as a return address from the acm.org servers.  This would
> basically make the forwarding service that much harder to implement (because
> of the need to also provide outgoing SMTP servers) to make it basically not
> worth it.  Right now, I can specify that as a return address from anywhere,
> and if my e-mail address ever changes, just update the forwarder.
> 

You're right, forwarding services would be more limited. However, your
"Reply-To:" should still work. Even though the "From:" would be whatever
local account you are using; the "Reply-To:" could still be the
forwarding service. 

Your mail would still be logically tagged by the domain and user account
used for submitting this email. The responsibility for the origination
would be maintained... but folks could still respond to the "Reply-To:"
address and the "Reply-To:" forwarder can still forward on any replies
to whatever accounts you like to use for receiving mail.


> 2. I have e-mail addresses in several domains.  Right now, I can specify
> whatever return address I want and send it from whatever e-mail
> server I can authenticate to.  (the TriLUG SMTP server, for instance).
> With Jon's scheme in place, this would not work.  I would have to specify
> individual servers for each and every return e-mail address.  While I
> believe Thunderbird does support this somewhat, I've heard it's not
> completely stable (i.e. sometimes it will just try to send e-mail through
> the main smtp server).
> 
> So, those are two objections. The second one is solvable with better software.
> The first one, however, is much more problematic.  I'd love to hear suggestions
> for it (but not ones that suggest not using it).
> 
> Cheers,
> Tanner
> 

Yep, in my 21st century world of authenticated smtp, folks would set up
their email clients so that an account would have a server login for
pop/imap *and* have a server login for smtp-auth as well.

==
Now that I'm looking around at Grey-listing, I'm seeing all kinds of
interesting stats (and kicking myself for not using it earlier). I'm
seeing stats of 90% of spam being turned away by just rejecting the
initial connection.... 

Of course this is just a temporary spam saving measure. It only works
because the original (broken) bots are still effective at spreading
spam. As soon as folks take a considerable chunk out of those bots'
effectiveness, then humanity will come up with a better bot and those
will be propagated in place of the current lot.

The current system is based on an academic world-view of conscientious
technical folks sharing information. Amazingly, it has worked very well
for a long time - and businesses have come to depend on it working
very well.

Aside: I view the fact that the web and email have worked so well for so
long (and not been exploited worse) shows the strength of character of
the vast majority of technically savvy folks. The folks who understand
the underlying technology of the internet and its protocols are a very
moral and ethical lot! This affirms my belief that Man is basically
good.

But children will play. And some folks have learned to make money by
abusing the trust of others. I hate spam.

The current system of SMTP has worked so well for so long, it is very
difficult to change it. But there is currently a problem with that
system. A growing problem. We need to address the problem of spam with
more than just defensive moves (like gray listing). 

Jon
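
How greylisting turns away senders that never retry, as an added example that is not part of the original message. The triplet key, the delay values and the sample addresses are assumptions constructed for illustration.

```python
# Added illustration of greylisting; all names and values are constructed.
from dataclasses import dataclass, field

MIN_RETRY_DELAY = 300        # seconds before a retry counts (assumed value)
PENDING_LIFETIME = 4 * 3600  # unretried triplets are forgotten after this (assumed)
DEFER = "451 4.7.1 Greylisted, try again later"

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    passed: set = field(default_factory=set)     # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 OK"
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_LIFETIME:
            self.pending[triplet] = now   # first contact (or stale entry): defer
            return DEFER
        if now - first_seen < MIN_RETRY_DELAY:
            return DEFER                  # retried too soon to look like a queue run
        del self.pending[triplet]
        self.passed.add(triplet)          # sender queued the message and came back
        return "250 OK"

def simulate():
    """Constructed traffic: a fire-and-forget bot and an MTA that queues and retries."""
    gl = Greylist()
    results = {}
    # Bot: one attempt, never retries, so the message is never accepted.
    results["bot"] = gl.check("203.0.113.9", "x@spam.example", "jon@example.org", now=0)
    # Real MTA: deferred, retries too early, then retries after its queue interval.
    mta = ("192.0.2.25", "tanner@example.net", "jon@example.org")
    results["mta_first"] = gl.check(*mta, now=10)
    results["mta_early"] = gl.check(*mta, now=70)
    results["mta_retry"] = gl.check(*mta, now=910)
    results["mta_later"] = gl.check(*mta, now=5000)
    return results

if __name__ == "__main__":
    for name, reply in simulate().items():
        print(f"{name:10} {reply}")
```

A sender that queues and retries after the delay gets the same 250 as the real MTA, so the filter only holds while the bots do not retry.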




