Firewall Wizards mailing list archives
Re: Spam (or, how to buy Cheap Korean Cellphones :-)
From: Rod Gilchrist <rod () borderware com>
Date: Sat, 7 Feb 2004 10:44:58 -0500
On Saturday, February 7, 2004, at 08:32 AM, Paul Robertson wrote:
> On Fri, 6 Feb 2004, Rod Gilchrist wrote:
>> Anyway, not a huge problem there. That's what smtp authentication is for. Send your mail via the other domain's smtp proxy (from the outside) and have them sign it. In order to do so you need a valid user ID and password.
>
> So, now you're requiring domains that don't normally allow 3rd party relay to enable it to allow their customers to continue to use their primary e-mail domain?

I'm not requiring anything. I'm noting that a protocol that is becoming increasingly popular if not widespread, deals pretty effectively with the issue you raised. Companies are implementing smtp authentication primarily because their people who are traveling want to have the email they send come from their corporate mail address so that it appears official and doesn't get stopped as spam.

>> If they don't have a policy that involves them knowing who is sending mail through their smtp gateway and ensuring that none of the authorized users behave like spammers, their reputation gets mucked up.
>
> Yet, if they have a policy that allows relay for their own IPs, you're suddenly opening up an authentication scheme and worse-yet authentication credentials to external attack.
>
> I really don't believe that forcing authentication credentials is the answer- we are, after all talking about home users where there are already *hundreds of thousands* of compromised machines. Putting credentials on compromised machines compromises the credentials. Requiring more credentials to be distributed and more authentication mechanisms to be exposed does not raise the net security of the Net. I'd really rather not replace an exploited infrastructure with an exploitable infrastructure.

I'm of the opinion that a perfect solution is just not going to drop into our lap. The only thing that is going to work is bite size partial solutions that get deployed. Eventually they'll become enough of a solution that spam will largely be dealt with. Everything else takes way, way too much debate to get enough of a consensus to be useful.

In terms of exploited machines inside your net, again this isn't an insurmountable problem. Apply a policy on your outbound smtp gateway; only so many messages from any one machine before you stop accepting mail from it. Reset every 24 hours to allow for the machine being reinstalled.

- Rod
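
The outbound-gateway policy described at the end of the message above (a per-machine message cap that resets every 24 hours), sketched as an added example; it is not part of the original message or of any product's code. The limit of 3, the class and function names, and the sample events are assumptions, since the message gives no threshold.

```python
DAY = 24 * 60 * 60  # the 24-hour reset from the message, in seconds


class OutboundQuota:
    """Per-machine message cap for an outbound SMTP gateway (hypothetical helper)."""

    def __init__(self, limit, window=DAY):
        self.limit = limit      # assumed threshold, tune per site
        self.window = window
        self.hosts = {}         # source IP -> [window_start, accepted, refused]

    def _entry(self, host, now):
        entry = self.hosts.get(host)
        # First message from this host, or 24 h elapsed: start a fresh window so a
        # cleaned or reinstalled machine can send again.
        if entry is None or now - entry[0] >= self.window:
            entry = self.hosts[host] = [now, 0, 0]
        return entry

    def accept(self, host, now):
        """Return True if the gateway should take a message from host at time now."""
        entry = self._entry(host, now)
        if entry[1] >= self.limit:
            entry[2] += 1       # count refusals: a capped host is worth investigating
            return False
        entry[1] += 1
        return True

    def over_quota(self, now):
        """Hosts refused in their current window, with refusal counts."""
        return {h: e[2] for h, e in self.hosts.items()
                if e[2] and now - e[0] < self.window}


def replay(events, limit):
    """Run (timestamp, source_ip) events through a quota; return decisions and state."""
    quota = OutboundQuota(limit)
    return [(ts, host, quota.accept(host, ts)) for ts, host in events], quota


# Constructed sample: one quiet host, one host bursting, then the same host a day later.
SAMPLE_EVENTS = [
    (0, "10.0.0.5"), (10, "10.0.0.9"), (20, "10.0.0.9"), (30, "10.0.0.9"),
    (40, "10.0.0.9"), (50, "10.0.0.9"), (60, "10.0.0.5"), (90000, "10.0.0.9"),
]

if __name__ == "__main__":
    for ts, host, ok in replay(SAMPLE_EVENTS, limit=3)[0]:
        print(ts, host, "accept" if ok else "refuse")
```

The refusal counts from `over_quota` double as a detection signal: a machine that keeps hitting the cap is a candidate for inspection before its window resets.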