Firewall Wizards mailing list archives

Re: Spam (or, how to buy Cheap Korean Cellphones :-)


From: Rod Gilchrist <rod () borderware com>
Date: Sat, 7 Feb 2004 10:44:58 -0500


On Saturday, February 7, 2004, at 08:32 AM, Paul Robertson wrote:

On Fri, 6 Feb 2004, Rod Gilchrist wrote:

Anyway, not a huge problem there. That's what smtp authentication
is for. Send your mail via the other domain's smtp proxy (from the
outside)
and have them sign it. In order to do so you need a valid user ID and
password.

So, now you're requiring domains that don't normally allow 3rd party relay
to enable it to allow their customers to continue to use their primary
e-mail domain?

I'm not requiring anything.

I'm noting that a protocol that is becoming increasingly popular if not
widespread, deals pretty effectively with the issue you raised.

Companies are implementing smtp authentication primarily because
their people who are traveling want to have the email they send come from
their corporate mail address so that it appears official and doesn't get
stopped as spam.


If they don't have a policy that involves them knowing who is sending
mail through their smtp gateway and ensuring that none of the
authorized users behave like spammers, their reputation gets mucked up.

Yet, if they have a policy that allows relay for their own IPs, you're
suddenly opening up an authentication scheme and worse-yet authentication
credentials to external attack.

I really don't believe that forcing authentication credentials is the
answer- we are, after all, talking about home users where there are
already *hundreds of thousands* of compromised machines. Putting
credentials on compromised machines compromises the credentials.
Requiring more credentials to be distributed and more authentication
mechanisms to be exposed does not raise the net security of the Net.

I'd really rather not replace an exploited infrastructure with an
exploitable infrastructure.

I'm of the opinion that a perfect solution is just not going to drop into
our lap.

The only thing that is going to work is bite size partial solutions that
get deployed. Eventually they'll become enough of a solution that spam
will largely be dealt with.

Everything else takes way, way too much debate to get enough of a
consensus to be useful.

In terms of exploited machines inside your net, again this isn't an
insurmountable problem. Apply a policy on your outbound smtp gateway;
only so many messages from any one machine before you stop accepting
mail from it. Reset every 24 hours to allow for the machine being reinstalled.

- Rod

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
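The per-machine outbound quota Rod describes at the end of his message, written out as an added example that is not part of the original post and is not taken from any gateway product: count messages per submitting client address, stop accepting once a daily limit is reached, and start counting afresh 24 hours later so a reinstalled or cleaned machine gets mail flowing again. The limit of 5, the 24-hour window, the log line format and the submission log (with 192.0.2.77 playing the compromised host) are all constructed for the illustration.

```python
"""Fixed-window outbound message quota keyed by client address.

Added illustration of the policy in the post (not code from the original
message or from any product). The limit, the window, the log format and
the sample submissions below are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 5                  # assumed; a real gateway would use a far larger number
WINDOW = timedelta(hours=24)     # "reset every 24 hours"


class OutboundQuota:
    """Per-client counter: the window starts at a client's first message and
    is discarded once 24 hours have passed, whether or not it was blocked."""

    def __init__(self, limit=DAILY_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._state = {}  # client ip -> (window_start, messages_seen)

    def admit(self, client_ip, now):
        """Return True to accept the message, False if the client is over quota."""
        start, count = self._state.get(client_ip, (None, 0))
        if start is None or now - start >= self.window:
            # First message, or the old window has expired: start a new one.
            start, count = now, 0
        if count >= self.limit:
            # Over quota; keep the window so the block holds until it expires.
            self._state[client_ip] = (start, count)
            return False
        self._state[client_ip] = (start, count + 1)
        return True


def parse_submission(line):
    """Parse one constructed log line of the form '<ISO timestamp> <client ip>'."""
    ts, ip = line.split()
    return datetime.fromisoformat(ts), ip


def apply_policy(log_lines, limit=DAILY_LIMIT, window=WINDOW):
    """Run the quota over time-ordered submissions; return [(ip, accepted), ...]."""
    quota = OutboundQuota(limit, window)
    decisions = []
    for line in log_lines:
        now, ip = parse_submission(line)
        decisions.append((ip, quota.admit(ip, now)))
    return decisions


def rejected_counts(decisions):
    """Rejected messages per client, for the daily report."""
    counts = defaultdict(int)
    for ip, accepted in decisions:
        if not accepted:
            counts[ip] += 1
    return dict(counts)


# Constructed submission log: 192.0.2.10 is an ordinary user, 192.0.2.77 is
# the compromised machine that starts spewing at 09:05 and gets reinstalled
# before the next morning.
SAMPLE_SUBMISSIONS = [
    "2004-02-07T09:00:00 192.0.2.10",
    "2004-02-07T09:05:00 192.0.2.77",
    "2004-02-07T09:05:02 192.0.2.77",
    "2004-02-07T09:05:04 192.0.2.77",
    "2004-02-07T09:05:06 192.0.2.77",
    "2004-02-07T09:05:08 192.0.2.77",   # fifth message: last one accepted
    "2004-02-07T09:05:10 192.0.2.77",   # over quota
    "2004-02-07T09:05:12 192.0.2.77",   # over quota
    "2004-02-07T11:30:00 192.0.2.10",
    "2004-02-07T17:00:00 192.0.2.77",   # still inside the 24h window: rejected
    "2004-02-08T09:30:00 192.0.2.77",   # window expired: accepted again
]

if __name__ == "__main__":
    decisions = apply_policy(SAMPLE_SUBMISSIONS)
    for ip, accepted in decisions:
        print(ip, "accept" if accepted else "REJECT")
    print("rejected per client:", rejected_counts(decisions))
```

The window is anchored at each client's first message rather than at midnight, so a machine that starts spamming late in the evening is still limited to the daily count before it can continue; a gateway that requires SMTP authentication would key the same counter on the authenticated user as well as the address, since the thread's point is that the credential, not just the host, is what gets abused.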