funsec mailing list archives
Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)
From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 16 Oct 2009 07:56:32 -0400
On Tue, Oct 13, 2009 at 10:36:00AM -0500, Dan White wrote:
> There is a difference. SMTP is not based on end-to-end security. It's based on a chain of trust, and most of the chains have absolutely no security - if I send email to AOL, they pretty much have to trust me. I don't verify who I am. If I'm an ISP and I accept email from a customer (because they're on my network, or they authenticate to me), I relay their email to AOL, and I can't reliably tell that it's SPAM.

<pedantic>
First, the proper term is "spam". "SPAM" is a product of the Hormel Corporation and has nothing to do with SMTP.
</pedantic>

And second, this is not true:

> If email was based on end-to-end security, then SPAM is a problem between two specific users of the internet (my residential broadband customer and an AOL user).

If you're relaying spam, then it's [in part] *your* spam. Everyone involved in propagating and supporting abuse has to take a share of the blame: the spammer who paid for it, the botnet operator who generated it, the user who allowed their system to be hijacked, the network operator who transited the traffic, the mail system operator who relayed the message, the web site hoster providing services, everyone. Nobody gets a pass. Nobody gets to evade their share of responsibility.

> SMTP needs to go away, and be replaced by something that resembles end-to-end messaging passing, rather than the horrible touchy feely pseudo-chain-of-trust that it is today.

And even if it did, that would do absolutely nothing to solve the problem we currently face (i.e. 100M+ zombies): it'd just shift it to another protocol. And while SMTP abuse is one of the more visible external symptoms of the underlying security problem, it's by no means the only one and probably not even the most important, given that we developed quite effective defenses against it years ago.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.