Re: Spam (or, how to buy Cheap Korean Cellphones :-)

[Paul Robertson <proberts () patriot net>]

On Fri, 6 Feb 2004, Rod Gilchrist wrote:

> Anyway, not a huge problem there. That's what smtp authentication
> is for. Send your mail via the other domain's smtp proxy (from the
> outside)
> and have them sign it. In order to do so you need a valid user ID and
> password.

So, now you're requiring domains that don't normally allow 3rd party relay
to enable it to allow their customers to continue to use their primary
e-mail domain?

> If they don't have a policy that involves them knowing who is sending
> mail through their smtp gateway and ensuring that none of the
> authorized users behave like spammers, their reputation gets mucked up.

Yet, if they have a policy that allows relay for their own IPs, you're
suddenly opening up an authentication scheme and worse-yet authentication
credentials to external attack.

I really don't believe that forcing authentication credentials is the
answer- we are, after all taking about home users where there are already
*hundreds of thousands* of compromised machines.  Putting credentials on
compromised machines compromises the credentials.  Requiring more
credentials to be distributed and more authentication mechanisms to be
exposed does not raise the net security of the Net.

I'd really rather not replace an exploited infrastructure with an
exploitable infrastructure.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards