funsec mailing list archives

Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)


From: Valdis.Kletnieks () vt edu
Date: Tue, 20 Oct 2009 08:53:49 -0400

On Tue, 20 Oct 2009 08:29:53 EDT, "G. D. Fuego" said:

> Am I naive in considering spoofed sender spam and true sender spam
> (including stolen credentials) two separate problems requiring two
> separate tactics?

In both cases - spoofed and stolen creds - the mail isn't sent by the
person it claims to be sent by.  The only difference is the details.

> Implementing an as of yet undefined solution to limit all emails to
> the real domain infrastructure seems worthwhile to me even if it
> doesn't solve the stolen credential or incompetent admin problems.

There are two easily implemented ways for the spammers to do it. You address
one, and totally fail to fix the other.  All this does is create a lot of work
for a lot of people in order to shift the problem over to the other way, where
they continue unabated.

So why is it worthwhile?

As has been pointed out, there's around 100M compromised boxes with credentials
waiting to be abused.  Anything that fails to account for that is simply
not worth the effort, as it's broken as designed.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.