Re: SMTP authentication for broadband providers

[Sean Donelan <sean () donelan com>]

On Wed, 11 Feb 2004, Alex Bligh wrote:
> I think you are missing the point. I have lots of people abusing my port
> 25. They can abuse this due to the nature of the (current unadorned) SMTP
> protocol as I have to leave it open and unauthenticated in order to receive
> mail to users served by my server.

The bulk of the abuse (some people estimate 2/3's) is due to compromised
computers.  The owner of the computer doesn't know it is doing it.
Unfortunately, once the computer is compromised any information on that
computer is also compromised, including any SMTP authorization
information.

SMTP Auth is not the silver bullet to solve the spam problem.  As it
becomes more widely deployed, it will become less effective.  It only
appears to work now because SMTP AUTH is still a bit of a niche.
Nevertheless SMTP AUTH is already being abused, and I expect complaints
about users using plain smtp and smtp auth to eventually be equal.

Right now SMTP AUTH is a bit more useful because the mailer can directly
identify the compromised subscriber.  But I expect this to also be
short-lived.  Eventually the compromised computers will start passing
authentication information.

But it seems like people latch on to the "shiny new thing."

I think MUA-to-MTA authentication for submission as well as collection
is a good thing.  Its been developed several times already, and maybe
this time it has the right features to catch on.  But it will not solve
either spam nor abuse.