
Re: [anti-spam-wg@localhost] feasibility of antispam actions

On Fri, Oct 24, 2003 at 04:44:05PM -0400, der Mouse wrote:
> Your MUA<->MTA is SMTP rather than SUBMIT?  That seems..suboptimal

No, mine is qmail-inject ;-)

> (albeit admittedly common).  I see no particular reason for your MTA to
> demand an SSL key if it can identify you by some other means (eg,
> RADIUS logs combined with your address and a timestamp).  Where such
> things will be really useful is in MTA<->MTA conversations.

We have a lot of customers that are roaming users or customers that have
field workers. For our roaming users we can identify them (some with
SMTP AUTH, which is stronger, some with SMTPafterPOP (*sigh*), which is
weaker). Same for field workers or foreign representatives of our customers
that authenticate with SMTP AUTH only.
But we still have (and I am sure a lot of other ISPs have also)
whitelisted IP ranges for free access to some of our mailservers.
If such a host is cracked or has an open proxy the attacker can simply
"CONNECT <ip>:25" and that's it :((
With required SSL and valid certs this would become harder.

> I'm not sure.  If the technique is effective, the enforcing ISP will be
> dumping a lot less spam on its customers, and/or sourcing a lot less
> spam, depending on which way the thing goes (the former has immediate
> benefits to customers; the latter indirect, largely through less
> blocking by recipients).  This will make the good guys more attractive.
> If it doesn't make them enough more attractive to offset the cost, then
> the technique is the wrong anti-spam technique.

Webhosters with stable links and servers /should/ be more attractive to
customers, even if they charge 10.99 instead of 9.99 as some hosters with
about 80% availability do. However the 9.99 are still alive and have a
broad customer base, as the customers can't weigh the difference.

So one important point is to know how the admins would estimate the
costs of deploying various anti-spam techniques to circumvent the above
phenomenon. If the system is deployable with reasonable costs (e.g. a
software upgrade like it happens 100s of times anyway) it is IMHO no
problem that the system will spread fast and easy and non-supporters will have
to adhere or they get isolated and as the supporters won't charge
additional costs but offer positive service they'd be the winners.

If the system, however, requires replacing existing software on 100s of
mailservers and big changes to internal admin tools and also additional
schooling for the employees, the cost factor is probably too high to get
the system going.

So what would be interesting is an analysis done by the (mail) admins
of what the implementation costs of various proposals would be. If they are
too high the proposal is a dead end, as it will not be deployed, so
having 10 people work on it is probably of academic interest only.

There is a draft that touches this topic:


SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
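
An added example, not part of the original message: a small audit that a proxy operator inside a whitelisted IP range could run over proxy logs to spot the "CONNECT <ip>:25" relaying described above. The log layout, the sample lines and the function names are assumptions constructed for illustration; the default port set covers only port 25 as in the message, and other ports can be passed in.

```python
import re
from collections import defaultdict

SMTP_PORTS = {25}  # the message mentions port 25 only; extend as needed

# Constructed sample lines in a hypothetical layout:
# <timestamp> <client-ip> <method> <target> <status>
SAMPLE_LOG = """\
2003-10-24T20:01:11Z 198.51.100.7 CONNECT 192.0.2.25:25 200
2003-10-24T20:01:12Z 198.51.100.7 CONNECT 192.0.2.25:25 200
2003-10-24T20:02:40Z 203.0.113.9 CONNECT www.example.org:443 200
2003-10-24T20:03:05Z 203.0.113.9 GET http://www.example.org/ 200
2003-10-24T20:04:19Z 198.51.100.8 CONNECT [2001:db8::25]:25 403
2003-10-24T20:05:00Z 198.51.100.7 CONNECT mail.example.net:587 200
garbage line
"""

# host:port or [ipv6]:port, as used in an HTTP CONNECT target
TARGET_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:\[\]]+)):(?P<port>\d{1,5})$"
)

def parse_connect(line):
    """Return a record for a well-formed CONNECT line, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[2].upper() != "CONNECT":
        return None
    m = TARGET_RE.match(parts[3])
    if not m or not parts[4].isdigit():
        return None
    return {"client": parts[1],
            "host": m.group("v6") or m.group("host"),
            "port": int(m.group("port")),
            "status": int(parts[4])}

def smtp_tunnels(log_text, ports=SMTP_PORTS):
    """Group CONNECTs to mail ports by client, split by proxy answer."""
    report = defaultdict(lambda: {"tunnelled": [], "denied": []})
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None or rec["port"] not in ports:
            continue
        key = "tunnelled" if 200 <= rec["status"] < 300 else "denied"
        report[rec["client"]][key].append((rec["host"], rec["port"]))
    return dict(report)

if __name__ == "__main__":
    for client, hits in smtp_tunnels(SAMPLE_LOG).items():
        print(client, hits)
```

Any client listed under "tunnelled" reached a mail port through the proxy, so the mail server saw the proxy's whitelisted address rather than the client's.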
