
Re: Anti-spam measures

  • To: Poul-Henning Kamp < >
  • From: "Andres Kroonmaa" < >
  • Date: Tue, 13 Jan 1998 10:47:10 +0200 (EETDST)
  • Cc: zsako@localhost (Janos Zsako),
  • Organization: MicroLink Online
  • Priority: normal

> 
> I have been thinking about something much more easily implemented:
> 
> Participating ISPs add a TEXT record in DNS for the IP numbers
> of all their dial-in ports which say
> 
> 	W.X.Y.Z.IN_ADDR.ARPA.	IN	TXT	"NOSMTP"
> 
> Sendmails refuse email from such IP#, unless specifically instructed
> otherwise (ie: at the home ISP of the ports).
> 
> How is that for a short term solution ?
> 
> This allows responsible ISPs to clearly signal to the rest of the
> net that "Don't trust this guy for SMTP".

 I believe there are lots of possible short term solutions, or hacks.
 Many of them are very good and working. But their main problem is that
 they call for free cooperation, not a standard.

 I believe that every single sysop already ten years ago knew dead sure
 that SMTP is totally insecure and is calling for trouble. In those
 days perhaps no one could imagine that the first real trouble would be
 spam, perhaps people were more afraid of fake mail fraud.

 It is probably unrealistic to implement SMTP authentication or strict
 SMTP interdomain (or interAS) routing. SMTP so deeply depends on trust
 of the remote site that it has overgrown for now.
 Your proposed method perhaps works ok, if all follow that, but it is
 IMHO an allow-all-deny-some policy, and as such, prone to human errors
 and plain time-shortage (or carelessness). I'd wish to see a kind of
 follow-rules-or-it-simply-doesn't-work policy.

 To enforce that for now, we, e.g., force all our dialin users to use our
 mail server as mail relay, thus we can always track down exactly who
 was the abuser. By also running anti-spam patches we filter out all
 sorts of invalid domains. Spammers are not common here. So, we don't
 need that TXT record in the dns at all. If we have a spammer, we are
 very deeply worried about it, because we take responsibility for what
 our users do under our name. But this is not a widely adopted policy,
 you know. Now, what I'd really like to be sure of is that no
 other host on earth ever successfully uses our domain name for spamming,
 and I feel that the only way to ensure this would be a technical
 solution that makes this impossible. A simple rule that you can receive
 a message from a domain _only_ from a host responsible for that domain
 cuts off all kinds of outsiders who might wish to spam with your name.
 But, for this rule to have any power, it has to be a standard.

 By implementing widely proposed method, we'd effectively force
 all internet users to use their home mail server, thus making it
 possible at least in theory to track down any spammer. And if we add
 that the only way to post a mail message is via an authenticated pop3
 session, we can make sure that locked users never appear on the net again.
 Thus we can still make authenticated SMTP service, sort of..
 
 Only then can we talk about trust between different sites. If you
 don't trust a remote site, you can cut it off in the worst case. If you
 do trust it, then you rely on the responsibility of the remote
 administration and this usually works ok.

 What I basically propose is to reduce anarchy in the SMTP world before
 it's too late. I'd love to see a new RFC on SMTP that pretty strictly
 specifies how SMTP servers and clients MUST behave, leaving out
 end-nodes and hinting that end-users should (or must) use other means
 to inject email messages into the SMTP world. Then, ideally, update
 the RFC on pop3 to add a method to inject mail from there and call for
 vendors to follow this RFC. After some time, when enough client software
 appears, make a slow switch, cutting off non-followers.



 ----------------------------------------------------------------------
  Andres Kroonmaa                                mail: andre@localhost
  Network Manager
  Organization:            MicroLink Online       Tel:        6308 909
  Tallinn, Sakala 19                              Pho:  +372  6308 909
  Estonia, EE0001        http://www.online.ee     Fax:  +372  6308 901
 ----------------------------------------------------------------------
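
The two policies discussed in this message, side by side, as an added example that is not part of the original e-mail: the quoted "NOSMTP" TXT check and the "only from a host responsible for that domain" rule. The DNS data, the `RESPONSIBLE_HOSTS` table and all function names are constructed for illustration; the reverse name uses the standard `in-addr.arpa` form.

```python
import ipaddress

# Constructed data standing in for DNS lookups; every name and address is made up.
TXT_RECORDS = {"7.2.0.192.in-addr.arpa": ["NOSMTP"]}  # dial-in port marked by its ISP
# Hypothetical registry: hosts responsible for sending mail for each domain.
RESPONSIBLE_HOSTS = {"example.net": {"192.0.2.25"}}


def nosmtp_policy(client_ip, home_nets=()):
    """Allow-all-deny-some: refuse only if the reverse name carries TXT "NOSMTP"."""
    ip = ipaddress.ip_address(client_ip)
    # The port's home ISP is "specifically instructed otherwise" and still accepts.
    if any(ip in ipaddress.ip_network(net) for net in home_nets):
        return True
    return "NOSMTP" not in TXT_RECORDS.get(ip.reverse_pointer, [])


def responsible_host_policy(client_ip, mail_from):
    """Deny by default: accept a domain's mail only from a host listed for it."""
    domain = mail_from.rpartition("@")[2].lower()
    return client_ip in RESPONSIBLE_HOSTS.get(domain, set())


def compare(client_ip, mail_from):
    """Return (accepted under NOSMTP check, accepted under responsible-host rule)."""
    return (nosmtp_policy(client_ip), responsible_host_policy(client_ip, mail_from))


if __name__ == "__main__":
    cases = [
        ("192.0.2.7", "user@example.net"),     # marked dial-in port
        ("198.51.100.9", "user@example.net"),  # dial-in port whose ISP never added the record
        ("192.0.2.25", "user@example.net"),    # the domain's own mail server
    ]
    for ip, sender in cases:
        print(ip, sender, compare(ip, sender))
```

The second case is the human-error failure mode: an unmarked dial-in port passes the TXT check but is still refused by the deny-by-default rule.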



