[thelist] SMTP and spam prevention (was:The Spam Argument [long] (was: ....)

Steve Lewis nepolon at worlddomination.net
Fri Jul 25 16:24:09 CDT 2003


Andrew Seguin wrote:

>>So quit yapping and do something about it Bruce!  Write a replacement
>>    
>>
>protocol for SMTP that requires senders to authenticate. It has to be a
>lightweight protocol because even without the weight of spam, email is a
>very important network service.  It has to allow authentication against
>an administrator's prefered user base (LDAP, SQL, PAM, BDB, whatever)
>
>Postfix (a unix MTA) supports requiring authentication before sending.
>  
>
I know that there are geeks among us who can configure most MTAs to do 
all of this stuff, they require hacks or use of advanced features that 
are not intuitive, however. This thread really does not need to delve 
into these details, but they are suboptimal solutions. One problem with 
these "Authenticated" SMTP mechanisms that most MTAs use is that it does 
not change the protocol to require authentication, it uses some 
mechanism outside of the SMTP connection to decide if the user is 
authorized or not (source IP address for instance). Adding wrappers to 
an application != integration and the penalty for that is ease-of-use.  
That leads to configuration errors.  That is why I think it would be 
valuable to integrate authentication into the protocol, and that 
requires an RFC.

>>Then write an easy to install and administer piece of software for
>>    
>>
My point is that these are not standard features of the daemons, they 
are based on Frankencode, patches, hacks, and proxies.

>Postfix can either do all that or be made to do all that. To the best of
>  
>
I don't particularly want to go research the mechanisms Postfix uses but 
I know the mechanisms that Sendmail and Qmail uses and while they are 
functional I do not find them elegant or ideal.  Exchange is a nightmare 
for some, Sendmail is a nightmare for others, etc... Postfix I am sure 
has its detractors too.  All of them are limited in their elegance by 
limitations of the protocol.

>each. All from the same two hosts. Both were in the US, one from NYC,
>customer of an ISP, the other in California, customer of a email service
>provider... both were violating the terms of their contracts, so both got
>shut down.
>  
>
I have been the guy who shuts spammers down before, and I loved that 
job.  Domestic spam is easy to deal with.  The problematic spam I 
receive is from oversees fly-by-night hosts.  Regardless, none of these 
reporting-it or filtering-it stategies addresses the problem proactively 
and I have better things to do, and other jobs to do, besides tracking 
down spammers. 

>would be a bad idea to start charging for emails: part of my cost of
>internet is the email account at my ISP. So if everybody is basicaly
>paying the cost of sending, should we also be paying for the receipt? I
>  
>
The point is: why are you paying the cost of receipt of UBE?  The cost 
ought to be incured by the sender, not the receiver, in the first place IMO.





More information about the thelist mailing list