Anti-spam measures
Andres Kroonmaa andre at ml.ee
Tue Jan 13 09:47:10 CET 1998
> > I have been thinking about something much more easily implemented: > > Participating ISPs adds a TEXT record in DNS for the IP numbers > of all their dial-in ports which say > > W.X.Y.Z.IN_ADDR.ARPA. IN TXT "NOSMTP" > > Sendmails refuse email from such IP#, unless specifically instructed > otherwise (ie: at the home ISP of the ports). > > How is that for a short term solution ? > > This allows responsible ISPs to clearly signal to the rest of the > net that "Don't trust this guy for SMTP". I believe there are lots of possible short term solutions, or hacks. Many of them are very good and working. But their most problem is that they call for free cooperation, not a standard. I believe that every single sysop already ten years ago knew dead sure that SMTP is totally unsecure and is calling for trouble. At these days perhaps noone could imagine that the first real trouble would be spam, perhaps people were more afraid of fake mail fraud. It is probably unrealistic to implement SMTP authentication or strict SMTP interdomain (or interAS) routing. SMTP so deeply depends on trust of remote site that it has overgrown for now. Your proposed method perhaps works ok, if all follow that, but it is IMHO allow-all-deny-some policy, and as such, prone to human errors and plain time-shortage (or carelessness). I'd wish to see a kind of follow-rules-or-it-simply-doesn't-work policy. To enforce that for now, we for eg. force all our dialin users to use our mail server as mail relay, thus we can always track down exactly who was the abuser. By also running anti-spam patches we filter our all sort of invalid domains. Spammers are not common here. So, we don't need that TXT record in the dns at all. If we have a spammer, we are very deeply worried about it, because we take responsibility for what our users do under our name. But this is not widely adopted policy, you know. Now, what I'd really like to be sure in, is that no other host on earth ever uses successfully our domain name for spamming, and I feel that the only way to ensure this would be a technical solution that makes this impossible. Simple rule that you can receive a message from a domain _only_ from a host responsible for that domain cuts off all kind of outsiders who might wish to spam with your name. But, for this rule to have any power, it have to be a standard. By implementing widely proposed method, we'd effectively force all internet users to use their home mail server, thus making it possible at least in theory to track down any spammer. And if added the only way to post mail message is via authenticated pop3 session, we can make sure that locked users never appear on the net again. Thus we can still make authenticated SMTP service, sort of.. Only then we can talk about trust between different sites. If you don't trust remote site, you can cut it off in worst case. If you do trust, then you rely on responsibility of remote administration and this usually works ok. What I basically propose, is to reduce anarchy in SMTP world before its too late. I'd love to see new RFC on SMTP, that pretty strictly specifies how SMTP servers and clients MUST behave, leaving out end-nodes and hinting that end-users should (or must) use other means to inject email messages to the SMTP world. Then, ideally, update RFC on pop3 to add method to inject mail from there and call for vendors to follow this RFC. After some time, when enough client software appears, make a slow switch, cutting off non-followers. ---------------------------------------------------------------------- Andres Kroonmaa mail: andre at online.ee Network Manager Organization: MicroLink Online Tel: 6308 909 Tallinn, Sakala 19 Pho: +372 6308 909 Estonia, EE0001 http://www.online.ee Fax: +372 6308 901 ----------------------------------------------------------------------
[ lir-wg Archives ]