Anti-spam measures

> 
> I have been thinking about something much more easily implemented:
> 
> Participating ISPs adds a TEXT record in DNS for the IP numbers
> of all their dial-in ports which say
> 
> 	W.X.Y.Z.IN_ADDR.ARPA.	IN	TXT	"NOSMTP"
> 
> Sendmails refuse email from such IP#, unless specifically instructed
> otherwise (ie: at the home ISP of the ports).
> 
> How is that for a short term solution ?
> 
> This allows responsible ISPs to clearly signal to the rest of the
> net that "Don't trust this guy for SMTP".

 I believe there are lots of possible short term solutions, or hacks.
 Many of them are very good and working. But their most problem is that
 they call for free cooperation, not a standard. 

 I believe that every single sysop already ten years ago knew dead sure
 that SMTP is totally unsecure and is calling for trouble. At these
 days perhaps noone could imagine that the first real trouble would be 
 spam, perhaps people were more afraid of fake mail fraud.

 It is probably unrealistic to implement SMTP authentication or strict
 SMTP interdomain (or interAS) routing. SMTP so deeply depends on trust
 of remote site that it has overgrown for now.
 Your proposed method perhaps works ok, if all follow that, but it is
 IMHO allow-all-deny-some policy, and as such, prone to human errors
 and plain time-shortage (or carelessness). I'd wish to see a kind of
 follow-rules-or-it-simply-doesn't-work policy.

 To enforce that for now, we for eg. force all our dialin users to use our
 mail server as mail relay, thus we can always track down exactly who
 was the abuser. By also running anti-spam patches we filter our all
 sort of invalid domains. Spammers are not common here. So, we don't
 need that TXT record in the dns at all. If we have a spammer, we are
 very deeply worried about it, because we take responsibility for what
 our users do under our name. But this is not widely adopted policy,
 you know. Now, what I'd really like to be sure in, is that no
 other host on earth ever uses successfully our domain name for spamming,
 and I feel that the only way to ensure this would be a technical
 solution that makes this impossible. Simple rule that you can receive
 a message from a domain _only_ from a host responsible for that domain
 cuts off all kind of outsiders who might wish to spam with your name.
 But, for this rule to have any power, it have to be a standard.

 By implementing widely proposed method, we'd effectively force
 all internet users to use their home mail server, thus making it
 possible at least in theory to track down any spammer. And if added
 the only way to post mail message is via authenticated pop3 session,
 we can make sure that locked users never appear on the net again.
 Thus we can still make authenticated SMTP service, sort of..
 
 Only then we can talk about trust between different sites. If you 
 don't trust remote site, you can cut it off in worst case. If you
 do trust, then you rely on responsibility of remote administration
 and this usually works ok.

 What I basically propose, is to reduce anarchy in SMTP world before
 its too late. I'd love to see new RFC on SMTP, that pretty strictly
 specifies how SMTP servers and clients MUST behave, leaving out
 end-nodes and hinting that end-users should (or must) use other means
 to inject email messages to the SMTP world. Then, ideally, update
 RFC on pop3 to add method to inject mail from there and call for
 vendors to follow this RFC. After some time, when enough client software
 appears, make a slow switch, cutting off non-followers.



 ----------------------------------------------------------------------
  Andres Kroonmaa                                mail: andre at online.ee
  Network Manager
  Organization:            MicroLink Online       Tel:        6308 909
  Tallinn, Sakala 19                              Pho:  +372  6308 909
  Estonia, EE0001        http://www.online.ee     Fax:  +372  6308 901
 ----------------------------------------------------------------------