Spam Philosophy (was: Re: [lug] Getting mail out of the Qwest/MSN mire)

Nate Duehr nate at natetech.com
Mon Jul 10 20:17:29 MDT 2006


On Jul 10, 2006, at 11:15 AM, Sean Reifschneider wrote:

> On Mon, Jul 10, 2006 at 09:49:42AM -0600, Nate Duehr wrote:
>> address I like from here.  The headers will show it came from my server,
>> and the reply address will go to your real white-listed friend, but I
>> still got my spam into your inbox.
>
> Depends on how you whitelist.  If it's just based on the envelope sender
> address, then you are right.  If you use SPF, or the whitelist is based on
> sender address and remote address maybe even recipient address, it's much
> more difficult to spoof.  vPostMaster, for example, allows you to whitelist
> based on these and more.  You can do things like give a dedicated
> sub-address to a company, and then blacklist it from every mail server
> except ones with reverse DNS matching a regex for that company...

SPF's a dud.  Plenty of spammers out there using rotating IPs and
SPF records that cause the SPF checks to pass.  I have it on, but I  
don't block with it... doesn't seem worth it.  Spammers use accounts  
from real places like Yahoo and MSN also and those pass the SPF  
record test, if I remember correctly.  Complaints to their abuse  
departments are always too little too late, the spammer has already  
signed up for ten more "authenticated" accounts.

>> I don't think we really have authentication to a person on Yahoo or
>> Qwest DSL users.  We have authentication to a username.  Big difference.
>
> So, you're saying that people would get only one identity.  Who enforces
> that?  What happens when someone loses theirs?  What happens when a spammer
> steals the identities of millions of people through phishing, key logging
> and spamware, etc?

Don't know - that's one of the challenges.  :-)  It's time to figure  
that out.  Maybe it'll be as screwed up as ICANN when we all get done  
setting up something that works but is completely screwed from a  
political perspective.  I'm just dreaming here.  :-)

> As far as biometrics and a password, how is my mail server or my e-mail
> client supposed to scan your retina and ask for a password from the sending
> user?  If I don't, how do I know the user sent it instead of being stolen
> by a key logger and retina logger?

How do any biometric systems know this?  (Other than personal
identification of people standing at the entranceway to a
data-center...)  Another challenge.  Maybe your biometric devices need to
be better, they eventually will be.  :-)

>> Why don't you care what other hops it took?  Wouldn't it be nice to know
>> who's harboring the spammers upstream?
>
> In most cases the remote hop is the originating mail server, it's not like
> we're using bang paths and everything goes through 4 or 8 hops...

Very good point... but still doesn't answer the question WHY NOT know
EXACTLY whose servers passed a message to you?  It's also not like
e-mail being anonymous is rarely if ever REALLY needed, ever.  I'm sure
SMTP being open on various messed up configuration boxes worldwide  
helps all sorts of good and bad people alike, but mostly bad.  Time  
to fix the protocol, or at least make it a whole lot better.

I'm not saying it's going to happen soon, I'm just saying it'll never  
happen if we all like SMTP and the mess we've all made and helped  
continue by not saying, "Let's make something better."

--
Nate Duehr
nate at natetech.com
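
The whitelisting variants discussed in the quoted text above (envelope sender only, sender plus remote address, and a dedicated sub-address restricted by reverse DNS), as an added example that is not part of the original message and not vPostMaster's code. The rule format, the names `Msg`, `Rule` and `evaluate`, and all addresses are constructed for illustration; the reverse DNS name is assumed to be forward-confirmed before it reaches this check.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Msg:
    sender: str      # envelope sender (MAIL FROM), chosen freely by the client
    recipient: str   # envelope recipient (RCPT TO)
    remote_ip: str   # address of the connecting server, as seen by our MTA
    rdns: str        # its reverse DNS name; assumed forward-confirmed upstream

@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "reject"
    sender: Optional[str] = None      # None means "any"
    recipient: Optional[str] = None
    network: Optional[str] = None     # CIDR the remote address must fall in
    rdns_regex: Optional[str] = None  # must match the whole rDNS name

    def matches(self, m: Msg) -> bool:
        if self.sender and self.sender.lower() != m.sender.lower():
            return False
        if self.recipient and self.recipient.lower() != m.recipient.lower():
            return False
        if self.network and ip_address(m.remote_ip) not in ip_network(self.network):
            return False
        if self.rdns_regex and not re.fullmatch(self.rdns_regex, m.rdns, re.I):
            return False
        return True

def evaluate(rules, m: Msg) -> str:
    """First matching rule wins; no match hands the message to normal filtering."""
    for rule in rules:
        if rule.matches(m):
            return rule.action
    return "filter"

# Constructed sample data (documentation-reserved names and addresses).
FRIEND, ME, SUB = "friend@example.org", "me@example.net", "me+acme@example.net"
SENDER_ONLY = [Rule("accept", sender=FRIEND)]
SENDER_AND_ADDR = [Rule("accept", sender=FRIEND, recipient=ME, network="192.0.2.0/24")]
SUB_ADDRESS = [Rule("accept", recipient=SUB, rdns_regex=r"(.+\.)?acme\.example"),
               Rule("reject", recipient=SUB)]

genuine = Msg(FRIEND, ME, "192.0.2.10", "mail.example.org")
forged = Msg(FRIEND, ME, "203.0.113.9", "host9.example.com")  # same sender, other server
```

With `SENDER_ONLY` the forged message is accepted outright; with `SENDER_AND_ADDR` it falls through to normal filtering while the genuine one is still accepted.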





