On Tue, Oct 13, 2009 at 10:36:00AM -0500, Dan White wrote:
> There is a difference. SMTP is not based on end-to-end security. It's based
> on a chain of trust, and most of the chains have absolutely no security -
> if I send email to AOL, they pretty much have to trust me. I don't verify
> who I am. If I'm an ISP and I accept email from a customer (because they're
> on my network, or they authenticate to me), I relay their email to AOL, and
> I can't reliably tell that it's SPAM.

<pedantic> First, the proper term is "spam". "SPAM" is a product of the
Hormel Corporation and has nothing to do with SMTP. </pedantic>

And second, this is not true:

> If email was based on end-to-end security, then SPAM is a problem between
> two specific users of the internet (my residential broadband customer and
> an AOL user).

If you're relaying spam, then it's [in part] *your* spam. Everyone involved
in propagating and supporting abuse has to take a share of the blame: the
spammer who paid for it, the botnet operator who generated it, the user who
allowed their system to be hijacked, the network operator who transited the
traffic, the mail system operator who relayed the message, the web site
hoster providing services, everyone. Nobody gets a pass. Nobody gets to
evade their share of responsibility.

> SMTP needs to go away, and be replaced by something that resembles
> end-to-end message passing, rather than the horrible touchy feely
> pseudo-chain-of-trust that it is today.

And even if it did, that would do absolutely nothing to solve the problem we
currently face (i.e. 100M+ zombies): it'd just shift it to another protocol.
And while SMTP abuse is one of the more visible external symptoms of the
underlying security problem, it's by no means the only one and probably not
even the most important, given that we developed quite effective defenses
against it years ago.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.