On Oct 17, 2009, at 9:31 AM, "Larry Seltzer" <la...@larryseltzer.com> wrote:
>>> With a fully authenticated protocol we could limit the valid source
>>> addresses of the spam to the one associated with the compromised
>>> user.
>
> That reduces it to a trust decision, right? We've had this option for
> years with DKIM, at least at the domain level, and it doesn't seem to
> have changed things much. Would authenticating down to the sender level
> really improve things? (I hate it when I talk defeatist, but that's how
> I feel about this issue.)

DKIM is optional and not widely implemented. When implemented by a domain, it's not always validated by recipients. In its best case it prevents spoofing of individual domains, forcing spammers to use one of the many, many other non-DKIM or unused domains.

XMPP implements server-to-server communication with two unidirectional channels. If I try to send a message to your user, my server connects to yours and yours connects back to a listed server for the domain. This should limit sender spoofing.

From there it would be a matter of trust. Malicious domains could be blacklisted. Malicious users can be kept in check by server admins trying to avoid blacklisting.

Of course none of this matters unless we could coordinate a shift off of SMTP, which would likely be about as fast as the IPv6 migration unless there was a simple migration path.
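The connect-back check described in the message above, sketched as an added example (not part of the original post, and not any XMPP server's code). It assumes a dict in place of the DNS lookup for a domain's listed server and an HMAC key derivation modeled on the one recommended for XMPP server dialback; all class, function and domain names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for DNS: the server each domain lists as authoritative.
LISTED_SERVER = {}


class Server:
    def __init__(self, domain):
        self.domain = domain
        self.secret = secrets.token_bytes(32)  # never leaves this server
        LISTED_SERVER[domain] = self

    def dialback_key(self, originating, receiving, stream_id):
        # Key bound to both domains and the stream, keyed by this server's secret.
        k = hashlib.sha256(self.secret).digest()
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(k, msg, hashlib.sha256).hexdigest()

    def verify(self, receiving, stream_id, key):
        # Second channel: the listed server confirms or denies a key for its domain.
        expected = self.dialback_key(self.domain, receiving, stream_id)
        return hmac.compare_digest(expected, key)

    def accept_stream(self, claimed_domain, stream_id, key):
        # Receiving side: ignore who connected, ask the server listed for the claim.
        listed = LISTED_SERVER.get(claimed_domain)
        return listed is not None and listed.verify(self.domain, stream_id, key)


def connect(sender, claimed_domain, receiver):
    """Sender opens a stream to receiver, asserting claimed_domain as its identity."""
    stream_id = secrets.token_hex(8)  # per-stream value chosen by the receiver
    key = sender.dialback_key(claimed_domain, receiver.domain, stream_id)
    return receiver.accept_stream(claimed_domain, stream_id, key)


def demo():
    a, b, rogue = Server("a.example"), Server("b.example"), Server("rogue.example")
    return {
        "honest": connect(a, "a.example", b),           # listed server vouches
        "spoofed": connect(rogue, "a.example", b),      # a.example denies the key
        "unlisted": connect(rogue, "nowhere.example", b),  # no server to call back
        "own_domain": connect(rogue, "rogue.example", b),  # passes: now a trust call
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the point the message makes: the connect-back only proves control of the claimed domain, so a hostile domain still authenticates and has to be handled by reputation or blacklisting.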