> From: [EMAIL PROTECTED]

> ...
> > If your skin doesn't crawl at the thought of a third party adding headers
> > to your SMTP messages, you need to take some time out to think about things.
>
> You mean *other* than the required RFC822 Received: headers, and/or the
> RFC2476-approved re-writing?  Gaak if so.

Consider the following:

] From: [EMAIL PROTECTED] (Jay Levitt)
] Newsgroups: news.admin.net-abuse.email
] Subject: Re: AOL Spammer online now, now what?
] Date: 30 Mar 2000 05:18:23 GMT
] Message-ID: <[EMAIL PROTECTED]>

] ...
] rly-ip* are the new hosts that will catch all port 25 connections from
] *.ipt.aol.com and attempt to filter spam.  They will also add the
] X-Apparently-From: header with the real AOL/CS/whatever screen name. ...


That all sounds fine, if you worry only about reducing spam in the
cheapest way possible.  I think their modifications would be compliant
if they were done by a host that legitimately answers the IP address
to which the SMTP sender thinks it is connecting.  As it stands, how
can these redirectors comply with the postmaster mailbox requirement?
Assuming you figure out what's been done to your SMTP stream, how would
you contact postmaster at the stealthy redirector/filter?

I think it's certifiably crazy to assume that all TCP connections to a
distant port 25 involve SMTP.  Assigned numbers doesn't say you can run
only SMTP on port 25.

It's even crazier to not consider the inevitable next step, stealth SMTP
and HTTP redirector/filters to deal with dirty words or taboo subjects,
and not just sex but politics.

And that's based on the best possible, content-neutral interpretation of
Mr. Levitt's words "filter spam."   I hope AOL would not look for telltale
spam keywords and only do connection rate limiting, if only because I hope
AOL knows that reports of spam would trigger content filters.  I'm even
less confident about other outfits.  

Think about port 25 redirecting used for other kinds of filtering
at certain national borders.

On the other hand, if this doesn't get IPSEC as well as application
layer encryption going, nothing will.


Vernon Schryver    [EMAIL PROTECTED]
