Authentication next step in spam war
(old news - 09:27AM Friday Jun 18 2004)
tags: spam · software
The FTC recently noted that a Do Not Spam Registry won't work until an e-mail authentication standard is agreed upon. Vint Cerf, co-creator of the TCP/IP protocols, apparently agrees, noting that working toward an authentication standard is the best angle from which to approach the war on spammers. The authentication systems being developed by AOL (SPF), Microsoft (Caller ID for e-mail), and Yahoo (DomainKeys) all could prove lucrative. There was a degree of consolidation recently after Microsoft agreed to integrate SPF into their own solution.

Forums » Authenticate Us From Evil
ParanoiaInc

join:2002-08-28
Tucker, GA

Why no revision to SMTP to include authentication?

I've wondered about this for years, but why do we see a need to authenticate only on the POP side and not on the SMTP side? Also, why are there no new email protocols using a new POP/SMTP that affords not just authentication but security features as well?

I would think a company in the business of email servers could go a long way (with free clients) in this area.
keyboard5684

join:2001-08-01
Youngsville, PA
·Verizon Online DSL
·Vonage
·WestPAnet Inc. CA..

Re: Why no revision to SMTP to include authenticat

The problem is not authenticating clients that use SMTP, the problem is authenticating email servers. For example, a client sending mail can authenticate with their ISP's mail server to send mail, but how do we authenticate that ISP's mail server when it sends to the remote domain?

We could not possibly make up logins for every single mail server in the world so they all could communicate.

SPF addresses this in a good way. This way the domain provider themselves says what specific mail servers are allowed to send email with that from address.
fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH

Re: Why no revision to SMTP to include authenticat

said by keyboard5684:
The problem is not authenticating clients that use SMTP, the problem is authenticating email servers.

Exactly. And SPF does not stop spam, it stops forged from addresses. Nothing more.
Megladon1

join:2003-09-05
Minneapolis, MN

Re: Why no revision to SMTP to include authenticat

...and right now that's about 99% of the spam we are all getting.
ParanoiaInc

join:2002-08-28
Tucker, GA
I would think that by only allowing subscribers to send out email through the ISP's authenticating-email servers (block port 25), and disallowing subscriber-centered email servers, this could help address the problem.

jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ

Re: Why no revision to SMTP to include authenticat

This would mostly be an inconvenience for people who don't send SPAM. A lot of people use 3rd party email services because we don't want to use the one provided by our ISP for various reasons.

coward

@pacbell.n

Re: Why no revision to SMTP to include authenticat

Tough - I'm sick of spam, and I'm even more sick of spam from bogus email addresses. True, some jerks have ruined it for the rest of us, but we all learned to deal with things like that when we were 6 years old..

nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

said by jjoshua:
This would mostly be an inconvenience for people who don't send SPAM. A lot of people use 3rd party email services because we don't want to use the one provided by our ISP for various reasons.

This is a TIRED argument. Third-party relay providers can simply set up TLS-protected, authenticated SMTP relay service on an alternate port.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"
fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH


edit:
June 18th, @01:01PM


Spammer sets up his throw away domain. Puts up DNS for it at a place where it can be changed easily and quickly.

He finds a trojaned Comcast machine to use. He changes his DNS file to show the proper SPF record for that Comcast machine's IP addy.

Then he fires his spam off from that machine and SPF stops nothing because he controls the domain and the SPF records.

Rinse-Lather-Repeat. SPF only stops someone from using my or your address as a forged from, and it stops the viruses that use forged froms.

It will not stop spam nor will it slow it down much.

TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Underway
·Verizon Online DSL

Re: Why no revision to SMTP to include authenticat

said by fantomposter:

Spammer sets up his throw away domain. Puts up DNS for it at a place where it can be changed easily and quickly.

He finds a trojaned Comcast machine to use. He changes his DNS file to show the proper SPF record for that Comcast machine's IP addy.
No good! The SPF must reside on his domain, and point to a mail server on his domain... No receiving SPF/SMTP server will ever query his SPF record for mail originating from a Comcast addy; it will query Comcast's SPF records and reject the mail. Spammer Fails!

said by fantomposter:
Then he fires his spam off from that machine and SPF stops nothing because he controls the domain and the SPF records.
Spammer can't control Comcast's SPF records, in the same way he can't control their PTR records! Spammer FAILS!

said by fantomposter:
Rinse-Lather-Repeat. SPF only stops someone from using my or your address as a forged from, and it stops the viruses that use forged froms.
Nope! SPF forces all mail from a domain to come ONLY from the allowed (SPF'd) domain's mail servers, which are advertised only by that domain's listed DNS servers. Spammer Fails!

said by fantomposter:
It will not stop spam nor will it slow it down much.

If implemented net-wide it will kill almost ALL spam. That which is left will only come from spammer-owned/SPF'd domains. These domains will be easy to identify and block on sight; blacklists will only have to deal with direct spammer domains. Spammer is toast!

Bob
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler, Cape Elizabeth, ME. »www.tamara-b.org
fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH

Re: Why no revision to SMTP to include authenticat

said by TamaraB:

Nope! SPF forces all mail from a domain to come ONLY from the allowed (SPF'd) domain's mail servers, which are advertised only by that domain's listed DNS servers. Spammer Fails!

Hopefully you are still here; I did not check this thread recently. Been a busy weekend.

Spammer controls his domain. He can set up DNS and SPF any way he wants to point to any machine he wants.

So he lists the Comcast trojaned machine as his domain's mail server. And SPF fails.

TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Underway
·Verizon Online DSL

Re: Why no revision to SMTP to include authenticat

said by fantomposter:

Spammer controls his domain. He can set up DNS and SPF any way he wants to point to any machine he wants.
Any machine with an A record within his domain.

said by fantomposter:
So he lists the Comcast trojaned machine as his domain's mail server. And SPF fails.

He can't! He is not listed as authoritative for Comcast IPs; he can use a redirect mechanism, but that does the opposite of what he wants.

My SMTP server gets a connect from that trojaned Comcast machine, my server checks with COMCAST DNS for SPF, not his DNS...

Think of SPF as an extension of MX. Only a list of a domain's allowed "sending" servers instead of receiving servers (MX).

Spammer is toast!
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler, Cape Elizabeth, ME. »www.tamara-b.org
fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH

Re: Why no revision to SMTP to include authenticat

said by TamaraB:

He can't! He is not listed as authoritative for Comcast IPs; he can use a redirect mechanism, but that does the opposite of what he wants.

I have not seen a spec on SPF that says you check IP addresses. It only checks the SPF records for the domain name in the from field.

quote:

My SMTP server gets a connect from that trojaned Comcast machine, my server checks with COMCAST DNS for SPF, not his DNS...

You got that backwards. That is not what SPF does. If I have that wrong, point me to a website that explains it is otherwise.

All SPF does is check the authoritative DNS for the DOMAIN name in the from field. It checks the DNS records for that domain name and makes sure there is an SPF record that shows the sending computer's IP address. If the spammer controls his own domain name then he can put any IP address he wants in the SPF record.

Check here: »spf.pobox.com/faq.html

And scroll down to the part where the headline is:

"It doesn't really prevent spam. Spammers can always get throwaway domains, etc."

Don't get me wrong, SPF is needed to fix the virus bounces and the forged from addresses in spam, and it does a great job of that, but not much more.

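To make the mechanism the two posters disagree about concrete, here is a small SPF evaluator added by the editor; it is not code from the thread or from spf.pobox.com. The domains, addresses and records are constructed, an in-memory table stands in for DNS TXT lookups, and only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Minimal SPF v1 evaluator over a constructed, in-memory DNS table.

Added example, not from the original thread. It implements only the
ip4, ip6, include and all mechanisms; a real checker would also handle
a, mx, exists, redirect, macros and the DNS-lookup limit.
"""
import ipaddress

# Constructed records standing in for TXT lookups; nothing is resolved.
SPF_RECORDS = {
    "isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "shop.example": "v=spf1 include:isp.example ~all",
    "mail6.example": "v=spf1 ip6:2001:db8::/32 -all",
    # A throwaway domain whose owner lists whatever IP is sending for him:
    # SPF passes, which is the limit fantomposter points at.  Whether the
    # domain itself is trustworthy is a reputation question SPF never asks.
    "throwaway.example": "v=spf1 ip4:198.51.100.77 -all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for a connection from client_ip whose envelope
    sender claims sender_domain.  The record consulted is always the one
    published for sender_domain, never one tied to the connecting IP."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = records.get(sender_domain)
    if record is None:
        return "none"                   # domain publishes no policy
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                 # mechanisms default to +
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # ip_network of the other family simply does not contain ip
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the included domain yields "pass"
            matched = check_spf(arg, client_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"          # mechanism this toy does not implement
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched, no "all"
```

Checking throwaway.example against 198.51.100.77 yields "pass", while checking isp.example against the same address yields "fail": the result depends on which domain's policy is consulted, which is exactly the point in dispute above.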
jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ

Here's a good solution for filtering

Nearly all of the SPAM that I receive contains a URL for a domain that is not hosted in the US - at least this is what SPAMCOP tells me.

If these filter criteria were applied by default by US-based ISPs, then a lot of SPAM would be eliminated.
gecho XXX

join:2004-06-02
Muscatine, IA

Why Auth Won't Work Without Subscriber Level

If subscriber 1 gets a virus that sends SPAM, they send it through their server A which authenticates to other servers B, C, etc. and delivers the SPAM to their subscribers because the from is server 1's domain. But which subscriber?

Suppose you block port 25 and subscriber 1 had to authenticate specific from addresses to server A to send. Then only the allowed and authenticated from address could be included. Now you have accountability at the subscriber level where it belongs. If subscriber 1 has a different domain email address they want to use, they need to register (authenticate) it with server A or they can't use it. Authenticate does not mean just being on server 1's normal network IP address. It means associating joe@serverA.com to subscriber joe and joe@differentdomain.com also to subscriber joe, so if it is sent through server A it has to have been approved as a real userid allowed through server A and it has to have come from subscriber joe.

Then you ensure that server A is a registered mailserver. Non-registered servers can't play. Servers that do not use subscriber auth cannot register. Total subscriber accountability. SPAM would become a thing of the past.
Goldengamego
Premium
join:2004-02-22
Okemos, MI

edit:
June 18th, @12:20PM

Re: Why Auth Won't Work Without Subscriber Level

Most viruses use their own SMTP engine, in which case they don't use your ISP's mail server. If it does use your ISP's mail server then they will spot you quickly and cut off your access.
--
Because Goldengamegod won't fit:p
gecho XXX

join:2004-06-02
Muscatine, IA

Re: Why Auth Won't Work Without Subscriber Level

Exactly. But if, as I said, port 25 is blocked they would, and from my logs still do by the way, try to use the ISP mailserver.

So if we just auth mailservers they just rewrite viruses to use the domain server and SPAM still flows, even though now isolated to from within the server domain. Still doesn't address who, though, so you need subscriber accounting to finally close and lock the door. Otherwise whole ISPs get shut off, which would be like closing down the local post office of origin for someone sending forged illegal paper mail through it. Court battles would ensue and SPAMMERS would be laughing all the way to the bank.
Goldengamego
Premium
join:2004-02-22
Okemos, MI


edit:
June 18th, @12:24PM

OMFG

This is like the 5th time I have had to say this.

AOL did NOT create SPF, they just implemented it in their mail system.

Also SPF stands for 'Sender Policy Framework' not 'Sender Permitted From'.

»spf.pobox.com has more info about SPF.
--
Because Goldengamegod won't fit:p
keyboard5684

join:2001-08-01
Youngsville, PA

Re: OMFG

Right, but it used to be Sender Permitted From; they changed it during development. It is documented at the very bottom of their FAQ... »spf.pobox.com/faq.html . You read that, correct?
Goldengamego
Premium
join:2004-02-22
Okemos, MI

Re: OMFG

doh

nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

said by Goldengamego:
This is like the 5 time I have had to say this.

AOL did NOT create SPF, they just implemented it in their mail system.
Right, but because they have a bigger name than pobox.com, they'll get credit from lazy reporters. Most people don't want to be bothered with facts, they just want things easy (reporters especially). Deal with it.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"
xv920

join:2002-08-27
Campbell, CA


edit:
June 18th, @12:28PM

limit the number of outgoing emails

Legit users don't send tons of email per minute. Let the SMTP server limit the number to, say, 1000 emails per user per month with a per-day max of 100? You will not be negatively affected unless you are a spammer. If you run a business and you want to send more than 1000 emails, why don't you buy the credit from your ISP that allows you to send out another 1000 emails for just $9.95 per month?
JPCass

join:2001-01-23
Denver, CO

Re: limit the number of outgoing emails

I, and others, have wondered for years why more ISPs haven't done this. Some of the big ISPs, particularly the free ones, that spammers use a lot have finally done some limiting of outgoing mail in the last year or so.

Limits don't even need to be tied to higher fees, though the chance to charge a bit more might provide some incentive for some of the greedier or more callous ISPs. ISPs could just by default set low limits on outgoing mail, unless the user contacted them and specifically asked for higher limits because they sent out mailing lists or had some other specific need. And ISPs could still check suspicious mailing patterns regardless of limits, just as credit and phone card companies do when unusual usage shows up.
Goldengamego
Premium
join:2004-02-22
Okemos, MI


edit:
June 18th, @03:29PM

No need to charge. A business should just have to call their ISP and register as such, anyone sending large amounts of mail and not registered (hacked PC) will be cut off.

EDIT: rats, you beat me to it
--
Because Goldengamegod won't fit:p

pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA

having your own hosted server is cheaper than that

And what about those people that happen to send more than 100 emails in a day? Are they automagically classified a spammer?
--
Be patriotic or I'm reporting you to Ashcroft.
xv920

join:2002-08-27
Campbell, CA

Re: limit the number of outgoing emails

) And what about those people that happen to send more than 100 emails in a day? Are they automagically classified a spammer?

You don't "happen" to send 100. If you take just 5 minutes to compose one, that's 500 minutes total. That's more than 8 hours. That's a job.

But I'll raise it to 200 if it makes you feel any better. Maybe you can compose one in two and a half minutes. Or even 500. Now you may compose one email in every single minute for 8 hours straight. But let me tell you what. If you have to write somebody something that fast, you better get a messenger. Email is not a realtime communication tool.

pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA

Re: limit the number of outgoing emails

You're too funny

anon000

This is like claiming only pirates use CD burners/DVD burners and high upload bandwidth... stop trying to make the service crappy and find a real solution.
xv920

join:2002-08-27
Campbell, CA

edit:
June 20th, @10:13AM

Re: limit the number of outgoing emails

My point is that limiting the number of outgoing emails doesn't make you, ordinary users, suffer a bit. Or are you doing something that it might make any difference?

pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA

Re: limit the number of outgoing emails

said by xv920:
Or are you doing something that it might make any difference?

I'm going to get a few email addresses or start my own ISP. LOL!
--
Be patriotic or I'm reporting you to Ashcroft.

nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

Amusing...

I used to work for MCI. They used Entrust, internally, for "non-repudiation". In one of the recent articles quoting Cerf, he says that adoption of PKI within MCI is universal. Ironically, when I send emails to former co-workers, half of them can't read the emails I send because I use (Thawte) S/MIME signatures on my emails (cleartext signed; not encrypted). Apparently, either their Entrust software is misconfigured, or they've lost/forgotten their passwords, because they rarely use the application. So, not quite universal.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"
© 1999-2008 dslreports.com.