Re: recent spam to this list
Miquel van Smoorenburg <miquels@cistron.nl> wrote:
[...]
>> And it does not help in the first scenario at all
>> (unless you think it to be ok that user a receives the bounces for
>> user b).
Just for a reminder: Two people using different domains with a changing
smarthost on one computer.
> If you read RFC822 and see the distinction between Sender:
> and From: that isn't really as strange as it would seem.
It does not seem strange at all to me that envelope from gets the
bounce.
> Sure, it isn't as flexible as the current "solution" (impersonate
> whoever you want) but that is going to be true of *any*
> better solution, alas.
Probably.
> And I don't think you can get all users
> to sign their e-mail with PGP or use SMTP AUTH exclusively
> overnight. You need something that will work in most cases,
> without end-user changes, on the current Internet.
Agreed, the alternative suggestions who think that forcing anybody to
use authenticated SMTP together with certificate-checked SSL between
SMTP servers totally ignore the complexity of setting up and enforcing
a global "web of trust".
> You need something that will work in most cases,
> without end-user changes, on the current Internet.
I am just not very confident that SPF and similar stuff will work as
well as proposed. I think after a short time spammers will just get
the needed bit smarter, and all we get for going through the pain of
implementing SPF is making abuse work easier.
> This is something that if it breaks, it will most likely be
> for the users who know how to fix it.
[...]
I do not know how to fix the scenario listed above. I can only think
of these possibilities, neither of which is good enough to be
considered a fix.
* Rewrite envelope from to one user and ignore the privacy concerns
  - me getting somebody else's bounce message.
* Throw away flexibility. Select an internet access provider who
  offers e-mail addresses, everybody on the computer has to switch to
  a mailbox by this provider.
* Buy a domain and "root server" (i.e. computer with a fixed IP) and
  host the domain and my own smarthost there. Every local user has to
  use an e-mail on my domain.
* Route by sender, it is manual work, and would not work for me, as
  the smarthosts connected to e-mail addresses don't do SMTP AUTH.
cu andreas