
Re: recent spam to this list

Miquel van Smoorenburg <miquels@cistron.nl> wrote:
>> And it does not help in the first scenario at all
>> (unless you think it to be ok that user a receives the bounces for
>> user b).

Just for a reminder: Two people using different domains with a changing
smarthost on one computer.

> If you read RFC822 and see the distinction between Sender:
> and From: that isn't really as strange as it would seem.

It does not seem strange at all to me that envelope from gets the

> Sure, it isn't as flexible as the current "solution" (impersonate
> whoever you want) but that is going to be true of *any*
> better solution, alas.


> And I don't think you can get all users
> to sign their e-mail with PGP or use SMTP AUTH exclusively
> overnight. You need something that will work in most cases,
> without end-user changes, on the current Internet.

Agreed, the alternative suggestions who think that forcing anybody to
use authenticated SMTP together with certificate-checked SSL between
SMTP servers totally ignore the complexity of setting up and enforcing
a global "web of trust".

> You need something that will work in most cases,
> without end-user changes, on the current Internet.

I am just not very confident that SPF and similar stuff will work as
well as proposed. I think after a short time spammers will just get
the needed bit smarter, and all we get for going through the pain of
implementing SPF is making abuse work easier.

> This is something that if it breaks, it will most likely be
> for the users who know how to fix it.

I do not know how to fix the scenario listed above. I can only think
of these possibilities, neither of which is good enough to be
considered a fix.

* Rewrite envelope from to one user and ignore the privacy concerns
  - me getting somebody else's bounce message.

* Throw away flexibility. Select an internet access provider who
  offers e-mail addresses, everybody on the computer has to switch to
  a mailbox by this provider.

* Buy a domain and "root server" (i.e. computer with a fixed IP) and
  host the domain and my own smarthost there. Every local user has to
  use an e-mail on my domain.

* Route by sender, it is manual work, and would not work for me, as
  the smarthosts connected to e-mail addresses don't do SMTP AUTH.

                cu andreas
