Bill McGonigle wrote:
On Mar 13, 2006, at 18:20, [EMAIL PROTECTED] wrote:

That's just it.  It's NOT a valid way to reduce spam.  Just like killing
junkies is not a valid way to fight AIDS...


The trouble is the valid ways to reduce spam (like DomainKeys and SPF records) are very very lightly deployed and the IETF is trying to see to it that even they don't get accepted. In the meantime any countermeasure is a hack.

They're actually not ways to reduce spam. There are many, many analyses available on the web that show exactly how these two systems are not going to prevent spam. What they may reduce, but only if mail admins are serious about using "-all" (in the case of SPF), is Joe jobs, where someone "forges" mail from your domain.

There's absolutely nothing to prevent spammers from using spf with a +all entry that allows any site to send email for that domain. Also, when AOL uses ?all, that's no help.

For domain keys, a spammer can easily send the key out to his bots and have the mail user agent sign all outgoing messages. So, now, they're signed with a valid key for the sending domain....

What do the above buy you? Very little. You're still going to have to filter on IP addresses, sending domains, etc. Sure, you could block all "bad" keys and you could block all mail from sites with spf records that don't end in -all, but you'd be cutting off a good bit of ham that way, or you'd still be stuck with blacklists (for the bad keys).

There are also a whole host of other issues involved in using domain keys and SPF, such as breakage of some very common email practices. They may be bad habits, but they're things that have been accepted and expected for years.

You'll notice, if you look, that I have spf version 1 records for my domains. They end in -all. I set them up in a moment of weakness. However, when I set them up, I knew they were of limited use and I knew what problem spf was designed to solve, whether its pushers knew it or not.

What is actually needed is an entirely new email protocol that cannot be "abused" and doesn't cost too much on its users. "In the meantime any countermeasure is a hack."

However, it ain't happenin' any time soon. I'm on another list called IM2000 where such issues are discussed ad nauseam. The consensus there is that an entirely new email architecture needs to be built, one that puts the cost of sending email on the sender, but getting people to switch to it.... "Aye, there's the rub."


   use, then you can run a mail server on an alternate port.  Lots
   don't block 465 (ssmtp) or 587 (alternate smtp).  In my case, since
   I can never remember

Clever. I'll have to look into that. And then tell all the spamsters. :)


Fortunately for us most submission ports require SMTP AUTH which is less useful for spammers. Maybe once all traffic is forced there we'll see Outlook worms spamming through valid accounts.

Could be, but I've seen a lot of spam coming from poorly written web form processor programs lately. I've even been playing cat and mouse with one spammer who has been trying to abuse one of mine. I've got it locked up now where I know that even if he managed to get a mail through, I'm the only person in the world that will see it. He keeps trying, and it's not a completely automated script on one of his bots that he's running, 'cause it's only four or five attempts in a row, a couple days a week, always with a bcc: to the same couple of aol accounts. He's trying to see what he needs to put in to get his messages through. I figure he'll give up in a few days when he finds someone's webform processor that he can exploit.

Just wait until the virus writers discover this trick!

I don't see any solution in the near term. I don't like some of the alternatives, either. If PKI becomes required for email, then it becomes much easier to track who is emailing whom. What little bit of libertarian that is still breathing within me doesn't like that.

I'm also thinking that I might as well get rid of the mail form and just put a mailto link on my site. It's actually safer, and my address is already in whois, anyway.

Cheers,
Jason
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
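
The SPF point in the message above (a record ending in "-all" versus "+all" or "?all") as an added example, not part of the original message: a small Python check that reads the qualifier on a record's "all" term and reports what a receiver can do with it. The domain names and records are constructed samples, and the function names are hypothetical.

```python
# Added example. Reads the "all" term of an SPF v1 record (RFC 7208 syntax)
# and reports the result given to any sender not matched by earlier terms.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_result(record):
    """Return pass/fail/softfail/neutral/redirect, or None if not SPF v1."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    redirect = False
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            redirect = True          # only consulted when no "all" is present
            continue
        # A mechanism with no qualifier defaults to "+", so bare "all" is "+all".
        qual, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            return QUALIFIERS[qual]  # terms after "all" are never evaluated
    # No "all": the answer is in the redirect target, or defaults to neutral.
    return "redirect" if redirect else "neutral"

def assess(record):
    """Describe what a receiving mail server can conclude from the record."""
    notes = {
        None: "not an SPF v1 record",
        "fail": "unlisted senders can be rejected as forged",
        "softfail": "unlisted senders are only marked suspicious",
        "neutral": "the domain asserts nothing about unlisted senders",
        "pass": "every host on the Internet is authorized to send",
        "redirect": "policy is defined by another domain's record",
    }
    return notes[all_result(record)]

# Constructed sample records (documentation domains and address ranges).
SAMPLES = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 mx -all",
    "open.example": "v=spf1 +all",
    "bare.example": "v=spf1 a mx all",
    "neutral.example": "v=spf1 ip4:192.0.2.10 ?all",
    "soft.example": "v=spf1 include:_spf.example.net ~all",
    "noall.example": "v=spf1 mx",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain:16} {all_result(record):9} {assess(record)}")
```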
