Jon Carnes wrote:
Yep, in my 21st century world of authenticated smtp, folks would set up their email clients so that an account would have a server login for pop/imap *and* have a server login for smtp-auth as well.
Well, I hate to agree with the Magnus, but he's right: smtp-auth is irrelevant for stopping spam. However, authenticating SMTP, which is what you mean, is described well at Wikipedia: http://en.wikipedia.org/wiki/E-mail_authentication
Basically, right now, we have IP-based RBLs. If all SMTP traffic were authenticated via SPF/DomainKeys, etc., we could instead have domain-based blacklists, which would raise the barrier to entry to sending email. Spammers would adapt by buying many domains and using distributed botnets to mass-sign messages, but this would be easier to defend against.
Of course, there are always issues to consider: you'd be required to use Reply-To instead of From; signed messages could be invalidated by mail-handling programs that mangle headers; we'd have to deal with signing replay attacks; etc.
Additionally, it has the problem of requiring that everybody adopt and enforce a standard; nobody seems to be able to make this happen. Until mail is simply dropped on the floor unless it is authenticated, spammers can continue to ignore SMTP authentication; or they can authenticate their messages -- with the lack of a centralized blacklist, authenticating spam messages might actually increase delivery rate.
-- Dan

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
