Newsgroups: news.admin.net-abuse.email
From: v...@calcite.rhyolite.com (Vernon Schryver)
Date: 1997/11/10
Subject: Re: SMTP a better way

In article <EJFrrF....@acc.msmc.edu>, Arthur Emerson III <a...@msmc.edu> wrote:

> ...
>> The so called defect of SMTP that allows spam is the fact that SMTP is
>> usually configured to accept email from strangers.  There are many schemes
>> now that will prevent you from receiving email from anyone you do not know
>> or does not have the recommendation of someone you know.  You can use any
>> one or more than one of those schemes now, and you will receive very little
>> spam, but you will also lose the ability to receive email from strangers.

>You're looking at the problem from a post-delivery aspect instead of a
>transport problem. The real problem with SMTP is that it accepts mail from
>anyone with absolutely no validation of the sender.

That is not a problem with SMTP, but a necessary feature.  If you want
to accept email only from people you know, you already can.  

There is no way that one security domain can trust what any other domain
says about usernames or ID's.  That msmc.edu says that ae3 is not a spammer
is just as believable and interesting to the computers that I watch as
what cyberpromo.com says about root.

>                                                     Back before the PC
>invasion of the Internet, there were these computers called UNIX systems.

Yes, and I've been an operating system hack since before UNIX, since
the 1960's, and hacking UNIX for a big part of the last 30 years.
What's your point?

>They required valid user accounts to use them, and the administrators of
>these systems could easily trace what each and every one of their users
>was up to.

That was never true, except in special cases.  You could never trust any
authentication except that done by your own systems.

>            This was the mindset that SMTP was developed under - the
>system administrator was responsible for what their users did, and the
>operating system provided user accountability to help the sysadmin do
>his/her job.

That is still the case, and necessarily always will be the case.  The
people running the system or (now) network are responsible for policing
what their users do.

>Now, every person on the Internet with a PC is their own system
>administrator, and it has fallen on the ISP's to police what these
>sysadmins do. Protocols like SMTP were built on an inherent trust that
>sysadmins would not exploit the weaknesses in SIMPLE Mail Transfer
>Protocol.  From the spam explosion, you can see that trust is now
>impossible.  Any moron with a credit card number and a modem can get
>throwaway connectivity, forge e-mail messages, and vanish into thin air.

I guess you never tried to discover who had been using some random
computer in a university lab to send email, post netnews, use telnet,
or launch worms back in them good ol' days.

>Instead of applying yet more band-aids to SMTP, a replacement needs to be
>developed - and fast.  Some may argue for third-party certificates.  I
>believe that it can be done through requiring each mail hub to validate
>users, and holding the source network responsible for logging the
>activities of its users.

That is nonsense, albeit often repeated nonsense.  Never mind the
catastrophic scaling problems.  Forget the interest the FBI or just even
plain fascists would have in such hubs.  In real life, your "mail hub"
will be more eager to accept a bogus credit card number and certify an
identity than the current ISPs, because your certifiers would necessarily
charge less than an ISP, and so would be even less able to afford to
investigate bona fides.

The IP address of the previous SMTP hop is just as much of an unforgeable
certificate as anything else you could implement.  If you cannot trust
the outfit that is saying that the user of that IP address is not a
spammer, then you could not trust the outfit that is certifying that a
cryptographic key is trustworthy.  The same outfits would probably be
accepting the credit card numbers to issue certificates as to issue IP
addresses or PPP CHAP usernames and secrets.

>                           This will give the power to stop abuse back to
>the network admins, who with the exception of a few rogue sites, don't
>care for the abuse any more than you do.  By having a new protocol, we can
>also eliminate the millions of relay-enabled SMTP servers through
>obsolescence. Network admins can trust the new protocol, and can easily
>black-hole the few rogue servers that will undoubtedly pop up.

>The only problem left is throwaway accounts, and that is not
>insurmountable either.....
> ...

There is a style of design I call "wishful thinking engineering."  It
starts with something like "pigs can fly if you feed them enough beans"
and develops utopian plans such as having everyone commute to work
riding on personal pigs, and along the way ignores minor details such as
the consequent rain of the non-gaseous byproducts.

In the case of Internet email, there are just as many ways for ISP's to ensure
that the user of a particular IP address is a good guy as for the issuer
of an RSA certificate or PGP public key to ensure that a keyholder is not
also named S.Wallace.

Vernon Schryver    v...@rhyolite.com
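
The post's point that only authentication done by your own systems can be trusted, and that the previous hop's IP address is the one thing your server observed itself, shown as an added example that is not part of the original post. The host names, addresses and the sample message are constructed, and the `Received` layout assumed is the common Sendmail/Postfix style.

```python
import re
from email import message_from_string

# Assumed for this example: the MTAs we run and their addresses.
OWN_MTAS = {"mx.example.org", "store.example.org"}
OWN_IPS = {"203.0.113.5"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message. The second Received line is forged by the sender
# and even names our own MTA; the third is the sender's own relay.
SAMPLE = (
    "Received: from mail.sender.example (unknown [192.0.2.77])\n"
    "\tby mx.example.org with SMTP id abc123; Mon, 10 Nov 1997 03:00:00 -0800\n"
    "Received: from trusted.bank.example (trusted.bank.example [198.51.100.1])\n"
    "\tby mx.example.org with SMTP id zzz999; Mon, 10 Nov 1997 02:59:00 -0800\n"
    "Received: from localhost ([127.0.0.1]) by relay.sender.example;\n"
    "\tMon, 10 Nov 1997 02:58:00 -0800\n"
    "From: someone@sender.example\n"
    "Subject: constructed test\n"
    "\n"
    "body\n"
)

def last_trusted_peer(raw, own_mtas=OWN_MTAS, own_ips=OWN_IPS):
    """Return the first outside IP recorded by our own MTAs, else None.

    Received headers are prepended, so the newest is on top. Walk down only
    while each stamp was written by one of our hosts about one of our hosts;
    the first outside peer ends the walk, and nothing below it is believed.
    """
    for hdr in message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())          # unfold continuation lines
        by, ip = BY_RE.search(hdr), IP_RE.search(hdr)
        if not by or not ip or by.group(1).lower() not in own_mtas:
            return None                      # chain of our own stamps is broken
        if ip.group(1) not in own_ips:
            return ip.group(1)               # observed on our own TCP connection
    return None

if __name__ == "__main__":
    print(last_trusted_peer(SAMPLE))
```

The forged line naming `mx.example.org` is never consulted, because the walk stops at the first peer address that is not one of our own hosts.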


 