On Mon, 06 Jan 2003 02:01:27 EST, Doug said:

> There are many commercial email servers that require the people sending email
> with their server to log into the server using a valid username and pass before
> doing so. I doubt they are losing any valid emails. All it does is to keep
> unauthorized users from using the server without a valid password. The reason
> to require that the sender address in the outgoing email matches the email
> address referenced in the account is to keep people from sending spam from
> these email servers and using fraudulent return and/or sender address.
> I fail to see how this throws out any babies. Perhaps I am missing
> something.

What you're missing is that I can configure *MY* server so it will only:

1) Accept mail *TO* a local recipient.

2) Allow relaying of mail to a *remote* recipient after doing some sort of
   authentication that it's one of my users.

And in fact, the last I heard, open relays were only 1% or so of the total
mailservers out there - so the above is already the usual state of affairs.

Note there's no requirement that *inbound* mail be authenticated, which is the
basic source of the spam problem. Your mail server will probably accept mail
for your userid from anyplace without authentication.

Now let's say you *do* start requiring authentication for inbound mail. Let's
consider this piece of mail, which is being sent to both you and the IETF
list...

1) What userid/password does the IETF mailserver use to authenticate itself to
   your mail server? Remember in your answer to note that forcing users to
   manually update a whitelist of mailing lists they are on is a helpdesk
   nightmare, and hard to scale - our main mailserver has some 80K
   mailboxes/aliases on it, and I'm on a lot of lists. However, just because
   *I* am on a list hosted at some site doesn't mean that any other user on my
   mail server wants to accept mail from that site.

However, even if you decide *that* cost is tolerable, there's still:

2) What userid/password does my laptop use to authenticate itself to your mail
   server? And note that you can't just say "my laptop has to send it to my
   mail server" - because then you need to get the userid/password pair to my
   mail server.

Remember that your answer has to scale to 40 million .coms, and that it has to
work on a sender/recipient pair basis (otherwise, it's like inviting a vampire
in - if they can get one person at your server to OK the mail, then they can
commence spamming all your users).

Note that answers like the "reply to this message to prove you're not a
spammer" schemes are *NOT* a long-term solution - if any of those packages
becomes widespread enough to actually impact the spam problem, the spammers
will have a little Perl program scanning the bounces and canning the "yes I'm
not a spammer" responses.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
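The relay policy Valdis describes (accept mail for local recipients from anyone, relay to remote recipients only for authenticated users) and Doug's rule that an authenticated sender may only use its own address can both be expressed in a Postfix main.cf. This is an added illustration, not a configuration from either poster; the domain example.org and the map path /etc/postfix/sender_login are assumed placeholders.

```ini
# --- Weak setting: an open relay. Any client can hand us mail for any
# destination, which is exactly what spammers look for.
smtpd_recipient_restrictions = permit

# --- Corrected setting.
# Domains this server accepts mail FOR (point 1: local recipients, no
# authentication required, otherwise inbound mail from lists and
# strangers would be refused).
mydestination = example.org

# Point 2: relaying to a remote recipient only after SASL authentication
# (or from our own trusted networks). reject_unauth_destination refuses
# everything else that is not destined for a local domain.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Doug's rule: an authenticated account may only use the sender address
# bound to it. The map lists "address  login_name" pairs (assumed path).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch
```

With this in place, unauthenticated inbound mail to example.org is still accepted, so the scaling problems Valdis raises about authenticating every remote list server and laptop do not arise; only outbound relaying is gated.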