I believe the answer to your first question is you would send mail using your own mail server, not someone else's. Although...I do see unique issues involved in people using mail servers that are not part of their network (hotmail, yahoo...) to send email if they try to authenticate you as part of their network before allowing you to send email. I believe the solution to that problem is that those commercial mail servers (free or premium) would not be able to authenticate you as part of their network before allowing you to send your email. They would then require clients logging into those accounts (with valid user names and passwords) to send email from a valid IP address with no unsecured proxy services running on them (much like many IRC servers are doing) and transmit this IP information along with the email being sent. This would allow for pinpoint identification of the senders using IP addresses, MAC addresses and time stamped logs for the specific purposes of taking legal action against these network abuses.

Your second question is a bit harder for me to answer. I believe (I may be incorrect) that there is already a difference between a receiving mail server's transaction with a sending or relaying mail server and a mail client. I would never claim that it is impossible for a malicious user to do anything (I know better). On the other hand, if we can achieve authentication before sending email and it becomes a requirement of the system, then it should make the actions of a malicious user stand out in the logs of the server, allowing for tracking, blocking, and prosecution of those users for the unauthorized access and (mis)use of private network resources.

My solution does NOT have a way of completely stopping spam from being sent, but perhaps in conjunction with other actions it can stop a majority of spam from being sent. Additionally, my solution makes it easier for end users and administrators to track the actions of spammers and find their virtual locations.
I would further suggest that once this information is gathered and verified with the spammer's ISP, subpoenas, court orders, cease and desist orders, fines under existing laws, and criminal prosecution could do the rest. I am not claiming that this will eliminate spam on its own. I am claiming that it will make it harder for the offending parties to get away with sending spam in a manner that is not compliant with TOS agreements and the law. This solution would require a concerted effort by the administration community as a whole and I think that is where the problem truly is.

----- Original Message -----
From: "Harald Tveit Alvestrand" <harald@alvestrand.no>
To: "Doug" <Dougxx2@carolina.rr.com>; <Valdis.Kletnieks@vt.edu>
Cc: <ietf@ietf.org>
Sent: Monday, January 06, 2003 10:00 AM
Subject: Re: namedroppers, continued

> --On mandag, januar 06, 2003 02:01:27 -0500 Doug <Dougxx2@carolina.rr.com>
> wrote:
>
> >> Your proposal would fix the problem, but end up tossing a large quantity
> >> of babies out with the bathwater. The problem is that for the case of
> >> a mailing list, you have *4* (at least) things to keep track of:
> >
> > There are many commercial email servers that require the people sending
> > email with their server to log into the server using a valid username and
> > pass before doing so. I doubt they are losing any valid emails. All it
> > does is to keep unauthorized users from using the server without a valid
> > password. The reason to require that the sender address in the outgoing
> > email matches the email address referenced in the account is to keep
> > people from sending spam from these email servers and using fraudulent
> > return and/or sender address.
> > I fail to see how this throws out any babies. Perhaps I am missing
> > something.
>
> well....think about how mail from someone who is not a user of that system
> (like me) can send mail there....
>
> how does your system tell the difference between a remote mail server and a
> malicious user?
>
> Harald