On Fri, 29 Aug 2003, shogunx wrote: > > The better question for the IETF is whether we should do something to > > SMTP to make it less easy to send spoofed mail. > > what, so one couldn't telnet in and send arbitrary mail? include a > reversedns lookup in SMTP? good luck on widespread implementation. Reverse DNS lookups tell one nothing about the legitimacy of the email being sent. This has been hashed over on both namedroppers and DNSOP. I also recently hashed out the Information Theoretic problems with suppressing spam with a group of PhDs from one of my old companies. After a great deal of arguing about the definition of Covert Channel (in particular whether cooperation was required or not), it was determined (to a high degree of confidence--but not to a formal proof) that spam is indeed a covert channel, and therefore subject to the axiom that one cannot prove there are no covert channels. I should note that during the course of research I made to on the topic, which included reading a number of original papers on the subject of Covert Channels, Side Channels, and like concepts, I could find no written proof of this axiom, but neither was it challenged as being untrue. This confirms the intuition that digital signature schemes, and cost schemes and other such suppression schemes cannot succeed. Spam is essentially dependent on the will of the sender, and given viruses, that will can be subverted for many senders no matter what suppression scheme is used. Spam can be detected, and stopped after detection, but it cannot be made impossible to send. The question is really whether SMTP has sufficient identification information to track down an abuser, or infected user. The answer to this question is "yes". Even with an open proxy, the SMTP information will identify the open proxy. The anonymity offered by the open proxy is completely independent of SMTP. However, to identify the abuser, one may need law enforcement authority, or be willing to undertake a civil action at some expense. This is consistent with the PSTN, in which the identify of a user can't generally be determined by another end user, but can usually be determined using law enforcement authority. Indeed, as with the PSTN, some anonymity is appropriate. One would probably not want to allow end users to be able to identify another end user against their will without a court order of some sort or some evidence of a criminal act. --Dean