North American Network Operators Group

Re: Time to check the rate limits on your mail servers

  • From: Douglas Otis
  • Date: Sat Feb 05 15:28:37 2005

On Sat, 2005-02-05 at 19:18 +0000, Jørgen Hovland wrote:
> ----- Original Message ----- 
> From: "Edward B. Dreger" <[email protected]>
> > TV> From: Todd Vierling
> >
> > TV> The only way to be sure is via cryptographic signature.  Barring
> > TV> that level
> >
> > False.  You imply that a crypto signature is a perfect guarantee, and
> > that nothing else can provide equal assurance.
> To prevent spyware using your signature you can for example use some
> sort of local signature engine and a fingerprint reader. It isn't
> possible to steal the private key because only the engine can decode
> it. Emails can only be signed with that signature by the engine, and
> the engine needs your fingerprint first. But who really wants to stick
> your thumb in the reader for every email you send?

If each provider signed their messages AND included account identifiers
(as used by their access servers), then the providers themselves or some
third-party would have little trouble blackhole listing problematic
systems.  There would be NO danger that something in the customer's
system could be stolen.

A blackhole A record of by the provider at the following:


Or if by a third-party, it could be 


This mechanism would also prevent a replay attack on signatures as well
as allow extraction of these problem accounts caused by compromised
systems.  These people would quickly learn they have a problem, if they
use the mail services of the provider.  If they do not, they should be
blocked by the provider outright.  To prevent bounce traffic
unilaterally, BATV would be a better solution.

SPF et al does not allow safe reputation assertions.  A reputation
assertion is the ONLY way this type of abuse can be prevented.  Binding
MAILFROM or the FROM with some IP address will not stop spam.  Within
two minutes, spammers will have adapted, and yet a tremendous expense
and disruption will have taken place for little benefit.