End of the road for SMTP

Post #112,414 by orion 8/1/03 12:19:26 PM Reply	End of the road for SMTP [link\|http://news.com.com/2100-1038_3-5058610.html\|http://news.com.com/...38_3-5058610.html] Deja Vu, didn't we have a discussion like this before here? Developed when the Internet was used almost exclusively by academics, the Simple Mail Transfer Protocol, or SMTP, assumes that you are who you say you are. SMTP makes that assumption because it doesn't suspect that you're sending a Trojan horse virus, that you're making fraudulent pleas for money from the relations of deposed African dictators, or that you're hijacking somebody else's computer to send tens of millions of ads for herbal Viagra. In other words, SMTP trusts too much--and that has spam foes, security mavens and even an original architect of today's e-mail system agitating for an overhaul, if not an outright replacement, of the omnipresent protocol. "I would suggest they just write a new protocol from the beginning," Suzanne Sluizer, a co-author of SMTP's immediate predecessor and a visiting lecturer at the University of New Mexico, said in an interview. But a new protocol means that email clients will have to be rewritten to use that protocol. "Authentication in SMTP is not that hard," Paul Hoffman, director of the Internet Mail Consortium and author of numerous computer-related books, wrote in an e-mail interview. "There is already a protocol for doing it, namely running SMTP over SSL/TLS. And, yes, I wrote it." (The SMTP over SSL/TLS protocol is [link\|http://www.ietf.org/rfc/rfc3207.txt\|available] at the Internet Engineering Task Force's Web site.) The hard part, according to Hoffman and others, is establishing the "trust relationships" required to back up any computer-based authentication scheme--in other words, verifying that a person is who he or she claims to be. Maybe we just need to have authentication in SMTP to lock in the real IP of the sender and any other information it can gather.
Post #112,417 by jake123 8/1/03 1:03:44 PM Reply	Re: End of the road for SMTP Actually, I don't have any problem figuring out which IP address connected to my mail server. The problem is that a lot of time that IP address has little to do with the actual originator of the spam email. Everyone's heard about the new explosion of spam. Everyone's heard of Nimda, Code Red, etc. Very few seem to have connected the dots though... most of these worm/trojans were designed to create spam forwarding bots, in my belief. If you are sending say 10 million emails a day, and you've managed to snare 10 thousand IRC controlled spam forwarding bots via some variant of one of these worms, that means that each of them is sending about one thousand emails a day. Say the average size of said email is 30KB; that means a total throughput of 3 MB. Since the vast majority of these machines are on broadband networks, 3 MB spread out over 24 hours is a tiny trickle of outbound data, hardly noticeable to those who aren't Inet cognoscenti. --\n-------------------------------------------------------------------\n* Jack Troughton jake at consultron.ca \n [link\|http://consultron.ca\|http://consultron.ca] [link\|irc://irc.ecomstation.ca\|irc://irc.ecomstation.ca] \n Kingston Ontario Canada [link\|news://news.consultron.ca\|news://news.consultron.ca] *\n-------------------------------------------------------------------
Post #112,493 by pwhysall 8/2/03 1:51:11 AM Reply	Hah. YAATWTRS Yet Another Article That Wants To Reinvent SMTP. Or, as I like to put it, "Slow news day". SMTP "trusts too much". That's like saying "TCP/IP trusts too much". Someone's not reading the damn acronym. Simple Mail Transport Protocol. Note the words "Simple" and "Transport". SMTP only cares about two things: Are you allowed to connect to this server? and what would you like to send? Security and content filtering is SEP, and rightly so. Well, what do you expect from an outfit called news.com.com? Note for Norm: Email clients wouldn't necessarily have to be rewritten; any new protocol could emulate the old one sufficiently to negate this requirement. Peter [link\|http://www.debian.org\|Shill For Hire] [link\|http://www.kuro5hin.org\|There is no K5 Cabal] [link\|http://guildenstern.dyndns.org\|Blog]

Welcome to IWETHEY!