[funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)
dwhite at olp.net
Fri Oct 16 12:04:08 CDT 2009
On 16/10/09 07:56 -0400, Rich Kulawiec wrote:
>If you're relaying spam, then it's [in part] *your* spam. Everyone involved
>in propagating and supporting abuse has to take a share of the blame:
>the spammer who paid for it, the botnet operator who generated it, the
>user who allowed their system to be hijacked, the network operator
>who transited the traffic, the mail system operator who relayed the message,
>the web site hoster providing services, everyone. Nobody gets a pass.
>Nobody gets to evade their share of responsibility.
So if I have a customer on Facebook that sends sPaM to another Facebook
user (that happens to be using AOL), do I or AOL get the blame? No, even
though we blindly relayed that message.
>> SMTP needs to go away, and be replaced by something that resembles
>> end-to-end messaging passing, rather than the horrible touchy feely
>> pseudo-chain-of-trust that it is today.
>And even if it did, that would do absolutely nothing to solve the problem
>we currently face (i.e. 100M+ zombies): it'd just shift it to another
>protocol. And while SMTP abuse is one of the more visible external
>symptoms of the underlying security problem, it's by no means the
>only one and probably not even the most important, given that we
>developed quite effective defenses against it years ago.
I'm proposing a little more thinking outside the box here. SMTP does need
to go away, and be replaced by something better: Something that does not
inherently suffer from the problems of SMTP today, but is based on
something with better two-way trust.
If I have a friend that gets caught up in a 100M+ zombie attack, then
I'll just suspend my trust with that friend until he gets his act together.
I'll probably get one SpAm from him, maybe two, before I get the idea.
I should not be concerned about the other 99,999,999 zombies.