Message-ID: <20040129043625.GB1546@SDF.LONESTAR.ORG>
From: petard at freeshell.org (petard)
Subject: Proposal: how to notify owners of compromised PC's
On Wed, Jan 28, 2004 at 09:20:24PM +0100, Thomas Zangl - Mobil wrote:
> As I said before, the ISP _HAS_ to provide an alternative mail relay, open
> for every FROM address the user wishes to use. (If it's legal or not, that's
> another point). If you really need access to YOUR smtp server, it should
> be possible to configure your MTA to listen to an alternative port than
> 25 too. I use this kind of setup for myself as I'm "smtp firewalled" the
> way I've described above.
>
You don't understand. My organization (example.com) has its MTAs
configured such that we ONLY accept mail claiming to be FROM example.com
if it is relayed by MSAs which ONLY accept mail from our users, who can
only connect to those using TLS connections which are authenticated
using X.509 certificates. I cannot send mail to someone at example.com
from my example.com address using any other party's server.
It was not *difficult* to configure the various MSAs to listen on
alternate ports as well, nor to open the firewalls such that the clients
could connect there. But it had to clear a change control process which
has some lead time to it.
And I had to waste my time and my admin's time working around my ISP.
> The benefit (in my opinion) would be greater, in my environment, than the
> loss of freedom individual users will suffer. In case of static IPs, ISPs might
> be able to offer exceptions.
Unless we fix the clients, the benefit will not be there long term. You
*might* see spam confined to spam-friendly ISPs and therefore more
easily filtered, but you will not see less malware. There are too many
other vectors, and ISPs may not legally be able to virus-check every
message they transmit. (They'd certainly *risk* their common carrier
status by performing this filtering.) We'll just have malware going
through ISP servers, proxies, kazaa, etc. as so much of it already does.
regards,
petard
--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.
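The setup described in this reply (MSAs that accept submissions only over TLS with a client certificate, relaying to an inbound MTA that refuses example.com sender addresses from anywhere but those MSAs, plus the same submission service on a second port for users whose ISP blocks the standard one), written out as an added Postfix example. This is constructed for illustration and is not from the post, which names no MTA software; the hostnames, the 192.0.2.x addresses (RFC 5737 documentation range), the CA file paths and port 2525 are all placeholders.

```conf
# Constructed Postfix example; all names, addresses and paths are placeholders.

### MSA (submission host): main.cf
smtpd_tls_cert_file = /etc/postfix/msa.example.com.pem
smtpd_tls_key_file = /etc/postfix/msa.example.com.key
# CA that issues the users' X.509 client certificates
smtpd_tls_CAfile = /etc/postfix/example-users-ca.pem
# everything accepted here is handed to the inbound MTA
relayhost = [mta.example.com]
mynetworks = 127.0.0.0/8

### MSA: master.cf
# submission on 587: TLS mandatory, a trusted client cert required,
# and nothing else is permitted to submit
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject
# identical service on a second port for users behind an ISP port block
2525 inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject

### Inbound MTA (port 25): main.cf
# only the MSAs are "trusted networks"
mynetworks = 127.0.0.0/8, 192.0.2.10, 192.0.2.11
# sender addresses at example.com are accepted from the MSAs and rejected
# from every other client, including other ISPs' relays
smtpd_restriction_classes = local_sender_via_msa
local_sender_via_msa = permit_mynetworks, reject
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

### Inbound MTA: /etc/postfix/sender_access (build with "postmap")
example.com local_sender_via_msa
```

Note that `smtpd_tls_req_ccert = yes` implies asking for the certificate, and that a certificate is only "trusted" when it chains to a CA listed in `smtpd_tls_CAfile`.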