Comment Re:Is this surprising? (Score 1) 778
Blocking at the MTA layer is too late.
Say I'm aaron@a.com and I want to send mail to bob@b.com. You say e-mail servers should require me to authenticate, so I authenticate as aaron to a.com, then a.com sends my mail unauthenticated to b.com. This has to be done unauthenticated over SMTP, because a.com doesn't have a username/password at b.com, and SMTP is a stupid protocol. SMTP is also the only protocol used to send mail between servers.
Now say I pwn a Windows box with public IP abc.dhcp.isp.com and start sending spam to bob@b.com from spammer@abc.dhcp.isp.com. b.com won't reject me because I'm just as legit as a.com; to b.com, I pwn the domain abc.dhcp.isp.com legitimately.
The only solution at the moment is for ISPs to block the SMTP port coming out from their clients.
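The egress policy the comment asks for, as an added example (not the commenter's code): customer pools lose direct TCP/25 to the world but keep port 25 to the ISP's own relay and keep the authenticated submission ports; all address ranges are constructed, and the nftables chain name is assumed.

```python
"""
Model of an ISP egress rule that blocks outbound SMTP (TCP/25) from
customer pools, except towards the ISP's own relay, while leaving the
authenticated submission ports (587/465) open. Ranges are constructed.
"""
import ipaddress

# Constructed example data: dynamic customer pools and the ISP's relay.
CUSTOMER_POOLS = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/24")]
ISP_RELAYS = [ipaddress.ip_address("192.0.2.25")]
SUBMISSION_PORTS = {587, 465}  # authenticated submission stays open


def egress_decision(src: str, dst: str, dport: int) -> str:
    """Return 'ALLOW' or 'DROP' for a new outbound TCP flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_pool = any(s in net for net in CUSTOMER_POOLS)
    if not from_pool or dport != 25:
        return "ALLOW"   # only port 25 from the pools is restricted
    if d in ISP_RELAYS:
        return "ALLOW"   # customers can still hand mail to the ISP relay
    return "DROP"        # direct MTA-to-MTA delivery from a pool host


def nft_rules() -> list[str]:
    """Render the same policy as nftables rule lines (assumed forward chain).
    The relay accept must precede the pool drop, since nft stops at the
    first matching rule."""
    rules = [f"ip daddr {relay} tcp dport 25 accept" for relay in ISP_RELAYS]
    rules += [f"ip saddr {net} tcp dport 25 log prefix \"smtp-egress \" drop"
              for net in CUSTOMER_POOLS]
    return rules


if __name__ == "__main__":
    print(egress_decision("198.51.100.7", "93.184.216.34", 25))  # DROP
    print("\n".join(nft_rules()))
```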