In message <451737404.1077054498@[192.168.100.25]>, Alex Bligh writes:
b) The real problem here is that there are TWO problems which interact. It is a specific case of the following general problem:
* A desire for any to any end to end connectivity using the protocol concerned => filter free internet
* No authentication scheme
Applying filters based on IP address & protocol (whether it's by filtering or RBL) is in effect attempting to do authentication by IP address. We know this is not a good model. People do, however, use it because there currently is no realistic widely deployed alternative available. Those that are currently available (e.g. SPF) are not widely deployed, and in any case are far from perfect. Whilst we have no hammer, people will keep using the screwdriver to drive in nails, and who can blame them?
Apart from the general undesirability of using IP addresses for authentication -- and I've been writing about that for 15 years -- the problem of authentication for anti-spam is ill-defined. In fact, posing it as an authentication problem misses the point entirely.

In almost all circumstances, authentication is useful for one of two things: authorization or retribution. But who says you need "authorization" to send email? Authorized by whom? On what criteria? Attempts to define "official" ISPs lead very quickly to the walled garden model -- you have to be part of the club to be able to send mail to its members, but the members themselves have to enforce good behavior by their subscribers. Retribution doesn't work very well, either -- new identities are very easy to come by, and since most spammers are already committing other illegal acts (ranging from the "products" they advertise to the systems and address blocks they hijack) they're not easily dissuaded by laws.

Reasoning like this leads me to schemes that involve imposing cost. It may be financial, it may be CPU cycles, it may be any of a number of things. But it can't be identity based, except for recipient-based whitelists, and they have their own disadvantages.

--Steve Bellovin, http://www.research.att.com/~smb
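
Added example, not part of the message above and not a scheme it names: one way a CPU-cycle cost can be imposed without any sender identity is a hashcash-style proof-of-work stamp bound to the recipient. The stamp format, function names and addresses below are assumptions made up for illustration.

```python
from __future__ import annotations

import hashlib
import itertools
import os


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, bits: int) -> tuple[str, int]:
    """Sender side: brute-force a counter until SHA-256(stamp) has `bits`
    leading zero bits. Returns the stamp and the hashes spent, which is
    about 2**bits on average. This is the imposed cost."""
    salt = os.urandom(8).hex()  # keeps stamps for the same mailbox distinct
    for counter in itertools.count():
        stamp = f"{bits}:{recipient}:{salt}:{counter}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1


def verify(stamp: str, recipient: str, min_bits: int, seen: set[str]) -> bool:
    """Recipient side: a single hash, and no notion of who the sender is."""
    parts = stamp.split(":")
    if len(parts) != 4 or parts[1] != recipient:
        return False  # malformed, or work was paid for a different mailbox
    if stamp in seen:
        return False  # replay: one stamp buys one delivery
    digest = hashlib.sha256(stamp.encode()).digest()
    if leading_zero_bits(digest) < min_bits:
        return False  # the claimed bits field is never trusted, only the hash
    seen.add(stamp)
    return True


if __name__ == "__main__":
    spent: set[str] = set()
    rcpt = "alice@example.org"  # constructed address
    stamp, work = mint(rcpt, 16)
    print(f"minted {stamp!r} after {work} hashes")
    print("first delivery accepted:", verify(stamp, rcpt, 16, spent))
    print("replay accepted:", verify(stamp, rcpt, 16, spent))
```

The asymmetry is the point: minting costs the sender thousands of hashes per recipient, while checking costs the recipient one hash and a set lookup.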