To attack spam, we need to attack it at its core, not at some secondary or tertiary side-effect, with a mechanism that also hurt legitimate users.
We, as network operators don't need to attack spam. We need to ignore spam itself and get to work securing the network that enables spammers to do their dirty work.
Unless and until there is broad community consensus that answers that question in concrete and practical terms, then all our efforts are losing and stop-gap.
From recent conversations on the list it appears that the BCPs for email include using the submission protocol for all end-user sending of email. But I would like to see this go a step further and require SMTP AUTH for every single SMTP session on port 25 as well. That means that AOL's mailservers would have to authenticate their sessions on Hotmail's servers before sending email and vice versa. It means that you cannot operate a mailserver without having a bilateral agreement in
I wouldn't go quite so far as that. Yes, broad consensus of the network operator community would help us to secure the architecture of the email system. That's why I have suggested that large email operators should be meeting regularly in a forum where they can discuss and agree upon *BEST PRACTICES*. But it also helps for people to implement best practices in a piecemeal fashion because that provides the real-world operational experience to prove that a particular practice is feasible. place with some set of email peers. It provides a chain of trust through those bilateral agreements that makes it easier to block SPAM and catch spammers. Yes, this probably means that we need to have some DNS related changes so that a domain can publish a list of their email peers and so that MTA software can figure out where to forward a particular email to reach its destination. But none of this is rocket science. And all of it could be accomplished by sitting the major email operators around a table to hash it out. NANOG could help here by devoting the next meeting to the various technical operational email issues and by extending to an additional day for the email operators forum. There is plenty of BCP material that could be presented and even though some of the operators like AOL have presented this in the past, an update would be useful to a lot of us. --Michael Dillon