On Wed, 11 Feb 2004, Alex Bligh wrote:
I think you are missing the point. I have lots of people abusing my port 25. They can abuse this due to the nature of the (current unadorned) SMTP protocol as I have to leave it open and unauthenticated in order to receive mail to users served by my server.
The bulk of the abuse (some people estimate 2/3's) is due to compromised computers. The owner of the computer doesn't know it is doing it. Unfortunately, once the computer is compromised any information on that computer is also compromised, including any SMTP authorization information. SMTP Auth is not the silver bullet to solve the spam problem. As it becomes more widely deployed, it will become less effective. It only appears to work now because SMTP AUTH is still a bit of a niche. Nevertheless SMTP AUTH is already being abused, and I expect complaints about users using plain smtp and smtp auth to eventually be equal. Right now SMTP AUTH is a bit more useful because the mailer can directly identify the compromised subscriber. But I expect this to also be short-lived. Eventually the compromised computers will start passing authentication information. But it seems like people latch on to the "shiny new thing." I think MUA-to-MTA authentication for submission as well as collection is a good thing. Its been developed several times already, and maybe this time it has the right features to catch on. But it will not solve either spam nor abuse.