Right now SMTP AUTH is a bit more useful because the mailer can directly identify the compromised subscriber. But I expect this to also be short-lived. Eventually the compromised computers will start passing authentication information.

SMTP AUTH and 587 might not be silver bullets but they can shift the action into an arena where we can use bigger clubs to beat the spammers. Right now, if someone sends SPAM they are not breaking the law. However, if someone compromises another person's computer, steals their authentication credentials, transfers those credentials to another compromised computer and then sends SPAM, they are clearly breaking the law. They are also doing something that banks, credit card companies and law enforcement agencies are very interested in tracking down, namely the theft and transfer of authentication credentials. And if we get to the point where people can rightly claim that 94.7% of SPAM is the direct result of security flaws in Microsoft operating systems, then there is another big club in the form of the FTC and class action suits that can be applied to the problem. --Michael Dillon