Slashdot Mirror
Postfix's Creator Outlines Spam Solution
SATAN writes "Wietse Venema started out as a physicist, but became interested in the security of the programs he wrote to control his physics experiments. He went on to create several well-known network and security tools, including the Security Administrator's Tool for Analyzing Networks (SATAN) and The Coroner's Toolkit with Dan Farmer. He is also the creator of the popular MTA Postfix and TCP Wrapper.
SecurityFocus chatted up Venema to talk about software security, how to improve the code quality, what solutions we might have to fight spam successfully, the principle of least privilege, and the philosophy behind the design of Postfix. Venema is currently a researcher at IBM's T.J. Watson Research Center."
...once I started reading his replies on the postfix-user mailing list. He's extremely blunt. While many are VERY helpful and detailed, a number are a sentence or two long that, paraphrased, consist of "you're an idiot."
However, he's nothing compared to Victor Duchovni (who works for Morgan Stanley, and is a major poster on the postfix-users list). His signature, and I'm not making this up:
Yeah, you read that right. 11 lines long...and this asshole thinks he's so fucking important, he lectures you about how to thank him so he can delete your acknowledgment/thank you as quickly as possible. He's often more willing to insult than help, and on numerous occasions, comes to the wrong conclusion. Worse still, he often presents his solution with complete authority and confidence, putting the helpless user on a primrose path.
Please help metamoderate.
As a big fan of signed e-mail, I see something like this:
Anything signed by someone I trust, arrives in my inbox. Anything signed but not by someone I trust, goes into a holding box from which I can fish e-mails I want. Anything not signed, or with a corrupted signature is rejected as unacceptable at the MTA level.
Now, anything arriving in my inbox can only be spam if someone I know has a hacked system, which should be rare AND I can contact them to tell them to fix it, because I know who it is from the signature (unlike e-mail viruses that could be practically anyone I know). This means that I know when I get e-mail in my inbox, it's worth me looking at.
Unexpected e-mails are still an issue, and may get lost, but frankly that happens anyway (I get somewhere over 200 spam per day, only a couple of dozen of which make it through enough filters for me to even glance at the subject line).
Filtering could be multi-stage, too; regular inbox for trusted people, a secondary inbox for people who I have been introduced to (for example, by a mailing list), then signed but unrecognised, and then everything else.
From TFA:
I use Exim4 as a pre-processor for a GroupWise system.
This allows me to reject messages during the SMTP connection (no receive and then bounce back) and I have customized the rejection messages to include my phone number. As long as YOUR email admin handles error messages in any sane way, you'll get a phone number to call and talk to the guy who set up the system that rejected your email. I get a call about every other month now.
The real problem is not "aggressive anti-spam/virus measures".
It is that 80%+ of the inbound connections are spam-related. So just about ANY action taken will reduce the amount of spam. But the email admins still need to continually evaluate their processes.