Say I'm aaron@a.com and I want to send mail to bob@b.com. You say e-mail servers should require me to authenticate, so I authenticate as aaron to a.com, then a.com sends my mail unauthenticated to b.com. This has to be done unauthenticated over SMTP, because a.com doesn't have a username/password at b.com, and SMTP is a stupid protocol. SMTP is also the only protocol used to send mail between servers.
Now say I pwn a windows box with public ip abc.dhcp.isp.com and start sending spam to bob@b.com from spammer@abc.dhcp.isp.com . b.com won't reject me because I'm just as legit as a.com; to b.com, I pwn the domain abc.dhcp.isp.com legitimately.
The only solution at the moment is for ISPs to block the smtp port coming out from their clients.
Slashdot Mirror
Blocking at the MTA layer is too late.
Say I'm aaron@a.com and I want to send mail to bob@b.com. You say e-mail servers should require me to authenticate, so I authenticate as aaron to a.com, then a.com sends my mail unauthenticated to b.com. This has to be done unauthenticated over SMTP, because a.com doesn't have a username/password at b.com, and SMTP is a stupid protocol. SMTP is also the only protocol used to send mail between servers.
Now say I pwn a windows box with public ip abc.dhcp.isp.com and start sending spam to bob@b.com from spammer@abc.dhcp.isp.com . b.com won't reject me because I'm just as legit as a.com; to b.com, I pwn the domain abc.dhcp.isp.com legitimately.
The only solution at the moment is for ISPs to block the smtp port coming out from their clients.