[KLUG Members] Spam and Tagged Message Delivery Agent

Adam Williams members@kalamazoolinux.org
11 Mar 2002 21:52:19 -0500


>>I recently came across a different approach to stopping spam called Tagged
>>Message Delivery Agent (TMDA) http://software.libertine.org/tmda/
>OK, I read this. IMO it's more of the same.... filtration and parsing of 
>e-mail headers (and maybe some other things). 
>>TMDA's Whitelist-centric Strategy   ``Deny everything that is not explicitly
>>allowed''
>Real-Life analogue to this: Crime's bad out there, but thicker doors and
>bigger locks.
>Not an effective strategy...oh, maybe so in the short term. The real answer
>to "Crime's bad out there" is determining the root causes of crime, and 
>solving it. This may vary from (maybe based on your political, ethical, 
>moral, etc. outlook) removing some socio-economic deficiency to throwing
>dem purps in the hooscow, and building more hooscows as needed. I'm sure
>the denizens of this list can think up even more extreme examples.
>What these methods have in common is that they carry the course of events
>to the criminals. I propose to do the same thing with spammers, carry the
>"battle" to them. Huddling behind "thicker doors", better filters and so
>on isn't going to get spammers removed from the net.

And "thicker doors" mentality diminishes the quality-of-life and freedom
of the same people it is meant to protect.  White lists dramatically
reduce the dynamic power of technologies such as e-mail.  I've gotten
wonderful/brilliant/helpful/beautiful messages out of the blue from
people I've never heard of.   And businesses will lose the ability to
hear from that customer they never expected.

>>I would be interested to know if you or anyone else has had any success
>>using this.
>I wouldn't have success with this, because it runs counter to the way I want
>to use e-mail, and how I visualize the net at its best.

Exactly.

I have built white lists for controlling e-mail to friends dwelling in
even-less-enlightened nations,  because a message of a certain topic
from some dim bulb could land them in hot water.  So I think white lists
have a narrow "correct" use but are in general a gross overreaction to
junk mail / SPAM.

>>It seems to make a lot of sense. Spammers are essentially sending one way
>>mail from someone else's open relay or their sites would quickly be put on
>>the rbl list and automatically blocked (everyone does real time black hole
>>mapping don't they?)
>By removing the spammer from the environment, there is no need to do these
>checks, or run other things (like filters). 
>However, I ran my mail server through the paces on the ORDB site you
>offered the group, and that's a Good Thing. I'm not saying that just 
>because my server passed (polishing fingernails on shirt, inspects
>more EXCELLENT work, smirks modestly), but because it's an effective 
>way of denying spammers a resource. If all mail server admins (a
>fairly well-qualified target) simply ran the tests and modified their
>configurations so that they passed, it would probably help somewhat.

And most modern configs are pretty tight by default,  these days getting
sendmail *TO* relay is the chore.  The process of aging will over time
make matters more difficult for SPAMers as these older servers are
retired, die off, tossed into the next county by tornadoes, etc...

>>So, with TMDA you simply create a whitelist of trusted people from existing
>>email addresses, then the first time someone not on the list sends you an
>>email, they get an automatic reply from your SMTP server saying something
>>like "Hi, if you were really trying to email me....
>This might be OK for some business-to-business environments, but it is 
>simply not acceptable in general. I really want anyone on the internet
>to be able to reach me by e-mail. I think that having to send an extra 
>e-mail message is going to have a chilling effect on that.

Exactly.

>Also, where is this "list"? If it's on their server, what privacy issues 
>are raised? is it secure enough? If it's hosted on one of the machines on
>my LAN, how can it be connected to other methods of reading e-mail?

These are pretty easy to implement using LDAP maps (I go over this in my
LDAP presentation).  So accessibility of the lists isn't too much of a
problem,  but maintaining them becomes a pain.  Pretty soon you're
*permitting* several hundred e-mail addresses.  You get people with
fairly dynamic addresses once you get a pool of that size.  Overall...
"Ick!" from an admin standpoint.

>>I haven't tried it yet because I will have to make a compelling case to
>>management for the "Deny everything" stance before I can put it in place.
>I can see the applicability of this in some business environments, but 
>many of us need to be more open about our e-mail.
>And, TMDA or not, the spammers are still going to be there, outside those
>ever-thickening doors, unless someone goes out and deals with the problem,
>directly.

The best defense is a good offense.
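
The whitelist-and-challenge flow summarized in the quoted text above, as an added example that is not part of the original post and not TMDA's own code. It is a simplified model: the HMAC-tagged confirmation address, the `Mailbox` class, the secret and all addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: secret known only to the recipient's MDA
RECIPIENT = "me@example.org"       # constructed address

def confirm_address(sender):
    """Per-sender confirmation address; the tag is a MAC over the sender."""
    tag = hmac.new(SECRET, sender.lower().encode(), hashlib.sha256).hexdigest()[:16]
    local, domain = RECIPIENT.split("@")
    return f"{local}-confirm-{tag}@{domain}"

class Mailbox:
    def __init__(self, whitelist):
        self.whitelist = {a.lower() for a in whitelist}
        self.pending = {}   # unknown sender -> messages held until confirmed
        self.inbox = []

    def receive(self, sender, rcpt, body):
        sender, rcpt = sender.lower(), rcpt.lower()
        if rcpt != RECIPIENT:
            # Mail to a tagged address: accept only if the tag matches this sender.
            if not hmac.compare_digest(rcpt, confirm_address(sender)):
                return ("reject", None)
            self.whitelist.add(sender)
            released = self.pending.pop(sender, [])
            self.inbox.extend(released)
            return ("confirmed", len(released))
        if sender in self.whitelist:
            self.inbox.append(body)
            return ("deliver", None)
        # Not explicitly allowed: hold, and challenge only once per sender so
        # repeated mail from the same address does not trigger repeated auto-replies.
        first = sender not in self.pending
        self.pending.setdefault(sender, []).append(body)
        return ("challenge", confirm_address(sender)) if first else ("hold", None)

if __name__ == "__main__":
    mb = Mailbox(["friend@example.com"])
    print(mb.receive("friend@example.com", RECIPIENT, "hi"))
    action, addr = mb.receive("stranger@example.net", RECIPIENT, "hello")
    print(action, addr)
    print(mb.receive("stranger@example.net", addr, ""), mb.inbox)
```

Every confirmation adds an entry to `whitelist`, which is the growth in permitted addresses that the reply describes as a maintenance burden.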