To attack spam, we need to attack it at its core, not at some secondary
tertiary side-effect, with a mechanism that also hurt legitimate users.
We, as network operators don't need to attack spam. We need
to ignore spam itself and get to work securing the network
that enables spammers to do their dirty work.
Unless and until there is broad community consensus that answers that
question in concrete and practical terms, then all our efforts are
losing and stop-gap.
I wouldn't go quite so far as that. Yes, broad consensus of
the network operator community would help us to secure the
architecture of the email system. That's why I have suggested
that large email operators should be meeting regularly in a
forum where they can discuss and agree upon *BEST PRACTICES*.
But it also helps for people to implement best practices in
a piecemeal fashion because that provides the real-world
operational experience to prove that a particular practice
From recent conversations on the list it appears that the
BCPs for email include using the submission protocol for
all end-user sending of email. But I would like to see this
go a step further and require SMTP AUTH for every single
SMTP session on port 25 as well. That means that AOL's mailservers
would have to authenticate their sessions on Hotmail's servers
before sending email and vice versa. It means that you cannot
operate a mailserver without having a bilateral agreement in
place with some set of email peers. It provides a chain of
trust through those bilateral agreements that makes it easier
to block SPAM and catch spammers.
Yes, this probably means that we need to have some DNS
related changes so that a domain can publish a list of
their email peers and so that MTA software can figure out
where to forward a particular email to reach its destination.
But none of this is rocket science. And all of it could be
accomplished by sitting the major email operators around
a table to hash it out. NANOG could help here by devoting
the next meeting to the various technical operational email
issues and by extending to an additional day for the email
operators forum. There is plenty of BCP material that could
be presented and even though some of the operators like AOL
have presented this in the past, an update would be useful
to a lot of us.