SMTP works just fine, thank you

“Joel on Software” → “Internet Security: Too Broke to Fix?”

Larry Seltzer wants to replace SMTP with something that has authentication and resource limits. Well, SMTP already has authentication, and many MTAs already have resource limits…

Many people discover SMTP’s authentication when they try to send e-mail while travelling; their ISPs don’t let them. SMTP can already use TLS with certificates, SASL, or POP-before-SMTP, and many ISPs are starting to require one or more. My _hobby_ server supports all three, so it can’t be hard. I haven’t seen anyone do resource limits out-of-the-box yet, but that’s because it doesn’t really solve anything; spammers will always be able to hide inside “legitimate” usage profiles.

The problem is not the protocol, or the mythical “Internet”; it’s poorly administered computers. People who don’t think twice about _properly_ managing and securing a PBX will turn around and install, then neglect, crappy SMTP gateways. In my e-mail logs, the worst offenders for poorly administered servers are non-technical companies (law firms, insurance companies, banks :-). Most of the spam I receive comes through open relays on corporate networks, and through relays on home computers (where Microsoft installs insecure software direct from CD :-).
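The difference between a server that honours the three mechanisms mentioned above and the open relays described here comes down to one decision at RCPT TO time. The sketch below is an added example, not code from the original post or from any real MTA; the local domain, the 30-minute POP window, the reply texts and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"example.org"}  # assumed: domains this server delivers for
POP_WINDOW = 30 * 60             # assumed: seconds a POP3 login authorises an IP

@dataclass
class Session:
    client_ip: str
    tls_cert_verified: bool = False  # client certificate validated during TLS
    sasl_user: Optional[str] = None  # set once a SASL AUTH exchange succeeds

def authenticated_by(s, pop_logins, now):
    """Name the mechanism that vouches for this client, or return None."""
    if s.tls_cert_verified:
        return "tls-cert"
    if s.sasl_user:
        return "sasl"
    last = pop_logins.get(s.client_ip)  # time of last good POP3 login from this IP
    if last is not None and 0 <= now - last <= POP_WINDOW:
        return "pop-before-smtp"
    return None

def rcpt_decision(s, rcpt, pop_logins, now, open_relay=False):
    """Reply to RCPT TO; open_relay=True models the neglected gateway."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "250 accepted for local delivery"  # inbound mail needs no auth
    mech = authenticated_by(s, pop_logins, now)
    if mech:
        return "250 relaying, client authenticated via " + mech
    if open_relay:
        return "250 relaying for an unauthenticated stranger"
    return "554 relay access denied"

def demo():
    """Run constructed sessions through both configurations."""
    now = 1_000_000
    pops = {"203.0.113.7": now - 600, "203.0.113.8": now - 7200}  # constructed
    sessions = [
        Session("198.51.100.1"),                     # stranger
        Session("198.51.100.2", sasl_user="alice"),  # travelling user, SASL
        Session("203.0.113.7"),                      # recent POP3 login
        Session("203.0.113.8"),                      # POP3 login expired
    ]
    rcpt = "someone@elsewhere.test"
    return [(s.client_ip, rcpt_decision(s, rcpt, pops, now),
             rcpt_decision(s, rcpt, pops, now, open_relay=True)) for s in sessions]

if __name__ == "__main__":
    for row in demo():
        print(*row, sep=" | ")
```

Only the first and last sessions differ between the two configurations: the authenticated clients are relayed either way, which is why closing the relay costs legitimate users nothing.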

If we introduce a new protocol, spammers will find new ways to abuse it. Criminals are constantly finding new ways to abuse corporate PBXes, and cell phones, and calling cards. The solution is for people to stop treating the Internet as a toy, and start maintaining their servers properly. Sadly, that’s not likely to happen, and so we’re left with reactionary technology like realtime blackhole lists and desktop spam filtering software.

posted at 3:43 pm on Friday, April 25, 2003 in Rants