[NoCat] mitigating SPAM using nocat

Rob Flickenger rob at nocat.net
Mon, 8 Sep 2003 13:55:26 -0700


On Monday, September 8, 2003, at 01:11  PM, Tom Warfield wrote:

> Punish everyone else because of the spammers :(  bad move!

I guess I don't see it as punishment.  Legitimate users can still send 
email to their heart's content.  They just can't do it without first 
proving who they are.  I think that's a perfectly acceptable trade-off 
for public access.  If you want insecure protocols, go buy your own 
access.

> But I would see you setting up something to where outbound is only allowed
> using your email server.  Then you can see what is going on and ban those
> who are being idiots.

Do you really think you can catch spam in real time?  To automate it, 
would you run SpamAssassin or some other fancy filtering mechanism?  
What about false positives?  What about spam that it misses?  Or would 
you just limit the number of messages a person can send in a particular 
time period, and hope that they're being nice?

This whole mess is neatly sidestepped by forcing users to authenticate 
themselves to their own mail servers somewhere else on the Internet.

> The VPN isn't the answer.

Why not?  It's easy to do, and when properly done, it protects *all* of 
your traffic, even from other hostile wireless users.  And rogue 
gateways that copy your private data on the way past.

> The thing to remember here is you are here to serve the customer 
> (paying or not)
> and if you don't serve them then you won't have them.

Hey, if they don't like free, easy, and responsible, they can take it 
somewhere else.  =)

>> Besides, they can't send email directly from a node anyway, unless
>> their SMTP server is set up for open relay (in which case they work for
>> spammers as it is.)  They could send mail if you gave them your ISP's
>> mail server, but you probably don't want to do that.  I think blocking
>> it altogether is the easiest way.
>
> this is not true...not true at all.  You can open a relay via
> authentication.  If you are using Linux and postfix/sendmail/and the many
> others I would check out pop-before-smtp or something similar.

Eeew!  Clear text passwords to open relays?  Use SSL.  Or SSH.  It's 
really not that hard!  I look forward to the day when POP finally dies 
the death it so richly deserves.

(As Brian pointed out earlier, I completely failed to acknowledge that 
users can send spam by connecting directly, as an SMTP server does.  I 
sure don't want to try to keep track of people trying to do that.)

Actually, speaking of proxy servers, I get four or five users every day 
that use POP in the clear from my node.  I'd love to see a POP proxy 
server that accepts any username and password, and delivers a message 
that tells the user what an idiot they are for using insecure protocols.

Now that I'm officially off topic, I'll bring it back home: What does 
any of this have to do with NoCatAuth?  Isn't this best handled by 
separate software anyway?

--Rob
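
The POP responder wished for in the message above, sketched as an added example (not part of the original post and not NoCat code): a minimal RFC 1939 server that accepts any username and password, discards the password, and offers a single warning message. The warning wording, the `WarningSession` and `Handler` names, and the loopback address and port 1110 are assumptions for illustration.

```python
import socketserver

# Constructed warning text (wording is an assumption, not from the post).
WARNING = (
    "From: gateway@example.invalid\r\n"
    "Subject: Your POP password was sent in clear text\r\n"
    "\r\n"
    "This node answered your POP3 login itself; your real server was not used.\r\n"
    "Change that password, then switch to POP3 over SSL or an SSH tunnel.\r\n"
)
SIZE = len(WARNING.encode("ascii"))

class WarningSession:
    """POP3 subset (RFC 1939): any login succeeds, mailbox holds one message."""
    authed = False  # set on the instance after any PASS

    def handle(self, line):
        cmd, _, arg = line.strip().upper().partition(" ")
        if cmd == "QUIT":
            return "+OK bye\r\n"
        if not self.authed:
            if cmd == "USER":
                return "+OK send PASS\r\n"
            if cmd == "PASS":
                self.authed = True  # the password is discarded, never stored or logged
                return "+OK 1 message\r\n"
            return "-ERR log in first\r\n"
        if cmd == "STAT":
            return f"+OK 1 {SIZE}\r\n"
        if cmd == "LIST":
            return f"+OK 1 {SIZE}\r\n" if arg else f"+OK\r\n1 {SIZE}\r\n.\r\n"
        if cmd == "RETR" and arg == "1":
            # No line of WARNING starts with ".", so no byte-stuffing is needed.
            return f"+OK {SIZE} octets\r\n{WARNING}.\r\n"
        if cmd in ("DELE", "NOOP", "RSET"):
            return "+OK\r\n"
        return "-ERR unsupported\r\n"

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = WarningSession()
        self.wfile.write(b"+OK POP3 warning responder ready\r\n")
        for raw in self.rfile:
            line = raw.decode("latin-1")
            self.wfile.write(session.handle(line).encode("ascii"))
            if line.strip().upper().startswith("QUIT"):
                break

if __name__ == "__main__":
    # Loopback and port 1110 are assumptions, for trying a mail client locally.
    socketserver.ThreadingTCPServer(("127.0.0.1", 1110), Handler).serve_forever()
```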