Open Relays Aren’t the Only Problem

While looking through The Lost Olive, I found this paper dealing with someone who found himself relaying spam through a web exploit. In a nutshell, the author of a photo web log hadn’t read up on CGI security, and a user discovered that people were exploiting the resulting hole to send out spam emails.

First of all, the paper details some excellent troubleshooting, starting off with “something seems odd”, and getting down to sniffing networks and looking at processes. If nothing else, the paper is worth reading for that reason.

More importantly, it shows that spammers are using more complicated vectors than the traditional open relays, and that blacklists aren’t going to help. (It also shows that if you’re going to run any sort of server on the Internet, even for fun, take responsibility for it!)

I’ve read about potential solutions, from a sender-pays strategy to an all-out whitelist. I still believe that anything that limits the open nature of the Internet isn’t good.

I’m trying to think of a system based on trust, such as PGP’s Web of Trust. Most of the email that you get is from someone you know, or at least someone within a couple of degrees of separation, right? I’m also thinking that, for scaling and technological reasons, it should be done at the MTA level rather than the user level.

That’s about it for now. An email just arrived: someone named “NICOLA.BARIBEAU” apparently had a great time this weekend, so I’d better give it my full attention.