StupidScript - 5:16 pm on Apr 7, 2006 (gmt 0)

With the exception of Habeas (which is a cool idea, but has gone down the wrong roads a few times .. but it's still cool), the current crop of programs all depend on a "valid" message coming from a "trusted" server.

So:

1) Example.com is validated by any/all of the services.
This means that mail originating from a "valid" user at that domain will be "trusted".

2) Spammer sends mail through "mail.example.com" as "jane" (a known valid, roaming user)
What happens to that mail? Let's see ... valid user, trusted domain ... bingo!

As far as they can tell, the SPF/PTR records are cool, the domain is in the receiving whitelist and the sending server sure didn't complain that "jane" was using it to send a message.

Solutions on the sending end, like SMTPAuth or some other use-name-and-password-for-every-send method, seem to be the most likely to actually work consistently.

Anybody want to take a shot at how we can educate every email-using individual to log in and give their password for each message they want to send? Heck, it's hard enough getting users to CHECK their messages regularly, let alone force them to use some cryptic procedure to get their mail out.