120 sats \ 2 replies \ @Caleb 4 Jan
SMTP isn’t authenticated. It was invented simpler, more trusting times. The author of this post seems to think it’s part of the exploit that you can send email as anyone, but this is normal. I used to send emails from bill@microsoft.com to impress people 20 years ago. It’s harder now with spam filtering and half assed protections that have been bolted on.
This “exploit” is about adding smtp commands at the end of an email and getting them executed to bypass some protections like DKIM. Some vendors aren’t even going to fix it and say it’s intended behavior. This might make certain targeted phishing attacks seem slightly more authentic if the mail server is configured to allow this.
In an related note, Almost all emails sent are spam. Can easily be fixed with proof of work so I’m curious why that hasn’t been adopted. If your cpu has to spend 1 second of work to send an email, it’s nothing, but if you’re a spammer sending millions, it adds up.
reply
Hashcash was proposed for email spam protection, and Microsoft was trying this in the early 00s with the Penny Black project.
The problem with proof of work is that it’s hard to adjust difficulty without a feedback mechanism, Bitcoin solves this with 2016 block epochs.
Email and SMTP don’t have such mechanism, how do I know that spam farm just bought 500 new mail asic miners? does every mail front end now need to buy miners? Grandma using Eudora? If it’s CPU only, how do we agree to a given mining algo. SMTP is merely a protocol, it is not consensus. There is no consensus in mail beyond the very basics in handling — there is no lock step mechanism like Satoshi clients.
Most email today is sent from a handful of providers who can centrally filter and control spam.
reply
100℅ agree with that. Feels like we have collectively surrendered SMTP to the ad tech professional spammers.
reply