[Asrg] Re: SPF Abused by Spammers
On Fri, 10 Sep 2004, Markus Stumpf wrote:
I don't mean to defend authentication as a means of spam reduction, as I
don't think in the end it will be helpful. But I don't think proponents
are stupid, it does have possibilities and might contribute to the
solution. It rather depends on what institutions develop in response.
Will reasonably large whitelists become available? I don't know.
There is a considerable amount of momentum and money behind both
commercial and open reputation services now in development. The current
market leader is IronPort's Bonded Sender, which boasts adoption by tens
of thousands of receiving domains and hundreds of senders. Participation
in the program involves a detailed mail sending practices investigation
against abuse (more symbolic than anything else - this is not a way to
"pay for complaints" - bad senders are not allowed to stay in the
program). Being bonded results in your mail being sent directly to the
inbox (for the most part) and in the future will be a factor that causes
images or links in the email to be displayed normally when other
non-bonded messages will have their images and links munged by default.
Habeas has had their whitelist for quite some time and rumor has it that
with new management and direction we can expect new options from them in
the future. Goodmail has announced plans for a "postage" style model but
has not launched the service yet. Cloudmark and MailFrontier and others
have recently announced reputation services and newsletter registration
services. Projects such as GOSSIP have sprung up from the open-source
community. And there are a number of other projects in the works that
have not been announced yet.
In my opinion, we are about to see a paradigm shift in mail filtering -
from trying desperately to identify all the fraudulent mail and bad
senders to spending much less time and energy keeping track of the good
senders (who aren't trying to hide in the first place and will step
forward to certify their practices and be held accountable). Reliable,
well-maintained whitelists with detailed certification processes and
transparent dispute resolution procedures will bring a much-needed
dependability back to email deliverability.
This isn't an all or nothing approach. To start, having a good
reputation will result in your mail going to the inbox and a bad one to
the spam folder. Senders with no reputation will still be subject to all
the spam filtering techniques that they are today. Over time, as more
and more mail senders are authenticated and develop reputations, mail
receivers will be able to "turn up the crank" on spam filtering for mail
arriving in any volume or apply greylisting to senders without a known
reputation. That's immediately useful because it allows legitimate mail
with a good reputation to be reliably delivered (even in bulk) but makes
it very hard to deliver any mail in bulk without a good reputation. I
won't go into the zombie situation here, but I think that will be
largely addressed by sender authentication and outbound port blocking.
If and when we reach a critical mass with sender authentication and
widespread reputation, receivers will be able to take it a step further
and subject non-authenticated mail to extreme spam filtering (or even
outright rejection) and quarantine mail from senders with no reputation.
I really don't think domain hopping will get you anywhere in the short
term or the long term. In the short term, it will just be one more tool
in identifying bad senders more quickly (no worse than without
authentication). In the long term, it could become a way to reject a
large quantity of suspect mail with a lower false positive rate than we
Founder & CEO