On Thu, 2005-01-06 at 10:54 +0000, Tony Finch wrote:
For better or worse the email authentication means of solving the spam
problem is owned by SPF/Sender-ID framework for the next couple of years. I
beleive that in time signatures will superceed the IP based authentication
approach but that will take some time.
SPF can't be used to reject email because its error rate is too high. A
decent MASS implementation will easily get a lower error rate. Heuristics
can help, for example given a message with a broken signature, you might
accept it if it has List- header fields, otherwise reject.
Of course neither SPF nor MASS is a "means of solving the spam problem"
without an accreditation/reputation system, and no-one is working on a
system that will integrate with either of them. Until that happens these
systems are just noise unless they can provide reliable rejection
A reputation system needs to be sure to identify the accountable
entities in addition to reporting the results. Only CSV and MASS offer
the potential to broadly authenticate named entities involved in the
message. CSV authenticates the administrator of the last system and
MASS may be able to authenticate the administrator of the first. CSV is
lightweight and can protect the network resources. MASS provides a
level of integrity beyond the last system. Only when there is assurance
of an accountable entity will a reputation system function. One can not
hold an entity accountable for having authorized transport of mail
alone. The low integrity of the mail system would make that a fools
quest. Authentication of the accountable entity is vital. Provide
authentication and the rest becomes inevitable.