spf-discuss

Re: Extensibility and Accreditation

2004-01-22 17:32:34
On Thu, Jan 22, 2004 at 03:42:57PM -0500, Meng Weng Wong wrote:

| On Thu, Jan 22, 2004 at 02:28:33PM -0600, Phil Howard wrote:
| | I'm not going to trust a spammer to tell me to look at DMA to find out
| | he's a good guy.
| 
| You're missing the point.  The spammer will tell you he's listed with
| the DMA.  That's the accreditation step.
| 
| You will then say, pah, I don't trust anything the DMA says.  That's the
| reputation step.
| 
| Reputation can be provided by antispam vendors like Brightmail.
| 
| So there's a four-entity system:
| 
|   sender
|   - sends the message.
| 
|   accreditor
|   - paid by sender to make assertion about the sender.
|   - assertion can be verified by recipient
| 
|   ------------------------ this is the line in the sand ----------------------------
| 
|   recipient
|   - gets the mail from the sender.
| 
|   reputation service
|   - tells the recipient what it thinks of the sender, of the assertions
|     made by the sender, and of the accreditation service itself.
| 
|   it's like seconds in a duel.
| 
| There's actually a five-entity system because behind the sender is the
| author, but we can get to that in a separate message.
| 
| | 
| | But a mechanism that allows the spammers to fake it is useless.  If the
| | spammer tells you where to look things up, that's no good.  I need to be
| | able to look things up from where *I* specify, not where the spammer says
| | to.
| | 
| 
| If a spammer fakes it, the accreditation service won't verify.
| 
| If the accreditation service is bogus, your reputation service will know that.
| 
| The spammer is not telling you how to make your reputation decision.
| 
| Only you can tell yourself where to make a reputation decision.
| 
| The sender is putting their cards on the table for you to help you make
| that decision.

So why does the accreditation information need to be in the SPF string?
Why not add it to SMTP or RFC822 or even fudge it in the address itself?

But as long as the accreditation _can_ simply be ignored without having
to take the abort default in SPF, I guess it won't really hurt if it is
present.  But that shouldn't be that much data.  A domain name is all
you need.  If you're going to ask your reputation source, that can include
the rest of the accreditation access data (like what URL to use).


| | You still have to implement the logic behind the data for it to be of any
| | use.  Unvetted extensibility is a bad idea.
| 
| I agree, but in this case I think we can get away with it, because the
| line in the sand means that by default a receiver doesn't trust anything
| said by the sender, and only begins believing things that can be
| verified by an accreditation service that the receiver does trust.

And what if the reputation source identifies not accreditors, but the
actual senders directly?

-- 
-----------------------------------------------------------------------------
| Phil Howard KA9WGN       | http://linuxhomepage.com/      http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/   http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
