At 12:23 PM -0500 3/10/03, Jason Hihn wrote:
> The outgoing mail server will have to see what addresses
> account(_at_)yahoo(_dot_)com did send to that haven't been verified
> ("authenticated") yet. If it gets a request from an account that was not
> sent to, then it sends an 'account does not exist' message. This will
> cause the spoofed message to be rejected, while not allowing the
> existence of an account to be determined by a malicious entity.

This assumes a pretty complex infrastructure mapping between all
possible sending servers and receiving servers for the same domain.
And until everyone has updated their mail servers, the false positive
rate is going to be huge, so you don't dare block on it.

So once again you have a system which nobody has an incentive to move
to until it's been deployed by the majority of users.

Let me propose a rule for proposals.

No proposal without an explanation of the incentives for the senders
and receivers to adopt the system at three stages: 10%, 50% and 90%
deployed. And at each stage, explain what actions the spammers are
being forced to take.

I would argue that a system that offers no benefits until you've
passed the 50% point is never going to be adopted.

On the other hand, a system which is virtually guaranteed to fail at
the 90% point (challenge/response, possibly content filters) can
demonstrably be shown to have early adopters because, while it may fail
when scaled, it works now.

Let's try and leverage those social forces. (My anthro advisor would
be proud :-)

--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg