ietf-asrg

Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-07 09:31:31
From: "Tom Thomson" <tthomson(_at_)neosinteractive(_dot_)com>

...
I think that is wrong, because I think most people use Netscape, Outlook,
or Outlook express. ...

Sure they have the capability.  But it's an unusable nightmare, maybe
usable for you or for me or for most asrg list members, but usable by the
average email punter (the one who may fall for the spammer's scam)? - No
way.

That seems to be another way of making the good point that "if
authentication is a good defense against spam, then why aren't even
its advocates using it all these years after it was first advocated"?

...
principal from the chain of signatures in a certificate chain. Rejecting
mail with a clearly forged certificate and rejecting mail with a clearly
forged Received From header are not much different. Currently no-one does
either.

That is mistaken.  I've recently seen public statements from people
apparently not given to lies saying that their large scale filtering
includes checks for obviously forged Received headers.  Years ago, it
was common to reject mail with certain common bogus Received headers.
Do you remember the bogus timezone?

...
Just for my own information, could you let me know which approach I
prefer?

A combination of DCC plus arbitrary blacklisting based on apparent
unverified source address, if
http://www.rhyolite.com/anti-spam/freemail.html is a reliable indication.

That is only part of what I do for my own mail.  If you bother to read
the words in those pages, you'll probably see I don't think that
can work for all situations.

Now that many free providers implement rate limiting (I wish go.com would
implement it too - I get too much spam with authentic go.com email
addresses), it must be clear that blacklisting them is not going to
block much spam if the source is verified - looks as if verification would
reduce rejection of non-spam at any site following rhyolite's advice. 

What I assume you to mean by "verification" would reject almost as
much legitimate mail with free provider addresses as simply rejecting
all mail with free provider senders without such "verification."  A
large fraction of legitimate mail with free provider envelope or header
From values is sent from IP addresses unrelated to the free provider.
Free providers tend to receive far more legitimate mail than they
send.  This is because many people send from their ISPs but receive
at free providers for various reasons including using temporary
addresses to avoid spam.  Many free provider users could not use free
provider MSAs if they wanted to because of port 25 filtering by their
dialup or other ISPs.

(It's noticeable that your site is careful to talk about "spam claiming to
be from them", apparently accepting the position that some spam is designed
to conceal its source, a point that you have consistently argued against on
this list).

That misrepresents my position.  I have said that contrary to common,
false, naive or self-serving claims, most (but not all) spam sender
information cannot honestly be said to be "forged."  I think most spam
carries envelope and header From values that the spammer legitimately
owns or owned recently enough to not be guilty of "forgery."  In
addition, because almost all spam is about advertising, very few
spammers are shy about critical aspects of their identities.


 ....  With such legislation, source identification that would stand up in
court would be rather useful - that's why I think some form of
authentication is needed to back up the legislation. Reliable detection of
fake source/path information could also provide a good filter mechanism to
supplement those which already exist.

We don't need any changes for "source identification."  The source
that matters is the organization whose name, products, or services
are advertised by spam.  As demonstrated with the TCPA at least in
the U.S., you need only convince a court a "spamvertised" organization
was not "joe jobbed."  See also the Flowers.com court case in
http://www.mids.org/mn/803/spamset.html or
http://www.google.com/search?q=%22Flowers.%2Bcom%22+spam.  The IP
address used to originate spam is like the telephone number of the
fax machine that sends unsolicited fax advertisements.  If you have
that telephone number, you can also go after its owner, but your
primary legal target is the advertised outfit.

Authentication as a cure for spam has always been and always will be
snake oil.  Like most snake oil, it does its nominal target no harm.
Unlike most snake oil, it does some real good in areas unrelated to
spam.  Like most snake oil, it is flogged by the uninformed or credulous
people who haven't checked it out and by somewhat fewer who lack scruples.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com