> gep2(_at_)terabites(_dot_)com wrote:
>> I've been arguing PRECISELY this point for several years,
>> and Wong (et al) still forge blindly ahead with SPF
> That would be at most two years if you'd count RMX as the
> concept, and SPF as its realization.

I could go back and find my archived posts on the issue, but ultimately it
matters little. In Internet terms, anyhow, it's been quite a while.

>> SPF and other such schemes SIMPLY DO NOT WORK because they
>> DO NOT SOLVE THE PROBLEM. They only force worms to use
>> "real" return addresses and "approved" servers, but that
>> accomplishes very, very little.
> That's a contradiction. First you say SPF doesn't solve "THE
> PROBLEM", and then you say that SPF exactly does what it's
> supposed to do. Apparently your definition of "THE PROBLEM"
> has nothing to do with SPF.

Or, alternatively, the problem SPF "solves" is NOT the spam problem, nor is it
the worm problem. It doesn't even mean that E-mail comes legitimately from a
trusted person with an authenticated return address. It (arguably) ensures that
the machine that sent the mail can be identified as such; but as long as
authenticated machines can be infected and recruited to send "authenticated"
worm/spam messages, SPF and similar schemes do very little to prevent such
things... you're still running along after a constantly moving target, trying to
lock the barn door (and there are MILLIONS of them, and new ones being created
all the time) after the horse has escaped. And then you have the issue, too, of
undoing the DAMAGE that SPF has done, not only to "recommission" the victim's
E-mail integrity, but also fixing the many legitimate systems that SPF breaks.

> And your "solution" is to get rid of MIME multipart resp. text/html, and mails
> bigger than 12 KB.

No, not at all.

The point of the permissions list is that small(ish) plain text messages
(without attachments) are QUITE SUFFICIENT for UNEXPECTED initial contact
messages from UNFAMILIAR senders.

Once the contact has been made, and the recipient trusts the sender, *if* there
is going to be an extended correspondence, then the recipient can enable ONLY
JUST the type of bulkier/riskier content that they agree that the sender wants
and needs to send, and which the recipient trusts the sender not to abuse. It's
really a matter of not just WHO the sender is, to THIS recipient, but what mail
from them is "expected" to look like. Mail coming "from" that sender but which
doesn't look as it normally does (e.g. suddenly it's got Java, or .CPL or .SCR
attachments, or decryption, or obscured URLs, or ActiveX or whatever) is BY
DEFINITION suspect BECAUSE it doesn't look like what the recipient expects to
receive from that sender. It doesn't fit the pattern. (Other mail from the
same sender probably DOES look "right" and thus will continue to sail right
through, as it should).

> Your recipe won't help me against hundreds of bounces...

"bounces" containing viruses or worms (for example) WOULD be identified and
blocked if they didn't fit the default criteria from that (probably unknown)
sender.

> ...and other crap like challenges caused by forged addresses unfortunately.

It would block what it blocks, and that's set (and changed when necessary) by
the recipient. It would virtually eliminate E-mail as a vector for the
transmission of worms and viruses. It would make major inroads against phishing
attacks in E-mail by making it harder to spoof URLs. With widespread adoption,
it would reduce the sheer byte volume of unsolicited spam by forcing spammers to
mail it as plain text of limited size, as HTML-burdened spam is generally 3-5x
bigger than a plain text equivalent. It doesn't break vanity domains, doesn't
break "atypical" send paths (e.g. the cruise ship Internet cafe or the hotel
business center or the Internet cafe) and doesn't break mailing lists or other
forwarding.

Better yet, it is implementable on an individual system basis, provides
IMMEDIATE benefits to those using it, requires no worldwide consensus or
sweeping changes. Win-win.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
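The per-sender "permissions list" described in the post above, as an added illustration that is not part of this thread or of any real implementation: a recipient-side check in Python that applies the default (small plain text, no attachments, the 12 KB figure quoted in the thread) to unfamiliar senders and the recipient's own allowances to known ones, and reports each way a message departs from the pattern expected from its sender. The permissions table, addresses and message contents are constructed for the example.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Default for unexpected mail from unfamiliar senders: small plain text,
# no attachments.  12 KB is the size limit quoted in the thread.
DEFAULT_POLICY = {"max_bytes": 12 * 1024, "types": {"text/plain"}, "attachments": False}

# What this recipient has agreed to accept from particular senders.
# Constructed sample data; a real deployment reads the recipient's own list.
PERMISSIONS = {
    "alice@example.com": {"max_bytes": 5 * 1024 * 1024,
                          "types": {"text/plain", "text/html", "application/pdf"},
                          "attachments": True},
}

def policy_for(sender):
    """Permissions granted to `sender`, or the default for anyone unknown."""
    return PERMISSIONS.get(sender.lower(), DEFAULT_POLICY)

def evaluate(raw):
    """List every way message `raw` (bytes) departs from what its From: address is expected to send; empty means it fits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    allowed = policy_for(sender)
    problems = []
    if len(raw) > allowed["max_bytes"]:
        problems.append(f"size {len(raw)} exceeds {allowed['max_bytes']} bytes")
    for part in msg.walk():
        if part.is_multipart():
            continue  # container; only leaf parts carry content
        ctype = part.get_content_type()
        if ctype not in allowed["types"]:
            problems.append(f"unexpected part type {ctype}")
        if part.get_content_disposition() == "attachment" and not allowed["attachments"]:
            problems.append(f"attachment not permitted: {part.get_filename()}")
    return problems

def build(sender, text, html=None, attachment=None):
    """Construct a sample message for the demo (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "me@example.net", "hello"
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:  # (filename, maintype, subtype, payload bytes)
        name, maintype, subtype, data = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()
```

A short plain-text note from a stranger passes, while the same stranger sending HTML with a `.scr` attachment, or anything over the size default, is flagged; the same content from a sender the recipient has explicitly permitted passes.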
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg