At 4:27 PM -0700 4/12/05, George Ou wrote:
-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org
[mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of Bill
Cole
Sent: Tuesday, April 12, 2005 3:26 PM
To: asrg(_at_)ietf(_dot_)org
Subject: RE: [Asrg] article: port 25 blocking
SPF '-all' publishing and enforcement has not proven feasible for domains
of any significant scale and/or user diversity. Without all domains
publishing a '-all' record along with a large fraction of receiving systems
being willing to enforce those records, SPF use cannot reduce the utility of
port 25 blocking.
From the way you make it sound, it sounds like we will NEVER have any kind
of domain level authentication and the "from:" address will remain on the
honor system.
Yes and no. There already IS domain-level authentication for those
who want and need it and have taken the time to set it up with
domains they want to maintain reliable authentication with.
Domain-level authentication that is really trustworthy and fully
enforceable (i.e. both passing and failing are treated as
definitively meaning something) with all domains is never going to
happen. SPF has been a good demo of why it can't work. I say that as
someone who was enthusiastic and evangelistic 5 years ago about the
core concept that evolved into SPF. I was wrong. SPF and its kin are
not completely worthless, but they won't ever be a full solution to
spam.
Yahoo's DomainKeys stands a chance of being useful domain
authentication that is not onerous to set up and has different (and
less ugly) break points than SPF, but it also is not going to ever be
truly global and enforceable. Even if it were, domain authentication
is not the same thing as authorization, and it is already common for
spammers to use 'throwaway' domains in enough volume that they've
made blacklisting by authoritative nameserver a usable tactic.
Since it appears that there is no consensus for any one solution, be it SPF
enforcement or port 25 blocking, you might be right about that, so the future
remains bleak.
Not at all. The present is reasonably good and the future is fairly
bright. The exceptions to that are for people who want a single magic
bullet for spam control, and particularly for people who want that
magic bullet to be their own patented idea. It is possible right now
to achieve 95% spam rejection before DATA in SMTP and 99% rejection
overall, with less than 0.01% false positives. The constraints in
which that can be done are not economically feasible for large ISPs
and might not even be possible for their sorts of very large and very
diverse mail domains.
Looking at the problem as one addressed by SPF *or* port 25 blocking
*or* some other approach is a hopeless approach. SPF and port 25
blocking both can help solve certain problems related to spam, but
neither is anywhere near a full solution. There is a huge set of
tactics and tools out there right now that can be applied carefully,
selectively, and *jointly* in different situations to achieve very
good results. The 'spam problem' is not that no one knows how to
avoid spam, but rather that too few people are willing to devote the
needed resources to avoiding it and making sure they don't contribute
to it. SPF helps on one side by letting some domains publish hints of
mixed value as to the validity of mail claiming to be them. Port 25
blocking of dynamically assigned address space aids on another front
by reducing the population of useful spam zombies.
Beyond that, any proposal that requires everyone to make changes on the
same schedule or else the first movers will break their systems badly is
simply never going to happen at all on any schedule. SPF as the FUSSP
requires behavior that is self-harming unless everyone else does it at the
same time.
If we could get the top 50 domains to start "punishing" non-SPF-compliant
domains with delays and a gradual migration to a hard fail in unison, would
that not prompt other domains to become SPF compliant?
Yes, and if we could get pigs to grow wings and wear saddles, we
could have leaner pork, less traffic congestion, and a lot of free
fertilizer from the sky for everyone.
Even global adoption of SPF with hard failure does not solve the
problem addressed by port 25 blocking. The trick of setting up
perfectly valid domains with records that seem to say that abused
zombie machines on dynamically assigned addresses are perfectly valid
mail servers for that domain is about 2 years old. A zombie can
easily have a valid SPF record for the domain it sends as.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
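The point at the end of Bill's message, that a zombie on a dynamically assigned address can pass SPF with a perfectly valid '-all' record as long as the spammer's own throwaway domain lists that address space, is easy to see by walking an SPF evaluator over a few records. The following is an added example written for this page, not code from the thread or from any SPF implementation. It is a deliberately small, offline check_host() in the style of RFC 4408: it supports the ip4, ip6, a, include and all mechanisms plus the redirect modifier, and reads records from an embedded, constructed zone instead of DNS. All domain names and addresses are made up (RFC 2606 names, RFC 5737 addresses); the "zombie" at 198.51.100.77 is a hypothetical compromised host in a dynamic pool.

```python
"""Offline SPF evaluator (added example). Looks up records in SPF_ZONE/A_ZONE
instead of DNS so it runs without network access. Not a full RFC 4408 implementation:
mx, ptr and exists are not implemented and are reported as permerror."""
import ipaddress

# Constructed zone data: every name and address here is invented for the example.
SPF_ZONE = {
    # A corporate domain that can afford a hard-fail record: two fixed outbound MTAs.
    "corp.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    # A large ISP that cannot enumerate every legitimate sender, so it softfails.
    "bigisp.example": "v=spf1 ip4:192.0.2.0/24 a:mta.bigisp.example ~all",
    # A spammer's throwaway domain that simply authorizes the whole Internet.
    "throwaway.example": "v=spf1 +all",
    # A spammer's domain whose "strict" -all record authorizes two dynamic pools.
    "zombiepool.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
    # A front domain that inherits the zombie pools through include:.
    "front.example": "v=spf1 include:zombiepool.example -all",
    # A domain that delegates its policy with redirect=.
    "alias.example": "v=spf1 redirect=corp.example",
}
A_ZONE = {"mta.bigisp.example": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 4408 caps include/redirect chasing

def _matches(mech, client, domain):
    """True/False if the mechanism is supported here, None if it is not implemented."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)  # bare address becomes a /32 or /128
        return client.version == net.version and client in net
    if name == "a":
        target = arg or domain
        return any(client == ipaddress.ip_address(a) for a in A_ZONE.get(target, []))
    return None  # mx, ptr, exists: would need DNS, not implemented in this offline example

def check_host(client_ip, domain, depth=0):
    """Return the SPF result for client_ip sending as domain: pass, fail, softfail,
    neutral, none or permerror."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = SPF_ZONE.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    client = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:
            continue  # other modifiers (exp=, unknown) are ignored per RFC 4408
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.startswith("include:"):
            sub = check_host(client_ip, mech.split(":", 1)[1], depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
            continue  # included record said fail/softfail/neutral: keep evaluating
        matched = _matches(mech, client, domain)
        if matched is None:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_host(client_ip, redirect, depth + 1)
    return "neutral"  # nothing matched and no redirect: RFC 4408 default result

ZOMBIE_IP = "198.51.100.77"  # constructed: compromised host in a dynamic pool

def zombie_results():
    """Evaluate the zombie against every domain in the constructed zone."""
    return {domain: check_host(ZOMBIE_IP, domain) for domain in SPF_ZONE}

if __name__ == "__main__":
    for domain, result in zombie_results().items():
        print(f"{ZOMBIE_IP} sending as {domain:22s} -> {result}")
```

Running it, the zombie hard-fails for corp.example and only softfails for bigisp.example, which is the '-all' versus '~all' distinction Bill refers to; it passes for throwaway.example, zombiepool.example and front.example, all of which are syntactically well-formed records, two of them ending in '-all'. That is why a receiver that "enforces SPF" has only learned that the message is authorized by whoever controls the domain, not that the domain is worth accepting mail from: authentication is not authorization.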
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg