On August 13, 2005 at 16:56, Michael Thomas wrote:
If then only bad actors we were concerned about were phishers then I'd
agree. When we include spammers in the set of bad actors then the
situation becomes less clear. Making it slightly more difficult for
current bad actors to spam might well make spam considerably more
attractive for a much larger group of bad actors who don't mind
authenticating their spam.
I'm sorry, but I do not see how this follows at all. Spammers are
completely at liberty to identify themselves today. They don't
have to forge their addresses, so why don't they join the fun
today?
Because it is easier, and cheaper, not to.
The goal of authenticating messages is to increase the cost on
*specific methods* of spamming to either make it prohibitive, less
effective, and/or mitigate the damage caused (e.g. damage to reputation
of identity being forged).
At the same time, the method for authenticating messages should not
open up new methods for spammers to exploit.
Phishing is the "hot" thing now, but much of spam are not phishing
expeditions, so providing identity (usually with throw-away domains)
is no big deal.
With an authentication system in place, a phisher has to setup the
infrastructure to support authentication (an increased cost), while at
the same time, avoiding responsibility (e.g. using throw-away domains).
Direct forgery may not be allowed, but they may still have success with
"look-a-likes" (e.g. paypal.com vs paypa1.com).
Therefore, the increases in costs due to authentication may not be very
effective, but the cost savings in protecting legitimate identities
(with look-a-like attacks a possible acceptable, and unavoidable
risk) may be worth the effort as long new methods of exploits are
not created.
--ewh
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim