ietf-mailsig
[Top] [All Lists]

RE: Good enough?

2005-01-06 03:55:09

For better or worse the email authentication means of solving the spam
problem is owned by SPF/Sender-ID framework for the next couple of years. I
beleive that in time signatures will superceed the IP based authentication
approach but that will take some time.

SPF can't be used to reject email because its error rate is too high. A
decent MASS implementation will easily get a lower error rate. Heuristics
can help, for example given a message with a broken signature, you might
accept it if it has List- header fields, otherwise reject.

Of course neither SPF nor MASS is a "means of solving the spam problem"
without an accreditation/reputation system, and no-one is working on a
system that will integrate with either of them. Until that happens these
systems are just noise unless they can provide reliable rejection
criteria.

The critical pain point that must be addressed near term is impersonation
spam phishing.

I want every legitimate message that comes from a trusted, trustworthy
source to play a role in educating the end user to expect authentication.

Yes, that would probably help.

However I have doubts about the ability of users to be educated by little
icons - after all they are so keen to get fooled that they'll unpack an
unsolicited password-protected zip file to do so.

And I doubt the effectiveness of this idea if less than 10% of the email a
user sees is legitimate. Solving the problem in the user interface is too
late.

My bank isn't using email for customer communication; instead they've
built messaging into their web banking system.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
PORTPATRICK: STRONG OR GALE FORCE WEST OR SOUTHWEST WINDS, BACKING SOUTH OR
SOUTHEAST FOR A TIME LATE SUNDAY INTO MONDAY, INCREASING SEVERE GALE FORCE AT
TIMES, PERHAPS STORM FORCE AT FIRST IN FASTNET AND LUNDY AND LATER IN SHANNON,
ROCKALL, AND MALIN.


<Prev in Thread] Current Thread [Next in Thread>