ietf-mxcomp

Re: Sender identification is not the answer

2004-06-24 16:32:02

Thanks, Roy, for your comments.

The problem is that if we outlaw forging mail, then we won't be able
to forge mail anymore (this was put somewhat more succinctly by
someone else, but I can't remember the quote).

I understand the general sentiment here, but anonymity is useful to a great
many people, including people who live in countries in which their
governments will use such "well identified" messages against them.  In the
U.S., the Patriot Act already gives greater reason to suspect someone,
monitor them, search their premises, records and emails, and the need for a
court order has been greatly diminished.

People like to provide tips of suspected activities, blow the whistle on
others, etc., and they don't want to be so identified.  We'll lose the
simplicity of the "pay phone" for making an anonymous call.

Besides, as I said, if people WANT such a well authenticated system, they
could purchase one today from various vendors who offer just such systems.
There's no reason to break email for everyone else.  Email is pretty old,
and the spam problem is only recent because businesses have adopted this
free technology and now want the rest of us to convert to their whims and
needs.

Also, some people just like to participate in discussions like this one
without having to identify themselves further.  In fact, this list is rather
funny because it sends out messages "on behalf of others," yet if the mail
gurus at gnomon.org.uk decided that you could only send through their
servers, then you wouldn't even be able to participate in this discussion.
I'm using a computer.org account from IEEE, and the same problem would arise
from them.

With any MARID/LMAP scheme, your business has a choice.  It can
restrict mail to being sent from its servers, or it can allow mail to
be sent from any server.

No-one is forcing your business to publish a policy that says its mail
only comes from its servers; MARID/LMAP gives your business the
_choice_ of publishing such a policy.  If it chooses to do so, then
recipients of mail claiming to be from your business can evaluate that
mail against the policy.

That sounds fine, but that's like having a "moment of silence" in Muslim
schools attended by Christians and atheists, and then expecting those who
don't want to pray to somehow now comply when others around them look on in
disapproval.  Clearly, the result will be that major ISPs will block email
coming from non-authenticated systems, thus making email less useful to
those who don't join the club.

My company will never say that you can send email using their emails from
anywhere -- should they adopt SPF or the like -- because it would imply they
endorse spammers.  But they also won't take the time to list each employee's
home ISP.  Besides, most ISPs are blocking this already, so it's not about
sender authentication, it's about blocking emails being sent using addresses
they don't approve of.  The rush to stop spam is stopping legitimate
business communications.

This seems to me to be more about upping the arms race as the spammers react
to these new proposals by hijacking users' accounts (and falsely making it
seem like the "zombie" victim has authenticated himself and thus will likely
be more legally liable for those spams even though he was just a victim), or
they will hijack DNS.  Why do we want to keep on tacking on small things
that never address the real problem?

Spam can be stopped simply by educating users not to buy things from
spammers.  Businesses can move off of free email and grow up and pay for
quality services that aren't tainted by spammers, so people no longer expect
to receive anything of value through email marketing efforts (you would be
suspicious of your bank contacting you over a walkie-talkie, ham radio or CB
radio, right?).  Legal folks could actually start tracking down spammers by
buying the products and following the money and then arresting them (it's
already illegal).

Heck, we don't have to identify ourselves to mail a letter, why should we
have to just to send an email?

David