ietf-mxcomp

Re: Sender identification is not the answer

2004-06-24 23:02:47


----- Original Message ----- 
From: "David Wall" <d(_dot_)wall(_at_)computer(_dot_)org>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>; "Meng Weng Wong"
<mengwong(_at_)dumbo(_dot_)pobox(_dot_)com>
Cc: "MARID" <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Friday, June 25, 2004 12:07 AM
Subject: Re: Sender identification is not the answer


Sender ID conflicts with many of the US ECPA provisions.  There doesn't
seem to be much thought put into seeing if it passes the legal muster.
SenderID is not a reliable concept and it promotes the obstruction of
mail delivery and it promotes local policies to be applied at the wrong
part of the mail operation.  It promotes post acceptance Local Policies
rejections ideas for any discriminatory whims beyond spam.  Where do you
think "local policies" evolved from anyway?  Not because it was a "neat"
idea. It all began with the 1986 US ECPA provisions to help address mail
delivery obstruction, mail tampering and privacy issues.  I'm not just
blurting this out. It has many legal issues.

Sorry the other poster didn't respect your insights just because  While
I'm not sure about your anger towards Microsoft (I do share my
disapproval, though, since Outlook turned innocent email data into
executable content without anybody's permission and started the virus
revolution that has helped drive the spam deluge, along with other
helpful things like hiding "known file extensions" so once scary
filenames look innocuous: i.e. hello.html.exe would be displayed as
hello.html since the '.exe' was a known extension!).

[Note: I don't have an anger towards Microsoft. Their engineering decisions
make me scratch my head but we are a Windows shop with one of the top
Windows applications for it.  What I want is for them to do the right thing
especially in an important area like this that will affect the entire
world.]

Unfortunately, the ECPA has no doubt been gutted by the Patriot Act I & II
provisions, but the idea is right.  At this point, these systems are
saying that they will accept/reject email sent by others to people, but
neither the sender nor the recipient has any say.  That is a violation of
ECPA, and of course many spam filters at ISPs have violated the law for
some time.

Right, the entire history of mail hosting and gateways and transports, which
I have been part of since the 80s, the growth of Porn, the introduction of
alias logins (Display Name) and then even further relaxation with complete
anonymity were all items that I was directly part of one way or another. Our
software designs are molded by the laws.  To this day, our mail hosting
product does not support true anonymous logins, alias yes, but not
anonymous.  It was the migration and integration of SMTP, POP3 and NNTP
into our backend that created all the current security issues we have.  But
we continue to make sure the laws are followed.  A good example is how POP3
introduced the mail snooping/previewing mail concept into mail systems where
mail previewing was only a sysop privilege.  It took a lot of debates
with customers before we finally pressured to change violate the mail
integrity.  Users now had a way of saying "Hey, I never got that expiration
notice!"  Mail Recipients were not broken, etc.  It was all finally worked
out, but it illustrates just one item over the years with mail designs I
have been involved with to see the effects of designs.

Yes, excellent reminder about the Patriot Acts.  It further strengthens the
dangerous precedent that is being promoted with SenderID.  The Patriot Act
now allows labeling an unsolicited sender as a "Terrorist" or the claim the
sender is destroying private property as a legal way to circumvent US ECPA.
SenderID promotes POST SMTP validation with ideas promoting local policies
to obstruct the mail delivery process.  All a sysop needs to claim is that
the sender was deemed as destroying property or had terrorist behavior.

What I am afraid of is that the SenderID system, especially when added to
a passthru/routed system, will begin to get into this unreliable 2822
validation game and destroy mail for any discriminatory reason. "A Spam from
a Republican, Accept.  A spam from a Democrat. Reject"  Sure, silly
example. Let's go ahead and open up this Pandora's Box and watch what happens.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com