ietf-mxcomp

RE: How is SPF different from RMX?

2004-08-02 08:03:57

The basic premise behind Dean's position as to why SPF is a
waste of time is that we don't have a UBE problem, but
rather a problem with viruses.

I would beg to differ and suggest we have a problem with
fraudulent email, UBE volumes and viruses.

Published filtering company statistics seem to suggest on a
volume basis:

* Roughly 20 - 30% of email is wanted and 70 - 80% is
unwanted bulk email.

As to fraudulent email, the same statistics suggest:

* Compliance with the CAN SPAM Act of 2003 by filtered UBE
is around 1 - 2% of total volume.

This suggests there is an overall volume problem and a
significant problem with fraudulent email.

At the same time, reports also suggest of the unwanted bulk
email, roughly 70 - 80% is coming from infected networks
and computers.

Other reports suggest to deal with spam filters, spammers
have significantly cranked up volumes resulting in a
literal tidal wave of spam.

Further, we know from a recent study by Arial Software of
over 1,600 major online publications, there is no
correlation between compliance and spam volumes.

This study found that while over 50% of all major online
publications were not in compliance with various
requirements of the Act, less than .03% of online
publishers sent email after a subscriber opted out.

As to solving the virus problem, Dean suggests we need to
put people in jail. However, he goes on to imply unless
"lots of money is involved," the Feds won't do anything.

This is a gratuitous swipe at law enforcement officials, the
vast majority of whom, from investigators to prosecutors,
take their duties and responsibilities quite seriously.

As to the whole question of testing and implementation,
Sendmail recently issued a white paper which is a useful
read on their view of what is likely to transpire.

https://www.sendmail.com/smi/web_reg/sender_auth_whitepaper.jsp

At page 4 of the white paper, Sendmail notes in part:

"Timelines and Recommendations ...

"Phase 0 – Testing: The current focus is to try these
authentication systems [Sender ID and DomainKeys] with real
mail on real systems to determine if the approaches
proposed are robust enough to survive in the current
infrastructure. 

This process needs the participation of large and small
sites alike, as the goal is to exercise the many different
paths that a message might take and see how the
authentication information for those messages might break."

On the question of implementation, Sendmail suggests early
adoption will reach critical mass by end of 2004, with an
unofficial "flag day" by sometime in the last half of 2005,
signalling "the end of the old unaccountable email system."

The report also notes "AOL already verifies incoming
messages for authentication and gives those that pass
privileged processing."

Since the issuance of this report, Microsoft announced it
will begin the same process using Sender ID as of October
1, 2004.

One quick comment.

* The present step is to carry out "robust testing." 

* As Sender ID and SUBMITTER remain experimental proposals,
it would be prudent for this WG to request outside review
of these proposals by a panel of graybeards on an expedited
basis.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
