ietf-mxcomp

RE: How is SPF different from RMX?

2004-08-02 11:14:37

On Mon, 2 Aug 2004, John Glube wrote:

The basic premise behind Dean's position as to why SPF is a
waste of time, is that we don't have a UBE problem, but
rather a problem with viruses.

I would beg to differ and suggest we have a problem with
fraudulent email, UBE volumes and viruses.

Published filtering company statistics seem to suggest on a
volume basis:

* Roughly 20 - 30% of email is wanted and 70 - 80% is
unwanted bulk email.

As to fraudulent email, the same statistics suggest:

* Compliance with the CAN SPAM Act of 2003 by filtered UBE
is around 1 - 2% of total volume.

This suggests there is an overall volume problem and a
significant problem with fraudulent email.

How do you define "fraudulent email"?  I define it as mail attempting to 
defraud the reader of money. 

In a somewhat unscientific experiment, I replied to 20 Nigerian scams as 
soon as they came in with a nonchalant "How can I help?" expecting a reply 
to direct me to reveal a bank account number or some other information. 
Only one received a response, and that was from a person who said their 
address had been forged.  Even the apparent frauds often aren't really 
frauds.  Certainly there are frauds, but not as many as it might appear 
from the contents of the messages.

At the same time, reports also suggest of the unwanted bulk
email, roughly 70 - 80% is coming from infected networks
and computers.

All networks are infected. It is just a matter of degree. Some are worse 
than others.  This suggests that there are some incorrect assumptions 
about whether networks are infected.

Other reports suggest to deal with spam filters, spammers
have significantly cranked up volumes resulting in a
literal tidal wave of spam.

I've seen this "suggested" since 1994. In truth, I've only seen this on 
usenet news, when the spammers war with the cancel bots. The users see 
thousands of messages. But this is as much the fault of the radical 
antispammers running the cancel bots as it is the spammers reposting their 
messages.  

Further, the single highest volume spams advertise Viagra. However, I have
tried to purchase Viagra from a number of these spams, on the premise that
Viagra is a prescription drug and I don't have a prescription and the
seller probably doesn't have a license. That's also a federal felony, no
different from dealing cocaine or heroin. While some have led to websites,
none have led to sales or even contacts from salesmen or even fraudulent
credit card charges.  These are mostly fakes. (I say 'mostly' because
perhaps there is some example I didn't find)

Further, we know from a recent study by Arial Software of
over 1,600 major online publications, there is no
correlation between compliance and spam volumes.

Do you have a pointer at this study?  My own experience is that very
little spam is genuinely commercial or even genuinely fraudulent--in the
sense that someone is really trying to scam money--even the obviously
fraudulent Nigerian scams aren't responded to, and are really just
joe-jobs.  So I haven't seen, nor would I expect any correlation between
compliance and volume.

Though I'm not sure what you mean by a "correlation between compliance and 
spam volumes".  Do you mean that compliant emailers send more or less 
volume? Do you mean that total volume is unaffected by compliance? Please 
explain this.

This study found that while over 50% of all major online
publications were not in compliance with various
requirements of the Act, less than .03% of online
publishers sent email after a subscriber opted out.

I'll have to read that. In January, the FTC reported that 90 something 
percent of the commercial bulk emailers were partially compliant and 57% 
were fully compliant.

As to solving the virus problem, Dean suggests we need to
put people in jail. However, he goes on to imply unless
"lots of money is involved," the Feds won't do anything.

This is a gratuitous swipe at law enforcement officials. The
vast majority of whom, from investigators to prosecutors
take their duties and responsibilities quite seriously.

Nonsense. This is just the way it is.  The feds will tell you (they told
me) that if there aren't significant financial losses, they won't
prosecute.  The FBI is understaffed the way it is. Public interest and
funding set the priorities.  There is no "swipe" in stating what the
prosecution and investigation priorities are.  But speaking of "gratuitous
swipes" ....

As to the whole question of testing and implementation,
Sendmail recently issued a white paper which is a useful
read on their view of what is likely to transpire.

https://www.sendmail.com/smi/web_reg/sender_auth_whitepaper.jsp

At page 4 of the white paper, Sendmail notes in part:

"Timelines and Recommendations ...

"Phase 0 - Testing: The current focus is to try these
authentication systems [Sender ID and DomainKeys] with real
mail on real systems to determine if the approaches
proposed are robust enough to survive in the current
infrastructure. 

This process needs the participation of large and small
sites alike, as the goal is to exercise the many different
paths that a message might take and see how the
authentication information for those messages might break."

On the question of implementation, Sendmail suggests early
adoption will reach critical mass by end of 2004, with an
unofficial "flag day" by sometime in the last half of 2005,
signalling "the end of the old unaccountable email system."

The report also notes "AOL already verifies incoming
messages for authentication and gives those that pass
privileged processing."

And has this proved beneficial to AOL users?  Will it still be beneficial
after abusers adapt to it?

Since the issuance of this report, Microsoft announced it
will begin the same process using Sender ID as of October
1, 2004.

October 1 is 59 days away.

One quick comment.

* The present step is to carry out "robust testing." 

* As Sender ID and SUBMITTER remain experimental proposals,
it would be prudent for this WG to request outside review
of these proposals by a panel of graybeards on an expedited
basis.

No doubt, a good idea.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
