ietf-mxcomp

RE: How is SPF different from RMX?

2004-08-10 16:28:36

On Mon, 2 Aug 2004, John Glube wrote:


But all this does not matter. 

The main issue John is disputing above seems to be whether junk mail
mostly comes from virus-infected machines (as I suspect) or whether it
comes from commercial emailers breaking the law (as I think John thinks).
This is basically a quibble. In either case, the abuser is violating the
law in some way, and that has a couple implications:

  1) They won't be concerned with breaking other laws of similar severity, 
such as spoofing DNS, theft of user credentials, etc.

  2) The solution is to have the law enforced.  

  3) The solution is not technical. We already have the best
authentication and accountability we can obtain in the tuple of IP address
and time of use.  This tuple is sufficient for law enforcement to identify
the virus-infected machine (if that is the problem) or the commercial
emailer (if that is the problem).

At present, the proposal is sender accountability, which
includes authentication, accreditation and reputation. 

I don't see how reputation has anything to do with SPF. The domain owner 
simply puts in an SPF txt record.  Entities of bad reputation can easily 
create SPF records.

The authentication and accountability aspects of SPF are illusory and are
not achievable in the SPF proposal as it stands, nor can DNS be used to
achieve these goals.  This subject has been discussed at length on the
DNSOP and DNSEXT lists, and it is generally agreed that DNS cannot be the 
basis of authentication.

Having found that its goals aren't achievable, it seems that the Working
Group is obligated to report this finding.  Failing to report honestly on
research is inappropriate.

Dean Anderson
Av8 Internet, Inc