ietf-mxcomp

RE: Does marid-submitter-02 really make sense?

2004-08-13 15:30:24

On Fri, 2004-08-13 at 13:57, Douglas Otis wrote:
On Thu, 2004-08-12 at 20:43, Mark Shewmaker wrote:
Or they'll go out of business.

There is a high cost for spam where much of this is seen by the network
provider.  Taking away tools to curtail this abuse is not a good
solution and can drive providers out of business.

What tools to curtail abuse am I taking away?

If a business loses money because their customers realize that they
can't trust that mail claiming to be most recently (re)sent into the
mail by them really was, then whether that distrust built up because
they didn't publish spf records or whether it built up because people
realized that the spf records they did publish could not be
trusted--either way their customers will leave.

How is that taking away tools to curtail abuse?

Sorry--if my reputation system makes me give a poor reputation to
someone because they're using a shared MTA that allows cross-customer
forgeries, then my reputation system is doing its job.

Explain that in court.

I describe my thoughts on how I figure out what I trust and don't trust,
and your response is that I'll have to explain it in court.
  
And you still don't understand why I call this a thought crime?

The provider guarding against abuse does not
examine or change the content of the mail, they look for protocol
generated errors.

Well, I for one won't trust mail from mail servers run with such a
mindset as compared with mail from mail servers that have what is in my
opinion a more enlightened mindset.

I can't imagine that in 5 years people would continue to find such
behavior as you claim as fact to be acceptable.  I expect that mail
servers that don't validate the content of outgoing email (protecting
against cross-customer forgeries among other things) will tend to cause
such mails and their purported sending domains to be rated poorly, (when
the domain gives pass results to mail from those servers.)

If someone else can spoof trustworthy(_at_)trustworthy(_dot_)com, then I
hope my reputation systems will assign a poor reputation to the
trustworthy.com domain, because any claims of anyone to be from there
aren't, well, trustworthy.

The question should be, do you blame the mail system allowing mail to
share MTA servers as designed, or do you blame repudiation services for
not considering such cases.

The problem is that trustworthy.com told me I could trust an untrustable
MTA.

Trustworthy.com could go to a more trustworthy MSP, or they could try to
convince their MSP to disallow cross-customer forgeries.

The fact that trustworthy(_at_)trustworthy(_dot_)com tells me to trust
that a message really comes from him if it comes through a specific IP
still doesn't mean I should trust such claims if I know that that
specific IP itself isn't trustworthy.

Mail providers MUST NOT use Sender-ID when they can not ensure a
ONE-TO-ONE relationship between Domain and Server.  The draft should
make this warning very clear, but it does not.

I see no problem with a zillion domains having a single server as an
outbound MTA if that single server doesn't allow cross-customer
forgeries.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
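
The policy argued for in the message above, a shared outbound MTA that refuses cross-customer forgeries, sketched as an added example (not part of the original post and not any MTA's own code). The account names, the domain map and the function names are hypothetical, the sample data is constructed, and the PRA header selection is a simplified form of Sender-ID's header order.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed data: authenticated submission account -> domains it may claim.
CUSTOMER_DOMAINS = {
    "acct-trustworthy": {"trustworthy.com"},
    "acct-other": {"other.example"},
}

# Simplified Sender-ID PRA order; the full algorithm has further rules for
# Resent-* blocks and malformed headers.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def domain_of(address):
    """Lower-cased domain of a mailbox, or "" if it cannot be parsed."""
    _, mailbox = parseaddr(address or "")
    local, at, domain = mailbox.rpartition("@")
    return domain.lower() if at and local else ""


def purported_responsible_domain(msg):
    """Domain of the first PRA header present; "" if missing or ambiguous."""
    for name in PRA_ORDER:
        values = msg.get_all(name)
        if values:
            return domain_of(values[0]) if len(values) == 1 else ""
    return ""


def check_submission(account, mail_from, submitter, raw_message):
    """Return (accepted, reasons). Every identity the message asserts must
    belong to the authenticated account; empty identities fail closed."""
    allowed = CUSTOMER_DOMAINS.get(account, set())
    msg = message_from_string(raw_message)
    claims = {"MAIL FROM": domain_of(mail_from),
              "PRA header": purported_responsible_domain(msg)}
    if submitter is not None:  # SUBMITTER= parameter on MAIL FROM, if given
        claims["SUBMITTER"] = domain_of(submitter)
    reasons = [f"{what} domain '{dom}' is not registered to {account}"
               for what, dom in claims.items() if dom not in allowed]
    return (not reasons, reasons)
```

With a check of this kind at submission time, many domains can share one outbound server while each SPF or Sender-ID pass result still refers to a single customer.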