ietf-mxcomp

Re: Point of Order: Incomplete, flawed response to MARID WG Charter

2004-08-19 09:01:57

At  2:39 PM on  Thursday, August 19, 2004  "Roy Badami" said:

<snip>
Your argument basically boils down to saying I should never reject any
SMTP transaction because it might result in backscatter.  I don't buy
it.  Backscatter is a problem; let's fix it (but not here).

<snip>

No, it does not.

I was pointing out that:
1) Sender-ID makes the backscatter problem worse,
2) SPF can in many cases make it better, but never worse.

AFAICT, no one has a proven universal solution to offer.

What can be done, and is now being done in this anti-forgery activity, is to
deploy a sequence of relatively simple schemes which gradually chip away at
parts of the problem, forcing the bad guys to change their behaviour in ways
which make it progressively more difficult / more expensive for them to act,
and easier for them and their works to be identified and dealt with.

What we have to ensure, however, is that these simple schemes do not have
unintended, avoidable side-effects, or at least that, if they do, there is a
proper, engineering evaluation of the overall cost-benefit before deciding to
deploy them.

It occurs to me that this process is rather like that which public health
experts must go through when deciding on programs of public immunisation. A
vaccine which gives benefit / protection to the many may have the side-effect of
causing vaccine-damage to a minority.

This current debate is about an undesirable side-effect of Sender-ID, and one
which is avoidable if the essence of SPF is added to the 'vaccine' at the same
time.

Ethically, which do you do:

-  Rush out a single-strain vaccine with a known adverse side-effect, or
-  Spend another three or four weeks mixing a 'cocktail' which
      avoids that side-effect?

I think that is the choice facing this working group.

Chris