ietf-mxcomp

Re: (DEPLOY) In Support of Sender ID

2004-09-03 12:16:59

On Fri, 3 Sep 2004, Matt Sergeant wrote:

> On 2 Sep 2004, at 23:06, Rand Wacker wrote:
>
>> As I said before, there is a large majority of mail that goes from
>> large commercial sites (or consumer ISPs) merely one hop to another
>> large commercial ISP, so the From: header will be successfully
>> authenticated.
>
> You're talking about the positive evaluation proposition of Sender-ID -
> that the From address is authenticated. Yet both Cyphertrust and
> SpamAssassin's stats show that the spammers are more on top of this
> than the legit mailers.

*NO*.  I am talking about using authentication status as the basis for a
new set of checks such as whitelisting.  I have been saying since the
beginning that spammers would authenticate their outbound mail in hopes
that someone would make the brain-dead assumption that "authenticated" ==
"wanted".

> This indicates to me that we need to be looking towards the negative
> evaluation proposition (i.e. the value in rejecting mail) that Sender-ID
> and/or SPF gives us, rather than hoping that a Sender-ID approved mail
> actually provides us with any benefits.

Sender ID approved mail provides you with the benefit in that it is
authenticating a well-comprehended user address, the From: header.  This
is something that's easy for users and admins to comprehend and whitelist.
Whitelisting of the envelope is more complex and won't be understood by a
large portion of users out there.

Everyone on this list has also admitted that *no* IP-based scheme can
authenticate more than one hop prior to when you receive a message, and we
all seem to agree that the right long term approach is a crypto-based
solution.  Sender ID gives you a nearer-term benefit for large
business-to-ISP or large ISP-to-ISP mail delivery, where you /can/
authenticate the from header (stuff that goes through forwarding hops be
damned seems to be the consensus of anyone pushing *any* IP-based
solution).

Sender ID also has a more graceful workaround for the forwarding hops that
want to become compliant.  SRS has some severe technical failings, so
much so that source routing was completely abandoned 15 to 20 years ago as
unworkable.

Everyone knows that there are limitations to what Sender ID can do, but it
brings a good enough benefit to a large enough percentage of mail that it
is worth moving forward with (as long as the licensing issues can be
worked out).  SPF solves a different problem and brings a whole host of
other technical issues to the table.

-Rand