On Fri, 3 Sep 2004, Hallam-Baker, Phillip wrote:
Even if we end up with spammers using disposable domains it will
mean a major switching cost for every message variant. In effect
the use of hash busters will be completely negated.
Saying that Sender ID will not work because of the throaway domain
problem is like saying that it is pointless putting locks on your
doors because a burglar can break a window. In the real world breaking
windows creates noise and leads to burglars being caught.
There is no point in putting a lock on a free-standing doorframe when the
burglar can simply walk around the door. And that is the situation we
face. Spammers can still forge email, even without disposable domains.
They can forge email from the domain (any domain) serviced by their ISP.
There are infinitely many user addresses to the left of the @ sign. Since
there no walls, there is no point in having doors with locks.
If the abuser just doesn't want to give an email address they use, they
can forge an address at their ISPs domain. Or they can use a disposable
address. One still has to contact the ISP with the IP address and time of
use of the abuser. Same as one would without sender-id/SPF/RMX.
If the abuser is interested in harrassing a particular email address (a
joe job), they can just forge email to their ISP's relay. That relay will
then bounce the message to the target. The target then has to contact
each ISP to report the abuse. But they had to do that before
sender-id/SPF/RMX. The problem is the same.
At great expense, you've accomplished nothing.
--Dean