ietf-mxcomp

RE: DEPLOY: not at the University of Cambridge

2004-09-10 07:07:13

[ Please make sure your attributions are present and correct, and
  that you limit your lines to a sane number of characters. For a
  mailing list used to discuss technical matters relating to email,
  I'm amazed at the lack of consideration shown by the posters. Is it
  September again already? ]

On Fri, 2004-09-10 at 21:25 +0800, AccuSpam wrote:
<...fanf2 wrote:...>
> > That's pretty worthless. What we need is a method of identifying
> > forgeries, not a method of identifying legitimate email.
>
> Disagree.  I think the PASS case will end up being much more important
> for anti-spam end game, than the other result cases.

I think both are correct. I think the PASS result will end up being much
more widely used in practice than the FAIL result, as Shelby claims. For
example, I would consider bypassing SMTP verification callouts for
sender addresses when there is an SPF/Sender-ID 'PASS' result, yet I
would never consider actually rejecting mail due to a 'FAIL' result.

However I agree with Tony that this renders the whole thing pretty
worthless.

We already have ways to rate the trustworthiness of IP addresses.

We're introducing all this breakage, requiring hosts to 'upgrade' to
join the Brave New World by performing SRS or some abuse of Resent-*
headers which is inconsistent with RFC2822, and what do we achieve at
the end of it? We get spammers publishing their own records quicker than
legitimate users do, proving that the only thing we've achieved at the
end of it all is to 'reduce' it to... almost precisely the same problem
-- only now we get to rate the trustworthiness of _domains_ rather than
IP addresses.

If we really want to check domains instead of IP addresses, and to limit
the 'permitted' mail servers for outgoing mail, surely we'd just do
better to mandate the use of TLS and check the sender's certificate
against our 'trust' database? 

Oh yeah... the world hasn't actually noticed ESMTP yet, and there are
still mail hosts out there which aren't TLS-capable.... and yet you
think they're going to notice whatever changes SPF/Sender-ID require of
them?

You're living in a dream world.

-- 
dwmw2