ietf-mxcomp

Re: SPF abused by spammers

2004-09-13 09:04:05

On Mon, 13 Sep 2004 11:43:44 -0400 (EDT), Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
On Mon, 13 Sep 2004, Peter Bowyer wrote:


Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
On Sun, 12 Sep 2004, Peter Bowyer wrote:


But AOL won't have spammers on their whitelist. The only domains for
which an SPF Pass means less filtering are those which are
pre-whitelisted. And SPF will ensure that mail which appears to be
from those domains isn't forged.

This is a false assumption.  Any domain that is whitelisted will
attract spammers to that domain.  There is no domain or ISP that can
claim not to have spammers ever.

They don't whitelist ISP domains - only responsible bulk email senders.
People whose mail you want your users to receive.

Yes, such as MSN.

If they have whitelisted MSN, it will be because they want to receive
mail which is verifiably from MSN. It's not a choice I would make
myself, but their network - their rules. SPF has helped them with the
verification.

This "trust" is a false assumption.  MSN doesn't know whether a particular
message is spam, until it gets a complaint.  It doesn't know whether a
computer is virus infected until it gets a complaint.  It can't certify
that it doesn't have spammers or virus infections or worms or etc.  No one
can.

True - but that's the basis of all reputation mechanisms - there's no
absolute authority to refer to, you decide whose opinion you trust. If
AOL trusts MSN, that's their business.

If MSN and AOL make that assertion, and that assertion is accepted by
others, this fact alone will make MSN a target for spammers, viruses,
worms, etc.  This is why reduced filtering promotes more spam.

But AOL's whitelist is for their own consumption, not for others to
rely on. I wouldn't choose to trust AOL's view of what mail to trust
for a whole variety of reasons. To be fair, I don't believe they're
suggesting that anyone should - its reason for existence is to help
AOL themselves to accept email from sources they themselves trust.
What process they go through to establish that trust is their business
- might be a respected validation service, might be a suitcase full of
used notes - that's up to them.

Well, you're entitled to your view, but your appreciation of the facts in
the case of AOL is clearly inaccurate. And please remember that SPF is an
authentication framework, not an anti-spam tool.

Likewise, you're entitled to your view, and we may have to agree to
disagree.  But besides your false assumptions of trust, you don't seem to
appreciate the fact that DNS cannot be used for an authentication
framework because it is so trivially and easily spoofed.  We learned the
vulnerability way, way back with the Morris worm and the BSD R-command
exploits.

Yes, I agree there - but DNS spoofing is sufficiently rare and hard
for the average email forger to do that a mechanism relying on DNS
will have a tiny probability of being subject to forgery in the real
world.

Peter

