ietf-mxcomp

Re: SPF abused by spammers

2004-09-14 09:09:24

On Mon, 13 Sep 2004, Peter Bowyer wrote:


On Mon, 13 Sep 2004 11:43:44 -0400 (EDT), Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
On Mon, 13 Sep 2004, Peter Bowyer wrote:


Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
On Sun, 12 Sep 2004, Peter Bowyer wrote:


But AOL won't have spammers on their whitelist. The only domains for
which an SPF Pass means less filtering are those which are
pre-whitelisted. And SPF will ensure that mail which appears to be
from those domains isn't forged.

This is a false assumption.  Any domain that is whitelisted will
attract spammers to that domain.  There is no domain or ISP that can
claim not to have spammers ever.

They don't whitelist ISP domains - only responsible bulk email senders.
People whose mail you want your users to receive.

Yes, such as MSN.

If they have whitelisted MSN, it will be because they want to receive
mail which is verifiably from MSN. It's not a choice I would make
myself, but their network - their rules. SPF has helped them with the
verification.

SPF didn't "verify" anything. SPF just helped AOL paint a target on MSN
for spammers and virus writers.  Not that I feel sorry for MSN, if they
were dumb enough to go along with that.  And of course, the "trust" would 
probably be mutual, so MSN paints a similar target on AOL for spammers and 
viruses.  Mutual self-annihilation, I guess. Maybe self-immolation.

This "trust" is a false assumption.  MSN doesn't know whether a particular
message is spam, until it gets a complaint.  It doesn't know whether a
computer is virus infected until it gets a complaint.  It can't certify
that it doesn't have spammers or virus infections or worms or etc.  No one
can.

True - but that's the basis of all reputation mechanisms - there's no
absolute authority to refer to, you decide whose opinion you trust. If
AOL trusts MSN, that's their business.

I agree. Reputation and trust can't be based on false assumptions. You
can't accept promises that you know the other party can't keep, even if
they really wanted to. That's true for just about everything, not just
spam. Trust implies honesty: Honesty about whether you can perform the
promise. If you know you can't perform, yet you promise, you are
dishonest.  How can you possibly trust someone who is dishonest?

Yes, I agree there - but DNS spoofing is sufficiently rare and hard
for the average email forger to do that a mechanism relying on DNS
will have a tiny probability of being subject to forgery in the real
world.

It is rare only because no one trusts DNS, and r-commands have all been
turned off. There is nothing to exploit, so there is no point to DNS
spoofing.  However, it is trivial, and it is easily done by the average
forger, if they were motivated to spoof DNS.

DNS spoofing of SPF records can result in the ability to send spam, and
the ability to deny service.  Both bad things.  One may be worse than the
other.

                --Dean

