ietf

Re: DMARC methods in mailman --- [LEDE-DEV] DMARC related mass bounces / disabled subscriptions (fwd) Jo-Philipp Wich: [LEDE-DEV] DMARC related mass bounces / disabled subscriptions

2016-12-18 08:04:44
On Sat, Dec 17, 2016 at 06:38:07PM -0800, Dave Crocker wrote:
> there is a broad-based belief in that community that aggressive
> requirements for author authentication will alleviate many abuse problems.

There was a roughly equivalent belief that requirements for
domain authentication would do the same thing:

        "Spam as a technical problem is solved by SPF."

That belief was wrong.  So is this one.  Even if DMARC (and ARC,
and whatever else comes along) work perfectly, without all the
myriad problems we're currently discussing, the impact on abuse will
be negligible.  For example, since we're talking about Yahoo and its
latest massive security breach: I get spam -- all day, every day --
in my spamtraps from Yahoo, and yes it really is from them.   It flows
nonstop, as it has for many years, because they simply don't care to
make it stop.  So it doesn't matter if it's authenticated as really from
them, and further authenticated as really from a particular user account:
this is accurate but useless information because they won't do anything
with it.

Dealing with abuse doesn't require any of these technologies.  It requires
organizational commitment to running a well-staffed, well-qualified
abuse desk that responds to EVERY abuse report promptly, efficiently,
and accurately, and which is empowered to take the actions necessary to
make the abuse stop.  Yahoo is miserably bad at this, and they're not
the only one.

So let's not kid ourselves that these operations are sincerely trying
to do something meaningful about abuse.  They're not.  They've told us
by their actions, for well over a decade, that they simply don't care
about the abuse they emit/support/facilitate.

---rsk
