spf-discuss
[Top] [All Lists]

RE: Maybe simple question

2003-12-16 19:59:48
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Greg 
Connor
Sent: December 16, 2003 6:22 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Maybe simple question


I think I wasn't communicating clearly.  I will try a more 
concise approach.

Well, I think we're talking about the same thing now, at least... 

--"Vivien M." <vivienm(_at_)dyndns(_dot_)org> wrote:


These users are getting screwed over by bad IT.  NOT! by SPF. 
 IT should 
either "Do SPF Correctly" or "Not Do SPF".  In my opinion.

SPF is not a flawed tool just because some people might end 
up using it 
wrong.

Many get screwed over by bad IT... And in a large organization, there's
nothing much one can do about it. 

Now, since some work-at-home staff still uses
dialup, the large majority of students with POP3 setups 
graduated (and  
most new students use webmail), why should the IT department invest  
largeish amounts of money in an SMTP AUTH (or VPN, or 
whatever) for the  
small amount of people left out by this? It's EASIER and CHEAPER to 
tell  them "Just use  http://mail.blah.edu/ instead" - and 
THAT is what 
I have a problem with.


Then you have a problem with the IT department not caring 
about its users.

Yes, I do... And I have a problem with an antispam method turning into a way
to make such an IT department able to screw over people more. 

I don't believe you have proved that "SPF requires additional 
expenditure 
to support".  They *could* tell pop3 users who choose not to 
use dialup or 
webmail to screw off, and that would save money.

But seriously, if they allow pop3 from other networks, why do 
you think 
they wouldn't allow smtp auth from other networks?  There are 
free tools to 
do it.

Free _tools_, yes... But what about the hardware it runs on? The bandwidth
it uses? The staff members' time to set it up? If you're a cash-starved
.edu, those are important things.

But again, IT will ultimately choose to use SPF or not, to 
provide smtp 
auth or not, to allow other isp's to send on their behalf or 
not, or to 
care about their users or not.  In my opinion this is STILL 
not a flaw in 
SPF.  SPF is for those domains that *choose* to limit their 
senders, not 
publishing is still a viable option.

Okay, so you're claiming that SPF should not be universal? If you are, then
that's fine - the impression I got was that this was an effort to WIDELY
deploy this technology as quickly as possible. That's what I have a problem
with - that people should not rush to deploy this in some misguided hope
that it is a painless, magical fix-all. It is not. That said, for my
personal domain from which mail will only come from me and through one SMTP
server or two, SPF could be a very good thing. I worry, though, about its
potential for collateral damage in large organizations.

Second example I gave earlier, and will restate now: you 
have a family 
with a 5 email account plan from joeisp.net. Let's say Mary 
Doe goes 
off to college, and wants to keep using her 
marydoe(_at_)joeisp(_dot_)net address 
that her friends from home know. The family is still paying 
for that 
account - currently, most ISPs (there are the occasional 
exceptions) 
would let her POP3 that mail from the campus network, but won't let 
her send to it. So she sets the SMTP server to the 
college's server, 
and can send her mail to her friends. With SPF, she can't 
do that - so 
she has to use whatever joeisp.net wants to provide to 
off-net users. 
If joeisp.net is smart, that would be an additional cost service - 
webmail, SMTP AUTH, whatever... So suddenly, to use her joeisp.net 
account from college, Mary (or her parents, who are joeisp.net's 
customer) must pay joeisp.net extra money.


If you assume the (hypothetical and probably unlikely) case 
where an ISP 
publishes SPF info and fails to provide smtp auth, then you 
are already 
assuming the ISP doesn't care about the user.  If you further 
assume that 
they will charge *money* to use the Special smtp auth server, you are 
stacking the deck in favor of "this ISP is crappy".  (Also to 
note, it 
looks like Mary got permission to use the campus relay 
without getting a 
campus email address?  That seems fishy.)

You and I have different experiences with large residential broadband-type
ISPs, it seems :) 

In my geographic area, at least, those ISPs care about their customers as
much as a sweat shop owner cares about his illegal immigrant employees. Good
luck getting any type of personalized service - all you get is the friendly
outsourced call center when you have a problem, and an address to send your
bill payment (actually, that's a figure of speech - they'll just debit your
credit card). And if you want to walk, well, let's just say this describes
the two big players that most people are aware of. 

Also, what kind of SMTP servers do you use? MOST servers out there, at least
the ones that I'm aware of, along with their admins follow the "send through
the local SMTP server" part of the "relay-for-your-local-IPs-only,
accept-for-your-local-recipients-only" model. I've helped at least two or
three people in Mary's situation - the campus SMTP server will relay the
mail (no doubt because their admins operate under the previously-described
paradigm), and in months of doing this, the IT department hasn't called them
up and said "why the hell are you sending spoofed mail through our SMTP
server without telling us?" If they did not want such use, it would be
hideously easy for them to prohibit it or to hunt down violators - the fact
that they have not done so implies that they follow their part of the "send
through the local SMTP server" bargain by letting their local users send
mail. 

Rare are the situations like the cable company my dad uses, where you do
need SMTP AUTH to send, and which will allow relaying from anywhere with
your SMTP AUTH. Why is their setup like this? A) They set it up very
recently when @Home died, and B) They dared to anger a lot of people with
some of the SMTP AUTH requirements (though they backed down on it). Their
relay, too, will add your username, so if my dad sends mail from
dad(_at_)employer(_dot_)edu, the headers will also say that he used 
dad(_at_)cableco(_dot_)net to
log into the cable co's SMTP server. 

That, though, is not the common setup. 

One of us is misestimating the pervasiveness of the model that was
implemented in the days when open relays were closed. Obviously, you think
that most places have SMTP AUTH deployed and won't relay mail with addresses
from non-local domains. I think that most people (some large ISPs aside)
operate on the principle that they should relay mail for anything in their
IP block and nothing else. We both can't be right, and we both can't be
wrong, either. 

Anyway, none of this proves that SPF is bad.  You probably 
don't believe 
SPF is bad or you wouldn't be on the list right? :)

How I got on the list is a somewhat interesting story, but as I've mentioned
before, I'm speaking as a private individual only, so I'm not going to get
into that. 


[snip]
effort, or decline to participate in SPF.  Same with ISP's.

Aha, so you are saying declining SPF participation is a perfectly reasonable
response. As I said above, the impression I got was that the aim of this
project was that, EVENTUALLY, everyone should have SPF records. If
universality is no longer an aim of this project, then my objection is
quasi-moot.

Let me try and turn this around and ask you some questions.

Do you think SPF if implemented as described will do more 
harm than good?

If SPF is impulsively deployed, I think so... If SPF is deployed first by
small setups (eg: my personal domain), and large organizations go through a
reasonable bureaucratic process to think the consequences of enabling SPF
through, then I don't see a harm to SPF. If, however, your GOAL is to have
SPF everywhere in, say, 3-6 months, and you intend on starting some
publicity campaign to getting the little DNS admin to think "oooh, we should
enable this, it's easy, it won't break anything, and we can avoid spammers
spoofing us" and just quietly add the SPF records, then I get worried. 

It's all about what you want to do with mail from non-SPF places: I got the
impression from Meng's posts at the beginning that, in the long run, mail
from non-SPF-publishing domains should be bounced. THAT's what I have a
problem with. 

Do you think the needs of the powerless users being oppressed 
by a bad IT 
or bad ISP should outweigh the needs of other domain owners 
that need tools 
to use against spammers?

I have long said (in other forums where I occasionally speak up, and to my
friends) that I don't believe spam is a problem that can be solved through
technology. My fear is that, in the process of fighting spammers, virus/worm
authors, and other issues, computing and the Internet will turn into a
glorified TV set top box. You're already seeing Microsoft promote the
questionable "Palladium" Trusted Computing model, which I'll admit to know
too little to comment except that people seem to be getting the impression
that it would allow the computer to refuse to run any apps that aren't
approved by MS. Next you have SPF, which has the interesting side effect
(given an admin with unfriendly intentions) of limiting choice in how one
goes about sending email. 

That's what worries me. Spammers are inventive, they'll find a way around
[quasi]-universal SPF (if SPF isn't widespread, just spoof non-SPF
domains... which will pressure those to adopt SPF, of course) just like they
have with every other technological roadblock we've thrown their way in the
past however many years. But meanwhile, the technology's potential
decreases, etc. 

I have long believed that the folly of the IT/technology/computing/etc
industry is to believe that just as technology creates problems, it ought to
solve those problems. If spam were knives and inboxes were human bodies,
efforts like SPF would be trying to make a knife able to detect human flesh
and dull its blade upon contact with it. (And, of course, this system would
prevent people from eating one type of meat, but not eating beef anymore
would be a small price to pay for no risk of death through stabbing) I
happen to think that putting murderers in jail for a very long time is a
much better way to decrease homicide rates than to make knives that can't
stab people, and I think that an all-expenses-paid vacation to Club Fed for
10 years for some key high-output spammers would probably lead to a more
drastic reduction in spam level than partial SPF implementation.
Every other industry, except the IT industry (and here I say IT in a broad
sense), leaves it to governments to deal with the abuses of their products,
and also leaves it to government to make them design products less
vulnerable to abuse that harms others. Those industries have also perfected
the art of convincing government policymakers that anyone-but-them is
responsible for the harmful use of their products. The IT industry fears
having non-IT types start regulating their technology, and wants to
self-govern. That, I think, is a strategy that has NOT worked in the case of
spammers for the past eight or nine years, and I don't think throwing more
technology onto the pile is going to solve the problem. The day the antispam
community (and those who spend millions on dealing with the consequences of
spam) will adopt tactics from the Hilary Rosen and Jack Valenti Guide To
Manipulating Political Institutions is the day that spammers will start
running in fear. (Disclaimer: yes, the RIAA's success at stopping piracy
hasn't been great, but there are a LOT more music swappers than there are
spammers.. and few spammers are cute 12 year old kids) And just in case you
don't believe me, and unlike me, live south of the US-Canada border (north,
sadly, the anti-junk-fax law is not as effective), just think about how few
junk faxes you get compared to how much spam you and your filters get. 

The volume of spam I get has tripled in the past six months... And is
probably 10X/day what I got back in the days when everyone and their best
friend ran an open relay. At the time, closing the relays (and getting ISPs
to unplug big corporate spam outfits like Spamford Wallace's Cyber
Promotions) was the way to stop spam. Those things have happened, and I get
10X more spam... And the better filters get, the better spammers become at
avoiding them. When SpamAssassin was set up for my personal account a while
back, maybe 1 piece of spam escaped - now it's 4/day. Soon it'll be 10, and
the filters will need tweaking, and here we go again. SPF just seems like
another temporary way to stop the flood of spam (or, specifically, spoofed
spam), and it may be quite effective at that, but it won't solve the spam
problem in the long run.

Do you have some constructive suggestions as to how SPF could 
be changed to 
accomodate the situations you described here better?

The question, I think, is whether universality is the goal or not. That's my
real concern. If organizations aren't pressured to hastily publish SPF, then
I don't see a problem... not one that the spec can fix, anyways. My concerns
with SPF have to do with the HUMANS setting it up in a particular
organization (humans whom I obviously view in a more negative light than
many others on this list), not with the technology itself - in capable,
honest, well-thinking hands, SPF as it stands is a perfectly good piece of
technology (though I would have preferred it not use TXT records, but I
won't start THAT fight all over again). But then again, a knife in the hands
of a cook is a perfectly harmless and beneficial thing, but the same knife
in the hands of a serial killer is not... and that, I think, is a good
analogy to describe my position.

Vivien

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)½§Åv¼ð¦¾Øß´ëù1Ií-»Fqx(_dot_)com


<Prev in Thread] Current Thread [Next in Thread>