spf-discuss

RE: Forwarders

2004-01-11 16:26:25


-----Original Message-----
From: Dr. Ernst Molitor [mailto:molitor(_at_)uni-bonn(_dot_)de]

[snip]

> Right now, I'm free to use each and any of a couple of email addresses I
> have, and send messages through servers that use one of a few ways of
> authentication (AUTH with DIGEST-MD5 or TLS with authentication by
> certificates).

And you'll be able to do that in the future. No problem.

> With spf, I'd be out of luck since I'm using a DSL dialup line quite
> often, and have different IP numbers all the time. I have no authority
> over the DNS server for the boxes I run at my place of work, so I
> couldn't possibly have spf records installed for the (large...) IP space
> allocated to my DSL provider. If I could talk the DNS people into

If you are using your university's server with authentication - that's
great. SPF-aware MTAs will see the message coming from your university
MTA, which is in the SPF record for your university domain. You're set.

> installing such records, all the bad guys using the same provider could
> use our servers to forward spam mails. To make a long story short: Your
> spf system would impose major restrictions on my use of e-mail and still
> could be circumvented.

You don't need that, since you use authenticated SMTP with the university
servers. Your ADSL connection will not pose any problem.

> What about Johnny Spammer - why shouldn't he buy a class C network, set
> up a DNS service complete with spf records, and a couple of MTAs, and go
> for his ugly business?

No /24 net in the world would help Johnny, because SPF is a white-list
and not a black-list. He still can't joe-job you, because the university's
SPF record restricts mail with the university's domain to the university's
servers. When you use authenticated SMTP, your mail comes from one of
those. Johnny Spammer doesn't have your password, hence he can't
authenticate to the university's servers like you do. He's screwed.

Remember, SPF doesn't prevent spam, it prevents domain forgeries.
Johnny can still buy a domain (~5$) and set up a DNS server with valid SPF
records for his domain. Johnny will soon discover that one of the email
addresses he has sent his spam to was a spam-trap, which automatically
adds the domain to the list of spam-originators in the reputation
database. He's screwed again.

> As far as I can see, Johnny Spammer earns profits from his mailings. He
> will not stop spamming if he can buy around the measures taken against
> this activity with a comparatively small amount of money, will he?
> Regrettably, that's what I thought about after reading your "let the
> market decide" comment.

5$ per domain, and they go out like that (finger-snap SFX here)?
Suddenly, JS realizes that sending spam costs more than he may earn
from it. He can either veer to the criminal domain (taking over people's
computers with internet worms, hack an authenticated SMTP server) or go
out of business.

Woe to Johnny, because most likely he will go the way of the dodo.

> Hey come on. In a previous message on this discussion list, I read a
> suggestion to "evolve" mailing lists into IMAP servers - why not remove
> the tires from a car and add helicopter blades: This will definitely
> allow you to forget traffic jams in rush-hours - but what you end up
> with is no longer a car ;-)

Take a look at http://www.gmane.org for a cool example of mailing-lists
turned NNTP. Hey, these are ideas you are critical about. Try to be more
to the point. If I could send my car to the shop and have chopper blades
installed for $50, I'd do it tomorrow, and I don't care if you decide
to call it a chopper.

> SMTP were broken if it had been designed to be spam-safe - but take it
> as a fact: it hasn't. Saying SMTP is broken because it is not safe
> against spam mails is equivalent to noting that cars are broken since
> you can end up in an ugly traffic congestion if you use them.

...and that's why you build highways, make some roads one-way, use
traffic lights to regulate the direction cars go into the junction from.
That's what SPF has done. True, you can't drive through a red light like
you used to before the traffic light was there, but you pay this price
every day.

> The "NOSPAM" notation, in contrast to the spf proposal, does not impose
> any restrictions on current emailing procedures. Its efficiency in
> stopping spam may be low, but remember: the costs it imposes on email
> users are nil.

That's just it. The efficiency in stopping spam is low. Do you want to
maintain the sanctity of SMTP - fine, but how is this going to solve
the problem? This SPF thing is a reaction to a specific problem: Domain
forgeries. Mr. Wong took the time and effort because he wants to solve
this problem. Not because he's interested in
not-restricting-current-emailing-procedures in the name of keeping the
internet just the way it was. Kudos.

-- Arik
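As an added illustration of the white-list point in the reply above (this is not code from the thread or from the SPF project): a minimal SPF evaluator run over constructed records that use documentation address ranges. It handles only the ip4 and all mechanisms, and the domain names, IPs and records are all made up for the example.

```python
import ipaddress

# Constructed records (documentation IP ranges, not any real domain's data).
# The university lists the MTAs allowed to send for its domain; the spammer
# publishes a perfectly valid record for his own cheap domain.
RECORDS = {
    "uni.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

def check_spf(sender_domain, client_ip, records=RECORDS):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only ip4 and
    all are handled; a real evaluator also resolves a, mx, include, redirect.
    """
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published, so SPF says nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism in this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail",
                    "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # record exhausted without any match

if __name__ == "__main__":
    # University MTA sending for the university domain: listed, so it passes.
    print("uni MTA    ", check_spf("uni.example", "192.0.2.10"))
    # Dr. Molitor's DSL address sending directly as the university: fails,
    # which is why he relays through the authenticated university server.
    print("DSL direct ", check_spf("uni.example", "198.51.100.7"))
    # Johnny sending as his own domain: passes; SPF does not stop spam.
    print("JS own dom ", check_spf("spammer.example", "203.0.113.5"))
    # Johnny forging the university domain: his /24 is not in that record.
    print("JS forging ", check_spf("uni.example", "203.0.113.5"))
```

The last two lines are the whole argument of the reply: a valid record for Johnny's own domain buys him nothing when he tries to use someone else's.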


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt

