Re: Lawsuits, angry business users, and SPF stupidity.

On Tue, Jan 13, 2004 at 10:56:29PM +1100, Chris Drake wrote:

| I hate spam, but just like 99% of all other business email users, I
| can *never* afford to loose even as much as *one* email - EVER.

Even if getting that mail will cost you hundreds of thousands of dollars
in computer and network resources just to receive it?

The spam problem is about resource abuse.  And dealing with it takes
yet more resources.  The idea is that there is a tradeoff; hopefully the
resources put in to correct problems is less than the resources recovered
by these solutions.  Some things work and some don't.  And what works for
some doesn't work for others and visa-versa.


| I strongly object to you guys forcing my ISP to trash my incoming
| email without my permission.  I VERY strongly object to you guys
| forcing my recipients ISP to trash my incoming emails without my
| permission.

Show me the evidence that I have ever forced your ISP to do anything!
Show me the evidence that I have ever forced your recipients' ISPs to
do anything!


| What advice are you giving to people implementing SPF as to their
| legal risk when they trash legitimate customer emails?

What advice are you giving to people who, because the decide not to deal
with the spam problem effectively, end up losing customer mail because
of the network abuses taking place, or end up delivering that mail late?

What advice are you giving to people who find that they have to double
the number of mail servers they are running just to keep up with the mail
flow in spite of all the abuses?

What advice are you giving to people who find they have to explain higher
costs to their customers, and lower dividends and valuation to their
investors?


| In case you didn't already know - it's also a criminal offence in most
| countries to intercept emails.  What legal advice are you giving to
| ISPs about their criminal risk?

What interception are you talking about?

The ability to refuse email that cannot show that it is authorized to be
sent has been part of email systems since their inception.  Are you trying
to say that refusing any email is a crime?  That's absolutely and totally
stupid.

It is not a crime, and never has been a crime, to refuse to accept something
when you have reason to believe that it has insufficient evidence of its
validity and/or authorization.  Analogies abound, but I will not waste the
bandwidth showing things to the blind.


| As publishers of software and standards which perform criminal+illegal
| activities, and immoral purpose (erasing emails without sender or
| recipient consent), what do you believe your own legal risk to be?

Your assumption is false to begin with, so the remainder of your statement
is irrelevant.


| Finally, I run a (pay only, non-spam) personal remailler service which
| legitimately maintains the real senders address (and due to MDN/DSN
| standards, must maintain it in the envelope as well as other areas).
| You SPF idea has the potential to (A) Destroy my legitimate business,
| along with everyone else who operates anything similar, and (B) Puts
| me at legal risk due to my customer emails not reaching their intended
| recipients due to your SPF foolishness.  Should I ever get sued, I will
| be forced to try and recover costs from someplace - either the
| recipient ISP, or the SPF software authors (the latter being the most
| likely, since the ISP will hide behind that excuse or risk criminal
| prosecution as well).

Your customers are people who set up email addresses at your service and
ask for the mail to be sent to them.  How you send that to them is between
you and them.  But if your customer refuses the mail from you, that is a
problem between you and them ONLY.  If your customer has this problem
between their ISP has refused it, then that is a problem between your
customer and their ISP (with you as a third party).  If their ISP chooses
not to accept email where the sender address fails to match the sending
server, but the customer wants such mail, then the customer is the one
who needs to find a different ISP (there will no doubt be plenty of them
available if there is a market demand for this).

A.

Your business will not be destroyed.  Instead, you need to adapt to a
changing technical landscape, just as much as you have to adapt to changing
markets when that happens.  The world is not stagnant in any aspect such as
technical, economic, or market.  Are you the "agile company" that can find
new business opportunities when things change, or are you just going to be
a whiner because things don't go your way.

I suggest that why you do is study the inevitable changes and find way to
make money.  I've already thought of several ideas.  If you are any good
at business, you'll do the same.

B.

If your customer, or their ISP, refuses your mail, why do you think it puts
YOU at risk.  If THEY are the ones to decide to refuse it, then it is their
own damned fault.  If they want to receive anything and everything from you
despite SPF, they can do this.  They can choose to not use SPF at all.  Or
they can still use SPF and list your mail servers are sources to skip SPF
and accept all mail.

If your customer's ISP refuses the mail, why do you think you would be to
blame?  I'd think the first the customer would blame (and whine to) would
be their own ISP.  Maybe you should explain it to them.


| And while I'm on the topic - what is the point of SPF??? - connecting
| to the senders MX server and VRFY: or RCPT TO: should solve most
| problems, and if you want to implement sender authentication, a new
| SMTP request could be written, like "SPAM?: <sender> <recipient>" when
| the senders MX server verifies whether or not that sender recently
| sent any email to that recipient. TaDa - all problems solved, and no
| collateral damage.

Obviously you you have not thought through the problem at all.  Quite
many providers, especially the larger ones, either have separate servers
for incoming and outgoing mail, or hide their customer data, either to
protect privacy or simply due to queueing strategies, or have simply
turned off the capability.  These cases represent more than 50% of email
users.  You suggestion has been dismissed as feasible years ago when
some of these ideas were hatched.

SPF can be a form of such verification, if the domain owner specifies it.
There is a mechanism called "exists" in which an SPF compliant MTA will
send another query to a specified domain name pattern which can include
the sender email address as well as the client IP it comes from.  This is
in fact an option way to do what you suggest, via a mechanism that can be
design to do exactly that.


| Of course - the best idea is a digital signature system built into
| clients with revocation for spammers - but I notice that you carefully
| avoid mentioning anything that has the prospect of working better than
| SPF in your links. Tch tch tch.

Digital signatures will massively break email, unless it is deployed on
a very gradual scale.  While it can be one of the best solutions to the
problem, it will take years to get it in place and working to the point
where it can begin stopping spam.  That will require hundreds of millions
of people to get these signatures before email can be feasibly refused
on the basis of lack of one.  In the mean time spammers rage on.

And even with digital signatures, spammers will find ways to get new certs
for every hour of every spam run.  So despite the fact that a fully deployed
digital signature system could work better than even SPF, it is still many
many years away, and doesn't have all its own problems solved.


| What the internet REALLY needs is an "I am not a spammer" system so
| that me and the businesses I correspond with can buy a 100% guarantee
| that our email will never be trashed by the crazy anti-spam rules that
| you and everyone else is busy dreaming up all the time (and yeah -
| with revocation so spammers can't abuse it).

There's your business opportunity waiting to make you rich.  Go set that
scheme up, if you think it will work.  But keep in mind that some have
already tried it, such as Habeas.  While they seem to have good intent,
they are currently not doing very well because spammers are saying "I am
not a spammer", and doing so in massive scale from jurisdictions out of
reach of Habeas.  It currently looks like a failure to me.

Remember that spammers are doing everything they can to make their junk
look exactly like legitimate mail, including forging it as being from
people you know, and being sent from their machine as well.

-- 
-----------------------------------------------------------------------------
| Phil Howard KA9WGN       | http://linuxhomepage.com/      http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/   http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡