The subject of accreditation came up (Re: how blacklisting will work in the
future, etc.)
My first thought is that SPF is an authorization system, not an
accreditation system, so I wouldn't want to see SPF grow more creeping
features to support things other than "Is this IP authorized to send from
this address". Adding widgets that sound cool but don't say "Is this
message permitted by this domain policy" run the risk of bloating the spec
and blurring the message. SPF != FUSSP so let's stick to what we are good
at.
However, on the subject of whitelists, the conversation reminded me of
something else I wrote... I recently sent this to SPAM-L but it occurs to
me that it might be of interest here too.
Spammers can buy thousands of domains and use them to send spam.
Currently, getting a new domain is quick and easy, and the contact
information entered can be made up and wrong. It is very hard to correlate
domains with other domains owned by the same entity.
BUT suppose the domain registrars had a way of relating many, many records
(such as domain registrations) with some unique piece of information that's
hard to fake. One such idea is "Address verification"...
Let's say a domain owner buys a domain name from registrar, and that the
Registrar offers a service called "Address verification". This works one
of three ways:
1. The registrar charges domain owner's card, and at the same time asks the
CC verification system if the address he has on file is an "authorized
shipping address" for that cardholder. Address is considered verified.
(Optional courtesy note sent to this address, no response needed, but red
flags go up if mail is returned or the real cardholder calls to report it
wasn't him)
2. If shipping address doesn't match CC, or payment was by check or
something, send postal mail to domain owner at his address on file
containing his "permanent password" or "verification code". Once this code
is used at the web site, address is considered verified.
3. If customer prefers not to receive postal mail and doesn't give a
matching shipping address, mark the domain as "Address unverified".
DNS registrars could choose to offer "Address Verification" as a free
service that is optional (and publish the info by either adding a
"Verified" message in their WHOIS record, or positive answers for e.g.
"example.com.addr-verified.godaddy.com")
Or, this could be part of DNS Registrar's anti-fraud policy; for example,
your domain is considered "temporary" for two weeks until you receive our
confirmation through postal mail, after which it can be put on hold. This
works best if registrar makes the domain start working right away, but
publishes it as "unverified" in WHOIS or something, so people doing
filtering can flag this domain as "new, not verified".
In order to be effective, I don't think the "verified" address has to be
the same as what's in WHOIS. BUT, the real kicker is this: 1. If you are
terminated for spamming, other domains registered using the same mailing
address are also red-flagged, placed on hold, whatever, depending on
whether you have zero-tolerance or not. 2. The postal address may not be
given out to just anyone who asks, but it *must* be given out in the case
of subpoena to the dns registrar from law enforcement.
If done correctly it could give registrars the ability to strongly
correlate a hard physical address (even a PO box) which is a limited
commodity, against lots of domain names registered under lots of different
contact info. That means the emails, phone numbers, and other bullshti
that is found in WHOIS can try to scatter the message and conceal real
identity, but there is someone somewhere (the registrar) who knows the real
info and can cause cascading failure of other seemingly-unrelated domains
used by the same spammer.
(And no fair sending to 123 Main St. Suite FC034A9D - if the zip-plus-4
matches then the addresses should be flagged as "possibly similar")
Now the real question is, is there any registrar out there with a shiny
white hat that might actually do this?
Peace,
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡