spf-discuss

Re: some comments from the RISKS lists

2004-02-13 02:24:29
On Fri, 13 Feb 2004, Hendrik wrote:

> there are three comments posted to the RISKS list that i find worth
> considering in terms of both the political and the technical aspects of the
> development of anti-spam measures.

Thank you for posting this. I'm going to reply with my external, unofficial
viewpoint, and I hope that the official viewpoint will follow.

> Have the issues been addressed that were mentioned in the post archived at
> www.interesting-people.org/archives/interesting-people/200401/msg00037.html ?
>
> I like the "open source" approach to developing SPF, but i wonder where and
> how communication has failed/is failing if there is such a division between
> SPF developers and certain people who to me would seem to be natural allies.

This is puzzling, because from my viewpoint, most of the issues proposed
seem to be non-harmful, or in some cases non-extant.

> Those three comments can be found at the following locations, and by
> looking there for the strings shown below the URLs:
>
> ftp://ftp.sri.com/risks/risks-23.16
>
> Date: Mon, 19 Jan 2004 10:11:35 -0000
> Subject: Defeating phishing scams

This seemed to me to be a fairly encouraging mail. It refers to SPF as a 
part-solution, which it is. It prevents senders from routing the bounces 
back to someone else. It isn't meant to prevent phishing or even spam. Nor 
will it.

> ftp://ftp.sri.com/risks/risks-23.18
>
> Date: Wed, 4 Feb 2004 14:25:33 +0000
> Subject: Opposition to SPF (Re: Rose, RISKS-23.16)

I suspect that there may be some real concerns behind this mail, but I
hope I don't offend anyone too much when I say that I considered the mail
itself to be almost entirely contentless. It's almost a flag-raising 
event. However, it does link to the very important mail mentioned above, 
which I will describe last.

> Date: Wed, 04 Feb 2004 03:28:47 +0100
> Subject: Actually, SPF makes things worse (Re: Rose, RISKS-23.16)

This is written in the absence of SRS. It does, however, describe the most 
likely future business model for spammers, and we should take good note of 
it and consider the consequences. It pretty much relies on people having 
vulnerable PCs around.

It also makes me want to confirm that SPF does in fact check the client ID 
using DNS both ways, since anyone with control of reverse DNS... (you know 
this hack).

And for the last mail:

www.interesting-people.org/archives/interesting-people/200401/msg00037.html ?

I was going to say, "He's replying to it as if it's supposed to be a
solution to spam, which it isn't", but then I read Meng Wong's
introduction, which describes SPF as a solution to spam, which it isn't. 
It destroys a large part of the joe job business model. That's all, and 
that is what must be communicated clearly. From that perspective, some of 
the comments in this mail are justified, and the by-line of SPF needs a 
careful update.

The other concerns in this mail look valid, and should be addressed. 
Naturally, the issues towards the end about uptake seem to be rapidly 
addressed, and the last about individual users should force further uptake 
of SASL (which I know our organisation, for one, does not yet implement, 
and grimaces at the mention, knowing that they should).

Personally, and unofficially, I intend to make time in the next few days 
to go over all of our materials including all the C code.

And now we return you to your scheduled programmes.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/

