On Wed, Feb 25, 2004 at 05:43:15PM +0100, Ernesto Baschny wrote:
|
| Meng, could you write up a comparison table between Caller-ID and SPF? I
| have seen plenty of similarities and some crucial differences. You could
| also weight the (dis)advantages of each difference.
|
I am doing a comparison table between all the antispam technologies I
know of. I'm about a third of the way through and hope to finish it by
the end of this week.
Meanwhile here's a condensed version of the analysis.
The important factors are:
- what is it selling?
- can it make good on its promises?
- what is the implementation cost?
- what is the deployment cost for the sender?
- what is the deployment cost for the receiver?
- what fraction of the internet needs to play along?
- what do the end-user humans have to do?
-------
if we somewhat arbitrarily segment the internet into the following eight
sectors, this is the cost grid: (view in a monospaced font)
DomainKeys Caller-ID SPF
sender humans all have to configure their MUAs to do SMTP AUTH when they roam
sender MUAs - - -
sender MTAs upgrade - -
sender ISPs publish,configure publish publish
forwarders - upgrade upgrade
receiver MTAs (upgrade) (upgrade) upgrade
receiver MUAs (upgrade) upgrade* -
receiver humans - examine -
(upgrade) means the spoof detection could be performed by the MTA or,
failing that, by the MUA.
*: Caller-ID requires all receiver MUAs to display the responsible
sender: "from Sender: on behalf of From:". Right now Outlook does
this just fine. Everybody else has to change.
The fewer sectors a solution touches, the easier it will be to deploy.
Some are eager to adopt and others are reluctant. For example, I assume
sender ISPs and receiver MTAs generally want to add antispam features.
I assume that humans are lazy and don't want to have to do anything.
Some sectors are smaller than others. Forwarding, for instance, breaks
down into three sectors. In the commercial space probably there are
fewer than 500 people who need to be convinced. In the ISP space and in
the home Linux hobbyist space, we are working on SRS patches so they can
just upgrade their MTAs. Is Microsoft going to provide Caller-ID header
prepending patches to Qmail?
Now let's look at what each proposal is offering the prospective buyer.
What is domainkeys selling? If the message is signed, and it claims to
be from ebay.com, you can trust that it really is from ebay.com. If the
message is not signed, and it claims to be from ebay.com, you don't know
if it's really from ebay.com or not, unless you know a priori that
ebay.com always signs. The a priori comes from either Caller-ID or SPF.
What is Caller-ID selling? If the message passes spoof checks, and if
you're using Outlook or another client that displays "from X on behalf
of Y", and if you take the time to examine that displayed information
and confirm the distinction between "from ebay.com" and not just "on
behalf of ebay.com", then you can trust that it really is from ebay. If
the message fails spoof checks, it is silently deleted or rejected in
SMTP after ".". But how many people can appreciate this distinction?
Those who don't will get a false sense of security, like driving with a
seatbelt that hasn't fully clicked into its socket. Is it wise for the
MTA to do the testing at all? It might let through a "Sender: spammer /
From: ebay.com", and an MUA that does not display the responsible sender
would happily display it. Imagine the backlash when that stuff
continues to flow. Buyers will complain about false advertising.
What is SPF selling? Protection for the return-path so we can fight
joe-jobbing, plus compatibility with DK because DK needs a policy
document to operate properly, plus compatibility with accreditation
schemes. We are explicitly NOT claiming to protect the headers, and so
we DO NOT claim to be able to stop "Sender: spammer / From: ebay.com".
We tell people that if they want that feature they should buy the DK
extension pack to go with SPF.
The corporations that Microsoft and Yahoo talk to with are concerned
about phishing. Everybody else is concerned about joe-jobs and worms.
But because managers at Microsoft and Yahoo listen more to managers at
eBay and Citibank than to Linux sysadmins and ordinary end users, they
discount the need for joe-job protection.