spf-discuss

Re: The New SPF: overall outline - CAUTION GNU RE

2004-05-28 08:39:32

----- Original Message ----- 
From: "Ryan Malayter" <rmalayter(_at_)bai(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, May 27, 2004 1:11 PM
Subject: RE: [spf-discuss] The New SPF: overall outline - CAUTION GNU RE


[spf(_at_)metro(_dot_)cx]
and forge anyway, given that the spammer pays microsoft
enough $$$ (see hotmail, where
one can, as a spammer, pay microsoft to get whitelisted in
their spam checkers).

This is patently false. You just skimmed that headline on Slashdot,
didn't you?

Microsoft is using IronPort's bonded sender program. A company puts up a
cash bond with IronPort saying "I will not spam". The amount is set by
IronPort based on past behavior, reputation, etc. If the sender spams,
the bond money is forfeited *to IronPort*. No money goes to Microsoft at
all. You cannot "pay to spam".

Expect a lively traffic in alt.2600 and other cracking groups in such
registered spam-for-free keys. I do *not* agree that bonding this material
is sufficient: the fraud spammers simply will not care if they defraud some
poor company who've legitimately posted the bond and get their key stolen,
or they will pay underemployed geeks and perhaps even non-profits to
purchase keys for them. Given a general improvement in mail filtering from
the use of SPF and such validation keys, the spam-for-free keys will be even
more valuable.

Microsoft is whitelisting those bonded senders in Hotmail, presumably
because MS thinks there should be an option in place for responsible
email marketers, newsletter providers, and organizations that want to be
sure every message gets through. (I do not necessarily agree with this
model, but Hotmail is MS's turf, so they can do what they want).

As they say on Slashdot: RTFA before you post.

-Ryan-

Please also think about the history of spam. Spammers lie: there's no reason
to think they won't defraud holders of these keys, or the key authority.