-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 03 June 2004 02:47 pm, Shevek wrote:
> On Thu, 3 Jun 2004, Dustin D. Trammell wrote:
> > Especially if 'someguy(_at_)phisher(_dot_)com' looks legitimately
> > associated to the emulated entity, something like:
> >
> > From: dtrammell(_at_)FNB-CustomerService(_dot_)com on behalf of
> > Operations(_at_)FirstNationalBank(_dot_)com
>
> Then the user should be fired with prejudice, and probably for gross
> misconduct.

No, fraud of this kind is far more serious. It should result in heavy fines,
and imprisonment. It's akin to me calling you and saying, "Hi, I'm from
First National Bank and we'd like to update our customer information. What
is your SSN and bank account number?" The Nigerian scam, pharmacy emails,
pyramid schemes, porn offerings, and other kinds of emails are just as
serious. We can't fool ourselves into pretending they're not just because
we see thousands of them each day. We don't tolerate this on our phone
system or in snail mail. We won't tolerate it in email.

In this particular example, someone or some organization of people needs to
get fined heavily and be sent to prison. Their ties to terrorist,
"cracker", or criminal rings need to be investigated. The law enforcement
agencies need the tools to track these people down, build a case against
them, and execute justice.

SPF is the beginning of the solution to this and other email problems
because it provides accountability.

The first step is: Did a server that FNB-CS.com purports to be a valid
server send a fraudulent email? If SPF passes, then FNB-CS.com told us that
that server is a valid email server for their domain. That means they take
responsibility for whatever comes out as if it was hosted in their own
bedroom. They are the ones that published the SPF record, and they can't
claim that anyone did it for them as they have sole control of their DNS
records. In a court of law or public opinion, publishing incorrect SPF
records will not be an excuse.

The second step is to track down who the real people behind FNB-CS.com are.
This is no problem because people are required to provide personal and
valid contact information to get a domain name.

The end result is that either the people behind FNB-CS.com or Mr.
dramwell(_at_)FNB-CS(_dot_)com himself are going to be accountable for their
fraud scheme. SPF in this case won't prevent the fraud, but it will leave a
trail that can be followed.

This is the #1 reason why SPF is being adopted at Amazon. We need
accountability in the email system, just like we have accountability in IP
addresses and domain names.

- --
Jonathan M. Gardner
Mass Mail System Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAwL6QBFeYcclU5Q0RAqDTAJwIRUXj8jazCS17f9kSaWY8EJE1LQCcDP+J
CTrcF1dAJfhyrDHWmSCGSqE=
=fBSo
-----END PGP SIGNATURE-----
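
The "first step" check described in the message above, as an added example that is not part of the original post: it evaluates an SPF record for the envelope sender and reports which domain vouched for the sending server, and whether that is the domain shown to the reader. Assumptions: the look-alike address is the envelope sender, the records are constructed ones on reserved `.example` names and documentation IP ranges, only the `ip4`, `ip6` and `all` mechanisms are handled, and `check_spf` and `trail` are hypothetical names.

```python
import ipaddress

# Constructed TXT records on reserved .example names and documentation IP
# ranges; a real checker would fetch these from DNS.
SAMPLE_TXT = {
    "fnb-customerservice.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "firstnationalbank.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_spf(sender_ip, mail_from, txt=SAMPLE_TXT):
    """Evaluate the ip4/ip6/all subset of SPF for the envelope sender."""
    domain = domain_of(mail_from)
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", domain          # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier], domain
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism outside the handled subset: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier], domain
    return "neutral", domain           # no mechanism matched


def trail(sender_ip, mail_from, header_from):
    """Name the domain that vouched for the server; compare it to the one shown."""
    result, domain = check_spf(sender_ip, mail_from)
    return {
        "spf": result,
        "accountable_domain": domain if result == "pass" else None,
        "matches_displayed_from": domain == domain_of(header_from),
    }
```

A pass here names the domain whose owner published the record, which is the trail the message refers to; it says nothing about whether that domain is the one the reader believes sent the mail.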