spf-discuss

RE: FTC: we need sender authentication before "Do Not Spam" can work

2004-06-16 12:03:31
This post is in response to the comments 
of both Lars and Seth concerning defining Spam.

On the issue of a Spam definition, Spam can
cover more than merely unsolicited bulk email. 

Unfortunately, Spam has become an elastic term,
so that one person's spam may be another
person's valuable communication. 

(I note in passing that the CAN SPAM Act of 2003 
does not define Spam.)

The newSPF is a sender authentication protocol,
designed to focus on the problems of stopping
spoofing and phishing.

It is probably better to stay away from trying to
define Spam, but rather focus on stopping abusive
behaviour, since this is the objective of
implementing a sender authentication protocol.

In this regard, there are four documents I would
reference:

Netiquette Guidelines
http://www.ietf.org/rfc/rfc1855.txt

Don't Spew 
http://www.ietf.org/rfc/rfc2635.txt

How to Advertise Responsibly Using E-Mail and
Newsgroups http://www.ietf.org/rfc/rfc3098.txt 

Unsolicited Bulk Email, Definitions and Problems
http://www.imc.org/ube-def.html 

(I presume many are already familiar with these
documents.)

One of the issues with the Spam definition found
at http://www.spamhaus.org/definition.html is
that SpamHaus calls for a closed loop
verification process for solicited bulk emailings.

This is fine, but in a world where domain holders
have published an SPF record, I am not certain
whether this standard is required. Also, this is
a higher standard than outlined in rfc3098.

However, there is another problem. The moment we start
talking about UBE, verified opt-in, confirmed
opt-in or unconfirmed opt-in, various interest
groups will pop up. 

These interest groups may oppose the
implementation of the newSPF on the basis it
restricts their behaviour, even though we
all know UBE is abusive. 

Some of these interest groups have significant
political and financial clout. For example:

The Global Business Dialogue On Electronic
Commerce (http://www.gbde.org/), which published
a Spam report in November, 1993:
http://www.gbde.org/spam.html

It may be better, to ensure rapid and widespread
implementation of the newSPF, to leave these
issues to a different arena.

Please don't misunderstand my comments. Ideally,
one wants all Internet access services to state:

Want to transmit email to or from our domain? You
cannot use our services to send UBE and you need
to be sender authenticated.

This would be the easiest and quickest way to
stop abusive behaviour, providing Internet access
services honour the commitment.

However, if the people supporting SPF enter this
debate, one may move from having the newSPF
easily accepted and implemented and enter into an
entirely different debate, including issues of
sender reputation and accreditation.

For example, what happens if someone who has
published a text record does send UBE?

How do you determine whether the person has or
has not sent UBE?

What objective standard do you settle upon?
Verified opt-in as advocated by SpamHaus and
others or confirmed opt-in as advocated by the
IETF?

What process is implemented to allow the sender
to defend his, her or its interests against
complaints? 

Do you blacklist before or after the sender has
had a chance to respond?

Who makes decisions?

I am not saying all these issues can't be sorted
through. They need to be sorted through. 

The question is whether people want to get
involved in this debate, while at the same time
sorting through the various implementation
issues, especially with the FTC throwing its
weight behind sender authentication.

Yes, I appreciate, respect and agree with the
sentiment of not wanting one big company to deal
with issues of reputation and accreditation.

However one proceeds, there is a need for settled
standards which have widespread backing and a
requirement for significant oversight to ensure a
fair and open process.

To date these standards don't exist. One place to
start may be to build on the work done by the
Eprivacy Group, which has developed the Trusted
Email Open Standard:
http://www.eprivacygroup.net/teos/

Changing the subject, earlier mention has been
made of SPF having its first birthday on June 10,
2004.

I just want to chime in and say I am grateful to
Meng Wong and all the other people who have
worked on SPF over the past year in getting it to
the stage where widespread acceptance and
implementation is becoming a realistic
possibility.

John Glube
Toronto, Canada

Who Pays And How To Survive The Email Transition
http://www.learnsteps4profit.com/emwp.html

FTC Calls For Implementation of Sender Authentication
http://www.learnsteps4profit.com/dne.html
