spf-discuss

RE: overall paradigm shift in email, plus rambling philosophical discussion

2004-06-21 12:20:39
From: Meng Weng Wong
Sent: June 20, 2004 1:16 PM
Subject: [spf-discuss] overall paradigm shift in email, plus rambling philosophical discussion

Some comments on philosophy.

As a sender, I support the development, adoption
and implementation of a uniform standard for
sender authentication.

Why? Because the 'Net is no longer a village, but
as you point out it has grown into a big city.
Just as we need to have locks on our doors to
protect ourselves from thieves, so too we need to
take steps to 'secure' email.

I also appreciate that with sender authentication
comes sender reputation, use of black lists and
filters. Although these issues are related to
sender authentication, I am of the view if we
attempt to solve all problems at once, we may
well end up solving none.

             ..............

(As an aside there is a myriad of issues
surrounding all of these questions. Sender
reputation models are now just starting to be
implemented, but already we can see issues
concerning accountability and transparency.

There has been an ongoing debate between
responsible senders and commercial black list
operators surrounding the meaning of solicited.
This is shown by the perspective on the one hand
of the need for verified consent (or as some call
it - double opt-in) and the viewpoint (despite
an RFC setting out best practice) that
unconfirmed opt-in and implied consent based on a
pre-existing business relationship is sufficient.

At least in the US, the Federal government has
weighed in on the debate and established the
criteria of "affirmative consent." Despite the
views of a number of groups, this precludes the
concept of implied consent at least when sending
commercial email. Time will tell whether the FTC
views "affirmative consent" as including the need
for verified opt-in. 

The issue of filters is a separate kettle of
fish. One of the more pressing issues is whether
there is a need for recipients to be responsive
when false positives are drawn to the recipient's
attention.)

             ..............        

That having been said, just as recipients are
asking senders to account for their behaviour, so
recipients must also account for their behaviour. 

Now, I can hear the howls of protest coming from
those who believe:

* I have no obligation to establish an Internet
which allows people to make a living; and,

* I don't care if I block some solicited email as
long as we stop all spam.

This position is premised in part on the view
that technical measures can be established which
will eradicate spam.

This is a false premise. Why? Sending spam is a
form of abusive behaviour. Society will never
eradicate abusive behaviour. It is why we have
established various ways of controlling behaviour
so that individuals channel their efforts in a
responsible manner, while at the same time
setting up systems to deal with those who abuse.

The effectiveness of these systems is always open
to debate. My point? We must come to appreciate
the situation on the 'Net is no different.

For every step we take to control spam, some
operators will seek ways to avoid these solutions
and continue on with their abusive behaviour.

Does this mean we can never bring the problem
under control? No. It simply means the best we
can achieve through a combination of technical
measures, education and rigorous law enforcement
is to reduce the level of abusive behaviour so
that responsible actors can go about their
business without fear of being constantly mugged,
robbed and plundered.

These positions are also premised on the
viewpoint that there is no need for mutual
responsibility and accountability between
responsible actors in society.

How do we deal with the problem:

* Establish a system where there is mutual
responsibility and accountability between senders
and recipients.

* On the technical side this means as a first
step senders have to become authenticated. 

* I suggest the process for senders needs to be
made as easy as realistically possible,
recognizing that the vast majority of people who
will need to become sender authenticated are not
literate in what is required to publish an
authentication record. 

If we don't set up a system which educates
people, so that individuals can take control of
their situation and at least easily create their
own sender record, we will end up with huge
bottlenecks during the implementation process.

(I make these comments in response to feedback
from people I have sent to the SPF site to
publish an SPF record for their domain(s).)

* It also means recipients should use methods of
authentication which rely on one unified standard
for generating the needed data, (as recently
outlined by you and presently being refined with
the helpful input of many on this list.)

* We want to impose requirements which don't
jeopardize responsible business operations.

(This is self-evident and why so much effort is
going into developing a system which minimizes
the need for change.)

* Recipients should be honest in informing
senders why a particular message was not accepted.

Some folks will say, but this will help spammers.
Yes, I appreciate it may. But in dealing with the
problem, we need to uphold and support the
responsible actors on both sides.

Or to put it in engineering terms, just as we ask
senders to exercise 'quality control,' so too we
should ask recipients to exercise 'quality
control.'

Although I would like to see a situation develop
where all recipients adopt the acceptance mode
for delivery over the rejection mode, (as
Jonathan suggests) I am not certain we can
realistically enforce this requirement as the
choice of delivery mode is up to the recipient. 

Having said this, I agree with Jonathan's comment
that catching the bad guys is almost always going to
be reactive. Although I am not certain on this
point, I gather that the acceptance mode enhances
the ability of law enforcement to catch and
punish the bad actors, (by creating data which
can then be sent on to the appropriate party). If
my understanding is correct, people may want to
consider stating this to reinforce the
desirability of recipients utilizing the
acceptance mode.

Underlying all these comments is the simple
position, if we want to reinforce and support the
validity of email, then we must work towards a
model which ensures mutual respect and
accountability between responsible actors. 

This is not saying spammers have rights. This is
not saying people should go around suing people.
This is simply saying for any society to work,
and the 'Net is a society, the need for mutual
respect and accountability between responsible
actors is a natural underpinning of an orderly
society.

This is why I applaud the even-handed approach
you and others are taking while working through
the myriad of complex issues surrounding sender
authentication.

John Glube 
Toronto, Canada

The FTC Calls For One Standard For Sender
Authentication
http://www.learnsteps4profit.com/dne.html
