spf-discuss

Re: SPF is not usable as legal measure against spammers.

2004-07-13 16:40:35
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 13 July 2004 02:19 pm, Andrew G. Tereschenko wrote:
SPF is not usable as legal measure against spammers. DomainKeys are
probably yes. Routers hacked by spammers scenario.


Your post is all over the board, but I'll try to consolidate and address 
your points. You really should try to collect your thoughts and post 
intelligently.

(1) Suing spammers
Your Point:
Spammers cannot be sued to recover damages.

My point:
There are really two problems here in whether or not spammers can be sued to 
recover damages. First, can the spammer be identified? Second, is spamming 
an activity for which he can be sued?

The identification part is the problem. Given an email, I need to be able to 
get a responsible party. Right now, I only have the IP address of the 
sending party, and I have to work from there. I would contact the owner of 
the IP address block and ask them for the name of the person responsible 
for the computer at that IP address. It turns out, the overwhelming 
majority of spam is sent through compromised hosts. Therefore, the true 
spammer cannot be identified.

With SPF, someone has to claim responsibility for the email. When an email 
is sent using the domain name of an SPF publisher, you can compare the 
server sending the mail and the published sending policy of the sender. If 
it doesn't match, then the message is obviously forged and can be 
discarded. If it does match, then the owner of the domain has said that 
email coming from that server is email coming from him. He has claimed 
responsibility.

This is like a branch of a bank. The branch represents the bank because the 
bank claims responsibility for it. The things the branch does are the 
responsibility of the bank. If you slip and fall in the lobby of a branch 
because they left vegetable oil on the floor, that is the bank's and the 
branch's responsibility.

The second part is up to the people and the courts to determine.

(2) Proving that I spammed people
Your Point:

It's impossible to tell it was me that spammed them.

My Point:
Let's say Amazon publishes SPF. Then Amazon proceeds to spam people from its 
authorized servers. People get upset with Amazon. Amazon's reputation 
suffers. Very well. This is what is expected. Amazon deserves it.

Let's say Amazon published SPF, and then one of its outbound email servers 
gets compromised. Amazon doesn't realize this for several days and millions 
of emails are sent as if they originated from Amazon. People get upset with 
Amazon. Amazon says "It's not my fault! We were hacked!"

That isn't going to fly anymore. Amazon is responsible for Amazon's 
computers. If we get hacked, then our reputation suffers. No one will give 
us slack just because we were victims of a bunch of hackers. We won't 
expect it.

Even though Amazon isn't technically the party responsible for the spam, 
Amazon is still responsible for it and will be held accountable for it. We 
really are responsible for it, just like someone that allows rats to nest 
in their house is responsible for the damage the rats cause to neighbors. 

Now, in a court of law, Amazon would have to prove that they did everything 
in their power to secure their computers if they wanted to escape 
responsibility. Otherwise, there would be no excuse. That's the way things 
really work. In reality, if we get hacked and let a few hours of spam get 
through, but quickly correct the problem, then we will probably get a pass.

(3) SPF as an Authentication Mechanism
Your Point:
SPF is not an authentication mechanism.

My Point:
If it isn't an authentication mechanism, then what is it?

Authentication is a process of determining authorization via the 
presentation and examination of credentials. The credentials that SPF uses 
are:

 - Published SPF records for the domain (and other referenced SPF records)
 - The purported domain in the RFC 2821 MAIL FROM and sometimes EHLO / HELO.
 - The IP address, host name, etc. of the sending MTA.

Based on this information, the SPF algorithm determines whether or not the 
sending MTA is authorized to send email for the domain.

What else would you call this besides authentication?

- -- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA9HLzBFeYcclU5Q0RAlQLAJ9+/qfzxFiwT5O7gSi5J+tm0nQjNwCg4A55
8XdcDLBwsIkc/M1VE2B/6Dg=
=tHXc
-----END PGP SIGNATURE-----
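The check described in points (1) and (3) of the message above, as an added example that is not part of the original post or of any SPF implementation: a small evaluator that takes the published record, the MAIL FROM domain and the connecting IP address and returns the SPF result. The DNS data is a constructed in-memory table (the domains `example.com`, `_spf.mailer.example` and the addresses are assumptions from documentation ranges), so the code runs offline; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled here. The `responsible_party` helper makes point (2) concrete: a message that passes is vouched for by the domain owner, whether or not the authorized server was actually under their control at the time.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no real DNS is queried).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record published for `domain`, or None if there is none."""
    return FAKE_DNS.get(domain.lower())


def check_host(ip, domain, depth=0):
    """Evaluate `domain`'s SPF policy against the sending IP `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include: loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # An IPv4 address never matches an ip6 network and vice versa.
            matched = addr.version == net.version and addr in net
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            # a, mx, ptr, exists and modifiers are out of scope for this example.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def responsible_party(ip, mail_from_domain):
    """Name the domain that has claimed responsibility for mail from `ip`.

    Only a "pass" means the domain owner published that server as theirs;
    every other result leaves the sender unidentified.
    """
    result = check_host(ip, mail_from_domain)
    return mail_from_domain if result == "pass" else None


if __name__ == "__main__":
    # Authorized server: the domain owner vouches for it, hacked or not.
    print(check_host("192.0.2.25", "example.com"), responsible_party("192.0.2.25", "example.com"))
    # Unlisted host claiming the domain: forged, and the policy says discard.
    print(check_host("203.0.113.7", "example.com"), responsible_party("203.0.113.7", "example.com"))
```

The evaluator is deliberately strict about mechanisms it does not implement, returning `permerror` rather than silently treating them as non-matching; a receiver that treated unknown terms as "no match" would hand out `fail` results the publisher never intended.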