-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 13 July 2004 02:19 pm, Andrew G. Tereschenko wrote:
SPF is not usable as legal measure against spammers. DomainKeys are
probably yes. Routers hacked by spammers scenario.
Your post is all over the board, but I'll try to consolidate and address
your points. You really should try to collect your thoughts and post
intelligently.
(1) Suing spammers
Your Point:
Spammers cannot be sued to recover damages.
My point:
There are really two problems here in whether or not spammers can be sued to
recover damages. First, can the spammer be identified? Second, is spamming
an activity for which he can be sued?
The identification part is the problem. Given an email, I need to be able to
get a responsible party. Right now, I only have the IP address of the
sending party, and I have to work from there. I would contact the owner of
the IP address block and ask them for the name of the person responsible
for the computer at that IP address. It turns out, the overwhelming
majority of spam is sent through compromised hosts. Therefore, the true
spammer cannot be identified.
With SPF, someone has to claim responsibility for the email. When an email
is sent using the domain name of an SPF publisher, you can compare the
server sending the mail and the published sending policy of the sender. If
it doesn't match, then the message is obviously forged and can be
discarded. If it does match, then the owner of the domain has said that
email coming from that server is email coming from him. He has claimed
responsibility.
This is like a branch of a bank. The branch represents the bank because the
bank claims responsibility for it. The things the branch does are the
responsibility of the bank. If you slip and fall in the lobby of a branch
because they left vegetable oil on the floor, that is the bank's and the
branch's responsibility.
The second part is up to the people and the courts to determine.
(2) Proving that I spammed people
Your Point:
It's impossible to tell it was me that spammed them.
My Point:
Let's say Amazon publishes SPF. Then Amazon proceeds to spam people from its
authorized servers. People get upset with Amazon. Amazon's reputation
suffers. Very well. This is what is expected. Amazon deserves it.
Let's say Amazon published SPF, and then one of its outbound email servers
gets compromised. Amazon doesn't realize this for several days and millions
of emails are sent as if they originated from Amazon. People get upset with
Amazon. Amazon says "It's not my fault! We were hacked!"
That isn't going to fly anymore. Amazon is responsible for Amazon's
computers. If we get hacked, then our reputation suffers. No one will give
us slack just because we were victims of a bunch of hackers. We won't
expect it.
Even though Amazon isn't technically the party responsible for the spam,
Amazon is still responsible for it and will be held accountable for it. We
really are responsible for it, just like someone that allows rats to nest
in their house is responsible for the damage the rats cause to neighbors.
Now, in a court of law, Amazon would have to prove that they did everything
in their power to secure their computers if they wanted to escape
responsibility. Otherwise, there would be no excuse. That's the way things
really work. In reality, if we get hacked and let a few hours of spam get
through, but quickly correct the problem, then we will probably get a pass.
(3) SPF an Authentication Mechanism
Your Point:
SPF is not an authentication mechanism.
My Point:
If it isn't an authentication mechanism, then what is it?
Authentication is a process of determining authorization via the
presentation and examination of credentials. The credentials that SPF uses
are:
- Published SPF records for the domain (and other referenced SPF records)
- The purported domain in MAIL FROM 2821 and sometimes EHLO / HELO.
- The IP address, host name, etc... of the sending MTA.
Based on this information, the SPF algorithm determines whether or not the
sending MTA is authorized to send email for the domain.
What else would you call this besides authentication?
- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFA9HLzBFeYcclU5Q0RAlQLAJ9+/qfzxFiwT5O7gSi5J+tm0nQjNwCg4A55
8XdcDLBwsIkc/M1VE2B/6Dg=
=tHXc
-----END PGP SIGNATURE-----
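The check described in points (1) and (3) of the message above, as an added example that is not part of the original post and not Amazon's or any SPF implementation's code: a minimal evaluator in the spirit of RFC 4408 check_host(), taking the three "credentials" the post lists (the published record, the MAIL FROM or HELO domain, and the connecting IP) and returning pass/fail/softfail/neutral/none/permerror. It runs offline against an in-memory DNS table; the domains, records and addresses in that table are constructed for this example (documentation IP ranges, not real senders), and only the all, ip4, ip6, a, mx and include mechanisms are supported (no redirect=, no macros, no AAAA lookups).

```python
"""Minimal SPF evaluator over a constructed in-memory DNS table (added example)."""
import ipaddress
import re

# Constructed DNS data for this example: owner name -> {record type: [RDATA]}.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 a:relay.mailer.example ~all"]},
    "relay.mailer.example": {"A": ["203.0.113.7"]},
    "neutral.example": {"TXT": ["v=spf1 ?all"]},
    # Self-referencing record: must hit the lookup limit, not recurse forever.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 4408 s.10.1 limit on DNS-querying mechanisms per check
TERM_RE = re.compile(
    r"([+\-~?]?)(all|ip4|ip6|a|mx|include)(?::([^/]+))?(?:/(\d{1,3}))?", re.I
)


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, budget=None):
    """SPF result for a connection from ip claiming to send mail for domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    budget = [MAX_DNS_MECHANISMS] if budget is None else budget  # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"  # no policy published: the post's "no one claims responsibility"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        m = TERM_RE.fullmatch(term)
        if m is None:
            return "permerror"  # unsupported or malformed term: record is unusable
        qual, mech = m.group(1) or "+", m.group(2).lower()
        arg, prefix = m.group(3), m.group(4)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            if arg is None:
                return "permerror"
            net = ipaddress.ip_network(f"{arg}/{prefix}" if prefix else arg, strict=False)
            matched = addr in net  # False when the address families differ
        else:
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include loop
            target = arg or domain
            if mech == "include":
                inner = check_host(ip, target, budget)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"
            else:  # a / mx: does any A record of the host(s) cover the sender?
                hosts = [target] if mech == "a" else lookup(target, "MX")
                cidr = int(prefix) if prefix else 32
                matched = any(
                    addr in ipaddress.ip_network(f"{a}/{cidr}", strict=False)
                    for h in hosts for a in lookup(h, "A")
                )
        if matched:
            return QUALIFIERS[qual]  # first matching mechanism decides
    return "neutral"  # record exhausted without a match


def check_sender(ip, mail_from, helo):
    """Pick the identity as the post describes: the MAIL FROM domain, falling
    back to the HELO/EHLO name for a null sender (<>). Returns (domain, result)."""
    mail_from = mail_from.strip("<>")
    domain = mail_from.rsplit("@", 1)[1] if "@" in mail_from else helo
    return domain, check_host(ip, domain)


if __name__ == "__main__":
    for ip, mf, helo in [
        ("192.0.2.10", "<bounce@example.com>", "mta1.example.com"),
        ("203.0.113.99", "<bounce@example.com>", "zombie.isp.example"),
        ("10.0.0.1", "<>", "mail.example.com"),
    ]:
        domain, result = check_sender(ip, mf, helo)
        print(f"{ip:>14} claims {domain:<17} -> {result}")
```

The second sample connection is the compromised-host case from the thread: a machine outside example.com's published policy using its MAIL FROM gets "fail" and can be discarded, while a "pass" from a listed server (even a hacked one) lands on the domain owner, which is exactly the accountability point the post makes. The lookup budget matters in practice: without it, a record that includes itself (or a chain of includes) turns the receiving MTA into a DNS amplifier.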