spf-discuss

RE: SPF is not usable as legal measure against spammers. DomainKeys are probably yes. Routers hacked by spammers scenario.

2004-07-13 18:53:36
From: Andrew G. Tereschenko
Sent: July 13, 2004 5:19 PM
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] SPF is not usable as legal measure against spammers.

You suggest SPF is not usable as a legal measure
against "spammers." 

SPF is designed to prevent email fraud or forgery
and compel emailers to take a measure of
responsibility for email sent using their domain.

It is designed to force emailers who wish their
email to be delivered to operate out in the open.

The emailer must publish a sender policy and
can't use forged header information.

(When I use the statement 'forged header
information' this means header information
designed to prevent law enforcement from
determining the identity of the emailer.)

Whether the specific email is delivered or
legally actionable depends upon a number of
factors including the recipient's policies and
local law.

Let's presume three situations:

* An emailer's mail server's security is
compromised and it starts spewing UBE into the
system.

Who is responsible? Does the emailer bear any
responsibility?

Edward Felten had an interesting discussion
concerning this question in May on his blog,
Freedom to Tinker. The first entry is here:

http://www.freedom-to-tinker.com/archives/000603.html

There is quite a lengthy discussion on the topic
over three blog entries and a series of comments.

Suffice it to say responsibility is not dependent
upon authentication. 

(Dr. Felten is one of the computer scientists who
consulted for the Federal Trade Commission in
preparing its report on the feasibility of a do
not email registry.)

* A spammer begins to spoof an emailer's domain.
The emailer has published an SPF record. The
unsolicited bulk email is not delivered because
authentication fails. 

How does any authentication system help identify
a spammer who uses open relays and so forth in an
attempt to remain anonymous and deliver UBE? It
does not. Rather it prevents delivery.

* A spammer using a throwaway domain with a
published SPF record transmits unsolicited
commercial email in bulk into the system without
using false headers.

Is the transmitting of the UBCE actionable in and
of itself? That depends upon local law.

Does the legal situation change with Domain Keys?
No. 

The value of SPF is that it compels the spammer
to identify herself if she wants the UBCE to have
a shot at being delivered.

In turn, if transmitting the particular message
in the form of UBCE violates local law, this
makes it much easier for the receiver to bring a
civil suit or local law enforcement to track down
and prosecute the miscreant.

For example, if the message has a deceptive
subject line, is not properly labeled, or does
not include a valid mail address, this would be a
violation of the US Federal law regulating the
transmission of commercial email as a deceptive
trade practice.

Of course this presumes recipients don't simply
reject the message without keeping a copy of the
message and don't file a complaint with the
authorities.

The FTC in its recent report on the feasibility
of a national do not email registry concludes the
implementation of sender authentication would aid
law enforcement of existing laws.

"It should be noted that these private market
proposals [SPF, Caller ID and Domain Keys] do not
authenticate the identity of the person sending
an email. In other words, if a message claimed to
be from abc@ftc.gov, the private market proposals
would authenticate that the message came from the
domain “ftc.gov,” but would not authenticate that
the message came from the particular email
address “abc” at this domain.

Nonetheless, domain-level authentication would
confound spammers’ ability to engage in spoofing
and to send messages via open relays and open
proxies, enable ISPs to deploy more effective
filters, and provide law enforcement with an
improved ability to track down and prosecute
spammers."

(The insertion in brackets is mine. See pages 12
to 13 of the report.)

The Commission in reaching this conclusion
references SPF in its report as one of the
proposed authentication systems.

Bottom line? I would suggest SPF can be a
valuable legal tool to aid authorities in dealing
with spammers.

Trusting these comments are of some value.

John Glube 
Toronto, Canada

The FTC calls for one sender authentication
standard 
http://www.learnsteps4profit.com/dne.html
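The three situations laid out in the message above, and the FTC's point that SPF authenticates a domain rather than a person, can be made concrete with a small SPF evaluator. The code below is an added illustration, not part of the original post or of any SPF implementation; the domains, IP addresses and SPF records are constructed stand-ins for what a real receiver would fetch from DNS, and only the ip4/ip6 mechanisms and the "all" default are handled. It shows why a compromised-but-authorised server and a spammer's own throwaway domain both pass, while a spoofer relaying from an unauthorised host fails, and why the local part of the address never enters into the verdict.

```python
import ipaddress

# Constructed, hypothetical SPF records standing in for DNS TXT lookups.
# None of these domains, addresses or records come from the original message.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "throwaway.example": "v=spf1 ip4:198.51.100.5 -all",
    "nospf.example": None,  # domain that publishes no policy at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender, connecting_ip):
    """Minimal SPF check returning 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    Only the ip4 / ip6 mechanisms and the 'all' default are supported.
    The local part of `sender` is deliberately never consulted: SPF answers
    'may this host send for this domain?', not 'is this user who they claim?'.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    record = FAKE_DNS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published, so no verdict either way

    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # strict=False lets a bare host address act as a /32 or /128
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # mechanisms this toy evaluator does not implement
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def three_scenarios():
    """The message's three situations, run through the evaluator."""
    return {
        # 1. Legitimate server compromised: the host is authorised, so SPF
        #    passes; authentication says nothing about responsibility.
        "compromised_server": evaluate_spf("user@example.com", "192.0.2.10"),
        # 2. Spoofer sending from an open relay: host not in the policy,
        #    so the mail is rejected but the spammer is not identified.
        "spoofed_domain": evaluate_spf("user@example.com", "203.0.113.7"),
        # 3. Spammer's own throwaway domain with a correct record: passes,
        #    and the domain is now a lead for anyone pursuing the sender.
        "throwaway_domain": evaluate_spf("promo@throwaway.example", "198.51.100.5"),
        # A domain with no record yields no verdict at all.
        "no_policy": evaluate_spf("anyone@nospf.example", "203.0.113.7"),
    }


def local_part_is_ignored():
    """Two different users at the same domain get the same answer."""
    return evaluate_spf("abc@example.com", "192.0.2.11") == evaluate_spf(
        "xyz@example.com", "192.0.2.11"
    )


if __name__ == "__main__":
    for name, verdict in three_scenarios().items():
        print(f"{name:20s} -> {verdict}")
    print("local part ignored:", local_part_is_ignored())
```

Run as a script it prints the four verdicts; the point to take away is that "pass" only ever means the connecting host was permitted by the domain's own published policy, which is exactly the domain-level (not person-level) authentication the FTC passage describes.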