From: Andrew G. Tereschenko
Sent: July 13, 2004 10:43 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF is not usable as legal measure against spammers. DomainKeys are probably yes. Routers hacked by spammers scenario.
A couple of comments:
* You suggest DomainKeys is a better solution in aiding law
enforcement than SPF, pointing out some potential ways
spammers can walk around SPF.
You go on to suggest since SPF is merely a bridge, it being
felt by some the implementation of "crypto is the long-term
solution," you ask in essence:
"why waste resources and instead move directly to a
permanent solution."
This is a separate question and pre-supposes a number of
items.
* The email culture has changed from an open to a closed
system requiring sender authentication. We seem to be
moving in this direction.
* Design, development and implementation.
It seems a consensus decision has been made to first move
forward with SPF as this will be easier to implement, get
this up and running, while working on DomainKeys.
* Local laws require prior consent and with the use of
DomainKeys this makes enforcement of an opt-in law
realistic.
This is the proof issue. Recipient claims UCE. Sender lies
and says recipient consented. Authorities have to prove
recipient gave prior consent. Will DomainKeys make proof of
prior consent under the EU directive any easier?
* There should be one uniform standard. This is the
position taken by the Federal Trade Commission.
http://www.learnsteps4profit.com/dne.html
On this point it is interesting to note the view expressed
by Sendmail:
"It is Sendmail's belief that email authentication will end
up with multiple widely-supported authentication schemes
(similar to personal identification such as passports and
drivers licenses). To this end it is in everyone's best
interest to identify the most suitable solutions for
different needs and encourage broad adoption of a handful
of the most evolved tools."
http://sendmail.net/#pilot-overview
The Anti-Spam Technology Alliance policy paper issued by
the Big 6 shortly after release of the FTC report reflects
this perspective.
http://corp.aol.com/press/ASTA_Statement_of_Intent.pdf
* The silver bullet. As the author of the DomainKeys draft
protocol acknowledges:
"It is not a magic bullet for spam, nor is it an
authorization system, a reputation system, a certification
system, or a trust system."
http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
DomainKeys may well be the best long term solution to
provide the required underpinning.
But, as noted above, the present consensus seems to be there
is a need to take an immediate step to move the ball down
field and SPF appears to be the vehicle for this purpose.
As to the throwaway domain workaround by spammers, you
suggest:
"a) Throwaway domains will not be real throwaways - they
will be multipurpose. Real and valuable portals supported
using network/freelance people will send you spam."
To an extent this goes on now. It requires the need for
user vigilance, although users will be deceived. This leads
to the need for more than merely sender authentication
which has been identified.
"b) Or hackers will hack portal ISP routers (not a MTA) to
send spam and as byproduct destroy portal reputation. There
will not be clear line between spammer and legit company."
This is a security and enforcement issue, even with
DomainKeys as hackers will endeavour to hack into a system
and access the private keys.
John
John Glube
Toronto, Canada
The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html