spf-discuss

Re: *****SPAM***** Re: SPF is not usable as legal measure against spammers.

2004-07-14 08:09:22

----- Original Message ----- 
From: "Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, July 13, 2004 7:40 PM
Subject: *****SPAM***** Re: [spf-discuss] SPF is not usable as legal measure against spammers.



On Tuesday 13 July 2004 02:19 pm, Andrew G. Tereschenko wrote:
SPF is not usable as legal measure against spammers. DomainKeys are
probably yes. Routers hacked by spammers scenario.


Your post is all over the board, but I'll try to consolidate and address
your points. You really should try to collect your thoughts and post
intelligently.

(1) Suing spammers
Your Point:
Spammers cannot be sued to recover damages.

My point:
There are really two problems here in whether or not spammers can be sued
to recover damages. First, can the spammer be identified? Second, is
spamming an activity for which he can be sued?

The identification part is the problem. Given an email, I need to be able
to get a responsible party. Right now, I only have the IP address of the
sending party, and I have to work from there. I would contact the owner of
the IP address block and ask them for the name of the person responsible
for the computer at that IP address. It turns out, the overwhelming
majority of spam is sent through compromised hosts. Therefore, the true
spammer cannot be identified.

I'm sorry, this belief is mistaken, although it's not an unusual belief. Any
attempt to actually enforce the few badly written laws against spamming
activities faces an incredible logistical burden of multi-state law
enforcement, slothful or reluctant law enforcement, many of the laws being
written so badly as to be blatantly unconstitutional, the burden of
gathering proof from reluctant ISP's unwilling to risk their common carrier
status, legal support for the spammers from the DMCA which fears losing much
of its customer base, and the newly enacted federal burdens of the CAN-SPAM
act which gives spammers several outs which have to be closed off in court
proceedings, which forbids private lawsuits, which blocks more restrictive
state laws from effect, and which has rather high thresholds of damage.

Forget it. It ain't gonna happen except possibly for the most egregious of
spammers actually taking down major ISP's, just as happened with
Cyberpromo.com years ago. Please look into the history of that case to
understand the legal burdens that anti-spam lawsuits face, and the games the
spammers will play to avoid any prosecution.

With SPF, someone has to claim responsibility for the email. When an email
is sent using the domain name of an SPF publisher, you can compare the
server sending the mail and the published sending policy of the sender. If
it doesn't match, then the message is obviously forged and can be
discarded. If it does match, then the owner of the domain has said that
email coming from that server is email coming from him. He has claimed
responsibility.

Watch it here. Most ISP's try to claim "common carrier" protections exactly
to avoid this "responsibility", and this is a very legitimate thing for them
to do to avoid having to censor email. Try the "postmark" model instead,
where it is marked as "sent from a certain place" instead of "dropped in
your slot by your neighborhood kook".

Authentication != responsibility.

The second part is up to the people and the courts to determine.

(2) Proving that I spammed people
Your Point:

It's impossible to tell it was me that spammed them.

It's usually trivial from the SMTP server logs. *THIS IS NOT THE PROBLEM SPF
ADDRESSES*. Stop pretending that it is, because you'll muddy the waters and
get people arguing about the wrong thing.


(3) SPF an Authentication Mechanism
Your Point:
SPF is not an authentication mechanism.

My Point:
If it isn't an authentication mechanism, then what is it?

It's a lightweight outgoing SMTP policy mechanism in the hands of the domain
owners, relying on existing and robust infrastructure for its mechanisms.

It's still possible to lie about exactly who you are, which is why it's not
a full-blown authentication mechanism. Don't try to deal with it as such.
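The check described in the thread (compare the connecting SMTP server against the policy the domain owner published) as an added example; this is not code from the list or from any SPF implementation. The records and addresses are constructed, and the checker handles only ip4, ip6 and all, since a, mx and include need DNS lookups. A "pass" only says the domain owner authorised that address to send for the domain, which is the "postmark" point made above.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data);
# a real check fetches the TXT record of the MAIL FROM domain.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate one SPF record against the connecting client's IP address.

    Supports the ip4, ip6 and all mechanisms with +, -, ~ and ? qualifiers.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]      # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        else:
            # a, mx, include, exists, ptr need DNS; this toy checker
            # treats them like an unknown mechanism (permerror).
            return "permerror"
    return "neutral"                       # record exhausted, no match


def check_sender(domain, client_ip):
    """Look up the domain's (constructed) record and evaluate it."""
    record = RECORDS.get(domain)
    return check_spf(record, client_ip) if record else "none"
```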