Is SPF serving the best interests of the end-user?
2004-07-21 16:11:25
In place today, we have a limited form of authentication for email.
A receiving mail server ordinarily performs a TCP handshake with the
sending mail server.
The IP address of the sender can be used as a credential to accept,
reject, and discard email.
RBLs and similar constructs use this credential today. I think this
helps stem some mail for some people, but it hasn't been entirely
effective, hence this list.
SPF, and other concepts like it, seem to be increasing the difficulty a
sender will have to send unsolicited email to an end-user.
Furthermore, it seems to be providing a protocol which defines the ways
in which the difficulty is increased.
If there is anything easier than a well-defined protocol to exploit,
socially, and programmatically, I can't think of it right now.
SPF and other burden-the-sender concepts are making somebody's job
more challenging and rewarding. If, more likely when, SPF is
exploited, somebody will have really accomplished something, and that
somebody, unpopular as he may be, will feel pretty darn good, and
hard-working, trying-to-do-the-right-thing somebodies will feel pretty
darn bad.
I think most system/network security folks understand and accept that
they're in a "can't win" scenario: despite their very best efforts,
they may be hacked, through no fault of their own.
There has been a lot of effort put into making it difficult and arduous
for unsolicited senders to send mail. I don't think this direction
will result in any appreciable change in spam whatsoever.
The following sounds very absurd indeed. Once you get over that
feeling, give it your best shot at considering.
Has anybody looked into putting effort into making it more difficult
for the average user to receive mail?
Yes, I'm suggesting that if a user wants to participate in the great
big real-world email system, spam-free, that the end-user be given an
open-ended, reasonable-to-use framework that suggests, if not compels
him to put effort into defining an individual method of letting his
contacts authenticate themselves for him. Much like real life.
If I want to enable someone to converse with me in real life, I have to
provide my party a phone number, and an address, or an email address.
Before I provide that party such important, personal access, I would
decide on entirely personal values whether it was prudent.
I would give my boss my home cell phone number, but a vendor my desk
phone only.
If my bank were to call me with news of consequence, I would have them
properly identify themselves.
In fact, if every email recipient made the way to get an email through
to them somewhat unique, even if trivial for an ordinary human to do,
wouldn't spammers decide that it just wasn't worth sending 100
different emails 100 different ways? Wouldn't making the ability to
spam boring, instead of challenging, do most to discourage it?
Does an end user give a golly gosh darn what authentication scheme
their ISP uses, if they still get what they believe to be spam? Will
they stop complaining about unsolicited email when they receive it,
authenticated or not?
There seems to be a conception that a receiver of email should not be
burdened; that it's not fair that the recipient should have to suffer
because there are those who would exploit the fact that for the most
part, anybody who can figure out an email address can send unwanted
communication to someone who will read it and possibly care. Well,
what if we were suddenly to get over this arbitrary lack of boundary?
As a mail service provider, we might think of ourselves as police. As
a mail recipient, we might think of ourselves as a home owner. As a
spammer, we might think of ourselves as messiahs with a message to
sell. Due to culture, legacy, stigma, whatever, home owners believe
that they should not lock their doors, for someone might need to get in
at all hours of the day. It's not a law, for there aren't many laws in
this particular place. So the messiahs decide that they have something
that's really important to say: More important than personal privacy,
or the unwritten rule of not entering without knocking. So they do
enter, and sell, and spout, and bother. Now, we as home-owners, for
whatever reason, do not wish to take control of our privacy, and lock
our doors. So we report the incident to the police. The police wish
that the home owners would not get so upset about this intrusion; what
did they expect? However, the police act in the best interests of the
home-owners, and as such, try to bring the problem under control.
Unfortunately, these messiahs have this very large horde of viagra, and
they multiply like crazy. Laws are enacted, but they're difficult to
enforce.
What should the police do in this case? Keep making stricter laws, or
move towards getting the home-owners to be responsible for their own
privacy?
Hopefully, I'm not coming off as a curmudgeon.
Good luck,
Nevin