spf-discuss

Is SPF serving the best interests of the end-user?

2004-07-21 16:11:25
In place today, we have a limited form of authentication for email.

A receiving mail server ordinarily performs a TCP handshake with the sending mail server.

The IP address of the sender can be used as a credential to accept, reject, and discard email.

RBLs and similar constructs use this credential today. I think this helps stem some mail for some people, but it hasn't been entirely effective, hence this list.

SPF, and other concepts like it, seem to be increasing the difficulty a sender will have to send unsolicited email to an end-user.

Furthermore, it seems to be providing a protocol which defines the ways in which the difficulty is increased.

If there is anything easier than a well-defined protocol to exploit, socially, and programmatically, I can't think of it right now.

SPF and other burden-the-sender concepts are making somebody's job more challenging and rewarding. If, more likely when, SPF is exploited, somebody will have really accomplished something, and that somebody, unpopular as he may be, will feel pretty darn good, and hard-working, trying-to-do-the-right-thing somebodies will feel pretty darn bad.

I think most system/network security folks understand and accept that they're in a "can't win" scenario: despite their very best efforts, they may be hacked, through no fault of their own.

There has been a lot of effort put into making it difficult and arduous for unsolicited senders to send mail. I don't think this direction will result in any appreciable change in spam whatsoever.

The following sounds very absurd indeed. Once you get over that feeling, give it your best shot at considering.

Has anybody looked into putting effort into making it more difficult for the average user to receive mail?

Yes, I'm suggesting that if a user wants to participate in the great big real-world email system, spam-free, that the end-user be given an open-ended, reasonable-to-use framework that suggests, if not compels him to put effort into defining an individual method of letting his contacts authenticate themselves for him. Much like real life.

If I want to enable someone to converse with me in real life, I have to provide my party a phone number, and an address, or an email address. Before I provide that party such important, personal access, I would decide on entirely personal values whether it was prudent.

I would give my boss my home cell phone number, but a vendor my desk phone only.

If my bank were to call me with news of consequence, I would have them properly identify themselves.

In fact, if every email recipient made the way to get an email through to them somewhat unique, even if trivial for an ordinary human to do, wouldn't spammers decide that it just wasn't worth sending 100 different emails 100 different ways? Wouldn't making the ability to spam boring, instead of challenging, do most to discourage it?

Does an end user give a golly gosh darn what authentication scheme their ISP uses, if they still get what they believe to be spam? Will they stop complaining about unsolicited email when they receive it, authenticated or not?

There seems to be a conception that a receiver of email should not be burdened; that it's not fair that the recipient should have to suffer because there are those who would exploit the fact that for the most part, anybody who can figure out an email address can send unwanted communication to someone who will read it and possibly care. Well, what if we were suddenly to get over this arbitrary lack of boundary?

As a mail service provider, we might think of ourselves as police. As a mail recipient, we might think of ourselves as a home owner. As a spammer, we might think of ourselves as messiahs with a message to sell. Due to culture, legacy, stigma, whatever, home owners believe that they should not lock their doors, for someone might need to get in at all hours of the day. It's not a law, for there aren't many laws in this particular place. So the messiahs decide that they have something that's really important to say: More important than personal privacy, or the unwritten rule of not entering without knocking. So they do enter, and sell, and spout, and bother. Now, we as home-owners, for whatever reason, do not wish to take control of our privacy, and lock our doors. So we report the incident to the police. The police wish that the home owners would not get so upset about this intrusion; what did they expect? However, the police act in the best interests of the home-owners, and as such, try to bring the problem under control. Unfortunately, these messiahs have this very large horde of viagra, and they multiply like crazy. Laws are enacted, but they're difficult to enforce.

What should the police do in this case? Keep making stricter laws, or move towards getting the home-owners to be responsible for their own privacy?


Hopefully, I'm not coming off as a curmudgeon.

Good luck,

        Nevin