Re: Is SPF serving the best interests of the end-user?

I'm sorry, I don't know where an apartment building came into my 
analogy, nor can I determine what flaw you're pointing out in my 
analogy.,
I think it might be a desire to protect me with building policies, 
which is why I have a choice of buildings to live in, in case I don't 
like your building's policy.
I didn't say anything about locking doors being useless at all.  I 
think I encouraged it.
I think I implied that banning messiahs wasn't going to help, if 
home-owners did not lock their doors.
Does this make sense?

        Nevin




On Jul 21, 2004, at 4:33 PM, <terry(_at_)greatgulfhomes(_dot_)com> wrote:

> Interesting analogy, but flawed.  Rather then comparing email clients 
> to a homeowner, better to
> compare them to an apartment owner, and the lock on the building door 
> is the mail server running
> SPF.  True, each person can lock their apartment door, at their 
> discression.  But the building door
> still needs to be locked so there is some level of secureness with the 
> common premises of the
> building.
>
> I don't see how locking the building will make spam worse, so what's 
> to lose trying?
> And you don't offer any viable alternatives to locking the building 
> door, you just say locking it is
> useless, and we should rely purely on the apartment door locks.
>
> (Could it be there are spammers on this list...  :)
>
> Terry Fielder
> Manager Software Development and Deployment
> Great Gulf Homes / Ashton Woods Homes
> terry(_at_)greatgulfhomes(_dot_)com
> Fax: (416) 441-9085
>
>
> > -----Original Message-----
> > From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
> > spf(_at_)nevster(_dot_)net
> > Sent: Wednesday, July 21, 2004 7:11 PM
> > To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > Cc: Nevin Williams
> > Subject: [spf-discuss] Is SPF serving the best interests of the
> > end-user?
> >
> >
> > In place today, we have a limited form of authentication for email.
> >
> > A receiving mail server ordinarily performs a TCP handshake with the
> > sending mail server.
> >
> > The IP address of the sender can be used as a credential to accept,
> > reject, and discard email.
> >
> > RBLs and similar constructs, use this credential today.  I think this
> > helps stem some mail for some people, but it hasn't been entirely
> > effective, hence this list.
> >
> > SPF, and other concepts like it, seem to be increasing the
> > difficulty a
> > sender will have to send unsolicited email to an end-user.
> >
> > Furthermore, it seems to be providing a protocol which
> > defines the ways
> > in which the difficulty is increased.
> >
> > If there is anything easier than a well-defined protocol to exploit,
> > socially, and programatically, I can't think of it right now.
> >
> > SPF and other burden-the-sender concepts, are making somebody's job
> > more challenging and rewarding.  If, more likely when, SPF is
> > exploited, somebody will have really accomplished something, and that
> > somebody, unpopular as he may be, will feel pretty darn good, and
> > hard-working, trying-to-do-the-right-thing somebodies will
> > feel pretty
> > darn bad.
> >
> > I think most system/network security folks understand and accept that
> > they're in a  "can't win" scenario:  despite their very best efforts,
> > they may be hacked, through no fault of their own.
> >
> > There has been a lot of effort put into making it difficult
> > and arduous
> > for unsolicited senders to send mail.  I don't think this direction
> > will result in any appreciable change in spam what-so-ever.
> >
> > The following sounds very absurd indeed.  Once you get over that
> > feeling, give it your best shot at considering.
> >
> > Has anybody looked into putting effort into making it more difficult
> > for the average user to receive mail?
> >
> > Yes, I'm suggesting that if a user wants to participate in the great
> > big real-world email system, spam-free, that the end-user be given an
> > open-ended, reasonable-to-use framework that suggests, if not compels
> > him to put effort into defining an individual method of letting his
> > contacts authenticate themselves for him.  Much like real life.
> >
> > If I want to enable someone to converse with me in real life,
> > I have to
> > provide my party a phone number, and an address, or an email
> > address.
> > Before I provide that party such important, personal access, I would
> > decide on entirely personal values whether it was prudent.
> >
> > I would give my boss my home cell phone number, but a vendor my desk
> > phone only.
> >
> > If my bank were to call me with news of consequence, I would
> > have them
> > properly identify themselves.
> >
> > In fact, if every email recipient made the way to get an
> > email through
> > to them somewhat unique, even if trivial for an ordinary human to do,
> > wouldn't spammers decide that it just wasn't worth sending 100
> > different emails 100 different ways?  Wouldn't making the ability to
> > spam boring, instead of challenging, do most to discourage it?
> >
> > Does an end user give a golly gosh darn what authentication scheme
> > their ISP uses, if they still get what they believe to be spam?  Will
> > they stop complaining about unsolicited email when the receive it,
> > authenticated or not?
> >
> > There seems to be a conception that a receiver of email should not be
> > burdened; that it's not fair that the recipient should have to suffer
> > because there are those who would exploit the fact that for the most
> > part, anybody who can figure out an email address can send unwanted
> > communication to someone who will read it and possibly care.  Well,
> > what if we were suddenly to get over this arbitrary lack of boundary?
> >
> > As a mail service provider, we might think of ourselves as
> > police.  As
> > a mail recipient, we might think of ourselves as a home owner.  As a
> > spammer, we might think of ourselves as messiahs with a message to
> > sell.  Due to culture, legacy, stigma, whatever, home owners believe
> > that they should not lock their doors, for someone might need
> > to get in
> > at all hours of the day.  It's not a law, for there aren't
> > many laws in
> > this particular place.  So the messiahs decide that they have
> > something
> > that's really important to say:  More important than personal
> > privacy,
> > or the unwritten rule of not entering without knocking.  So they do
> > enter, and sell, and spout, and bother.  Now, we as home-owners, for
> > whatever reason, do not wish to take control of our privacy, and lock
> > our doors.  So we report the incident to the police.  The police wish
> > that the home owners would not get so upset about this
> > intrusion; what
> > did they expect?  However, the police act in the best
> > interests of the
> > home-owners, and as such, try to bring the problem under control.
> > Unfortunately, these messiahs have this very large horde of
> > viagra, and
> > they multiply like crazy.   Laws are enacted, but they're
> > difficult to
> > enforce.
> >
> > What should the police do in this case?   Keep making
> > stricter laws, or
> > move towards getting the home-owners to be responsible for their own
> > privacy?
> >
> >
> > Hopefully, I'm not coming off as a curmudgeon.
> >
> > Good luck,
> >
> >         Nevin
> >
> >
> >
> >
> > -------
> > Sender Policy Framework: http://spf.pobox.com/
> > Archives at http://archives.listbox.com/spf-discuss/current/
> > Send us money!  http://spf.pobox.com/donations.html
> > To unsubscribe, change your address, or temporarily
> > deactivate your subscription,
> > please go to
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com