
Re: Is SPF serving the best interests of the end-user?

2004-07-21 17:04:31

A receiving mail server ordinarily performs a TCP handshake with the sending mail server.

duh, SMTP is TCP

The IP address of the sender can be used as a credential to accept, reject, and discard email.

IP-based security is weak; it sucks. SMTP, etc. protocol security is better for secure mail relay/mail submission.

SPF, and other concepts like it, seem to be increasing the difficulty a sender will have to send unsolicited email to an end-user.

mail abuse is based on 1) being able to hide, to forge someone else's identity, and 2) email is cheap. SPF is an embryonic attempt to reduce forgery.

Furthermore, it seems to be providing a protocol which defines the ways in which the difficulty is increased.

SPF is useless as a credential for accepting/rejecting until it reaches a somewhat distant critical mass.

If there is anything easier than a well-defined protocol to exploit, socially and programmatically, I can't think of it right now.

SPF is much more complicated to understand and set up, and is STILL evolving, than the ancient DNS and SMTP settings that are already available, free, and severely under-utilized as "credentials". So, what are the chances of SPF being a success when the simpler, quicker foundations of other DNS and SMTP settings are not universally adopted?

I think most system/network security folks understand and accept that they're in a "can't win" scenario: despite their very best efforts, they may be hacked, through no fault of their own.

where is he going? are these just a bunch of random paragraphs strung together?

There has been a lot of effort put into making it difficult and arduous for unsolicited senders to send mail. I don't think this direction will result in any appreciable change in spam whatsoever.

If the ASTA members, who suffer horribly from billions of abuse msgs, would announce a 90-day warning period, then start rejecting all mail:

1. if sending IP has no PTR record AND its matching A record.

2. if helo hostname is unknown in DNS (no A and/or MX record).

3. if SMTP hostname unknown in DNS (no A and/or MX record)

Required to implement:

new infrastructure:  none
delay:  none (and we give you 90 days to shape up)
cost:  $0.00
new DNS records (eg, TXT for SPF): none

J U S T    D O    I T

Force the above first, and then come talk to me about SPF and friends.

Has anybody looked into putting effort into making it more difficult for the average user to receive mail?

The user has to authenticate to access his mail.

ended, reasonable-to-use framework that suggests, if not compels him to put effort into defining an individual method of letting his contacts authenticate themselves for him. Much like real life.

uh oh, sounds like somebody's dreaming up an entirely new (c/r or whitelist) protocol with the chances of a snowball in hell.

If I want to enable someone to converse with me in real life, I have to provide my party a phone number, and an address, or an email address.

no, you don't. all of those items are splattered all over the planet in millions of legit and illegit databases. i.e., the horse is out of the barn. Quit wasting your time banging shut the doors.

Before I provide that party such important, personal access, I would decide on entirely personal values whether it was prudent.

How could you possibly think that the above info is yours exclusively to provide?

If my bank were to call me with news of consequence, I would have them properly identify themselves.

banks sell your data all the time.

In fact, if every email recipient made the way to get an email through to them somewhat unique, even if trivial for an ordinary human to do, wouldn't spammers decide that it just wasn't worth sending 100 different emails 100 different ways?

no, because sending spam is so infinitesimally cheap.

There seems to be a conception that a receiver of email should not be burdened

The recipient is a mail abuse victim, why make him "pay" for whatever it is you're driving at?

As a mail service provider, we might think of ourselves as police.

Bad analogy. Try vigilante.

Hopefully, I'm not coming off as a curmudgeon.

You're coming off as much less than half-baked. Blue-sky, greenfield brainstorming is useless.

Len


_____________________________________________________________________
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
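The three reject rules from the post above (PTR with matching A, resolvable HELO name, resolvable sender domain), as an added example that is not part of the original post: a policy function with an in-memory stand-in for DNS built from constructed data so it runs offline, and it assumes rule 3's "SMTP hostname" means the envelope-sender domain.

```python
"""Policy check for the three DNS-based reject rules in the post.

Constructed example: ZONE is an in-memory stand-in for DNS so the code runs
offline; a real MTA hook would issue PTR/A/MX queries instead of dict lookups.
"""
import ipaddress

# Constructed DNS data for the demo (documentation prefixes, not real hosts).
ZONE = {
    "ptr": {"192.0.2.10": "mx1.example.net", "192.0.2.20": "host.example.org"},
    "a":   {"mx1.example.net": ["192.0.2.10"],
            "host.example.org": ["198.51.100.5"],   # PTR points here, but A does not point back
            "example.net": ["192.0.2.10"]},
    "mx":  {"example.net": ["mx1.example.net"]},
}

def resolvable(name, zone=ZONE):
    """Rules 2 and 3: a name counts as 'known in DNS' if it has an A or an MX record."""
    name = name.lower().rstrip(".")
    return bool(zone["a"].get(name) or zone["mx"].get(name))

def check_sender(ip, helo, sender_domain, zone=ZONE):
    """Return the rule numbers (1-3) the connection violates; an empty list means accept."""
    violations = []
    ip = str(ipaddress.ip_address(ip))          # normalise and reject garbage early
    # Rule 1: PTR must exist and its name must have an A record pointing back at
    # the connecting IP (forward-confirmed reverse DNS).
    ptr = zone["ptr"].get(ip)
    if not ptr or ip not in zone["a"].get(ptr, []):
        violations.append(1)
    # Rule 2: HELO hostname must be known in DNS (A or MX).
    if not resolvable(helo, zone):
        violations.append(2)
    # Rule 3: envelope sender's domain must be known in DNS (A or MX).
    if not resolvable(sender_domain, zone):
        violations.append(3)
    return violations

if __name__ == "__main__":
    print(check_sender("192.0.2.10", "mx1.example.net", "example.net"))      # []
    print(check_sender("192.0.2.20", "bogus.invalid", "nowhere.invalid"))    # [1, 2, 3]
    print(check_sender("203.0.113.7", "example.net", "example.net"))         # [1]
```

The 90-day warning period the post proposes maps onto logging the returned list first and only switching to a 5xx reject once the grace period ends.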