Re: Is SPF serving the best interests of the end-user?

On Jul 21, 2004, at 4:48 PM, <terry(_at_)greatgulfhomes(_dot_)com> wrote:

> Put the implied point still holds:  Blocking at the server DOES 
> matter, even if your MUA's implement
> protection.  Every layer matters.  Not having layers is, literally, 
> like putting all your eggs in
> one basket.
I don't think I expressed an intention to exclude SPF or schemes like 
it.  While I have made no concerted personal effort to find flaws in 
the authentication schema itself, for it's not my goal to stomp on 
people's hard work, I am simply trying to point to an area where there 
only seems to be a limited amount of work... In making the recipient 
responsible for how accessible they are.
        Nevin






> Terry Fielder
> Manager Software Development and Deployment
> Great Gulf Homes / Ashton Woods Homes
> terry(_at_)greatgulfhomes(_dot_)com
> Fax: (416) 441-9085
>
>
> > -----Original Message-----
> > From: Nevin Williams [mailto:nevie(_at_)nevster(_dot_)net]
> > Sent: Wednesday, July 21, 2004 7:42 PM
> > To: terry(_at_)greatgulfhomes(_dot_)com
> > Cc: Nevin Williams; spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > Subject: Re: [spf-discuss] Is SPF serving the best interests of the
> > end-user?
> >
> >
> > I'm sorry, I don't know where an apartment building came into my
> > analogy, nor can I determine what flaw you're pointing out in my
> > analogy.,
> >
> > I think it might be a desire to protect me with building policies,
> > which is why I have a choice of buildings to live in, in case I don't
> > like your building's policy.
> >
> > I didn't say anything about locking doors being useless at all.  I
> > think I encouraged it.
> >
> > I think I implied that banning messiahs wasn't going to help, if
> > home-owners did not lock their doors.
> >
> > Does this make sense?
> >
> >         Nevin
> >
> >
> >
> >
> > On Jul 21, 2004, at 4:33 PM, <terry(_at_)greatgulfhomes(_dot_)com> wrote:
> >
> > > Interesting analogy, but flawed.  Rather then comparing
> > email clients
> > > to a homeowner, better to
> > > compare them to an apartment owner, and the lock on the
> > building door
> > > is the mail server running
> > > SPF.  True, each person can lock their apartment door, at their
> > > discression.  But the building door
> > > still needs to be locked so there is some level of
> > secureness with the
> > > common premises of the
> > > building.
> > >
> > > I don't see how locking the building will make spam worse,
> > so what's
> > > to lose trying?
> > >
> > > And you don't offer any viable alternatives to locking the building
> > > door, you just say locking it is
> > > useless, and we should rely purely on the apartment door locks.
> > >
> > > (Could it be there are spammers on this list...  :)
> > >
> > > Terry Fielder
> > > Manager Software Development and Deployment
> > > Great Gulf Homes / Ashton Woods Homes
> > > terry(_at_)greatgulfhomes(_dot_)com
> > > Fax: (416) 441-9085
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > > > [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of
> > spf(_at_)nevster(_dot_)net
> > > > Sent: Wednesday, July 21, 2004 7:11 PM
> > > > To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > > > Cc: Nevin Williams
> > > > Subject: [spf-discuss] Is SPF serving the best interests of the
> > > > end-user?
> > > >
> > > >
> > > > In place today, we have a limited form of authentication for email.
> > > >
> > > > A receiving mail server ordinarily performs a TCP
> > handshake with the
> > > > sending mail server.
> > > >
> > > > The IP address of the sender can be used as a credential to accept,
> > > > reject, and discard email.
> > > >
> > > > RBLs and similar constructs, use this credential today.  I
> > think this
> > > > helps stem some mail for some people, but it hasn't been entirely
> > > > effective, hence this list.
> > > >
> > > > SPF, and other concepts like it, seem to be increasing the
> > > > difficulty a
> > > > sender will have to send unsolicited email to an end-user.
> > > >
> > > > Furthermore, it seems to be providing a protocol which
> > > > defines the ways
> > > > in which the difficulty is increased.
> > > >
> > > > If there is anything easier than a well-defined protocol
> > to exploit,
> > > > socially, and programatically, I can't think of it right now.
> > > >
> > > > SPF and other burden-the-sender concepts, are making somebody's job
> > > > more challenging and rewarding.  If, more likely when, SPF is
> > > > exploited, somebody will have really accomplished
> > something, and that
> > > > somebody, unpopular as he may be, will feel pretty darn good, and
> > > > hard-working, trying-to-do-the-right-thing somebodies will
> > > > feel pretty
> > > > darn bad.
> > > >
> > > > I think most system/network security folks understand and
> > accept that
> > > > they're in a  "can't win" scenario:  despite their very
> > best efforts,
> > > > they may be hacked, through no fault of their own.
> > > >
> > > > There has been a lot of effort put into making it difficult
> > > > and arduous
> > > > for unsolicited senders to send mail.  I don't think this direction
> > > > will result in any appreciable change in spam what-so-ever.
> > > >
> > > > The following sounds very absurd indeed.  Once you get over that
> > > > feeling, give it your best shot at considering.
> > > >
> > > > Has anybody looked into putting effort into making it more
> > difficult
> > > > for the average user to receive mail?
> > > >
> > > > Yes, I'm suggesting that if a user wants to participate in
> > the great
> > > > big real-world email system, spam-free, that the end-user
> > be given an
> > > > open-ended, reasonable-to-use framework that suggests, if
> > not compels
> > > > him to put effort into defining an individual method of letting his
> > > > contacts authenticate themselves for him.  Much like real life.
> > > >
> > > > If I want to enable someone to converse with me in real life,
> > > > I have to
> > > > provide my party a phone number, and an address, or an email
> > > > address.
> > > > Before I provide that party such important, personal
> > access, I would
> > > > decide on entirely personal values whether it was prudent.
> > > >
> > > > I would give my boss my home cell phone number, but a
> > vendor my desk
> > > > phone only.
> > > >
> > > > If my bank were to call me with news of consequence, I would
> > > > have them
> > > > properly identify themselves.
> > > >
> > > > In fact, if every email recipient made the way to get an
> > > > email through
> > > > to them somewhat unique, even if trivial for an ordinary
> > human to do,
> > > > wouldn't spammers decide that it just wasn't worth sending 100
> > > > different emails 100 different ways?  Wouldn't making the
> > ability to
> > > > spam boring, instead of challenging, do most to discourage it?
> > > >
> > > > Does an end user give a golly gosh darn what authentication scheme
> > > > their ISP uses, if they still get what they believe to be
> > spam?  Will
> > > > they stop complaining about unsolicited email when the receive it,
> > > > authenticated or not?
> > > >
> > > > There seems to be a conception that a receiver of email
> > should not be
> > > > burdened; that it's not fair that the recipient should
> > have to suffer
> > > > because there are those who would exploit the fact that
> > for the most
> > > > part, anybody who can figure out an email address can send unwanted
> > > > communication to someone who will read it and possibly care.  Well,
> > > > what if we were suddenly to get over this arbitrary lack
> > of boundary?
> > > > As a mail service provider, we might think of ourselves as
> > > > police.  As
> > > > a mail recipient, we might think of ourselves as a home
> > owner.  As a
> > > > spammer, we might think of ourselves as messiahs with a message to
> > > > sell.  Due to culture, legacy, stigma, whatever, home
> > owners believe
> > > > that they should not lock their doors, for someone might need
> > > > to get in
> > > > at all hours of the day.  It's not a law, for there aren't
> > > > many laws in
> > > > this particular place.  So the messiahs decide that they have
> > > > something
> > > > that's really important to say:  More important than personal
> > > > privacy,
> > > > or the unwritten rule of not entering without knocking.  So they do
> > > > enter, and sell, and spout, and bother.  Now, we as
> > home-owners, for
> > > > whatever reason, do not wish to take control of our
> > privacy, and lock
> > > > our doors.  So we report the incident to the police.  The
> > police wish
> > > > that the home owners would not get so upset about this
> > > > intrusion; what
> > > > did they expect?  However, the police act in the best
> > > > interests of the
> > > > home-owners, and as such, try to bring the problem under control.
> > > > Unfortunately, these messiahs have this very large horde of
> > > > viagra, and
> > > > they multiply like crazy.   Laws are enacted, but they're
> > > > difficult to
> > > > enforce.
> > > >
> > > > What should the police do in this case?   Keep making
> > > > stricter laws, or
> > > > move towards getting the home-owners to be responsible for
> > their own
> > > > privacy?
> > > >
> > > >
> > > > Hopefully, I'm not coming off as a curmudgeon.
> > > >
> > > > Good luck,
> > > >
> > > >         Nevin
> > > >
> > > >
> > > >
> > > >
> > > > -------
> > > > Sender Policy Framework: http://spf.pobox.com/
> > > > Archives at http://archives.listbox.com/spf-discuss/current/
> > > > Send us money!  http://spf.pobox.com/donations.html
> > > > To unsubscribe, change your address, or temporarily
> > > > deactivate your subscription,
> > > > please go to
> > > http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com