On Wed, 21 Jul 2004 spf(_at_)nevster(_dot_)net wrote:
> If I want to enable someone to converse with me in real life, I have to
> provide my party a phone number, and an address, or an email address.
> Before I provide that party such important, personal access, I would
> decide on entirely personal values whether it was prudent.
That is all very well and good, but unrelated to the problem SPF is trying
to address. Let's translate:
o An unlisted number does not stop tele-spammers. If anything, I get
more tele-spam on the unlisted number.
o Suppose you used caller-ID on your telephone to allow only whitelisted
callers to ring you, but it turned out that tele-spammers were able
to present any number they desired to your caller-ID interface?
o I get 40,000 emails a day. 500 make it to my mailbox. 100 are legit,
and 400 are quarantined as spam by a Bayes filter. If it were not
for the ability to block most (99%) spam before SMTP DATA, I would
have to block port 25 in order to be able to use the internet, and
would not have email.
o Imagine that you were unable to use your phone because every time you
picked it up to make a call, a tele-spammer was on the other end making
a pitch. That is the situation email is in today. Most forgery
needs to be stopped before it gets to the end user, or they won't
be able to cope.
o Suppose you give your phone number to a friend. Your friend puts your
number on his "Security is an Afterthought" Windows-based PDA. As
he walks by a tele-spammer in the street, his PDA gets "bluejacked", and
you now have to change your phone number to be able to use your phone
again for a few weeks (except this doesn't actually happen that way
with the phone system because of caller-ID and making calls being
more expensive than sending email - I am making an analogy).
o Too many of my friends and family use Windows, and so giving them my email
guarantees that it will end up in the spammer lists. Some of my family
members cope by changing their email every month. I don't have to do that,
because I require authentication in any of various forms, including SPF.
o When there is no other authentication, I used to whitelist certain
mail servers and IPs for my clients' customers. This used to be ad-hoc.
Now, I just add an SPF record for the sender in question to a local
SPF DNS registry used by my server and my clients' servers. SPF
provides a *framework* for spelling out information that previously
had to be gathered and customized manually. When the sender eventually
gets with it and publishes their own SPF record, it overrides my
local registry. Even if no one else ever publishes an SPF record, SPF
makes a very flexible system for my local white/black list that is
DNS based so I can update one name-server and have it seen by all
the machines delegating missing SPF records to it.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
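
The lookup order described in the last point of the message above (the sender's own published SPF record first, a local registry as fallback), as an added example that is not part of the original message or the author's own code. The registry zone name, domains and addresses are constructed, DNS is simulated with dictionaries, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (no network access).
PUBLISHED_TXT = {
    "bank.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "legacy-vendor.example": ["some unrelated txt record"],  # no SPF published
}
# Hypothetical local registry zone, served by one name server that every
# mail host consults when the sender publishes no SPF record of its own.
LOCAL_REGISTRY_ZONE = "spf-registry.internal.example"
LOCAL_REGISTRY_TXT = {
    "legacy-vendor.example." + LOCAL_REGISTRY_ZONE: ["v=spf1 ip4:198.51.100.25 -all"],
    # Stale local entry: must be ignored because bank.example now publishes.
    "bank.example." + LOCAL_REGISTRY_ZONE: ["v=spf1 ip4:203.0.113.9 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_spf(txt_records):
    """Return the v=spf1 record if exactly one exists; otherwise None
    (zero or several records are treated as 'no record' in this sketch)."""
    spf = [r for r in txt_records if r == "v=spf1" or r.startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None

def lookup_policy(domain):
    """The sender's own record wins; the local registry only fills the gap."""
    record = find_spf(PUBLISHED_TXT.get(domain, []))
    if record:
        return record, "published"
    record = find_spf(LOCAL_REGISTRY_TXT.get(f"{domain}.{LOCAL_REGISTRY_ZONE}", []))
    return (record, "local-registry") if record else (None, "none")

def check_host(client_ip, domain):
    """Return (result, policy source) for a connecting IP and sender domain."""
    record, source = lookup_policy(domain)
    if record is None:
        return "none", source
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mech == "all":
            return QUALIFIERS[qualifier], source
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier], source
    return "neutral", source  # no mechanism matched
```

Because the result is computed at connection time from the client IP and the envelope sender domain, a `fail` can be acted on before SMTP DATA, and updating the one registry zone changes the outcome on every host that delegates to it.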