Re: Is SPF serving the best interests of the end-user?
2004-07-22 12:48:47
Hi Stuart,
Thanks for the detailed message; it inspired additional ways of looking
at the problems that come with a perception that email reception ought
not to be limited by the end-user themselves.
On Jul 21, 2004, at 5:38 PM, Stuart D. Gathman wrote:
On Wed, 21 Jul 2004 spf(_at_)nevster(_dot_)net wrote:
If I want to enable someone to converse with me in real life, I have
to
provide my party a phone number, and an address, or an email address.
Before I provide that party such important, personal access, I would
decide on entirely personal values whether it was prudent.
That is all very well and good, but unrelated to the problem SPF is
trying
to address. Let's translate:
o An unlisted number does not stop tele-spammers. If anything, I get
more tele-spam on the unlisted number.
Might be because phone numbers can be generated programatically, and
it's easy for a computer to do brute-force attacks on them?
If I expend resources to acquire an unlisted phone number, it means
that I'm somehow sensitive to receiving phone calls, since I've taken
effort to attempt to control them. A tele-marketer, with access to
those numbers listed, can figure out the smaller subset of numbers that
are unlisted. if 650-827-XXXX has 9000 listed entries, then some
remainder of the 999 are unlisted numbers. Blocks of those numbers not
listed might be businesses or unassigned. Dialing blocks of
out-of-service numbers will flag a war-dialer alert if one exists.
However, an unlisted number standing alone in a sea of listed numbers
is obvious by its absence. Those can be casually picked on for
high-pressure sales tactics, for wouldn't someone who was trying to
limit inbound calls feel more strongly about calls received, and be
more likely to be caught off-guard?
o Suppose you used caller-ID on your telephone to allow only
whitelisted
callers to ring you, but it turned out that tele-spammers were able
to present any number they desired to your caller-ID interface?
Well, spammers would have to figure out what numbers I white-listed.
This is a lot more work for them, isn't it? Not an insurmountable
amount of work for a computer to do, though.
Oh, and I think there are several hacks to the caller-ID system
available. Some VOIP provider recently had to adjust their policies as
their customers were setting arbitrary callback numbers or such.
o I get 40,000 emails a day. 500 make it to my mailbox. 100 are legit,
and 400 are quarantined as spam by a Bayes filter. If it were not
for the ability to block most (99%) spam before SMTP DATA, I would
have to block port 25 in order to be able to use the internet, and
would not have email.
Well, as those who send spam begin to correlate the 40,000 rejects with
the 500 accepts, should the volume of email remain steady (it's
actually rising, isn't it?) you would(will/do) see a trend favoring
accepts. As your Internet connection became bogged down by inbound
SMTP, you might decide to rate-limit SMTP instead of turning it off
completely, for the value of email isn't lost; just not as important as
web-browsing. The value of the global email system is declining. We
believe it's declining due to spammers, but that's only half of the
problem. The other half is that end-users do not have a convenient way
of placing reasonable limits on who may communicate with them, when,
and how.
Which is easier? Setting your own limits or enforcing limits on
another?
o Imagine that you were unable to use your phone because every time you
picked it up to make a call, a tele-spammer was on the other end
making
a pitch. That is the situation email is in today. Most forgery
needs to be stopped before it gets to the end user, or they won't
be able to cope.
Well, I don't have to imagine. I received so many calls on my
land-line a day that leaving the ringer on wasn't possible. I
eventually stopped service. However, the phone system hasn't ground to
a complete halt, and my work number isn't besieged. Why? Well, one
entity, the phone company, has visibility into calls placed and calls
received, and I think they keep an eye on unbalanced distributions. I
think a business line gets more protection from TMs than a residence
line. Why wouldn't it, after all? It's worth more to the phone
company.
I think people would cope just fine without email, really. Other ways
of communicating exist, and many have deprecated email in favor of
other methods already.
Forgery is not going to stop any time soon.
Forgery is also not what is permitting spam to be issued in the first
place. It's only a work-around spammers are using to get around
general attempts to limit their audience.
o Suppose you give your phone number to a friend. Your friend puts
your
number on his "Security is an Afterthough" Windows based PDA. As
he walks by a tele-spammer in the street, his PDA gets "bluejacked",
and
you now have to change your phone number to be able to use your phone
again for a few weeks (except this doesn't actually happen that way
with the phone system because of caller-ID and making calls being
more expensive than sending email - I am making an analogy).
I don't know how secure my phone number is really. It's like all other
numbers in North America. A computer could guess it in a blink of an
eye. Again, I suggest that if someone had to know my number AND
something else not quite so systematic about me to get a call through,
then it would be more futile to sic a computer on me.
o Too many of my friends and family use Windows, and so giving them my
email
guarantees that it will end up in the spammer lists. Some of my
family
members cope by changing their email every month. I don't have to
do that,
because I require authentication in any of various forms, including
SPF.
You're managing your communication in a way that makes sense to you.
Your family is doing the same.
Can family can reliably contact you even though they change addresses
once a month?
Can you contact them reliably?
Can you or have you figured out a way that does not exclude each others
preference for email management that you're all comfortable with, to
keep in touch?
o When there is no other authentication, I used to whitelist certain
mail servers and IPs for my clients customers. This used to be
ad-hoc.
Now, I just add an SPF record for the sender in question to a local
SPF DNS registry used by my server and my clients servers. SPF
provides a *framework* for spelling out information that previously
had to be gathered and customized manually. When the sender
eventually
gets with it and publishes their own SPF record, it overrides my
local registry. Even if no else ever publishes an SPF record, SPF
makes a very flexible system for my local white/black list that is
DNS based so I can update one name-server and have it seen by all
the machines delegating missing SPF records to it.
I don't think I implied that SPF ought to be excluded. I think I
implied that the end-user, ***the entity who complains most about
spam***, be given both direct responsibility and assistance in
selectively limiting and facilitating communication towards them.
I think greater success will come out of future spam solutions that
shift responsibility for unwanted email towards the recipient (perhaps
in the form of a bit of time and effort, and education, instead of
monetary), with less effort being put into controlling those who
originate communication.
Cheers,
Nevin
|
|