Re: Is SPF serving the best interests of the end-user?

Hi Stuart,

Thanks for the detailed message; it inspired additional ways of looking 
at the problems that come with a perception that email reception ought 
not to be limited by the end-user themselves.

On Jul 21, 2004, at 5:38 PM, Stuart D. Gathman wrote:

> On Wed, 21 Jul 2004 spf(_at_)nevster(_dot_)net wrote:
>
> > If I want to enable someone to converse with me in real life, I have 
> > to
> > provide my party a phone number, and an address, or an email address.
> > Before I provide that party such important, personal access, I would
> > decide on entirely personal values whether it was prudent.
> That is all very well and good, but unrelated to the problem SPF is 
> trying
> to address.  Let's translate:
>
> o An unlisted number does not stop tele-spammers.  If anything, I get
>   more tele-spam on the unlisted number.
Might be because phone numbers can be generated programatically, and 
it's easy for a computer to do brute-force attacks on them?
If I expend resources to acquire an unlisted phone number, it means 
that I'm somehow sensitive to receiving phone calls, since I've taken 
effort to attempt to control them.  A tele-marketer, with access to 
those numbers listed, can figure out the smaller subset of numbers that 
are unlisted.  if 650-827-XXXX has 9000 listed entries, then some 
remainder of the 999 are unlisted numbers.  Blocks of those numbers not 
listed might be businesses or unassigned.  Dialing blocks of 
out-of-service numbers will flag a war-dialer alert if one exists.  
However, an unlisted number standing alone in a sea of listed numbers 
is obvious by its absence.  Those can be casually picked on for 
high-pressure sales tactics, for wouldn't someone who was trying to 
limit inbound calls feel more strongly about calls received, and be 
more likely to be caught off-guard?

> o Suppose you used caller-ID on your telephone to allow only 
> whitelisted
>   callers to ring you, but it turned out that tele-spammers were able
>   to present any number they desired to your caller-ID interface?
Well, spammers would have to figure out what numbers I white-listed.  
This is a lot more work for them, isn't it?  Not an insurmountable 
amount of work for a computer to do, though.
Oh, and I think there are several hacks to the caller-ID system 
available.  Some VOIP provider recently had to adjust their policies as 
their customers were setting arbitrary callback numbers or such.

> o I get 40,000 emails a day.  500 make it to my mailbox. 100 are legit,
>   and 400 are quarantined as spam by a Bayes filter.  If it were not
>   for the ability to block most (99%) spam before SMTP DATA, I would
>   have to block port 25 in order to be able to use the internet, and
>   would not have email.
Well, as those who send spam begin to correlate the 40,000 rejects with 
the 500 accepts, should the volume of email remain steady (it's 
actually rising, isn't it?) you would(will/do) see a trend favoring 
accepts.  As your Internet connection became bogged down by inbound 
SMTP, you might decide to rate-limit SMTP instead of turning it off 
completely, for the value of email isn't lost; just not as important as 
web-browsing.  The value of the global email system is declining.  We 
believe it's declining due to spammers, but that's only half of the 
problem.  The other half is that end-users do not have a convenient way 
of placing reasonable limits on who may communicate with them, when, 
and how.
Which is easier?  Setting your own limits or enforcing limits on 
another?


> o Imagine that you were unable to use your phone because every time you
>   picked it up to make a call, a tele-spammer was on the other end 
> making
>   a pitch.  That is the situation email is in today.  Most forgery
>   needs to be stopped before it gets to the end user, or they won't
>   be able to cope.
Well, I don't have to imagine.  I received so many calls on my 
land-line a day that leaving the ringer on wasn't possible.  I 
eventually stopped service.  However, the phone system hasn't ground to 
a complete halt, and my work number isn't besieged.  Why?  Well, one 
entity, the phone company, has visibility into calls placed and calls 
received, and I think they keep an eye on unbalanced distributions.  I 
think a business line gets more protection from TMs than a residence 
line.  Why wouldn't it, after all?  It's worth more to the phone 
company.
I think people would cope just fine without email, really.  Other ways 
of communicating exist, and many have deprecated email in favor of 
other methods already.
Forgery is not going to stop any time soon.

Forgery is also not what is permitting spam to be issued in the first 
place.  It's only a work-around spammers are using to get around 
general attempts to limit their audience.

> o Suppose you give your phone number to a friend.  Your friend puts 
> your
>   number on his "Security is an Afterthough" Windows based PDA.  As
>   he walks by a tele-spammer in the street, his PDA gets "bluejacked", 
> and
>   you now have to change your phone number to be able to use your phone
>   again for a few weeks (except this doesn't actually happen that way
>   with the phone system because of caller-ID and making calls being
>   more expensive than sending email - I am making an analogy).
I don't know how secure my phone number is really.  It's like all other 
numbers in North America.  A computer could guess it in a blink of an 
eye.  Again, I suggest that if someone had to know my number AND 
something else not quite so systematic about me to get a call through, 
then it would be more futile to sic a computer on me.
> o Too many of my friends and family use Windows, and so giving them my 
> email
>   guarantees that it will end up in the spammer lists.  Some of my 
> family
>   members cope by changing their email every month.  I don't have to 
> do that,
>   because I require authentication in any of various forms, including 
> SPF.
You're managing your communication in a way that makes sense to you.  
Your family is doing the same.
Can family can reliably contact you even though they change addresses 
once a month?
Can you contact them reliably?

Can you or have you figured out a way that does not exclude each others 
preference for email management that you're all comfortable with, to 
keep in touch?

> o When there is no other authentication, I used to whitelist certain
>   mail servers and IPs for my clients customers.  This used to be 
> ad-hoc.
>   Now, I just add an SPF record for the sender in question to a local
>   SPF DNS registry used by my server and my clients servers.  SPF
>   provides a *framework* for spelling out information that previously
>   had to be gathered and customized manually.  When the sender 
> eventually
>   gets with it and publishes their own SPF record, it overrides my
>   local registry.  Even if no else ever publishes an SPF record, SPF
>   makes a very flexible system for my local white/black list that is
>   DNS based so I can update one name-server and have it seen by all
>   the machines delegating missing SPF records to it.
I don't think I implied that SPF ought to be excluded.  I think I 
implied that the end-user, ***the entity who complains most about 
spam***, be given both direct responsibility and assistance in 
selectively limiting and facilitating communication towards them.
I think greater success will come out of future spam solutions that 
shift responsibility for unwanted email towards the recipient (perhaps 
in the form of a bit of time and effort, and education, instead of 
monetary), with less effort being put into controlling those who 
originate communication.
Cheers,

        Nevin