spf-discuss
[Top] [All Lists]

Re: Is SPF serving the best interests of the end-user?

2004-07-22 12:48:47
Hi Stuart,

Thanks for the detailed message; it inspired additional ways of looking at the problems that come with a perception that email reception ought not to be limited by the end-user themselves.


On Jul 21, 2004, at 5:38 PM, Stuart D. Gathman wrote:

On Wed, 21 Jul 2004 spf(_at_)nevster(_dot_)net wrote:

If I want to enable someone to converse with me in real life, I have to
provide my party a phone number, and an address, or an email address.
Before I provide that party such important, personal access, I would
decide on entirely personal values whether it was prudent.

That is all very well and good, but unrelated to the problem SPF is trying
to address.  Let's translate:

o An unlisted number does not stop tele-spammers.  If anything, I get
  more tele-spam on the unlisted number.

Might be because phone numbers can be generated programatically, and it's easy for a computer to do brute-force attacks on them?

If I expend resources to acquire an unlisted phone number, it means that I'm somehow sensitive to receiving phone calls, since I've taken effort to attempt to control them. A tele-marketer, with access to those numbers listed, can figure out the smaller subset of numbers that are unlisted. if 650-827-XXXX has 9000 listed entries, then some remainder of the 999 are unlisted numbers. Blocks of those numbers not listed might be businesses or unassigned. Dialing blocks of out-of-service numbers will flag a war-dialer alert if one exists. However, an unlisted number standing alone in a sea of listed numbers is obvious by its absence. Those can be casually picked on for high-pressure sales tactics, for wouldn't someone who was trying to limit inbound calls feel more strongly about calls received, and be more likely to be caught off-guard?



o Suppose you used caller-ID on your telephone to allow only whitelisted
  callers to ring you, but it turned out that tele-spammers were able
  to present any number they desired to your caller-ID interface?

Well, spammers would have to figure out what numbers I white-listed. This is a lot more work for them, isn't it? Not an insurmountable amount of work for a computer to do, though.

Oh, and I think there are several hacks to the caller-ID system available. Some VOIP provider recently had to adjust their policies as their customers were setting arbitrary callback numbers or such.



o I get 40,000 emails a day.  500 make it to my mailbox. 100 are legit,
  and 400 are quarantined as spam by a Bayes filter.  If it were not
  for the ability to block most (99%) spam before SMTP DATA, I would
  have to block port 25 in order to be able to use the internet, and
  would not have email.

Well, as those who send spam begin to correlate the 40,000 rejects with the 500 accepts, should the volume of email remain steady (it's actually rising, isn't it?) you would(will/do) see a trend favoring accepts. As your Internet connection became bogged down by inbound SMTP, you might decide to rate-limit SMTP instead of turning it off completely, for the value of email isn't lost; just not as important as web-browsing. The value of the global email system is declining. We believe it's declining due to spammers, but that's only half of the problem. The other half is that end-users do not have a convenient way of placing reasonable limits on who may communicate with them, when, and how.

Which is easier? Setting your own limits or enforcing limits on another?




o Imagine that you were unable to use your phone because every time you
picked it up to make a call, a tele-spammer was on the other end making
  a pitch.  That is the situation email is in today.  Most forgery
  needs to be stopped before it gets to the end user, or they won't
  be able to cope.

Well, I don't have to imagine. I received so many calls on my land-line a day that leaving the ringer on wasn't possible. I eventually stopped service. However, the phone system hasn't ground to a complete halt, and my work number isn't besieged. Why? Well, one entity, the phone company, has visibility into calls placed and calls received, and I think they keep an eye on unbalanced distributions. I think a business line gets more protection from TMs than a residence line. Why wouldn't it, after all? It's worth more to the phone company.

I think people would cope just fine without email, really. Other ways of communicating exist, and many have deprecated email in favor of other methods already.

Forgery is not going to stop any time soon.

Forgery is also not what is permitting spam to be issued in the first place. It's only a work-around spammers are using to get around general attempts to limit their audience.



o Suppose you give your phone number to a friend. Your friend puts your
  number on his "Security is an Afterthough" Windows based PDA.  As
he walks by a tele-spammer in the street, his PDA gets "bluejacked", and
  you now have to change your phone number to be able to use your phone
  again for a few weeks (except this doesn't actually happen that way
  with the phone system because of caller-ID and making calls being
  more expensive than sending email - I am making an analogy).

I don't know how secure my phone number is really. It's like all other numbers in North America. A computer could guess it in a blink of an eye. Again, I suggest that if someone had to know my number AND something else not quite so systematic about me to get a call through, then it would be more futile to sic a computer on me.


o Too many of my friends and family use Windows, and so giving them my email guarantees that it will end up in the spammer lists. Some of my family members cope by changing their email every month. I don't have to do that, because I require authentication in any of various forms, including SPF.

You're managing your communication in a way that makes sense to you. Your family is doing the same.

Can family can reliably contact you even though they change addresses once a month?

Can you contact them reliably?

Can you or have you figured out a way that does not exclude each others preference for email management that you're all comfortable with, to keep in touch?



o When there is no other authentication, I used to whitelist certain
mail servers and IPs for my clients customers. This used to be ad-hoc.
  Now, I just add an SPF record for the sender in question to a local
  SPF DNS registry used by my server and my clients servers.  SPF
  provides a *framework* for spelling out information that previously
had to be gathered and customized manually. When the sender eventually
  gets with it and publishes their own SPF record, it overrides my
  local registry.  Even if no else ever publishes an SPF record, SPF
  makes a very flexible system for my local white/black list that is
  DNS based so I can update one name-server and have it seen by all
  the machines delegating missing SPF records to it.

I don't think I implied that SPF ought to be excluded. I think I implied that the end-user, ***the entity who complains most about spam***, be given both direct responsibility and assistance in selectively limiting and facilitating communication towards them.

I think greater success will come out of future spam solutions that shift responsibility for unwanted email towards the recipient (perhaps in the form of a bit of time and effort, and education, instead of monetary), with less effort being put into controlling those who originate communication.

Cheers,

        Nevin