spf-discuss

Re: Is SPF serving the best interests of the end-user?

2004-07-22 13:14:08
On Jul 22, 2004, at 5:16 AM, Daniel Taylor wrote:

spf(_at_)nevster(_dot_)net wrote:
On Jul 21, 2004, at 4:48 PM, <terry(_at_)greatgulfhomes(_dot_)com> wrote:


But the implied point still holds: Blocking at the server DOES matter, even if your MUAs implement protection. Every layer matters. Not having layers is, literally, like putting all your eggs in one basket.
I don't think I expressed an intention to exclude SPF or schemes like it. While I have made no concerted personal effort to find flaws in the authentication schema itself, for it's not my goal to stomp on people's hard work, I am simply trying to point to an area where there only seems to be a limited amount of work... In making the recipient responsible for how accessible they are.

All well and good, but SPF isn't about the recipient per se,
it is about the sender, and letting the recipient know how likely
the sender is to be who they say they are.

But the recipient is the best judge of that, and will still suspect forgery even from an authentic, actual communication, if it's confusing and out-of-character.

Can SPF be used somehow by the recipients themselves to produce a DB of 'sender to recipient' relationships that a server can use? That is likely to be more effective than leaving the individual recipient out of the loop.


The apartment building analogy is really quite good, since it reflects
how most e-mail systems are set up.

Current email systems are not really serving us well in this actual spam problem we have, are they?



You have the apartment building (mail server) with a doorman (MTA) and
a bunch of apartments (mailboxes). A good doorman will stop people or
let them pass based on who they are. SPF is like an ID. It doesn't need
to be widespread to be useful (how many people have "Press Passes"?),
and it gives the doorman a reasonable piece of information to work
with when deciding whether to allow them through. Of course, a lazy
doorman just lets everyone through, so the ID doesn't do them any good.

Or, if I get access to proper credentials, I just have to get past one doorman to have access to the whole building. Oh, and the building has several million units. Oh, and lookie, hardly any of those units have their doors locked. Oh, and if I'm sneaky about it, it will be a while before someone revokes the credentials. Fortunately, there is a nearly limitless supply of credentials, and this doorman can't seem to recognize me from one day to the next. Wow, are these hallways crowded, too. Nobody seems to notice me if I appear friendly and smile.

Yes, the apartment building analogy is quite appropriate to the situation we have today.

I suggest that if end-users be given intelligent door-locks, they might be able to do more towards handling the spam that they complain about.

        Nevin




OK, the analogy is stretched a bit, but aren't all analogies
stretched like a gum bubble about to explode?

No, just this bubble gum analogy here. ;) Chew kevlar for improved performance.

        Nevin