Re: Is SPF serving the best interests of the end-user?
2004-07-22 13:14:08
On Jul 22, 2004, at 5:16 AM, Daniel Taylor wrote:
spf(_at_)nevster(_dot_)net wrote:
On Jul 21, 2004, at 4:48 PM, <terry(_at_)greatgulfhomes(_dot_)com> wrote:
But the implied point still holds: Blocking at the server DOES
matter, even if your MUAs implement protection. Every layer matters.
Not having layers is, literally, like putting all your eggs in
one basket.
I don't think I expressed an intention to exclude SPF or schemes like
it. While I have made no concerted personal effort to find flaws in
the authentication schema itself, for it's not my goal to stomp on
people's hard work, I am simply trying to point to an area where
there only seems to be a limited amount of work... In making the
recipient responsible for how accessible they are.
All well and good, but SPF isn't about the recipient per se,
it is about the sender, and letting the recipient know how likely
the sender is to be who they say they are.
But the recipient is the best judge of that, and will still suspect
forgery even from an authentic, actual communication, if it's confusing
and out-of-character.
Can SPF be used somehow by the recipients themselves to produce a DB of
'sender to recipient' relationships that a server can use? That is
likely to be more effective than leaving the individual recipient out of
the loop.
The apartment building analogy is really quite good, since it reflects
how most e-mail systems are set up.
Current email systems are not really serving us well in this actual
spam problem we have, are they?
You have the apartment building (mail server) with a doorman (MTA) and
a bunch of apartments (mailboxes). A good doorman will stop people or
let them pass based on who they are. SPF is like an ID. It doesn't need
to be widespread to be useful (how many people have "Press Passes"?),
and it gives the doorman a reasonable piece of information to work
with when deciding whether to allow them through. Of course, a lazy
doorman just lets everyone through, so the ID doesn't do them any good.
Or, if I get access to proper credentials, I just have to get past one
doorman to have access to the whole building. Oh, and the building has
several million units. Oh, and lookie, hardly any of those units have
their doors locked. Oh, and if I'm sneaky about it, it will be a while
before someone revokes the credentials. Fortunately, there is a nearly
limitless supply of credentials, and this doorman can't seem to
recognize me from one day to the next. Wow, are these hallways
crowded, too. Nobody seems to notice me if I appear friendly and
smile.
Yes, the apartment building analogy is quite appropriate to the
situation we have today.
I suggest that if end-users be given intelligent door-locks, they might
be able to do more towards handling the spam that they complain about.
Nevin
OK, the analogy is stretched a bit, but aren't all analogies
stretched like a gum bubble about to explode?
No, just this bubble gum analogy here. ;) Chew kevlar for improved
performance.
Nevin