Re: SPF will solve spam and punish spammers

Jonathan Gardner wrote:

On Friday 23 July 2004 09:48 am, Paul Howarth wrote:
how does SPF stop a spammer using throwaway domains with SPF records
allowing any zombie to send for the domain, where the domain was
registered using false information and phished credit card details?
The registrar shouldn't be registering people with false information. Anyregistrar that does should be held accountable.

Is everyone here happy for the price of domains to go up by an order ofmagnitude? That's what it would most likely cost for registrars to do anyreasonable level of checking that supplied information is valid.

How do we hold registrars accountable? Punish the registrar with the law.Revoke their rights to be a registrar. Blacklist all the domains registeredby that registrar.

This can all be done now but it's not happening. Having the law is one thingbut there has to be enforcement too, and that is just not happening at all.

A registrar that knowingly cooperate with criminals are accomplices. Theywill get the book thrown at them when the criminals get theirs. They willbe held just as accountable by the community as the spammers. I thinkregistrars will think twice before registering criminals when they realize(A) they may serve time and pay huge fines (B) the rest of the domains theyhave registered will be blacklisted.

There was a thread over on SPAM-L recently discussing the registrar used byScott Richter (optinrealbig etc.) to register most of his domains. Theregistrar claimed to be anti-spam but despite all the evidence presented,cancalled only one domain.

Richter has recently got off with a fine of $50,000 for spamming the City ofNew York. The prosecution was after $20 million. Richter must be laughing hissocks off.

If they used phished credit cards, then all of a sudden the stakes gothigher. They are committing a serious crime and when the hammer comes down,it is going to come down hard. Now instead of just email systemadministrators that want these people punished, we'll have credit cardcompanies on their tail as well. I encourage spammers and criminals tocommit more serious crimes. That way they will pay larger fines and stay inprison longer. It will also make them easier to track down and convict.


This is all happening right now. Virtually all of them get away with it.

If they are using someone else's virus infected machine, it won't matter. Wewon't abandon the IP based reputation system we have now - only add on topof it. Notice that AT&T (or whatever they are called - Comcast?) hasseriously cleaned up their act?

Comcast are playing whack-a-mole, blocking infected machines after the fact.They admitted that they aren't willing to pay for a proper abuse team to dealwith the underlying problem, despite their massive cash pile.

We can also do things like not accept any email from domains that haverecently registered, or subject such mail to extreme scrutiny.(Grey-listing) Only those people who have shown themselves to beresponsible will get a free pass to the inbox.


How do you know that a domain is new?

If we do this, the spammers have to spend significant resources turningtheir grey-listed new throw-away domains into golden trusted domains. Thatis not easy. It takes a serious investment of time and legitimate, realemail. You can't fake that. (If you do, you will get caught. For instance,at eBay, they buy and sell AOL CDs to raise their reputation. Guess what?That's a red flag.)
Accreditation services can come along and move you into the golden zone fora fee. Of course, the accreditation services will have a level of trust, ortheir word won't matter. If the spammer goes to a trusted accreditor, thenthe accreditor will verify their information (or we wouldn't trust it,would we?). When they spam, we will have a trail through the accreditor.

I agree with most of this. But originally-reputable services can becomedisreputable too. Most everyone will have a Verisign CA certificate in theirbrowser, but Verisign (a) brought us the SiteFinder fiasco, which made all.com domains "exist", and (b) sold a certificate for a Microsoft domain tosomeone that wasn;t Microsoft. How does this affect Verisign's reputation?


Paul.