spf-discuss

Re: SPF will solve spam and punish spammers

2004-07-23 10:50:21
I would not care if it cost $500 a year to register a domain if that would
make it unprofitable for spammers to buy throw away domains.

----- Original Message ----- 
From: "Paul Howarth" <paul(_at_)city-fan(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, July 23, 2004 1:32 PM
Subject: Re: [spf-discuss] SPF will solve spam and punish spammers


Jonathan Gardner wrote:
On Friday 23 July 2004 09:48 am, Paul Howarth wrote:
how does SPF stop a spammer using throwaway domains with SPF records
allowing any zombie to send for the domain, where the domain was
registered using false information and phished credit card details?

The registrar shouldn't be registering people with false information. Any
registrar that does should be held accountable.

Is everyone here happy for the price of domains to go up by an order of
magnitude? That's what it would most likely cost for registrars to do any
reasonable level of checking that supplied information is valid.

How do we hold registrars accountable? Punish the registrar with the law.
Revoke their rights to be a registrar. Blacklist all the domains registered
by that registrar.

This can all be done now but it's not happening. Having the law is one thing
but there has to be enforcement too, and that is just not happening at all.

A registrar that knowingly cooperates with criminals is an accomplice. They
will get the book thrown at them when the criminals get theirs. They will
be held just as accountable by the community as the spammers. I think
registrars will think twice before registering criminals when they realize
(A) they may serve time and pay huge fines (B) the rest of the domains they
have registered will be blacklisted.

There was a thread over on SPAM-L recently discussing the registrar used by
Scott Richter (optinrealbig etc.) to register most of his domains. The
registrar claimed to be anti-spam but despite all the evidence presented,
cancelled only one domain.

Richter has recently got off with a fine of $50,000 for spamming the City of
New York. The prosecution was after $20 million. Richter must be laughing his
socks off.

If they used phished credit cards, then all of a sudden the stakes got
higher. They are committing a serious crime and when the hammer comes down,
it is going to come down hard. Now instead of just email system
administrators that want these people punished, we'll have credit card
companies on their tail as well. I encourage spammers and criminals to
commit more serious crimes. That way they will pay larger fines and stay in
prison longer. It will also make them easier to track down and convict.

This is all happening right now. Virtually all of them get away with it.

If they are using someone else's virus infected machine, it won't matter. We
won't abandon the IP based reputation system we have now - only add on top
of it. Notice that AT&T (or whatever they are called - Comcast?) has
seriously cleaned up their act?

Comcast are playing whack-a-mole, blocking infected machines after the fact.
They admitted that they aren't willing to pay for a proper abuse team to deal
with the underlying problem, despite their massive cash pile.

We can also do things like not accept any email from domains that have
recently registered, or subject such mail to extreme scrutiny.
(Grey-listing) Only those people who have shown themselves to be
responsible will get a free pass to the inbox.

How do you know that a domain is new?

If we do this, the spammers have to spend significant resources turning
their grey-listed new throw-away domains into golden trusted domains. That
is not easy. It takes a serious investment of time and legitimate, real
email. You can't fake that. (If you do, you will get caught. For instance,
at eBay, they buy and sell AOL CDs to raise their reputation. Guess what?
That's a red flag.)

Accreditation services can come along and move you into the golden zone for
a fee. Of course, the accreditation services will have a level of trust, or
their word won't matter. If the spammer goes to a trusted accreditor, then
the accreditor will verify their information (or we wouldn't trust it,
would we?). When they spam, we will have a trail through the accreditor.

I agree with most of this. But originally-reputable services can become
disreputable too. Most everyone will have a Verisign CA certificate in their
browser, but Verisign (a) brought us the SiteFinder fiasco, which made all
.com domains "exist", and (b) sold a certificate for a Microsoft domain to
someone that wasn't Microsoft. How does this affect Verisign's reputation?

Paul.

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Send us money!  http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
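The two receiver-side checks argued over in the thread, a domain whose SPF record authorises "any zombie" to send and a domain that was only just registered, are combined below into a grey-listing decision. This is an added example, not code from the list or from anyone posting to it; the SPF records, the registration dates and the 30-day threshold are constructed stand-ins for what a live receiver would fetch from DNS and WHOIS.

```python
from datetime import date

# Constructed sample data: TXT records and WHOIS-style creation dates.
SPF_RECORDS = {
    "example-legit.test": "v=spf1 mx ip4:192.0.2.10 -all",
    "throwaway-1.test": "v=spf1 +all",   # any host may send for the domain
    "throwaway-2.test": "v=spf1 all",    # no qualifier defaults to "+"
    "softfail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
}
REGISTERED_ON = {
    "example-legit.test": date(2001, 3, 14),
    "throwaway-1.test": date(2004, 7, 20),
    "throwaway-2.test": date(2004, 7, 22),
    "softfail.test": date(2002, 9, 1),
}
NEW_DOMAIN_DAYS = 30   # assumed grey-listing window for young domains


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism) pairs.
    Modifiers such as redirect=... contain '=' and are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def permits_any_sender(record):
    """True when the 'all' mechanism carries a '+' qualifier: every
    IP on the Internet then passes SPF for this domain."""
    return any(q == "+" and m == "all" for q, m in parse_spf(record))


def classify(domain, today=date(2004, 7, 23)):
    """Grey-list a domain that is freshly registered or whose SPF record
    authorises everyone; otherwise let normal reputation checks decide."""
    reasons = []
    if permits_any_sender(SPF_RECORDS[domain]):
        reasons.append("spf-permits-any-sender")
    if (today - REGISTERED_ON[domain]).days < NEW_DOMAIN_DAYS:
        reasons.append("recently-registered")
    return ("greylist" if reasons else "pass", reasons)
```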