spf-discuss
[Top] [All Lists]

Re: SPF will solve spam and punish spammers

2004-07-23 11:24:59
[Jonathan Gardner]
The registrar shouldn't be registering people with false information. Any
registrar that does should be held accountable.
It looks like you never sow fake ID. Even your government issue them for 
witness protection program.

They are committing a serious crime and when the hammer comes down,
it is going to come down hard. Now instead of just email system
administrators that want these people punished, we'll have credit card
companies on their tail as well.

Who cares? One more company will search for unknown person.
Bin Laden still not found. 25.000.000 USD at stake and a lot of FBI/CIA 
resources.
http://www.fbi.gov/mostwant/topten/fugitives/fugitives.htm

Do you hope credit card company will be able to find person who has paid 60USD 
for web-site hosting?
They will be able only if he will come to their office and tell them about this.

If we do this, the spammers have to spend significant resources turning
their grey-listed new throw-away domains into golden trusted domains. That
is not easy. It takes a serious investment of time and legitimate, real
email.

Not so big investment.
How much it will cost to hire designer, programmer and support people to create 
tiny portal?
I can fit in 3000 USD. A few spam distributions will return all those money.
Even more - if portal will be profitable this will only benefit spammers.
If not - this portal will be easily converted in throwaway and all investments 
will be returned.

You can't fake that. (If you do, you will get caught. For instance,
at eBay, they buy and sell AOL CDs to raise their reputation. Guess what?
That's a red flag.)
This is outdated technique.
They now use hacked accounts and use them as buyers to buy from themselves and 
leave feedback. No more needs to sell CDs. They
can sell a ship, car or even house to themselves.
Even more - any your attempt to contact prior buyers will go to hackers. "Prior 
buyers" will recommend you to buy everything
ASAP.

Accreditation services can come along and move you into the golden zone for
a fee. Of course, the accreditation services will have a level of trust, or
their word won't matter. If the spammer goes to a trusted accreditor, then
the accreditor will verify their information (or we wouldn't trust it,
would we?). When they spam, we will have a trail through the accreditor.
I've raised an question - how to make accreditation services information 
sources reliable ?
I can attack accreditation services by flooding them that amazon.com spam me 
constantly.
Trivially. Using 100-150 zombies on USA people computers.
Currently there is no reliable information for accreditation.
Only guesswork and same unreliable prior information used.

I was also attacked once by site that has nice reputation - but performed 
illegal activities against me.
I've spent a lot of resources to recover after this attack. But it still leaves 
a big material breach in my pocket.

There is no reliable accreditation possible.
You can become bankrupt and start making money from anything. Including your 
reputation.
No way to prevent this.

--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua