spf-discuss

Re: SPF will solve spam and punish spammers

2004-07-23 15:14:40

On Friday 23 July 2004 10:32 am, Paul Howarth wrote:
> Jonathan Gardner wrote:
> > On Friday 23 July 2004 09:48 am, Paul Howarth wrote:
> > > how does SPF stop a spammer using throwaway domains with SPF records
> > > allowing any zombie to send for the domain, where the domain was
> > > registered using false information and phished credit card details?
> >
> > The registrar shouldn't be registering people with false information.
> > Any registrar that does should be held accountable.
>
> Is everyone here happy for the price of domains to go up by an order of
> magnitude? That's what it would most likely cost for registrars to do any
> reasonable level of checking that supplied information is valid.

Or the solution I proposed: We hold registrars accountable.

If you want to go to FamousRegistrarThatEveryoneLikes, they have a right to
charge more money or do more background checks. If you use a discount
registrar, you do so with the understanding that not everyone likes that
registrar.

> > How do we hold registrars accountable? Punish the registrar with the
> > law. Revoke their rights to be a registrar. Blacklist all the domains
> > registered by that registrar.
>
> This can all be done now but it's not happening. Having the law is one
> thing but there has to be enforcement too, and that is just not happening
> at all.

It is going to happen shortly. It is happening on a small scale right now.
Up until now, we had no way of knowing whether someone was abusing a domain
name or not. With SPF, it will become obvious.

> > We can also do things like not accept any email from domains that have
> > recently registered, or subject such mail to extreme scrutiny.
> > (Grey-listing) Only those people who have shown themselves to be
> > responsible will get a free pass to the inbox.
>
> How do you know that a domain is new?

It has no history.

> > Accreditation services can come along and move you into the golden zone
> > for a fee. Of course, the accreditation services will have a level of
> > trust, or their word won't matter. If the spammer goes to a trusted
> > accreditor, then the accreditor will verify their information (or we
> > wouldn't trust it, would we?). When they spam, we will have a trail
> > through the accreditor.
>
> I agree with most of this. But originally-reputable services can become
> disreputable too. Most everyone will have a Verisign CA certificate in
> their browser, but Verisign (a) brought us the SiteFinder fiasco, which
> made all .com domains "exist", and (b) sold a certificate for a Microsoft
> domain to someone that wasn't Microsoft. How does this affect Verisign's
> reputation?

Reputation changes over time depending on their actions.

-- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
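The "it has no history" policy from the exchange above, sketched as an added example that is not part of the original message or of any SPF implementation: a receiving MTA keeps its own first-seen and behaviour record per SPF-authenticated sender domain, greylists a domain the first time it appears, keeps it under scrutiny until it has built clean history, and lets an accredited domain straight into the "golden zone". The probation thresholds, the domain names and the walk-through are constructed assumptions.

```python
import datetime as dt
PROBATION_AGE = dt.timedelta(days=30)  # assumed policy knob (not from the post): age needed for the free pass
PROBATION_DELIVERIES = 5               # assumed: clean SPF-pass deliveries needed for the free pass

class DomainHistory:
    """Per-domain history observed by our own MTA; the whois creation date is not consulted."""
    def __init__(self, accredited=()):
        self.first_seen = {}               # domain -> datetime of first SPF-pass message
        self.clean = {}                    # domain -> deliveries never reported as spam
        self.spam_reports = {}             # domain -> recipient spam reports
        self.accredited = set(accredited)  # the "golden zone" vouched for by an accreditor

    def decide(self, domain, spf_result, now):
        """Return 'reject', 'greylist', 'scrutinize' or 'accept' for one message."""
        if spf_result == "fail":
            return "reject"       # the domain's own SPF record disowns this sending host
        if spf_result != "pass":
            return "scrutinize"   # no authenticated identity, so no history can be earned
        if self.spam_reports.get(domain, 0):
            return "reject"       # history exists and it is bad; SPF made it attributable
        if domain in self.accredited:
            return "accept"
        if domain not in self.first_seen:
            self.first_seen[domain] = now
            return "greylist"     # never seen: tempfail; a real MTA retries, most zombies do not
        if (now - self.first_seen[domain] < PROBATION_AGE
                or self.clean.get(domain, 0) < PROBATION_DELIVERIES):
            return "scrutinize"   # known, but too little clean history for the free pass
        return "accept"

    def record_delivery(self, domain):
        self.clean[domain] = self.clean.get(domain, 0) + 1

    def record_spam_report(self, domain):
        self.spam_reports[domain] = self.spam_reports.get(domain, 0) + 1

def simulate():
    """Constructed walk-through: a fresh domain earns its way in, an accredited one skips the queue."""
    t0 = dt.datetime(2004, 7, 23, 15, 14)
    h = DomainHistory(accredited={"vouched.example"})
    out = [h.decide("fresh.example", "pass", t0),                             # greylist
           h.decide("fresh.example", "pass", t0 + dt.timedelta(minutes=15)),  # scrutinize
           h.decide("vouched.example", "pass", t0)]                           # accept
    for _ in range(PROBATION_DELIVERIES):
        h.record_delivery("fresh.example")
    out.append(h.decide("fresh.example", "pass", t0 + dt.timedelta(days=31)))  # accept
    h.record_spam_report("fresh.example")
    out.append(h.decide("fresh.example", "pass", t0 + dt.timedelta(days=32)))  # reject
    return out
```

Note that only an SPF "pass" earns history, which is what makes a throwaway domain's later abuse attributable to that domain rather than to whichever zombie sent it.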