----- Original Message -----
From: "Mark C. Langston" <mark(_at_)bitshift(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, August 13, 2004 2:08 PM
Subject: Re: [spf-discuss] Good Domain List one step closer to reality
(actually two steps)
I can easily envision a future in which a company (let's say Verisign)
comes to an agreement with major MXes that puts money in both
organizations' pockets if the MXes are willing to pass through
Verisign's accredited mail sources without further checks on the input.
Sure, it's a "what if" scenario, but it's not that far-fetched, and it
illustrates the dangers of associating a value judgment with a party's
ability to purchase accreditation.
This is *precisely* the concern some of us have with Microsoft's CallerID
system, that spammers will buy or steal access to machines with accredited
CallerID keys and use them to evade spam-filtering mechanisms and sail right
through the SPF/CallerID systems. Also, no money is necessary for this: some
spammers steal access to other's machines to send their spam, as
demonstrated by the recent spates of spam sent from zombied machines
worldwide.