spf-discuss

RE: Good Domain List one step closer to reality (actually two steps)

2004-08-13 15:38:58
Meng,

I appreciate your bringing this information to our
attention. Congrats.

From my own perspective, SPF/Sender-ID:

* helps to authenticate that a particular domain is authorized
to use a particular MTA to send mail from.

The mail from identity can be SMTP mail from, EHELO/HELO
and/or SUBMITTER.

Good guys can use this, while spammers can and will abuse
this.

Implementation by sending and receiving MTAs will help to
control spoofing and other means of hiding identity, making
it easier to reduce volume from spammers.

So what's the big benefit if spammers can and will abuse
this?

* It helps to compel everyone to identify 'themselves' or
at least the particular MTAs authorized by a particular
domain to send mail from.

However, this does nothing to sort out the reputation issue
as has long been understood.

There are a number of different ways of sorting out this
issue.

You have referenced two. Others have been discussed, such
as gossip.

At the same time some folks have been working on the
accreditation question.

On the accreditation and implementation question, it sure
would help if:

* The protocol for Sender-ID could be amended to tie back
to the SPF protocol so that only one record has to be
published.

(I have been tasked with writing a non-tech SPF guide.
Folks on the SPF-help list have agreed to review it. But,
from my perspective it sure holds things up if we have this
'dual record issue' and the 'encumbrance/license' question
hanging over our heads.)

I know you have put forward a solution to the MARID mailing
list on the dual record issue.

I have gone further and asked for more (which is my wont
sometimes) while also saying, if the protocol is amended as
you propose, great.

Many in the micro business community have not been thrilled
with some of the accreditation approaches we have seen to
date.

At the same time, with the:

* passage of the CAN SPAM Act of 2003 which left volume
control in the hands of Internet access services; 

* Aspen Policy Institute Framework;

* FTC's call for Sender Authentication; and 

* Policy paper published by the Anti Spam Technology
Alliance;

It has been self evident the writing was on the wall.

Free is nice for an accreditation service, but it is not
realistic. Why? It takes time, effort and energy to get it
right.

Also, there has been an issue of standards. 

As a result of some of the debates I have had with members
of this group, along with activities I have been involved
with elsewhere, I have become convinced, verified opt-in is
ultimately the only acceptable standard as a basis from
which to work.

It is simple, easy and clean. 

(Others will disagree with me on this point and I respect
their views.)

The question then becomes, how do you operate this type of
accreditation service?

* It must be neutral as between senders and receivers.

* The process for signing up by senders must be open and
transparent.

* There has to be a vetting process to keep 'bad guys' out.

* The process for being evicted must be open and
transparent.

* If you make the vetting process too tight, the service
will never fly.

* If you make the vetting process too loose, the service
will be abused.

* It must be affordable, so as to not amount to a barrier
to entry to micro business owners, while at the same time,
there must be sufficient penalties for non-performance,
such that folks won't want to break the rules. 

People must understand, break the rules and you will get
thrown out, along with being tarred and feathered publicly
and get to pay a fine to boot.

* Internet access services and others must feel comfortable
in relying upon the service.

(This is not a service which will make people a vast
fortune. It is designed to fill a perceived gap.)

Any other suggestions, comments, criticisms? Thanks.

John

John Glube 
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
 
