From: Andriy G. Tereshchenko
Sent: August 16, 2004 7:02 PM
Somebody, possibly John Glube wrote (possibly on August 17, 2004
1:17 AM) possibly this message:
* Receivers need to filter. Some sort of solution is required
for the micro business owner, who complies with best
practices and for whom email communication is mission
critical, so that receivers can protect their networks while
letting 'trusted,' 'accredited' or 'vouched' mail can pass.
Why I do not trust you? There was very long discussion about
pre-DATA rejection. Sure. For real forgery pre-DATA
rejection can be good. But why do you reveal yourself and
show spammer that you use SPF?
This will allow them to increase effect of spam. Those who
do not perform SPF filtering will regularly receive forgery.
But those who will use SPF filtering will receive emails
from domains with "good" reputation because of 500 USD paid
to ISIPP Accreditation Database owners.
It seems you are suggesting that a receiver by accepting
data from accreditation services exposes that he uses SPF
authentication.
In turn, I gather you are suggesting spammers will use this
information to enhance their efforts to defeat SPF
authentication and send more spam.
Okay, this is based on a presumption that a receiver relying
upon an accreditation service has to reveal anything.
You then go on to suggest, given this security risk,
receivers will need to use a service like ISIPP.
I note your gratuitous remark about $500 US. Thank you for
pointing out the bias in your position. However it does
nothing to enhance your statements.
Let me add that the folks at ISIPP have put a lot of time,
effort and energy in an effort to get their service right
and make it work for senders and receivers.
Also Anne Mitchell, who is the public face of ISIPP has been
a strong supporter and 'booster' of SPF for sender
authentication since the very early days. So, let's give
credit where credit is due.
If we are going to deal with issues properly, "slanging" -
meaning attacking for the sake of attacking - simply adds
fuel to the fire, but does nothing to further the position.
A lot of people have worked very, very, very hard to get
sender authentication where it is today.
Meng has been tireless in his leadership efforts. It has not
been easy, trying to put something 'new' together, dealing
with the old guard, huge corporations and this cranky lot.
The other day I listened to the audio as Mark made his
presentation of the Marid protocol document at the face to
face meeting of Marid.
I could hear the excitement in his voice. Who would have
'thunk' it that two 'kids' in the IETF world could have
taken a concept this far, so fast, concepts which will have
huge ramifications for us all.
And this is just the start. Now people have to implement all
of this in the wild, presuming the process gets through the
last hurdles.
Looking at just sender authentication let's see what's out
there:
* SPF to allow the receiving community to do pre-data checks
using SMTP mail from;
* Sender-ID using Submitter as implemented to do pre-data
checks and PRA to do post data checks;
* CSV using EHELO/HELO to do pre-data checks.
Some receivers will choose simply SPF. Others may elect SPF
and CSV. Others may elect SPF, Sender-ID and CSV.
Yes there have been struggles. One version string versus
three. SPF not being a formal protocol. At times the
exchanges have been extremely sharp.
However, this does not change the reality of what has been
achieved.
And this is just the first step. Next up, the design of
reputation services, along with accreditation.
We need to sort through the concerns and issues, come up
with a framework and then move ahead.
Cheers,
John
John Glube
Toronto, Canada
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.737 / Virus Database: 491 - Release Date: 11/08/2004