Hi Everyone,
I want to express concerns about the need to handle reputation
very well, and a strong concern that, until something is in place
and thoroughly communicated to domain holders, we should not rely
on it in a major way. Any scheme that relies on small domain
holders and small systems finding out about it (such as by
reading this list??) and then actually doing something is asking
for serious trouble.
I have been in the position of having a domain blacklisted by
spam filtering software - a very large domain in this country run
by a monopoly telco. The havoc that caused to my business was
quite serious, and indeed I didn't even know until a friend
pointed it out to me. Enough to drive me to use small domain
names that wouldn't get blacklisted by one or two bad users. Now
it's being suggested that my escape path from "spam prevention"
technologies might disadvantage me by a new generation of "spam
prevention" approaches.
I haven't seen serious analysis of the number of small domains
with email systems yet. I suggest we are talking millions. The
combination of whitelists, blacklists, filters and other
technologies widely and unevenly applied will cause a range of
problems with multiplier effects that individually none of these
approaches cause.
Undelivered mail because of filtering and whitelisting and
blacklisting, often poorly applied and in dubious combinations,
could easily be as big a problem as spam. Spam has nuisance value
largely - undelivered mail has loss of business attached. If we
implement badly, we may just be replacing one problem with
another which could be even worse.
I'm not suggesting to throw this approach away. But I am
suggesting that this approach has to be thoroughly worked
through, the risks it raises thoroughly examined and mitigated
against, a communication approach targeted at affected groups
undertaken, and timing issues examined to ensure maximum success.
Good implementation is crucial!
Ian Peter
Senior Partner
Ian Peter and Associates Pty Ltd
P.O. Box 10670 Adelaide St
Brisbane 4000 Australia
Tel (617) 3870 1181
Mobile (614) 1966 7772
www.ianpeter.com
www.nethistory.info
www.internetmark2.org
www.theinternettapes.com (check out the new Internet history
Audio CD and Ebook at this site)
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of John
Glube
Sent: Tuesday, 17 August 2004 8:17 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Good Domain List one step closer
to reality (actually two steps)
Folks
On the whole issue of reputation and accreditation, Meng has
put up a good set of visuals here:
http://spf.pobox.com/aspen.html
This helps to explain what is going on in general terms and
is a useful read.
GOSSiP can fulfil the reputation side of the equation. The
problem is for those who have no reputation.
Establishing a 'good' reputation takes time and depending on
volume levels may simply not happen for an extended period.
With no reputation, depending on local policy your email will
most likely be subject to filtering.
It is correct that real time block lists like Spamhaus
provide a good measure of accuracy as to spam sources and
rejection.
However, this does not address the recipient's need for
content filtering even if the message does not come from a
known spam source.
If delivery is mission critical for your online business,
then business owners need a solution.
I appreciate many folks consider this a necessary evil at
best and something else at worst.
In the online community, email has become an almost immediate
means of communication at very minimal cost.
However, this lack of friction has in part led to the
present problems with UBE.
Over the years, there has been lots of discussion about
e-postage and so forth. However, these schemes have been set
aside for the moment.
Why? I suggest if you have not done so, please read the FTC's
Feasibility Study on A National Do Not Email List.
http://www.learnsteps4profit.com/dne.html
See in particular the first 12 pages of the report, along
with the interviews conducted with the 3 computer scientists
retained by the Commission to provide guidance and the
related interview.
What seems workable within the near term based on everyone's
analysis of the situation is sender authentication as one peg
and reputation as the other peg, with accreditation being
used by those who fall in the grey area between good and bad.
On the reputation side GOSSiP and CLOUDMARK seem to be good
free alternatives.
I write seem to be only because in the case of GOSSiP we
are not yet out of the box and in the case of CLOUDMARK this
is a Sender-ID based implementation.
Neither solution has been field tested. We don't know whether
they are scalable.
On the accreditation side, if people can come up with better
solutions, great.
However, a lot of people have looked at this whole problem
for quite some time. Extensive research was done by the Anti
Spam Research Group prior to MARID being established and the
sender pay model from all of the research I have read is the
consensus as the best approach.
A lot of folks are concerned this penalizes the micro
business owner in favour of large businesses.
Some people have gone so far as to speculate this whole exercise
(being industry self regulation as opposed to banning UBCE)
was designed to squeeze the micro business owner out of the
email industry and leave it to the Fortune 1000 companies.
I have no reason to believe this.
Others have suggested it will never work, involves conflict,
receivers have nothing to discuss.
Well if one believes anyone who is in business and uses email
is a spammer then yes this is true. But this is simply not
the reality.
What is self evident from the comments made on this list and
elsewhere is that:
* Receivers need to filter. Some sort of solution is required
for the micro business owner, who complies with best
practices and for whom email communication is mission
critical, so that receivers can protect their networks while
letting 'trusted,' 'accredited' or 'vouched' mail pass.
* Some receivers are hostile because they are concerned this
may mean a loss of control over their networks.
The solution needs to be workable, viable and not form
unrealistic barriers to entry or continued participation.
We are now in the SPF implementation phase.
This is why I came forward to this list and asked for
comments and input for which I am grateful. Further comment
is appreciated.
Curious, does anyone know how many SPF records were published
today?
John
John Glube
Toronto, Canada
The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html