spf-discuss

Re: Opening Debate on SPF vs. SenderKeys

2004-08-20 13:06:32
Where I work, Mozilla is under 1% of our web traffic. 
...
Actually, I find that if I validate my HTML using the W3C's page validator, 
so that I'm actually using standards-compliant HTML, it usually renders 
properly in all browsers without any tweaking. It seems worth the effort.

But I learned that was not buttering my bread as much as adding more 
features that work in IE. 
I don't think anyone would argue with that - but make sure it works in the 
other browsers too. 



Points well taken.


FYI...the company I work for is switching to using Mozilla Firefox almost 
exclusively. The users love it -- they like the tabbed browsing and the popup 
blocking. The final straw for us was when some of our machines had spyware 
automatically installed via one of IE's security holes


FYI, I guess we should either hope that Microsoft forgets how to copy other 
people's ideas or that Mozilla never has 95% market share so that it becomes a 
security target as IE is, depending what straw you want to hang on to.


OK so what *are* we talking about here - - AccuSpam or SenderKeys? 

You have very neatly avoided answering one of the crucial non-technical 
questions. Who is controlling this system and its white/black_lists? 


No, I answered it very factually.  I said that no one controls it.

The authority controls when it sends the auto-responses, but it may or may not 
control the white or blacklists it is using (flexibility), but the MUA and the 
verifiers are not controlled by one authority or by each other.  It is a 
cooperative system, where all 3 players have flexibility.  This flexibility 
does not decrease accuracy of the anti-forgery, actually it increases it 
through redundancy.  Perhaps if you read the SenderKeys Overview more carefully 
and really think about it long and hard, else I guess wait until we put up some 
graphics or other info to make it easier to wrap your mind around I guess:

http://www.accuspam.com/senderkeys.php

If your feedback is that our Overview is too difficult to grasp, then the 
feedback is well taken.  Any others concur?

If you have a specific question, such as you did about the "white/blacklists" 
then I can answer it.


Is there a mail-list for senderkeys or accuspam (whichever we are meant to 
be discussing). If you post that in the same way as several other private 
projects have done, some of this community may well join it and discuss your 
system with you in the way you would like. Please don't offer a forum - 
that's been aired and you would be well advised to stick to mail-lists. 


First of all, the weaknesses of SPF are relevant to the SPF forum.

Otherwise your point is well taken, as of course that needs to happen.

What is wrong with a Forum?

I personally hate mailing lists (will not stay subscribed very long).  I prefer 
to type into a web page than have to muck in email for something that ends up 
on a webpage archive any way.

Long drawn out discussions are usually reaching the point of futility or 
diminishing return.  We either have a solution or we do not.  The main positive 
feature of SPF was invented a long time ago.  It is the 80/20 rule again.

We will know very soon what is the main benefit of SenderKeys and that is it.  
No need to discuss it to death.

Most things in life are that way.  They are either elegant and simple or they 
are not worth it.


Technically - anything that's going to mean an upgrade of MUA's is going to 
have to do a huge amount of patching *and* make it *dead-easy* to apply. At 
that level you will be dealing with people who are point-and-click capable 
only, and if it doesn't work first time every time on every operating system 
on all types of hardware with all the rest of the software that the user 
will have installed to mess around with his mail - well - I'm sure you get 
the picture


Yeah I know that is the main problem with supporting SPF with "-all", then you 
have to upgrade not only the MUA, but also the server and the DNS.  That is why 
we need SenderKeys where we only upgrade the MUA and not worry about the 
incompatibilities of simultaneously upgrading MUA and SMTP:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0670.html


The most unwelcome part of your proposal - in my view - is the notion that I 
might be blacklisted because I refuse to join in. What happens to me then? 
Am I doomed to be included on your blacklist? 


SenderKeys does not blacklist anyone.  It is an option for authorities (that 
are anti-spam systems...not all authorities) that are already doing 
blacklisting.  Many anti-spam systems do blacklisting, so your fear is not with 
SenderKeys but with anti-spam in general.  You better go ask all the anti-spam 
systems.

If you are asking about AccuSpam (again unrelated to SenderKeys), AccuSpam only 
blacklists you for senders you do not communicate with (that a spammer is 
forging for you) and you can very easily get unblacklisted when you have a need 
to. Otherwise it is your advantage to be blacklisted.  When you email a sender 
that had blacklisted you for sending spam (only if spammer was forging you), 
then you get a challenge response, which you complete to get unblacklisted.

The point is that once we have a viable anti-forgery (e.g. SPF with all domains 
using "-all") or SenderKeys, then no one gets blacklisted!!  All the forgery is 
detected and dumped directly in the trash.

The problem with SPF is getting all domains to do "-all" is impractical.  We 
need SPF for some things, but we also need SenderKeys:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0670.html


I am a small-user and I want a minimum work, zero cost facility 
that will tell me that the mail arriving in my inbox is actually from the 
domain that it says it is. That's all I want - and that's what spf is 
working up to. The jury is out on subdomains and some other issues, but 
it'll be sorted out soon, I'm sure.


No it will not be sorted out because there is no way to solve the "-all" 
dilemma:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0670.html

SenderKeys solves it.


Fighting spam is *not* about centralised white and black listing. Your idea 
of spam is different to mine, and I don't want to apply your rules, I want 
to apply mine


SenderKeys does not force you to use AccuSpam or to use white and blacklists.

As a verifier, you use whatever anti-spam and verification algorithm you want 
to use.  Complete flexibility is what SenderKeys is about.  Maybe that is why 
you are having difficulty grasping it.  It is very generalized as stated in the 
overview.


I discovered very quickly that this mail-list will respond well to you if 
you are totally up-front with your background/sponsor/employer/whatever *and* 
that you demonstrate a high level of competence in your work


Kind Regards,
Shelby Moore III

CEO 3Dize, Inc. (coolpage.com)
CEO DownloadFAST.com, Inc.
founder and main programmer of AccuSpam.com* (AntiViotic.com)
main programmer of Cool Page* (1998-), Art-O-Matic* (1996-8), WordUp* 
(1986-90), TurboJet (1988)
contributing programmer to DownloadFAST.com* (2001-), Corel Painter* (1993-5), 
Corel ArtDabbler, EOS PhotoModeler (1996), FONTZ! (1988)

shelby(_at_)coolpage(_dot_)com

* denotes major involvement in massive multi-year R&D projects with millions of 
characters (1000s of pages) of code