spf-discuss

Re: thoughts on disruptive innovation as synthesis between incumbent and startup

2004-12-22 00:27:47

On Wed, 22 Dec 2004, Meng Weng Wong wrote:

background: phishing leads to direct losses in the
$500,000,000/y range.  I argue that given $500,000 in
funding we can make a significant dent in that figure.
Investments in antispam standards development pay society
back at something like a 10,000% rate of return --- it's the
same kind of public good as, say, electricity, an effective
legal system, or running water and sewage.  without it,
things fall apart.

This is why I've been working on finding funding to take
SPF+SRS+SES+DK to the next level.  I have already seen some
verbal commitments in the five-figure range from big
enlightened companies.  Yahoo, for example, is to be
applauded.  I am also seeking funding from government
bodies, eg. HSARPA and ida.gov.sg.

Long story short, the expectation of funding based on the possibility 
of SPF+DK being used to stop phishing is riding on unfounded expectations. 
The problem is that neither SPF nor DK is very good at that - in order to 
stop phishing not only do we need to say this appears to be a good message,
but more importantly we need to say it is a bad message because it's forged.

As you may have heard in the last months over and over again, only very few 
organizations are willing to actually "fail" the message based on SPF 
failure - that is in large part due to the fact that SPF does not work with forwarding.
A similar problem exists for DK because it fails with mailing lists. Mixing them 
up and saying that together they would work would be a bad decision as far 
as security is concerned, because they are two very different technologies 
designed to operate on different layers, and relying on the mix when either
layer has failure conditions is a time bomb waiting to happen (security
experts, who do exist especially at HSARPA, would understand).

That is not to say that you will not get the money; as people I'm sure 
have already told you, the current trend is for the US to allocate a large part of
the national budget to DHS, and to do that the USG has even cut funding and grants to 
others (i.e. NSF grants for internet research are harder to come by, for 
example), and since it's the end of the year, they do have funds to distribute; 
besides, 0.5k is pennies in the eyes of the government ...

My point however is that before serious time and $$$ (if it becomes available)
are spent trying to implement more of the same proposals with known problems
(i.e. SRS, DK), we really need to look more closely at the underlying technology
and actually get it to the point that each authentication layer can be 
protected on its own and has the ability to work with fail conditions. As people
may have told you, this for example could be done with CSV/HELO because, unlike
SPF MAIL FROM, that one is based on the true MTA identity and as such is 
good for MTA IP verification; unfortunately it by itself is not super 
useful and not an email address that can easily be associated with the sender,
so while we definitely need to have it as part of the overall system, it needs to
be more robust, and so investing in creating a working UnifiedSPF implementation
(which would be only SPF-based session verification and no DK mixed in) is 
one good step here. Another may be looking at how to do SES as a replacement 
but with no message data mixed in (i.e. crypto on SMTP session space only).

And getting back to what I started the last paragraph with: before we can start
to implement and spend $$$, what we need is to do more actual R&D on protocol 
development, and that is what MARID could have been good for if only it had
not been stopped because of all those "political" issues (to say nothing of the
pressure to standardize bad technology). So SPF now needs to do the best it 
can to replace that group, before you start to refocus on the promotion 
and fund distribution for some particular implementation (which BTW 
was not a very popular thing in the questionnaire I ran - >50% said they 
don't want to see any officially labeled/promoted SPF implementation -
which is exactly how it would be seen if money is actually given to one 
or the other implementation project).

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
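An added illustration (not part of either message above) of the two points the reply makes: that an unchanged forward breaks an SPF MAIL FROM check on legitimate mail, while a check on the connecting MTA's own (HELO-style) identity still holds for that hop. The domains, addresses and SPF records are constructed, and the evaluator only understands ip4/ip6 and "all" mechanisms.

```python
import ipaddress

# Constructed SPF records, not real DNS data, keyed by domain.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluation of `domain` for the connecting IP.

    Only ip4:/ip6: mechanisms and 'all' are handled; the first matching
    mechanism decides the result, as in SPF. Returns 'pass', 'fail',
    'softfail', 'neutral' or 'none' (no record published)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                          # no mechanism matched


def delivery_scenarios():
    """Direct delivery versus an unchanged forward of the same message."""
    results = {}
    # Direct: bank.example's MTA delivers its own MAIL FROM from its own IP.
    results["direct"] = spf_check("bank.example", "192.0.2.10")
    # Forwarded unchanged: the forwarder's IP now presents MAIL FROM
    # bank.example, so the sender's "-all" record rejects legitimate mail.
    results["forwarded_mail_from"] = spf_check("bank.example", "198.51.100.5")
    # Same hop, checked against the identity of the MTA actually connecting
    # (the CSV/HELO-style identity the reply argues for): it still verifies.
    results["forwarded_helo"] = spf_check("forwarder.example", "198.51.100.5")
    return results
```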