At 04:01 PM 6/30/2005 -0400, Stuart D. Gathman wrote:
I support SPF because I am tired of forged email. Spam is a related,
but separate issue. 'spam' varies with the recipient. For instance, my
parents actually *want* to get email ads for alternative medicine,
but they don't want email from the companies they trust to be forged. The
companies they use send me unsolicited ads which I don't want (i.e., they
are spammers in the UBE sense). But they are easy to get rid of because
they do not forge the sender. Their products are real - I've seen them when
visiting my parents. Heh - I even tried the elderberry syrup for a cold,
it seemed to work. (But controlled studies are scant.)
UBE can be coped with, it is the forged and obfuscated mail that desperate
spammers send in an attempt to get past filters that is the problem.
I guess that is basically the theory behind the CAN-SPAM act. You CAN spam,
provided you don't do *really* abusive things like forge the sender.
That is actually a decent compromise. A government mandated standard for
tagging bulk advertisements in the Subject or an auxilliary rfc822 header
would make me really happy. (Tags should include some kind of rating, so
for instance, porn ads wouldn't be delivered to children.) The current
requirement of "clearly marked" doesn't cut it. There has to be a specific
syntax.
Even better, a mandatory ESMTP tag for UBE would be ideal - I could screen the
UBE without wasting bandwidth on DATA, but I suppose that is a hopeless
dream. I guess the reason even "legitimate" marketroids won't support such a
measure is that they feel the need to force you to view their ads, somehow.
Hi Stuart. Sorry for the mixup on names.
At the risk of more misunderstanding, but in hopes I will learn something
new, I have a question. Assuming authentication works perfectly - i.e. we
never again have to deal with the problem of forgery of domain names, how
do we deal with spammers registering millions of domain names, providing
perfect authentication records, and spamming for as long as it takes
receivers to add the new name to some huge blacklist?
I guess my focus on spam is a result of that being a greater problem for me
personally than forgery. I've never, ever been tempted to fall for a
phishing scam, but every week I have to spend time going through tons of
offensive spam just to pick out the few false rejects. I've also been the
victim of a DDoS attack which took out my email for a few days, and I don't
think that would have happened if the spammers weren't trying so hard to
expand their botnets.
Just to clarify, I'm not saying SPF should change its focus from forgery to
spam, just that I don't see stopping forgery as a solution to the spam
problem (at least not the main problem, it seems that it does solve some
spam-related problems like backscatter.)
I welcome efforts to enforce labeling of UBE, but I don't anticipate great
success there. Authentication may help to locate the lawbreakers, but it
is my understanding that this requires a tremendous amount of effort,
following the money through international banks, dealing with false
identities, stolen credit cards, etc. This isn't going to happen for any
but the biggest spammers.
I see domain-rating services as providing a much more effective solution to
the spam problem than law-enforcement. We have a bunch of dogs crapping on
our lawns. We need a million BB guns, not a few Howitzers. Spammers will
of course, set up their own rating services, but conning a good rating
service will not be cost-effective. All we need is a few good
services. The rest we can ignore.
--
Dave
************************************************************ *
* David MacQuigg, PhD email: david_macquigg at yahoo.com * *
* IC Design Engineer phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. Tucson, Arizona 85710 *
************************************************************ *