spf-discuss

Re: Role of SPF in fighting spam

2005-06-30 14:47:14
On Thu, Jun 30, 2005 at 01:54:37PM -0700, David MacQuigg wrote:
> At 04:01 PM 6/30/2005 -0400, Stuart D. Gathman wrote:
>
> At the risk of more misunderstanding, but in hopes I will learn something
> new, I have a question.  Assuming authentication works perfectly - i.e. we
> never again have to deal with the problem of forgery of domain names, how
> do we deal with spammers registering millions of domain names, providing
> perfect authentication records, and spamming for as long as it takes
> receivers to add the new name to some huge blacklist?

Those domains won't have any reputation history built up.

Eventually, I expect that people will either mark such mail as suspect
if the domain is unbonded, or they simply won't even accept such mail.

(As a side note, this sort of thing has *continually* been mentioned on
this list:  Way back at the beginning, over 1.5 years ago with Meng's
AGUPI slides, and multiple times since then.  If you've read through the
archives at all in preparation for posting here, you can't have missed
it.)

> Just to clarify, I'm not saying SPF should change its focus from forgery to
> spam, just that I don't see stopping forgery as a solution to the spam
> problem (at least not the main problem, it seems that it does solve some
> spam-related problems like backscatter.)

It's not a solution to (non-mailfrom-forged) spam in and of itself,
rather it's a necessary component to one particular set of ways of
identifying disreputable senders.

To paraphrase Meng's classic saying, (I don't remember the exact
wording), ~"spf is not an anti-spam method in the same way that flour is
not food.".

> I see domain-rating services as providing a much more effective solution to
> the spam problem than law-enforcement.

I believe that's mostly been the consensus of this list since day one.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com

