RE: [spf-discuss] Phishing passing thru spf = not useful to me.

2007-04-20 10:22:19
Stuart D. Gathman wrote on Friday, April 20, 2007 11:19 AM -0500:

On Fri, 20 Apr 2007, Scott Kitterman wrote:

That has been proposed.  In my opinion there is too much momentum
behind SMTP to stop and redesign it.  If this does happen it's
going to be some other non-email protocol that just eats SMTP's
lunch.  Maybe some kind of RSS/Jabber something.  I don't know.

My money is on Jabber.  But you'll still need a reputation system for
jabber domains.  You'll notice that widely used IM systems have some
sort of reputation.  For instance, AIM provides "Warn" and "Block"

The issue is not whether there is a reputation system, but whether you
have a verifiable identity to look up.  SMTP was designed when there was
no reason to distrust an identity, and it also had to accommodate relay
transfers since the internet wasn't yet fully interconnected.  The
multiple identities inherent in a multi-hop transfer, coupled with the
inconsistent recording of transit information (Received: headers are
optional trace headers), made the task of validating identities very
difficult.  Add to that the complete generality of the multiple sender
identities in SMTP, which need not bear any relation to one another, and
the situation for recipients is difficult.

The IM protocols all came about after the appearance of email spam and
after the internet became fully interconnected, so they naturally did a
better job of controlling sender identities.  PGP, S/MIME, SPF and DKIM
are all ancillary protocols to add some measure of sender identity
verification to SMTP.  The fact that no ancillary protocol has
succeeded, despite the problem getting worse, is evidence that a major
change to SMTP for this purpose is most likely impossible at this point.

Seth Goodman
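
The following is an added example, not part of the original thread: a Python sketch that collects the separate sender identities a received message carries (Return-Path, From:, Sender:, and the hosts named in any Received: lines) and reports whether their domains agree. The sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (reserved example domains and addresses only).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.recipient.example with ESMTP; Fri, 20 Apr 2007 10:00:00 -0500
Received: from host.example.net (host.example.net [192.0.2.20])
\tby relay.example.org with SMTP; Fri, 20 Apr 2007 09:59:58 -0500
From: "Account Services" <service@bank.example.com>
Sender: <list-owner@lists.example.org>
Subject: constructed sample

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    address = parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()

def sender_identities(raw_message):
    """Collect every sender-related identity the message presents."""
    msg = message_from_string(raw_message)
    identities = {}
    for name in ("Return-Path", "From", "Sender"):
        if msg[name]:
            identities[name] = domain_of(msg[name])
    # Trace headers may be absent, so an empty hop list is a valid result.
    hops = []
    for received in msg.get_all("Received", []):
        match = re.search(r"\bfrom\s+(\S+)", received)
        if match:
            hops.append(match.group(1).lower())
    identities["Received-from"] = hops
    return identities

def identities_disagree(identities):
    """True when the address-based identities name more than one domain.
    Exact-domain comparison is a simplification made for this example."""
    domains = {v for k, v in identities.items() if k != "Received-from"}
    return len(domains) > 1

if __name__ == "__main__":
    found = sender_identities(SAMPLE)
    print(found, "disagree:", identities_disagree(found))
```
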

