-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adrian Midgley wrote:
| On Friday 09 July 2004 18:50, Simon Waters wrote:
|
|>>Why not just sign all your emails - all the end user benefits (they know
|>>it is from you and can discard the other emails claiming to be from you)
|>>and none of the drawbacks of SPF.
|
|
| Many of the people I exchange email with are insufficiently clued to handle
| signing, but that isn't what SPF is for.
I disagree: the key point behind SPF is to stop spoofing of email from addresses. You can do this by changing the entire email infrastructure, or you do it by using established Internet standards, S/MIME and OpenPGP, both of which are already incorporated into all sensible email clients, and one of which even occurs in the Outlook family (although I wouldn't recommend it).
|>>SPF transfers work from 1 to 3.
|
| Is that very much?
For the likely benefits gained, reengineering the entire email infrastructure is way too much work. For the work involved we could implement an entirely new email architecture with less grief.
| I envisage setting up a rule that deletes unseen all email which claims to be
| from a domain which has implemented SPF and whose SPF record does not state
| that the machine from which the email came is one of that domain's email
| servers.
So the spam will come from elsewhere, so the benefit is only ensuring Paypal scams come from Paypal employees and crackers, or paypa1.com.
| The designers of eg pobox.com who rather than being just large email systems
| are large email systems that relay mail for many mobile users - their worst
| problem - will have to establish either SMTP AUTH, a good idea for mobile
| users I'd say
SMTP Auth moves the restriction on email from a trusted IP to someone who happens to know/guess/steal the password for a mail account.
I don't have a problem with the further deployment of SMTP Auth; it needs to be done well, and I don't think most implementations are there yet. It must rate limit email (goodbye to emailing your whole address book), it must log and reject multiple password attempts, and it introduces password management for something that may never have had it before.
|>>It doesn't solve the spam problem, and
|>>it only partially addresses impersonation (unlike signing emails which
|>>addresses this one properly).
|
| It doesn't address impersonation at all.
I think you missed the point here. That is all it addresses, and it does it badly.
| The only thing it addresses by
| design is the spoofing of email from lines. This solves one part of a large
| and complex (spam) problem, in a way that seems to me to be proportional and
| somewhat clever.
| Screening out a large number of emails quickly on the basis that they are not
| from where they say they are allows more resource to be applied to the more
| clever and trickily sneaky spam.
To be honest I expect XP SP2 to have more impact on spam, as it addresses some of the core technical problems.
|>>Since SPF doesn't actually address the spam problem, it doesn't reduce
|>>(2) significantly at least not until you switch on the "don't accept
|>>email from non-SPF users" or those advertising all addresses (like AOL
|>>was at one point - may still do) and that isn't happening anytime soon.
|
| That was not my understanding, and of course if one adds even a single point to
| the spamishness score on the basis of SPF records that don't allow an email
| to be discarded out of hand, it will make a big difference to the probability
| of a spam getting through.
You can score likely spam sources with RBLs in SpamAssassin without reengineering the whole of SMTP. I think you're assuming SPF is a spam solution, so I think you missed the point.
| Spam being a social problem will require a complex adjustment of society to
| deal with, SPF is one bit of technology I've been convinced of the merit of,
| and the various laws on UCE while poorly effective in their own right share
| the merit that they provide a criminal offence which has been committed by
| most senders of spam which cannot easily be blocked on the basis of where it
| came from.
Almost all spam is sent using compromised PCs, which almost certainly violates criminal statutes in all countries the spammers are likely to live in. In this country unauthorised access to computers carries a very hefty maximum sentence.
The antispam houses claim they know who the people are who send the bulk of spam, and they claim they have provided this information to the US Department of Commerce. So if you want a "social solution", press for enforcement.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFA78jPGFXfHI9FVgYRAkhFAJ4gs6YqWN1jor0hgPXOWF39yWZ+qACgjD5A
pN+sHil4FQZW89e1t269noI=
=GVVr
-----END PGP SIGNATURE-----
--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
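The exchange above turns on what an SPF check actually decides: whether a sending IP appears in the list the owner of the envelope-from domain publishes in DNS, and nothing more. The following is an added example, not code from the thread or from any SPF library: a minimal evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms (qualifier semantics as in RFC 7208; `a`, `mx`, `ptr`, `exists` and `redirect=` are not modelled), run against a constructed in-memory DNS table instead of real lookups. The domains, records and addresses in `DNS_TXT` are invented for the example. Running it shows both sides of the argument: the rule Adrian proposes (drop only on a hard `fail`) does reject mail from an address the domain did not list, while a domain with no record yields `none` and a lookalike domain with its own honest record yields `pass`, which is the limitation Simon describes.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records). A value of None
# models a domain that publishes no SPF record at all.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "examp1e.com": "v=spf1 ip4:203.0.113.0/24 -all",   # lookalike domain with its own valid record
    "nospf.example.org": None,
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None (hypothetical resolver)."""
    return DNS_TXT.get(domain)


def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 limits recursive lookups
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published: nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced domain's record passes
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # mechanism not modelled in this example
    return "neutral"                    # no mechanism matched and no "all" term


def discard_under_proposed_rule(ip, domain):
    """The rule from the thread: drop only when the domain publishes SPF and the
    source is not one of its listed senders. Everything else gets through."""
    return check_spf(ip, domain) == "fail"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "example.com"),
                       ("198.51.100.10", "example.com"),
                       ("203.0.113.9", "example.com"),
                       ("203.0.113.9", "examp1e.com"),
                       ("203.0.113.9", "nospf.example.org")]:
        print(f"{ip:>15} {domain:<20} {check_spf(ip, domain):<9} "
              f"discard={discard_under_proposed_rule(ip, domain)}")
```

The `examp1e.com` and `nospf.example.org` rows are the ones to look at: a forged sender domain that publishes no record, or a registered lookalike with a correct record, is never discarded, so the rule only bites on mail that claims a domain with a published policy and arrives from an unlisted host.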