Post by Andrzej Adam Filip
> I hope that SPF implementations will *force* SPF opponents to propose a
> better safeguard against sender faking instead of endless complaints "it
> is bad STOP do nothing STOP" (exaggerated).

OK, my $.02 on the matter:

The first question is: Why do spammers use "faked senders" (whatever the
definition of this term in *this* context may be (*)) in the first place?
As we all know, there are things like expendable accounts/addresses,
spam-friendly ISPs, registrars that do not thoroughly check contact
information, yadda yadda. If we succeed in enforcing "non-faked" sender
addresses, and assuming that the point of faked senders were just to make
it impossible to trace spam back to the spammer, would they have much of
a problem switching to non-faked, but still utterly useless (in terms of
recognizing or backtracing spam) sender addresses? I don't think so.
Getting a technically legitimate address or even domain is neither
costly nor time-consuming nor complicated nor buried under red tape, or
at least not much, and that's unlikely to change.

So, why aren't spammers doing just that right now?

Possibility 1: They're tight-fisted bastards and, when given the choice
between swimming through hot legal water (ID theft, implicitly libelling
the joe-jobbed address, antispam legislation specifically mentioning
falsified contact info, creating zombie computers with virii, you name
it) for free and spending just a couple dollars more, they go for the
first option. In this case, what effect would it have to have the good
guy half of the world stomp out faked senders? It would force them to
switch to option 2. Net effect *so far*: negligible.

Possibility 2: They're not actually interested in disguising themselves
as just SOME sender; they're trying to impersonate a sender or sending
domain that the recipient TRUSTS so as to make filtering more difficult.
Now let's assume that we manage to make that impossible. Will spammers
stop trying to send spam? No, as detailed above, they'll just use
different sender addresses. Net effect: Joe Average Email User will feel
more encouraged to install a whitelist and "be done with it" than ever
before. Is that the future of email that we want to see come true? That
everyone and his MTA takes on the habit of downright IGNORING emails
unless the sender has (say) spelled his sender address in a phone call
to have it whitelisted?

Sorry, not in my books; if I wanted *that*, a much more sound technical
implementation would be to install an FTP server, create write-only
accounts for the "whitelisted" people, tell them userid and password by
the OOB channel we're already assuming to exist, and have them transfer
"emails" in MH format straight to my hard disk. Or go back to UUCP
networking, only with SSH logins instead of modem dialups. Just NOT
SMTP, as it is based on the idea of providing service to whatever
anonymous party can connect to port 25, which is exactly what I'd
basically be trying to get rid of.

I'm *not at all* ready to take the stance of "if I do not know you
*already*, you seem not to be worth listening to". And I certainly
don't think that I'm ever going to know the reputation of most people or
entities on the Internet. By logical conclusion, yes, I will continue to
look - with varying degrees of attention, of course - at emails where I
do not have the slightest idea who the guy sending it may be. What I
need in order to put up a fight against spam in *this* scenario is not
simply that there is some reliable ID attached to email, but also that
obtaining new such IDs all the time will not take place - whether it's
made downright impossible, or just too costly to have spamming stay
profitable.

What technical means does that translate to? Well, I don't think that
that's cast in stone yet. There was a time when everyone expected
PKIs to bring widely deployed cryptographic signatures and positive ID
(be it Verisign certificates for servers worldwide, SigG-conformant
personal certificates in Germany, or whatever), but it didn't work out.
Some hold the belief that the PGP-style web of trust could do such a
thing if given a chance (where the asset that a spammer cannot easily
regenerate would likely be a not-too-new, sufficiently unique listing on
the keyservers). The newest contender is the .mail TLD, making the
subdomains thereunder the asset that's costly to replace. Not to forget
C/R (asset = whitelisted address after responding to the challenge) and
"email stamps" (I forget the official name; the stuff where you have to
solve a cryptographic puzzle before you can move on in the SMTP
transaction, making this very connection the valuable asset). And
probably a good deal more, some using the sender address for IDing
(which would then need to be protected against forgeries), some not. As
long as it works and doesn't chain me to some monopoly, I do not care
which one will prevail. Or which *selection of several*, for that matter.

Regards,
J. Bern

(*) I'm using the SMTP (and NNTP) server of kamp-dsl.de. KAMP is a
*connectivity* provider, and I *could* be a customer of theirs
with no email address technically connected to them *whatsoever*.
Is it "sender faking" when I hand the KAMP SMTP server an email
with my real email address on it, just because I get connectivity
and a POP mailbox from different providers? What if I made a typo
in that address, would THAT be forged, and if not, how on *Earth*
do you expect a technical mechanism to tell *that* from an all-out
forgery?