
-- Mark Andrews
On 6 Jul 2025, at 09:01, Tim Howe via NANOG <nanog@lists.nanog.org> wrote:
One of the biggest problems I face is that spamming is largely accepted as perfectly normal for some groups.
Convince marketing people that they shouldn't be able to just email everyone they can identify about anything they want and it just doesn't compute.
I get more spam directly from Salesforce's network than anywhere else because it's a service their customers expect them to supply.
Have fun fighting that.
--TimH
On Sat, 5 Jul 2025 18:44:05 -0400 Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
At the 2003 MIT Spam Conference there were two keynotes, myself and someone else who is highly esteemed in the e-mail world.
They spoke about these various emerging (in 2003) authentication methods and I asked a question like any participant which echoed what's being said below: Aren't the bad guys just going to learn how to make their email authenticated? So all I know, with great certainty, is this email is from Phishing R Us, Inc?
The answer was, well of course, but this will all work because we will also develop reputation systems.
That was 2003, nearly a quarter century ago.
Unfortunately too many of the problems on the internet were solved on paper (i.e., RFCs and their ilk) 20, 30, 40...years ago.
But nothing came of them because writing down a clever engineering hack is a lot easier than herding a billion cats but the organizational structures lean heavily in favor of the "let's write up another clever engineering hack!" crowd.
Put another way: Why is there no economics behind solving any of this?
In other areas like, e.g., creditworthiness vast infrastructures have been built and maintained and seem to work well enough to keep the lenders afloat (actually, to keep them among the wealthiest in all of world history.)
But this stuff remains mostly a volunteer effort except where someone can maybe spin up a consultancy or customized service but it's always tiny in the scheme of things.
Follow the money? Apparently there is no money to follow!
On July 5, 2025 at 16:11 nanog@lists.nanog.org (John Levine via NANOG) wrote:
It appears that Michael Thomas via NANOG <nanog@lists.nanog.org> said:
Email doesn't even have that. Thunderbird, which is what I use, has precisely *nothing* to say about DKIM/SPF/DMARC.
Well, yeah. As you surely know as well as anyone, if a message is authenticated that tells you nothing about whether it's mail you want or mail that's malicious. For that you need a reputation system that knows something about the domain that's authenticated. That seems a lot easier to do at delivery time and put the bad ones in the Junk folder, or don't deliver them at all.
Do you have any visibility into, say, MAAWG and why they don't take this up as a standards effort?
Honestly, they'd just laugh. It's not a new idea, and there is a great deal of experience that says asking users to make security decisions in the UI mostly adds confusion.
On the other hand, if you use Thunderbird, I don't think it'd be very hard to write a plugin that looks at the Authentication-Results: header and adds locks or skulls and crossbones to the message display. Try it, tell us how you like it.
You can start with this one:
https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/
R's, John
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ZKODZNYV...
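A sketch of the idea raised in the thread (read the Authentication-Results: header and show a lock or a skull), combined with the point that a pass only means something once the authenticated domain has a reputation. This is an added example, not code from the thread or from the dkim-verifier add-on; the header values, the `REPUTATION` table and the function names `parseAuthResults` and `indicatorFor` are constructed for illustration.

```javascript
// Added example. Header values and the reputation table below are constructed.
const REPUTATION = new Map([          // hypothetical local reputation data
  ["example.org", "good"],
  ["phishing-r-us.example", "bad"],
]);

// Parse "authserv-id; method=result prop=value ..." (RFC 8601) into a list.
function parseAuthResults(header) {
  const flat = header
    .replace(/\r?\n[ \t]+/g, " ")     // unfold continuation lines
    .replace(/\([^()]*\)/g, " ");     // drop (comments); nesting not handled
  const [first, ...clauses] = flat.split(";").map((s) => s.trim());
  const authservId = first.split(/\s+/)[0].toLowerCase(); // ignore version
  const results = [];
  for (const clause of clauses) {
    const m = /^([a-z0-9-]+)\s*=\s*([a-z]+)/i.exec(clause);
    if (!m) continue;                 // "none" or an empty clause
    const props = {};
    for (const [, k, v] of clause.matchAll(/([a-z]+\.[a-z0-9_-]+)\s*=\s*(\S+)/gi)) {
      props[k.toLowerCase()] = v.toLowerCase();
    }
    results.push({ method: m[1].toLowerCase(), result: m[2].toLowerCase(), props });
  }
  return { authservId, results };
}

// Returns "lock", "skull" or "unknown" for the message display.
function indicatorFor(header, trustedId, reputation = REPUTATION) {
  const { authservId, results } = parseAuthResults(header);
  // Only the receiving server's own stamp counts; any sender can add a header.
  if (authservId !== trustedId.toLowerCase()) return "unknown";
  if (results.some((r) => r.method === "dmarc" && r.result === "fail")) return "skull";
  const dkim = results.find((r) => r.method === "dkim" && r.result === "pass" && r.props["header.d"]);
  if (!dkim) return "unknown";
  const rep = reputation.get(dkim.props["header.d"]);
  if (rep === "bad") return "skull";  // authenticated, and known bad
  return rep === "good" ? "lock" : "unknown"; // a pass alone earns no lock
}

const SAMPLES = {                     // constructed Authentication-Results values
  known: "mx.example.net; dkim=pass header.d=example.org header.s=s1; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org",
  phish: "mx.example.net;\r\n dkim=pass (2048-bit key) header.d=phishing-r-us.example;\r\n dmarc=pass header.from=phishing-r-us.example",
  stranger: "mx.example.net 1; dkim=pass header.d=newsender.example; dmarc=pass header.from=newsender.example",
  spoofed: "mx.example.net; dkim=none; spf=fail smtp.mailfrom=example.org; dmarc=fail header.from=example.org",
  forged: "mx.elsewhere.example; dkim=pass header.d=example.org; dmarc=pass header.from=example.org",
};
```

The `phish` sample passes DKIM and DMARC and still gets a skull, while `stranger` passes both and gets no lock, because neither result says anything about the sender until the reputation lookup does.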