
On 7/5/25 3:44 PM, Barry Shein via NANOG wrote:
At the 2003 MIT Spam Conference there were two keynotes, myself and someone else who is highly esteemed in the e-mail world.
They spoke about these various emerging (in 2003) authentication methods and I asked a question like any participant which echoed what's being said below: Aren't the bad guys just going to learn how to make their email authenticated? So all I know, with great certainty, is this email is from Phishing R Us, Inc?
The answer was, well of course, but this will all work because we will also develop reputation systems.
That was 2003, nearly a quarter century ago.
Unfortunately too many of the problems on the internet were solved on paper (i.e., RFCs and their ilk) 20, 30, 40... years ago.
But nothing came of them because writing down a clever engineering hack is a lot easier than herding a billion cats but the organizational structures lean heavily in favor of the "let's write up another clever engineering hack!" crowd.
If you're talking about reputation systems, maybe you should talk to the folks clamoring to solve the DKIM so-called "replay" problem who claim that spam "replays" cause problems with their reputation from big mailbox providers. Part of the problem with all of this is that everything that happens on the receiver side is opaque to the world at large and providers aren't saying what's going on under the hood with any specificity for... reasons. I can understand their reasons, but unless you've worked at one and by some miracle can talk about it, nobody on the outside knows what they are really doing.

Mike