On Wed, 2005-07-06 at 15:23 -0400, Rich Kulawiec wrote:
> [late followup, sorry]
> On Thu, Jun 23, 2005 at 05:42:17AM -0700, Dave Crocker wrote:
> > The real fight is to find ANY techniques that have long-term, global benefit in reducing spam.
>
> We've already got them -- we've always had them. What we lack is the guts to *use* them.
>
> As we've seen over and over again, the one and only technique that has ever worked (and that I think ever *will* work) is the boycott -- whether enforced via the use of DNSBLs or RHSBLs or local blacklists or firewalls or whatever mechanism. It works for a simple reason: it makes the spam problem the problem of the originator(s), not the recipient(s). It forces them to either fix their broken operation (any network which persistently emits or supports spam/abuse is broken) or find themselves running an intranet.
The looming battle is not about a reluctance to utilize reputation. This "authentication" effort is a shift from using the remote IP address into utilizing the domain name. This changes the nature of how reputation affects shared servers. A name is more specific, and at the same time, more pervasive. This change to the use of domains is progress.

However, path registration is really just an "authorization" mechanism. Calling this an "authentication" mechanism presumes the domain owner enjoys exclusive use of their domain on the server. While this may satisfy the typical bulk email distributor, the average domain owner may discover they remain prone to forgery. Such domain owners may also be harmed by publishing server authorization in this case, while creating a support nightmare. The user-feedback reputation schemes suggested overlook the uncertainty created when it is unknown which header or parameter is being assured by the sender, or when domain exclusivity is not maintained at the server. In an era where networks are often populated by zombie systems, this oversight is troubling.

Unless the domain owner administers their own servers, and doesn't expect messages to forwarded accounts not to be lost, then they should consider using a signature-based alternative instead. In addition, signatures will likely represent less overhead than path registration. Path registration, due to the need to place higher priority on unseen headers, will not offer effective anti-phishing solutions either. Signature-based alternatives again hold greater promise for anti-phishing as well.

There are few email recipients that do not use various types of black-hole lists. As this battle shifts into using domain names, be careful. Make sure you can defend your domain's reputation. If not, a name-based reputation system directing your domain's email to a "junk" folder will have you longing for the good ol' days of black-hole lists.

-Doug
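The shared-server and forwarding cases Doug contrasts above can be made concrete with a small model. The following is an added illustration, not code from this thread or from any of the authentication proposals it refers to: "path registration" is modelled as a published list of authorized sending IPs (SPF-style), and the "signature-based alternative" as a per-domain key that signs the message body (an HMAC stand-in for the public-key signatures real systems use). All domains, IP addresses, keys and messages are constructed for the example.

```python
"""
Toy model of path registration versus a signature-based check.
Constructed example; domains, IPs, keys and messages are made up.
"""
import hashlib
import hmac

# Path registration: each domain publishes the outbound IPs it authorizes.
# example.org and example.net are tenants of the same shared outbound server,
# so both list the same IP (the "no domain exclusivity at the server" case).
AUTHORIZED_SENDERS = {
    "example.org": {"192.0.2.10"},
    "example.net": {"192.0.2.10"},
}

# Signature-based: each domain holds its own secret. A real deployment would
# use a private key with a public key published in DNS; HMAC keeps the toy short.
DOMAIN_KEYS = {
    "example.org": b"constructed-org-secret",
    "example.net": b"constructed-net-secret",
}


def path_check(mail_from_domain, connecting_ip):
    """'pass' if the connecting IP is one the domain has authorized."""
    allowed = AUTHORIZED_SENDERS.get(mail_from_domain)
    if allowed is None:
        return "none"          # domain publishes no authorization record
    return "pass" if connecting_ip in allowed else "fail"


def sign(domain, body):
    """Produce the domain's signature over the message body."""
    return hmac.new(DOMAIN_KEYS[domain], body.encode(), hashlib.sha256).hexdigest()


def signature_check(claimed_domain, body, sig):
    """'pass' only if the signature verifies under the claimed domain's key."""
    key = DOMAIN_KEYS.get(claimed_domain)
    if key is None:
        return "none"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, sig) else "fail"


def scenario_shared_server():
    """
    Mail injected by the example.net tenant of the shared server but
    bearing an example.org sender: the IP check cannot tell the tenants
    apart, while the signature check can.
    """
    body = "Message injected from the shared server"
    path = path_check("example.org", "192.0.2.10")        # IP is authorized
    sig = sign("example.net", body)                       # only example.net's key is held
    sig_result = signature_check("example.org", body, sig)
    return path, sig_result                               # ('pass', 'fail')


def scenario_forwarding():
    """
    Legitimate example.org mail relayed unchanged by a forwarder at
    198.51.100.5 that example.org never listed: the IP check fails,
    the signature still verifies.
    """
    body = "Legitimate message relayed by a forwarder"
    sig = sign("example.org", body)
    path = path_check("example.org", "198.51.100.5")      # forwarder not listed
    sig_result = signature_check("example.org", body, sig)
    return path, sig_result                               # ('fail', 'pass')


if __name__ == "__main__":
    print("shared server :", scenario_shared_server())
    print("forwarding    :", scenario_forwarding())
```

The first scenario is the "domain exclusivity is not maintained at the server" problem: an IP-based authorization record vouches for every tenant of the host equally, so a recipient that builds domain reputation on the path result will attribute the tenant's traffic to example.org. The second is the forwarding cost of path registration that the post mentions, which the signature survives only because the forwarder leaves the signed body intact; real signature schemes add canonicalization rules to tolerate the usual transit changes.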