On Mon, Apr 14, 2014 at 10:33:40AM -0700, Matthew Petach wrote:
> So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet?

Sender validation means NOTHING in a world with hundreds of millions of bots and hundreds of millions of email accounts that are either (a) hijacked or (b) created at will by the bot herders. My spamtraps see spam all day every day from all over the world that passes whatever alleged "sender validation" technology is the flavor-of-the-month. Can it work in some isolated edge cases? Sure. Can it work on an Internet scale? No.

As I've said many times, email forgery is not the problem. It's a symptom of the problem, and the problem is "rotten underlying security" coupled with "negligent and incompetent operational practice". But fixing that is hard, and nobody -- not Yahoo and not anybody else either -- wants to tackle it. It's much easier to roll out stuff like this and pretend that it works and write a press release and declare success.

---rsk