[Asrg] Receiver Initiated Authentication

SM sm at resistor.net
Mon Sep 17 13:31:20 EDT 2007


At 16:58 16-09-2007, Michael Kaplan wrote:
>I propose a method of rapidly achieving a near comprehensive SPF 
>database.  The core of this concept is that questionable 
>unauthenticated email will be bounced; the return of this bounce 
>authenticates the domain.  This domain and the MTA listed in the 
>return path of the resent bounce is now entered into a shared 
>database.  All future emails from this previously unauthenticated 
>domain sent via this MTA will now be authenticated after consulting 
>this newly established database.

As this is a research group, it's good to see new proposals like 
yours.  Your proposal, like a few others, revolves around 
Challenge/Response.  Once we start meddling with bounces, we make 
that feature even more unreliable.

Near universal distribution of Auto-Resend software is not as easy as 
it sounds.  If you cannot get the administrators to update their 
systems, then you won't get hundred times more people upgrading their 
software.  The cost will be much more if you upgrade the client software.

CAPTCHA has been circumvented.  Getting users to a website to solve a 
CAPTCHA is not that difficult.  If spammers did not get more than an 
insignificant number of people to visit their website, they would not 
have been in business.  CAPTCHA also has usability issues.

A Single Universal Receiver Generated SPF Database is like having a 
single worldwide authority responsible for email.  This raises 
questions about control and cost.

I suggest that you don't underestimate the technical prowess of spammers.

Regards,
-sm 
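The scheme in the quoted proposal, reduced to a toy model as an added example (not code from the thread or from either author): unauthenticated mail is bounced, and a resend of that bounce enters (domain, MTA) into the receiver-generated database. The HMAC challenge token and the `Receiver` class are assumptions, since the proposal does not say how a returned bounce is recognised; `bounces_sent` makes visible the cost raised above, namely that every unauthenticated message produces a bounce to a return path the receiver has not verified.

```python
"""Toy model of receiver-initiated authentication via bounces.
Added illustration; the challenge token is an assumed mechanism."""
import hmac
import hashlib
import secrets

# Per-receiver key for challenge tokens (constructed at import time).
SECRET = secrets.token_bytes(32)


def make_token(domain: str, mta: str) -> str:
    """Bind the challenge to the claimed (domain, MTA) pair."""
    msg = f"{domain}|{mta}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class Receiver:
    def __init__(self) -> None:
        self.authorized: set[tuple[str, str]] = set()  # the shared database
        self.bounces_sent: list[str] = []  # return paths we bounced to

    def inbound(self, sender: str, mta: str, spf_pass: bool) -> str:
        """Accept authenticated mail; otherwise bounce with a challenge."""
        domain = sender.split("@", 1)[1]
        if spf_pass or (domain, mta) in self.authorized:
            return "accept"
        # The bounce goes to the claimed return path, which has not been
        # verified at this point: a forged sender gets an unsolicited bounce.
        self.bounces_sent.append(sender)
        return "bounce:" + make_token(domain, mta)

    def resend(self, sender: str, mta: str, token: str) -> str:
        """A returned bounce carrying a valid token authorises the pair."""
        domain = sender.split("@", 1)[1]
        if hmac.compare_digest(token, make_token(domain, mta)):
            self.authorized.add((domain, mta))
            return "authorized"
        return "reject"
```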