[Asrg] where the message originated (was: DKIM role?) (SM)

Ian Eiloart iane at sussex.ac.uk
Mon Jan 19 05:02:49 PST 2009



--On 19 January 2009 07:28:42 -0500 Rich Kulawiec <rsk at gsp.org> wrote:

> On Mon, Jan 19, 2009 at 11:16:19AM +0000, Ian Eiloart wrote:
>> And, right now, they don't much care about that. Why? Because too few
>> people respect SPF records. I'll bet that if, say, a couple of the major
>>  email service providers, or all .gov or .gov.uk addresses started to do
>> so, then Maplin would start to get that right.
>
> You seem to think that SPF is a good idea.  It's not.  There's a reason
> why the earliest and most prolific adopters were spammers, and it's
> most certainly not because it stops spam.

It's because it increases deliverability of email, but that's 
indiscriminate and needs to be combined with an effective reputation 
service for email domains. The reputation service would make SPF less 
attractive for spammers, and more attractive for the rest of us. SPF on 
its own does little. SPF + DKIM + a good reputation management system could 
achieve a lot.

>  There's also a reason why
> it's been abandoned by some rather large operations who rolled it out at
> some point in the past.

> The days when sending bounces was acceptable are fading into the distance.

Yes, and that's a bad thing. It's bad that spammers have made an effective 
notification system virtually unusable. However, it's the spam that's the 
root problem. We shouldn't be throwing the baby out with the bathwater, we 
should be trying to reclaim SMTP so that we can use it as it was designed.

That means getting effective accountability into the system. Certainly, if 
we were starting from scratch, then SPF would be a part of the system, and 
forwarding mechanisms would have accounted for SPF. That's where we need to 
get to. The question is how do we get there from here?

> Attempts to preserve them are doomed by the ability of bad actors to
> redirect that traffic to destinations of their choosing and thus to
> enlist bystanders in DoS and other attacks.  I think in part this is
> because the community is slowly realizing a general principle: anything
> that allows third parties to cause them to generate outbound traffic to
> arbitrary destinations is a bad idea.  (This applies to much more than
> mail, but since that's our focus here...)



> SPF belongs on the same scrap heap with C/R, SAV, e-postage, and other
> pre-failed ideas that are one or more of (a) abusive (b) ineffective
> (c) unworkable or (d) attack vectors.  And I think we've already extracted
> from it all the lessons we're going to learn about *why* it's a failure,
> so let's move on to something -- anything -- that might have a chance.
> Whatever-it-is might also turn out to be worthless, but at least we may
> learn something new from it.
>
> ---Rsk
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> http://www.irtf.org/mailman/listinfo/asrg



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
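To make the argument above concrete, here is an added example (not code from the thread or from either poster): a minimal SPF evaluator plus a domain-reputation lookup. It shows that a spammer who publishes a correct record gets an SPF "pass" just as a bank does, so SPF alone decides nothing; that the pass only becomes useful once it is tied to the sender domain's reputation; and that a plain forwarder breaks SPF at the final hop unless it takes over the envelope sender. All domains, addresses, SPF records and reputation scores are constructed for the example, and the evaluator supports only the ip4, ip6, include and all mechanisms.

```python
"""Toy SPF check combined with domain reputation (added example).

Assumptions: the SPF_RECORDS dict stands in for DNS TXT lookups so
the code runs offline, and REPUTATION stands in for a reputation feed.
Nothing here is real DNS data."""

import ipaddress

# Constructed records. "spammer.example" publishes a perfectly valid
# record, exactly as the thread observes early adopters did.
SPF_RECORDS = {
    "bank.example":      "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.10 -all",
    "spammer.example":   "v=spf1 ip4:192.0.2.0/24 include:spf-relay.example -all",
    "spf-relay.example": "v=spf1 ip6:2001:db8::/48 ~all",
}

# Constructed reputation feed: negative is bad, positive is good.
REPUTATION = {
    "bank.example": 8,
    "forwarder.example": 3,
    "spammer.example": -9,
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record against the connecting client IP.

    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:
        return "permerror"            # RFC 4408 limits include nesting
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER[qualifier]
        elif mech == "include":
            inner = check_spf(arg, client_ip, depth + 1)
            if inner == "pass":
                return QUALIFIER[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"    # RFC 4408 5.2: errors propagate
        else:
            return "permerror"        # a/mx/exists/redirect not in this toy
    return "neutral"                  # nothing matched and no "all" term


def accept_mail(mail_from_domain, client_ip):
    """Policy decision combining SPF with reputation. Returns (decision, reason)."""
    spf = check_spf(mail_from_domain, client_ip)
    rep = REPUTATION.get(mail_from_domain, 0)
    if spf == "fail":
        # The one thing SPF says on its own: the domain owner disowns this host.
        return "reject", "spf fail"
    if spf == "pass":
        # The owner vouches for the host, so the domain's reputation now
        # attaches to the message; a spammer's own pass works against him.
        if rep < 0:
            return "reject", "spf pass but bad reputation"
        if rep > 5:
            return "accept", "spf pass and good reputation"
        return "greylist", "spf pass but unknown reputation"
    return "greylist", "spf " + spf + ": unauthenticated, nothing to trust"


if __name__ == "__main__":
    # Spammer with a valid record: SPF pass, rejected only via reputation.
    print(accept_mail("spammer.example", "192.0.2.9"))
    # Bank sending directly: pass plus good reputation.
    print(accept_mail("bank.example", "198.51.100.7"))
    # Bank mail relayed by a plain forwarder with the original MAIL FROM:
    # the final hop sees an SPF fail, which is the forwarding problem.
    print(accept_mail("bank.example", "203.0.113.10"))
    # Forwarder that rewrites the envelope sender to its own domain.
    print(accept_mail("forwarder.example", "203.0.113.10"))
```

The third call is the case the thread calls "forwarding mechanisms would have accounted for SPF": the record is correct and the mail is legitimate, yet the final hop rejects it, because the forwarder kept the bank's envelope sender. The fourth call shows the fix on the forwarder's side (rewriting MAIL FROM to a domain whose record covers the forwarding host), which is what SRS-style rewriting does.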

