North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Clueless service restrictions (was RE: Anti-spam System Idea)

  • From: Guðbjörn S. Hreinsson
  • Date: Wed Feb 18 20:38:00 2004

> >> I think that the "registration" oriented authentication mechanisms
> >> rmx, lmap, etc.) can be useful only when the authenticator is the
> >> hosting network provider, rather than a message author.
> GSH> I think widespread use of SPF will gut the major sources of spam.
> Well, it will gut a great deal of email mobility and third-party
> services.
It will mean you can no longer use just about any SMTP server you like. But
why can't you use your ISP's submission server using SMTP AUTH? I do not
see that this adjustment to roaming users is serious, there are plenty of
your organization/ISP can continue to provide email to it's users and use

> It will probably have no meaningful effect on actual spam.
Oh, it will.

> For example, as you note:
> GSH> Then, of course, the spammers will find other ways...
And we will deal with those ways as well. If not, then lets roll over
right now.

> That means that _at best_ MTA author registration schemes, like SPF, are
> tactical responses.
There are forums for discussing smtp replacement, SPF is not meant to be
a replacement for SMTP but augmentation; yes, that's tactical.

> The problem is that they cause a _strategic_ change
> to the email semantic model; and the scaling effect of its
> administration is really quite terrible.
I don't see that. This is really no different from when just about everybody
to secure their open relays or stop using email, or secure their proxies or
go under,
or... It's not strategic in and by itself. It's effect on mail server
management and
efficiency is probably more than using black lists (depends on how many you
today), it will mean some dns administration, but hey! we are in the it
business, this
is to be expected, we don't expect stagnation do we?

> Pretty massive effect, for such a short-term benefit.
It's pretty straight forward. There are details to it, especially on the dns
records but
other than that, it's less massive than black lists probably.

> Not to mention that, on the Internet, it is never possible to deploy
> anything in a short-term time-frame.
Not everywhere. It will take some more time than closing open relays

> And, oh by the way, all SPF tries to do is to authenticate the From field.
Not quite. It only "authenticates" the domain part of the From field.

> Forgive me for not being reassured that wide use of SPF will merely mean
> that the spam I get will have a valid From field.

There are estimates that 40-70% of spam today is from spam proxies. If a
proxy sends mail to a SPF enabled MTA with a MAIL FROM where the domain
has SPF records then the MTA can easily slice and dice at will.

That's pretty drastic. If it only puts spammers back to the drawing board
for a while
then it's quite worth it, because their old techniques are becoming very