On 2/21/08, Stephen J. Turnbull wrote:
> Granted, Brad himself often criticizes the implementation at AOL, Yahoo, et al. But the underlying strategy is the same. "Stop spam as far upstream as you can."
Yeah, but SPF/SenderID and DKIM/DomainKeys are not the right tools to be forcing everyone else in the industry to be using to achieve this goal. You might as well force everyone to use only 24lb sledgehammers when they want to fasten any two objects together, and ignore all other fastening technologies like screws, glue, etc....
The DKIM guys did their homework -- they identified the weaknesses in SPF, and they found ways to avoid pretty much all of them. Problem is, they brought out the crypto-nuclear weapons to use against the spammers, and they forgot that the spammers are like cockroaches, and they're the only ones who'll be left on this planet when the nuclear weapons actually get used.
> You can't have it both ways. If AOL's database is organized by IP, when you get filtered, you will get filtered by IP. If you want Yahoo to distinguish your "diligent" (and/or "lucky") domains from the less so, you're going to have to give them domain keys so the good ones can't be spoofed by the bad ones (or worse, by the bad guys themselves).
I don't think you can effectively protect these assets by domain. Among other things, there are far too many places out there that might have a valid need to send e-mail on my behalf, using my address, and any domain-level protection mechanism would almost certainly break that aspect of e-mail. There go all your e-mail greeting cards, there go all your e-mail notifications of birthdays or other events, and a whole host of other things.
You can't even protect these assets completely by IP address. If the spammers can get friendly with an ISP so that they can advertise bogus routes to your network, then they can send out mail from their machines using your IP addresses, and all your IP-based security mechanisms go out the window.
The mail will be treated by the other end as if it really had been sent by your mail servers, and then they'll go away in five minutes. But the damage has already been done -- the spam has been sent, and someone else has been blamed. And all those ephemeral routing advertisements never get logged anywhere, so no one would ever know that it wasn't really you that was sending e-mail from that IP address.
> You don't have to like it; I don't like it at all. But it's not very useful to propose that the 600-lb gorillas "stop targeting the middlemen," nor to complain about gorillas that ask for authentication of every domain that wants to clear its reputation with the simians' systems.
I don't mind them targeting the middleman. I just want them to target using the appropriate tools.
I want them to have enough intelligence to know when a user has set up forwarding on our system to their system, so that when a spam message comes in and the user clicks "report as spam", they can look through the headers of the message and avoid blaming us for sending spam to that user, because we were actually just doing what the user asked us to do.
The alternative is to just refuse to forward e-mail anymore. And I don't really like that.
Oh, and btw, this also affects mailing lists, because all the low-level mechanisms for forwarding e-mail are functionally identical to operating a mailing list.
> Not until we can provide an alternative that looks like it might work.
They've got the money. Let them pay to come up with something that will actually work.
--
Brad Knowles <brad@shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
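The header check asked for in the message above (attribute a "report as spam" click to whoever handed the mail to the forwarder, not to the forwarder the user set up), as an added example that is not part of the original post. It assumes a hypothetical per-user table of registered forwarders; all hostnames and addresses are constructed.

```python
import email
import re
from email import policy

# Matches "from <helo> (... [<ip>]) by <host>" in one Received header.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(.*?\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)", re.S)

# Constructed sample: mail relayed to us by a forwarder the user configured.
SAMPLE = (
    "Received: from fwd.example.org (fwd.example.org [192.0.2.10])"
    " by mx.receiver.example with ESMTP; Thu, 21 Feb 2008 10:00:02 -0600\n"
    "Received: from bulk.example.net (unknown [198.51.100.7])"
    " by fwd.example.org with SMTP; Thu, 21 Feb 2008 10:00:01 -0600\n"
    "From: someone@example.net\nSubject: test\n\nbody\n")

def blame_for_report(raw_message, our_mx, user_forwarders):
    """Return the IP to charge with a spam report, or None if unknown.

    our_mx: hostnames of our own inbound servers; their headers are trusted.
    user_forwarders: {ip: hostname} of relays this user registered as
    forwarding to us (hypothetical per-user setting, assumed to exist).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    trusted_writers = set(our_mx)   # hosts whose Received lines we believe
    blamed = None
    for header in msg.get_all("Received", []):   # newest hop first
        m = RECEIVED_RE.search(str(header))
        if not m or m["by"] not in trusted_writers:
            break   # line written by an untrusted host: may be forged
        blamed = m["ip"]
        if m["ip"] not in user_forwarders:
            break   # handed over by a non-forwarder: this is the sender
        # Hop was a registered forwarder; also believe the line it wrote.
        trusted_writers.add(user_forwarders[m["ip"]])
    return blamed

if __name__ == "__main__":
    print(blame_for_report(SAMPLE, {"mx.receiver.example"},
                           {"192.0.2.10": "fwd.example.org"}))
```

The walk stops at the first header written by a host that is not trusted, so a sender connecting directly cannot shift blame by prepending a forged forwarder line.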