Mailing List Archive

SPF _is_ the problem
On Mon, Feb 23, 2004 at 03:37:54PM +0000, Brian Candler wrote:
| > From my point of view, SPF solves nothing which couldn't be better
| > solved in other ways. SPF _is_ the problem which I'm trying to work
| > around by finding some non-broken SRS scheme.
|
| :-)
|
| It seems people who believe in SPF are also prepared to accept a fair degree
| of breakage in their mail.

The way I see it, there's already a fair degree of breakage, and I'm
betting that the total breakage under SPF will be less than the breakage
without SPF.

Can you elaborate on the better solutions? I would happily jump to a
better one.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
Re: SPF _is_ the problem
On Mon, Feb 23, 2004 at 11:00:26AM -0500, Meng Weng Wong wrote:
> | It seems people who believe in SPF are also prepared to accept a fair degree
> | of breakage in their mail.
>
> The way I see it, there's already a fair degree of breakage, and I'm
> betting that the total breakage under SPF will be less than the breakage
> without SPF.
>
> Can you elaborate on the better solutions? I would happily jump to a
> better one.

For joe-jobs, an SRS-like cookie system is a good solution.

Do we agree on the rest of the problem?
http://archives.listbox.com/spf-discuss@v2.listbox.com/200402/0603.html

I had excluded "forged MAIL FROM on deliverable mails" from the problem set
(but included "forged From: headers").

This might be changed if I can be convinced of the value of a reputation
system.

Would such a system be based on the reputation of an entire *domain*
(myisp.net), or an individual user (fred@myisp.net)?

If working on the reputation of a domain, assuming it's an ISP, we risk
either:
(1) accepting mail from disposable spamming accounts, because a sufficient
proportion of mail from that ISP is not spam; or
(2) blacklisting entire ISPs who don't do enough to discourage spammers on
their network.

Case (2) can already be done via IP blacklists, so SPF hasn't helped us, and
case (1) means we get spam from disposable accounts. So I don't think either
case puts us in a better position than we are already.

If working on the reputation of an end-user, then the mail must be validated
as coming from that individual user. That means SMTP AUTH if the ISP is
going to "certify" it, or else the end-user signs it themselves (e.g. the
ISP either signs their public key, or publishes their public key in a
specific place in the DNS).

However, if we are talking about the reputation of an end-user (who is
likely a low-volume mail sender): how do they establish their initial
credentials so as to be able to send mail to anyone? And how can this be
done in such a way that spammers can't go through the same process
themselves?

Genuine customers are going to be very unhappy if they can't quickly
establish their credentials with the rest of the world to be able to send
mail, and there is a large volume/turnover of ISP accounts to be handled.

Regards,

Brian.

Re: SPF _is_ the problem
On Mon, Feb 23, 2004 at 04:23:53PM +0000, Brian Candler wrote:
|
| However, if we are talking about the reputation of an end-user (who is
| likely a low-volume mail sender): how do they establish their initial
| credentials so as to be able to send mail to anyone? And how can this be
| done in such a way that spammers can't go through the same process
| themselves?
|
| Genuine customers are going to be very unhappy if they can't quickly
| establish their credentials with the rest of the world to be able to send
| mail, and there is a large volume/turnover of ISP accounts to be handled.

That is the role of an accreditation service provider such as bondedsender.

I should put something about this in the FAQ.
