On Thu, Apr 29, 2004 at 12:42:04PM -0500, Seth Goodman wrote:
|
| Meng has produced and published slides which correctly, IMHO, argue that
| some of the cost burden of email needs to be shifted from the recipients to
| the senders. At the same time, he has argued that CBV's are too costly and
| that major providers would likely not buy into any scheme that relies on
| CBV's.
Meng is probably wrong about that --- major providers *are* doing CBV
today, e.g. Verizon. So CBVs are obviously not too expensive for major
providers to do, especially if their mail servers are centralized enough
to take advantage of clever things like memcached.
I think Meng's argument against SES is based more on the apparent
*requirement* that all receivers must do CBV for the full benefits of
SES to be obtained, and even then there's the replay attack scenario.
| callouts. If sender callouts are so expensive, why would PoBox do them,
| even in the absence of SES where you don't get much information by doing
| one?
In the absence of SES, CBVs are a stopgap measure that just happen to
work well today; spammers are making up random localparts, but as CBV
becomes more popular the next move will be to make up real localparts.
*That* move is answered in different ways by SPF and SES. With SPF,
receivers are expected to check the client IP and do all the SPF stuff.
With SES, receivers are expected to CBV.
Meng was thinking about SES/CBV during his shower this morning and
wondered if we'd addressed the problem of replay attacks yet. If a
spammer gets his hands on a good SES return-path, can't he send out a
spam with that return-path? CBV would pass.
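A toy model of the replay concern raised above, added here as an illustration and not code from the thread or from SES itself; the address layout, the secret key and the validity window are all assumptions. The verifier only checks that the signed return-path is genuine and unexpired, so a captured good address passes CBV no matter who sends it; expiry bounds the window, and binding to the sending host is what SPF, not SES, supplies.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # hypothetical per-domain signing secret
WINDOW = 7 * 24 * 3600            # assumed validity window, in seconds


def ses_sign(localpart, domain, now, key=SECRET):
    """Build a signed return-path 'ses=<ts>=<tag>=<localpart>@<domain>'.
    Simplified stand-in for an SES-style address, not the real encoding."""
    ts = str(int(now))
    msg = f"{ts}:{localpart}@{domain}".encode()
    tag = hmac.new(key, msg, hashlib.sha1).hexdigest()[:12]
    return f"ses={ts}={tag}={localpart}@{domain}"


def ses_verify(return_path, now, key=SECRET):
    """What a CBV / bounce receiver checks: tag genuine, not expired.
    Nothing here identifies the connecting host, hence the replay issue."""
    local, _, domain = return_path.rpartition("@")
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != "ses":
        return False, "not an SES address"
    _, ts, tag, orig = parts
    if not ts.isdigit():
        return False, "bad timestamp"
    msg = f"{ts}:{orig}@{domain}".encode()
    expected = hmac.new(key, msg, hashlib.sha1).hexdigest()[:12]
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if now - int(ts) > WINDOW:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000                      # constructed clock value
    rp = ses_sign("alice", "example.com", t0)
    print(rp, ses_verify(rp, t0 + 60))              # legitimate bounce: ok
    print(ses_verify(rp, t0 + 3600))                # same address replayed: ok
    print(ses_verify(rp, t0 + WINDOW + 1))          # after the window: expired
```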