Spam Philosophy (was: Re: [lug] Getting mail out of the Qwest/MSN mire)

Sean Reifschneider jafo at tummy.com
Mon Jul 10 23:19:08 MDT 2006 

On Mon, Jul 10, 2006 at 08:17:29PM -0600, Nate Duehr wrote:
>SPF's a dud.  Plenty of spammers out there using rotating IP's and  

I presume you mean rotating domains?  Because you can't just use a
collection of IPs and get arbitrary sender domains to pass the check.

SPF is probably the fastest and most effective things a domain owner can do
to prevent the spoofing of their domain.  As someone who's had to deal with
tens of thousands of bounces on a weekend because some idiot sent out an
advertisement for their cookie recipe using the sender address yummy in
tummy.com, this matters to me.

>from real places like Yahoo and MSN also and those pass the SPF  
>record test, if I remember correctly.  Complaints to their abuse  

Sure, but spammers and viruses who have been hijacking other peoples
domains have basically been shut down by SPF.  Doesn't seem like a dud to
me...  Sure, spammers can still get yahoo addresses, but it's allowed
domain owners to "take back" their domains.

>Don't know - that's one of the challenges.  :-)  It's time to figure  

Fair enough, but I don't see an obvious solution and the effectiveness of
signed messages revolves around the identity issue.  I don't see a solution
to it.  Even if you have to pay for identities, you will find someone who's
will to pay for it or who is going to steal them.

>How do any biometric systems know this?  (Other than personal  
>identification of people standing at the entranceway to a data- 
>center...)  Another challenge.  Maybe your biometric devices need to  
>be better, they eventually will be.  :-)

It depends on the biometrics system design.  If it's implemented in
hardware, like a smart card or the IBM Embedded Security Subsystem, where
the key and biometrics are embedded in the hardware and you pass the auth
information to it, it signs it and you get a single-use response, it's
good.  However, if the biometrics are implemented largely in software with
a reading device, you can read it just like you can sniff a password with a
software keylogger.

>Very good point... but still doesn't answer the question WHY NOT know  
>EXACTLY who's servers passed a message to you?

I have no objection to it being there, I just don't have a use for it.

>It's also not like e- 
>mail being anonymous is rarely if ever REALLY needed, ever.  I'm sure  

I agree there.  We can't simply say that there shall be no more anonymous
e-mail.  Many people make use of it for various, legitimate, reasons.

Did I tell you last week we received a phone call from someone saying they
were responding to a web inquiry on load-balancers?  Turns out it was
because I had done a search for that term, clicked on this places web site,
and left.  They used my reverse DNS to track down a number to call, simply
because I clicked on a link to their site from google.

More and more places, google included, are collecting more and more
information about us, and there are legitimate reasons to try to interfere
with those.

So, yeah, I agree that we need to preserve anonymous e-mail.

Thanks,
Sean
-- 
 Any technology distinguishable from magic is insufficiently advanced.
                 -- Gregory Benford
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability

More information about the LUG mailing list