Re: spoofing email addresses

> As the AD who sponsored this work, I have to disagree.   ...
> The recent interim meeting resulted in an agreement to work on
> a converged spec taking ideas from SPF and Caller-ID.

Why?  These are latecomers to the field.  Or is it because of this:

<http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=21100498>

	Microsoft To Merge Caller ID With SPF Anti-Spam Scheme 

	Microsoft on Tuesday agreed to blend its Caller ID for E-mail
	anti-spam proposal with another of the leading domain
	authentication schemes, Sender Policy Framework (SPF).

	The company reached the agreement with Meng Wong, the author of
	SPF, to merge the two proposals into one specification that will
	be presented to the Internet Engineering Task Force (IETF)
	standards body in June.

	...

> I do believe there are some tractable pieces here we can pull
> off of the problem and solve, and I believe the working group
> is committed to that task, no matter who proposes the solution.

I think the working group is committed to the appearance of relevance,
and now that there's a moving juggernaut, it's become important to get
out in front of it somehow and appear to be leading.  From [ibid]:

	Both Caller ID, which Microsoft chairman Bill Gates first touted
	in February, and Wong's SPF would confirm the sender's domain.

	...

	"We're pleased to see Microsoft and the SPF community working
	together on a unified specification," said Andrew Newton,
	co-chair of the IETF working group that handles domain
	identification issues, in a statement.

If there's a more blatant example of rubber stamping in the history of
IETF, then I hope a better historian than I can share the archives with
me.  Right now there's an elephant in the room with us and it's called
"fully verified opt-in" and this elephant is somehow invisible.  Microsoft
has been doing verification for years now, so it's not as if they would
increase their costs or lose revenue if they just came out and told the
world to do the same.  Even Yahoo recently sent me a verify-o-gram, so
the tide is turning.  But still, the elephant remains invisible, and we
have a federal anti-spam law that allows unverified opt-out.

It's as though we want to stop forgery and make everybody run
nonexecutable stack segments in XP to prevent a bazillion bots from
relaying spam to us, so as to prevent "wild spam" and yet, by dint of
ignoring the invisible elephant, ensuring that it will always be
possible for "reputable" companies to spam like crazy.  Which always
made sense to me during the years when Microsoft wasn't doing
verification, but it doesn't make any sense to me any more.

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
