E-Mail Authentication Will Not End Spam, Panelists Say

Thu Nov 11 22:16:39 PST 2004

Thus spake R.A. Hettinga (rah at shipwright.com) [11/11/04 16:29]:
: Several executives and academics speaking at a forum sponsored by the
: Federal Trade Commission said criminals are already steps ahead of a major
: initiative by e-mail providers to counter those problems by creating a
: system to verify senders of e-mail.
: 
:  In theory, such an authentication system would make it harder for spammers
: to disguise their identities and locations in an attempt to avoid being
: shut down or prosecuted.

(Having watched the IETF group for a while, and spent much time fighting
spam...)

No person who is pushing for SPF believes that it will reduce the volume of
spam.[1]  What SPF *does* do is make it easier to track it down -- the From
address will actually match the domain it was sent from.  This makes the
Abuse department's job *much* easier, as in theory, any spam complaint you
receive about your domain will be *from* your domain.

While this doesn't always mean you have a spammer in your midst, it /does/
mean that the piece of mail in question /did/ come from your networks, hence
it is something you can track down without worry about wasting time that
would be better spent elsewhere.

Arguably, this doesn't gain the anti-spam fighters anything, as the spam
still comes from somewhere.  But if you lay out the seriousness of the
problem to your subscriber, the chances of a repeat offense (which, ideally,
would result in account termination) drop to very close to zero.  This is
also something that ISPs can combat internally, such as forcing SMTP
authentication (which, granted, opens up a whole other bucket of worms), not
allowing outbound SMTP connections (unless explicitly granted), or having
only a web interface to e-mail (thus blocking all outbound SMTP connects,
even to their own mail servers, period).

The 'criminals' aren't necessarily 'steps ahead' -- they're just working
within the SPF framework, and doing exactly what SPF wanted them to do.  SPF
is *one* step towards limiting the volume of spam, but it in and of itself
does not.  There are a great number of other tools that, when combined with
SPF, can and do make a difference in the spam volume being sent.  Yes, each
tool has drawbacks, and I'm not going to claim otherwise.  But for the 95th
percentile, they won't really notice a difference.  Until their account is
cut off, that is.

[1] Any person who claims otherwise just plain doesn't understand SPF or its
goals.  Unfortunately, a few people have claimed that SPF will cut down on
the spam volume, and this take was snapped up by the media and subsequently
pushed out as the primary goal of SPF.  It is, AFAIK, generally agreed that
to cut down on spam volume, we need a whole different protocol from SMTP.