AOL Will Not Support Sender-ID
DominoTree writes "America Online said Thursday that it will not support the Microsoft-backed antispam technology called Sender-ID. The online giant cited 'lackluster' industry support and compatibility issues with the anti-spam technology SPF that AOL supports."
Sender ID Framework
SPF is just as effective as Sender-ID for the general internet and is MUCH easier to implement. I am a consultant for quite a few small non-profits and so far I haven't charged any of them for setting up SPF records since it's generally a 2 minute process to create the record (at the most), and an email or a 2 minute phone call to their DNS provider. Sender-ID would force me to do some actual work which would in turn cost my customers money.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Well, I'm glad that people like it the second time around. Would be good if I got credit up front!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
It's not that it is from Microsoft, not that it's patented, but that it's patented with a special license and it has unclear specification. The current license does not allow the transfer of the rights to a third party - therefore making it unimplementable on GNU Public Licensed programs. GPL requires that any modifications must be passed on for free (if you ever want to pass it on), and MS license doesn't allow copying the source code and the license. Therefore, you can't implement Sender-ID for anyone else but for yourself.
Also that wiggle room around the specification is an alarming thing. MS - with many other companies - have shown that any gaps in the specification can and will be used by companies in competition. Given a chance, suppliers will make their product incompatible with other suppliers' products if they have the market share - thus increasing their market share further.
If we give them the power to choose what programs can deliver mail in the Internet, who are we going to blame but ourselves if they want to (ab)use that power? Instead, if they break an existing standard we can point our finger at them and say that their product does not meet the standard and therefore it's their fault that interoperability fails.
?SYNTAX ERROR
I'm not exactly a proponent, but I can respond to most of his points:
* SPF breaks pre-delivery forwarding.
SPF doesn't break pre-delivery forwarding at all, you just need to include the machine forwarded to in your SPF record.
Post-delivery forwarding is a problem, but at least in theory, it can be solved by only checking SPF records at the first receipt point,
or by having a smart checker that knows about your forwarding.
I.e. if Alice is sending to Bob, then there's a point at which the message leaves Alice's control, and enters Bob's.
Before that point, Alice can adjust her SPF record to include all possible points of egress.
After that point, Bob needs to check based only on the IP that entered his realm of control.
This may be hard for Bob to do, or beyond his understanding, but that doesn't mean it's impossible.
* SPF hijacks existing DNS mechanisms.
Bullshit. SPF uses TXT records.
It's even RFC 1464 compliant, so it won't interfere with other TXT records (unless someone's already created the "v" tag)
It could have been made less likely to collide by using "spf1=" instead, but it doesn't hijack anything.
* SPF gives ISPs a "lock-in" weapon against their customers.
This one baffles me.
If you're using the address bob@example.com, then example.com already has you by the balls.
If you're using bob@vanitiydomain.tld then you are in control of your own SPF record, and can switch it to anything you like.
* SPF is useless for several entire classes of people.
That would be anyone who sends direct-to-mx email from random IPs.
Those people will have to change.
Sorry, sucks to be you.
The percentage of people in this class is very near zero.
* SPF relies upon DNS for security, but DNS isn't a security service.
Yeah, so?
No one said SPF was perfect, they said it was better than what we currently have (nothing.)
Spoofing DNS, while possible, is considerably harder than forging a from address.
If this were really a concern, we'd already have adopted one of the many "secure" DNS alternatives.
* SPF is vulnerable to race conditions during database changes.
Yeah, so?
So is email in general.
* SPF creates new categories of third class citizenship.
Sheesh - time to break out the tin foil hat.
The purpose is to discriminate against people who forge addresses.
I suppose some people will try and push all kinds of crap into, around, and on to SPF - but it's really innocuous as these things go.
* SPF doesn't actually address unsolicited bulk mail at all.
That is correct.
SPF is a tool against forgeries only.
It doesn't directly prevent email delivery at all.
* SPF hands Verisign its next unwelcome "innovation" on a platter.
If that's the worst thing you can think of for Verisign to do when they have complete control of the DNS system, then I have no respect for your imagination.
Verisign could create SPF records for existing domains.
Verisign could make resolving TXT records a "premium" service which costs money.
Hell, Verisign could just raise the fees for owning a domain name in
Yes, Verisign is an evil monopoly with near total control over the domain name system, and they can fuck you over at any time.
Get over it.
SPF didn't make them that way, nor will it contribute to their general evilness.
-- should you question authority?
SPF isn't an AOL technology - it's an open project. The core of the protocol seems to be adding some extended information in your DNS records.
SPF website
Regards,
Denny
Police State UK - news and