The UK legal system is not the place to start frivolous lawsuits unless you have no money to start with and so won't be worse off if you get made bankrupt.
The point that you are missing is that once we have SPF, we will know where the messages came from.
We can then use reputation-based systems to determine whether we want to accept mail from any particular source.
Since the zombies will be forced to send through the client's legitimate mailserver, ISPs whose mailservers routinely relay zombie spam will quickly get bad reputations. This will lead to pressure on the ISPs not to relay that spam.
This in turn will force those ISPs to solve the problems within their own networks -- in turn putting pressure on the users who allow their systems to be compromised.
If these users don't do something to secure their systems, the ISP will prevent them from using their mailservers.
The users will then either have to learn to secure their own systems, put pressure on vendors to supply secure systems, or switch to other vendors who already provide secure systems.
It all helps to slowly move the problem back up the chain to those who are causing it.
Cheers,
Nick
Both unipod and monopod are in common usage to describe a stick that you use to hold a camera steady.
But why quibble? Let's just agree to call it "unbalanced". As one might also describe the mental state of anyone who's bought SCO stock recently.
Do consider Debian-based distributions, as part of Debian's goal is to enable others to produce such beasts. While Debian aims to be available on many architectures, the people who are creating distributions based on Debian don't have to worry about this, and so can spend their effort on making it easy to use/install/whatever rings your bell instead.
Not that Debian 'proper' isn't trying to become easier to install etc., just that it isn't top priority.
So we're all safe then... oh, wait...
> You should be able to just go to a local record
> store and have a blank CD-R burned with your
> selections, then and there.
Please, no!
If only because burnt CDs will last for a fraction as long as properly pressed ones. Your selected burnt-on-demand albums *will* be completely unusable long before traditional-style pre-pressed ones would be.
How many times do you want to have to pay for that music? Do you really want to lead us down the path that ends with pay-per-listen? (via replace-your-knackered-CD-every-year, subscribe-to-our-download-service-cos-it's-far-more-convenient-than-those-crappy-CDs, and finally streaming-music-doesn't-fill-up-your-harddisk)
I also actually happen to like having the complete package (when it's done properly). The design, lyrics etc. are all part of the overall "work". It took a long time for album package design to adapt from vinyl to CD, but the good designers out there have certainly caught on to some of the possibilities that CD packaging offers.
Insist on quality, not just short-term convenience!
As you say, SMTP servers should only send messages that they can accept responsibility for. The problem is that spam doesn't usually come from a responsibly-run SMTP server; it's likely to come from a pretty much random IP address.
With SPF, that IP address has to be listed as a valid mail originator for a particular domain (the one that it claims to be sending mail from).
So, what's to stop a spammer setting up a domain and publishing SPF info for it? Well, nothing. But it won't take long for that domain to be blacklisted. And if they try to send mail pretending to be from other domains, SPF will help us detect it.
So the spammers will have to register domains and set up SPF for them.
For a legitimate user, it's a one-off effort to set up SPF for their domain. For a spammer, it will be a continuous drain of time and money setting up new domains to replace the ones that get blacklisted. There will also be the bonus that they have to publish some kind of contact info in the whois for their dodgy domains. Even if registrars often don't currently ensure that accurate info is included in whois, that will come, and in the meantime it will still be easier to track the spammers down, harder for them to employ hundreds of clueless morons to do their work for them, and more expensive for them to spam.
"Broken SMTP" and "don't know much about the internet" my arse. Actually, there are several people who do know a hell of a lot about the Internet involved in this, and the problems (yes, including the one you mention) have been considered. I'm afraid I can't remember how it gets round that particular problem, though; you'll just have to read up on it yourself.
Don't worry, it's still being actively worked on. In fact I believe there is work going on with the IETF's ASRG (Anti-Spam Research Group) to integrate some of the various proposals (SPF, DMP, RMX, whatever) together.
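The SPF check the posts above describe (the connecting IP must be listed as a valid originator for the domain in the MAIL FROM), as an added example that is not code from the thread: a minimal evaluator in Python, run against a constructed in-memory DNS table so it works offline; all domain names and addresses below are made up.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table (added example).

DNS_TXT stands in for real DNS lookups. Supported terms: ip4, ip6, include and
'all' with the +/-/~/? qualifiers; redirect, macros and a/mx are out of scope.
"""
import ipaddress

# Constructed zone data (not real domains): domain -> list of TXT records.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:203.0.113.5 ~all"],
    "nospf.example": [],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 record for domain, or None if zero or several."""
    recs = [r for r in DNS_TXT.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Decide whether ip may send mail claiming to be from domain.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                # cap nested includes so a loop cannot recurse forever
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"             # domain publishes no usable SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)   # matches only on a nested 'pass'
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"    # mechanism this minimal evaluator does not support
    return "neutral"              # nothing matched and the record has no 'all' term
```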
Do behave. TMDA is a ridiculously bad idea.
I, and many others I know, will practically never bother to respond to TMDA challenges.
Oh, and in case you were wondering, many of the people I'm talking about are the kind who spend hours of their precious time helping people out and answering questions on mailing lists. When you spend half an hour trying to help someone out only to be presented with a TMDA challenge, the last thing you feel like doing is responding to it.
Unless you can configure TMDA (or whatever other dodgy challenge-response system you choose) so that it will always let responses to your outgoing messages in without challenging (and very few people seem to get this right), DON'T DO IT.
It's just rude.
Seriously, google around for a while and you'll see what I mean.
> This is a BAD idea. What happens when I have 3
> different email accounts that I use for different
> things, and I want to send mail from each of them
> from my home ISP? Sure, each email provider can
> provide a secure SMTP for me to log into, but this
> sounds like a lot of work.
Actually it's a very good idea.
A lot of work? For the ISPs? Or for you?
Setting up an authenticated SMTP server is not hard, and the cost -- compared to the costs that ISPs are forced to incur to deliver spam -- would be small.
For you? Just go into your Outlook (or whatever) preferences and edit the outgoing server. Big deal.
As for spammers getting round it, sure they can forge their mail as if it were from someone else at the same domain. But the admins of that domain will have their server logs and will know who to go after.
And the fact that the spammer will only be able to post from a domain he (any "she" spammers out there feeling hard done by, do speak up) controls will greatly reduce the number of bounces you and I get from spam that pretends to be from us.
So, overall, while SPF won't stop spam, it will help, and it will introduce a lot more accountability into the email process -- which can only be a good thing.