E-Mail authentication fight looming: Microsoft pushing Sender ID

Not wanting to throw gasoline on an already raging e-mail
authentication fire, but it _does_ look like a fight is
gearing up between DomainKeys Identified Mail (DKIM), a
joint effort between Cisco, Yahoo and a number of other
vendors, and Microsoft's Sender ID scheme.

http://abcnews.go.com/Technology/wireStory?id=872527

[and]

http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=207abd98-7bf7-455b-bedf-bf75871b73c9&newsType=Latest%20News

- ferg

> http://abcnews.go.com/Technology/wireStory?id=872527

Microsoft had this working even one year ago (i.e. they showed presentations
in private with those yellow warning tags), but going public with this and
corresponding press announcements right now likely has to do with the fact that
the IESG is reviewing SID drafts (their teleconference is tomorrow) and MS wants
to put more pressure on them because so far it's failing to gain enough votes
because of technical problems with the SID scheme and that it wants to reuse
v=spf1 without proper authorization of domain owners in an incompatible way:
  https://datatracker.ietf.org/public/pidtracker.cgi?command=print_ballot&ballot_id=1573&filename=draft-lyon-senderid-core
(whereas SPF itself has more votes and might actually pass, though barely)

For more info on what MS and SID is doing wrong see:
  http://www.openspf.org/OpenSPF_community_position_v102.html
  http://www.gossamer-threads.com/lists/spf/discuss/19859

P.S. It would really be great if IETF remained true to its origin
and goals and did technical reviews and selected proposals based on
the technical capabilities and not on what large company is exerting
pressure on them (especially not by means of press announcements).
But I guess "E" is now turning more and more into "V", see:
  http://www.merit.edu/mail.archives/nanog-futures/msg00019.html

> Not wanting to throw gasoline on an already raging e-mail
> authentication fire, but it _does_ look like a fight is
> gearing up between DomainKeys Identified Mail (DKIM),

The real fight is to find ANY techniques that have long-term, global benefit in reducing spam.

Yes, advocates for particular techniques are getting aggressive when they have any leverage, but the market tends to be good at marginalizing schemes that do not really provide benefit.

It's a big network out there.

Yes, it would. It would also be great if the IETF realized that there is
really very little need for email authentication: (a) forgery is a minor
problem compared to spam, and even solving the forgery problem completely
(which isn't gonna happen) would have a temporary and negligible effect on
spam; (b) the authentication problem can't be "solved" anyway until the
complete lack of security on hundreds of millions of network endpoints
is "solved"; and (c) the originating IP address of any SMTP connection
tells you _exactly_ who is responsible for that traffic, whatever it
turns out to be.

---Rsk

[late followup, sorry]

> The real fight is to find ANY techniques that have long-term, global
> benefit in reducing spam.

We've already got them -- we've always had them. What we lack is
the guts to *use* them.

As we've seen over and over again, the one and only technique that has
ever worked (and that I think ever *will* work) is the boycott --
whether enforced via the use of DNSBLs or RHSBLs or local blacklists or
firewalls or whatever mechanism. It works for a simple reason: it makes
the spam problem the problem of the originator(s), not the recipient(s).
It forces them to either fix their broken operation (any network which
persistently emits or supports spam/abuse is broken) or find themselves
running an intranet.

We've known that this works for 20-odd years. It hasn't stopped working;
what's stopped is the willingness to use it en masse, and to endure the
consequences thereof. And no new technology, however clever, is a
substitute for the will to make this happen when necessary.

I grow rather tired of people whining about the spam (and abuse) problem
on the one hand...while refusing to take simple, well-known, and proven
steps to push the consequences back on those responsible for it. While we
may no longer be in a position to remove particularly egregious networks
from the Internet, we most certainly are in a position to remove the
Internet from them via coordinated group action -- producing an
equivalent result.

It's gonna come down to this sooner or later anyway. We might as well
do it now, rather than waste another decade fiddling around with
clever-but-useless technical proposals and worthless legislation
while the problem continues to proliferate and diversify.

---Rsk

> I grow rather tired of people whining about the spam (and abuse) problem
> on the one hand...while refusing to take simple, well-known, and proven
> steps to push the consequences back on those responsible for it. While we
> may no longer be in a position to remove particularly egregious networks
> from the Internet, we most certainly are in a position to remove the
> Internet from them via coordinated group action -- producing an
> equivalent result.

It's the group interaction this requires that is the problem. For
instance, as a small ISP, it's hard to make a difference at all if you
block someone like, say, Comcast or Verizon (not pointing fingers,
just using examples) ... A small ISP could conceivably put
themselves out of business doing something like that.

Coordinating something like that is difficult to begin with, but if
you're on the receiving end, I'm sure there will be lawsuits involved.
Regardless of the legality, a lawsuit costs money, money a smaller
ISP may not have.

Then there's the problem with getting everyone to agree to block
someone .. Not everyone is going to agree that company X needs to be
blocked.

Overall it's a great idea, but I don't think it's practical ... I've
stuck to using blocklists and intelligent filtering. I've spent a
great deal of time over the past few years developing our system and I
think it's doing a fine job at the moment. :)

> As we've seen over and over again, the one and only technique that has
> ever worked (and that I think ever *will* work) is the boycott --
> whether enforced via the use of DNSBLs or RHSBLs or local blacklists or
> firewalls or whatever mechanism. It works for a simple reason: it makes
> the spam problem the problem of the originator(s), not the recipient(s).
> It forces them to either fix their broken operation (any network which
> persistently emits or supports spam/abuse is broken) or find themselves
> running an intranet.
>

I agree that the "boycott" approach is effective. It does not, however, completely resolve
the issue that is SPAM. First and foremost, it does not make the spam a problem of the
originator at all times. The issue is directly illustrated with smtp servers
that are RFC ignorant and don't notify the sender that an error occurred. Sure, there's
not too much work involved, I'm asked about a message that was supposed to be delivered,
nope it wasn't, must be an issue on your end. It still requires me to look into the
problem. The second issue with boycotting, is the false positives. And DHCP makes
this a nightmare issue because some blacklists are retarded about how long entries
are left in the list.

Quite honestly, I think a good blacklist lookup and some sane bogon filters is
relatively effective. Just be careful about what blacklist sites you use.

Some blacklist sites require you to pay them to have entries removed. You can guarantee
a lot of false positives arise from using sites like these.

Or simply build your own. Rich is correct. The design and technology has been in
place for at least a couple of decades. It does work, for the most part.

Tim

The looming battle is not about a reluctance to utilize reputation.
This "authentication" effort is a shift from using the remote IP address
into utilizing the domain name. This changes the nature of how
reputation affects shared servers. A name is more specific, and at the
same time, more pervasive. This change to the use of domains is
progress.

However, path registration is really just an "authorization" mechanism.
Calling this an "authentication" mechanism presumes the domain owner
enjoys exclusive use of their domain on the server. While this may
satisfy the typical bulk email distributor, the average domain owner may
discover they remain prone to forgery. Such domain owners may also be
harmed publishing server authorization in this case, while creating a
support nightmare.

The user-feedback reputation schemes suggested overlook the uncertainty
created when which header or parameter being assured by the sender is
unknown, or when domain exclusivity is not maintained at the server. In
an era where networks are often populated by zombie systems, this
oversight is troubling. Unless the domain owner administers their own
servers, and doesn't expect messages to forwarded accounts not to be
lost, then they should consider using a signature based alternative
instead. In addition, signatures will likely represent less overhead
than path registration.

Path registration, due to the need to place higher priority on unseen
headers, will not offer effective anti-phishing solutions either.
Signature based alternatives again hold greater promise for
anti-phishing as well. There are few email recipients that do not use
various types of black-hole lists. As this battle shifts into using
domain names, be careful. Make sure you can defend your domain's
reputation. If not, a name-based reputation system directing your
domain's email to a "junk" folder will have you longing for the good
ol' days of black-hole lists.

-Doug
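
The distinction drawn in the message above between authorizing a server and authenticating a sender, as an added example that is not part of the original thread: a minimal SPF-style path check (only `ip4` and `all` are evaluated) run over constructed records in which two hypothetical domains, bank.example and tenant.example, share one provider's outbound range. The function names, domains and addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF-style records (example.* names, RFC 5737 addresses).
# bank.example and tenant.example both send through the same shared provider range.
RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "tenant.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "selfhosted.example": "v=spf1 ip4:203.0.113.10 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_path(domain, client_ip):
    """Evaluate ip4 mechanisms and 'all' only; return an SPF-like result string."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            continue  # other mechanisms are out of scope for this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def evaluate(claimed_domain, client_ip, actual_sender):
    """Return (result, forged). 'forged' is ground truth the receiver never sees."""
    return check_path(claimed_domain, client_ip), actual_sender != claimed_domain


if __name__ == "__main__":
    cases = [
        ("bank.example", "192.0.2.25", "tenant.example"),   # co-tenant on shared server
        ("bank.example", "198.51.100.7", "zombie host"),     # unauthorized address
        ("selfhosted.example", "203.0.113.10", "selfhosted.example"),
    ]
    for claimed, ip, actual in cases:
        result, forged = evaluate(claimed, ip, actual)
        print(f"{claimed:20} via {ip:14} -> {result:5} forged={forged}")
```

The first case passes although the message is forged: the check confirms only that the shared server is authorized for the claimed domain, so any reputation earned by that message accrues to bank.example.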

No, the *point* of the boycott is the "false positives". ISPs *will* react
when their general users find themselves unable to send e-mail because the
entire netspace of the offending ISP is blocked (boycotted).

Blocking only a small subset of an offending ISP, in order to isolate the
block to only the downstream spammer, is not a boycott; it's looking the
other way.

(I may believe in the principles here, mind you, but I'm far too small to
make a point. A workable net-boycott absolutely requires that action be
taken by a non-castrated 800lb gorilla.)

Having lots of vocally unhappy customers == castration?

  The obvious response is to say "well, think about how unhappy
  they are with all the spam" -- but that's not how it works in
  the real world. Instead, the customer STILL gets tons of spam,
  and is incensed that they can't e-mail Aunt Tillie whose only crime
  is to use the same ISP as some zombied machine.

  Boycotts worked great back when spammers were stationary and
  users were more complacent, but spam sending techniques have
  evolved a lot in the past ten years.

No, "castration" here means not having the bollocks to instigate a mail
block against an entire remote ISP (even for a short time) so that the
offending ISP will wake up and take notice.

And, of course, *sending* mail to the offending ISP is unaffected. 8-)

Of course, this sort of response is the kind that is only warranted in
principle when a cesspool gets really bad. That's unfortunately subjective,
but a network with several *hundred thousand* zombied boxes, and doing
nothing about it, would probably qualify. As would a provider collecting
pink contracts by the pallet.

A lot of them are still stationary. You may see lots of traffic coming
from spam proxies but these are all controlled by farms of servers and
ISPs hosting these farms know what these servers are for and let it be.
They are just happy they don't get reports about it any more and their
hosting of such customers can be hidden and behind the scene ...

It depends, of course, on who is doing the spam filtering.

I've seen several people I respect, doing good and sensible filtering
that is as surgical as possible, but remarkably effective given that
this filtering is applied at 800 lb gorilla sites.

I've also seen some people, with root and/or enable on remarkably
large networks, who don't realize that good spam filtering is not just
knowing the syntax for "access list 101 deny" or "vi /etc/mail/access,
then makemap hash access.db < access", and who I wouldn't trust to be
postmaster@etch-a-sketch, let alone on a production cluster of
mailservers.

Kind of the difference in effect that a fused bundle of dynamite has,
when it is used by

* A trained mining engineer
* Wile E Coyote

Though, to be fair, Wile E affects only himself, and he's back up and
running within seconds even though he's interestingly blackened with
frizzed eyebrows and smoking whiskers. Dumb spam filtering affects a
whole lot of innocent users, a lot more than a dynamite blast or a
fall off a high cliff into high voltage power lines seems to affect
Wile E.

--srs

> > The second issue with boycotting, is the false positives.
>
> No, the *point* of the boycott is the "false positives". ISPs *will* react
> when their general users find themselves unable to send e-mail because the
> entire netspace of the offending ISP is blocked (boycotted).

> It depends, of course, on who is doing the spam filtering.
>
> I've seen several people I respect, doing good and sensible filtering
> that is as surgical as possible, but remarkably effective given that
> this filtering is applied at 800 lb gorilla sites.

Which is exactly what I said, too. One particular gorilla has at least
started to enforce long-established RFC "standards" that most folks blindly
ignored out of laziness for years.

> I've also seen some people, with root and/or enable on remarkably
> large networks, who don't realize that good spam filtering is not just
> knowing the syntax for "access list 101 deny" or "vi /etc/mail/access,
> then makemap hash access.db < access", and who I wouldn't trust to be
> postmaster@etch-a-sketch, let alone on a production cluster of
> mailservers.

And this is the problem -- but then, such miserably inept admins are usually
also responsible for the *outflow*, and are thus working for a highly
intersecting set of ISPs that should be targeted for escalation, "collateral
damage", "false positive" blocking in order to get them to wake up and read
documentation for once....

I'd not be too quick to blame them considering that they are after all
supposed to be on the same side we are. And because Occam's razor is
always in mind.