This content was published by Andrew Tomazos and written by several hundred members of the former Internet Knowledge Base project.

uhm, SPF?

I've seen similar systems doing what you described already, out in the wild. I think it works fine (assuming the significant setup requirements were met) but it seems all we need is enforcement of SPF (Sender Policy Framework).

What you've proposed is a hack for a system that presumes mutual trust in a small community (academics sending email in a world with 10,000 email accounts). It also is annoying to human users, and that's the most important drawback. I want my email address to be root@turingstudio.com, not root-fds9a8s79a8sd7@turingstudio.com

Since there is no policy body that can guide implementation of SPF (IETF isn't really "good enough") - I think it will be an alliance of a bunch of large providers: earthlink, aoHell, M$, g00, etc. It would be very easy to transparently control spam by enforcing SPF, since 99% of spam originates from IPs in dynamic blocks assigned to big dsl and cable providers.

Enforcement of SPF would make spammers immediately visible and their infrastructure would collapse from attack, not to mention lawsuits ;) Just do a quick reverse lookup on the domain the connection is claiming to be from and get the SPFs, then check to see if it is allowed and deny the connection outright if it isn't. When SPF is enforced by large providers, it will automatically become a requirement for everyone else, which I think is great. Most authors of widely used MTAs are implementing it now.

Spam is an infrastructure problem, and really should never need to be exposed to joe-user.

[The problem with SPF is the same as digital signing. It requires that all your correspondents use it in order for it to be effective. This is not practical. Segmail works whether or not your correspondents also use Segmail. AT]
