DMARC -> CERT?

Rich Kulawiec rsk at gsp.org
Mon Apr 14 20:58:31 UTC 2014


On Mon, Apr 14, 2014 at 10:33:40AM -0700, Matthew Petach wrote:
> So, I take it you prefer a world in which there's no sender
> validation, and receiving floods of spoofed sender email
> spam is just part of the price of being on the internet?

Sender validation means NOTHING in a world with hundreds of millions
of bots and hundreds of millions of email accounts that are either (a)
hijacked or (b) created at will by the bot herders.  My spamtraps see
spam all day every day from all over the world that passes whatever
alleged "sender validation" technology is the flavor-of-the-month.

Can it work in some isolated edge cases?  Sure.  Can it work
on an Internet scale?  No.

As I've said many times, email forgery is not the problem.  It's a symptom
of the problem, and the problem is "rotten underlying security" coupled
with "negligent and incompetent operational practice".  But fixing that
is hard, and nobody -- not Yahoo and not anybody else either -- wants
to tackle it.  It's much easier to roll out stuff like this and pretend
that it works and write a press release and declare success.

---rsk



