> On 17 Aug 2020, at 12:25, Alessandro Vesely <[email protected]> wrote:
> 
> On Mon 17/Aug/2020 11:46:55 +0200 Laura Atkins wrote:
>> 
>> The forum page is off the FTC website, but the document links are 
>> still accessible:
> 
> 
> A copy is here:
> https://web.archive.org/web/20120603201012/https://www.ftc.gov/bcp/workshops/e-authentication/
> 
> A sentence says:
> 
>    The Report, however, identified domain-level authentication as a
>    promising technological development that would enable Internet
>    Service Providers (‘‘ISPs’’) and other domain holders to better
>    filter spam, and that would provide law enforcement with a potent
>    tool for locating and identifying spammers.

And, 17 years on, we know that domain level authentication doesn’t actually 
help filter spam nor does it provide law enforcement with a potent tool for 
locating and identifying spammers. It was promising, it didn’t live up to the 
promise. 

There were a lot of things thrown at the wall during those 3 days of talks. One of 
them was domain level opt-out. Another was a global opt-out list similar to the 
postal opt-outs run by the DMA. Another was a technology called TEOS. HashCash. 
The list of things we discussed as promising solutions was extensive. Just 
because we discussed a particular kind of solution does not mean that anything 
was decided. It also doesn’t mean that any particular solution mentioned was 
workable. 

>> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day1.pdf
>> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day2.pdf
>> https://www.ftc.gov/sites/default/files/documents/public_events/ftc-spam-forum/transcript_day3.pdf
> 
> 
> Thanks.  Let me quote a paragraph by Paul Q. Judge, from the 3rd pdf:
> 
>    It doesn't require that one day everyone turns it on and we begin
>    to drop the rest of the e-mail and break e-mail.  If a domain
>    decides to turn it on, then they've prevented forgery for their
>    domain and they're protected.  For persons that have not turned it
>    on, then their e-mail still flows but they are not able to
>    stop people from forging messages from their domain.  So, I think
>    it's something useful and can be deployed incrementally.

We know, now, that turning on domain level protection does not stop phishing 
attacks against that company. It stops direct spoofing of the domain, but the 
phishers simply use a completely different domain. Just this weekend I got a 
PayPal phish. PayPal, who helped invent DMARC, are still getting spoofed and 
phished. Sure, the phishers aren’t using the paypal.com domain, but that 
doesn’t seem to have any effect on their success at stealing money from 
people. 

> It seems we're still stuck midstream...

Stuck at what? Many of the people who were at that conference are still working 
in the field and understand both the purpose and what came out of the forum. 
I’d also say that most of what happened there is a nice bit of history but is 
also irrelevant to addressing the spam problem as it is now. Email has evolved 
significantly in the last 5 years, much less the last 15. We can use the 
discussion as history to say “we looked at this and it didn’t work” but I don’t 
really see a lot of value in saying “let’s retread things from a decade and a 
half ago that didn’t work.”

laura


> 
> 
> Best
> Ale
> -- 
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
[email protected]
(650) 437-0741          

Email Delivery Blog: https://wordtothewise.com/blog     






