free registration required: http://www.nytimes.com/2003/10/06/technology/06SPAM.html
If you don't want to bother with that, the idea is to try to earmark mail as legitimate (the way Habeas does) with some kind of certificate.

excerpt:

"The upper hand is probably held by the four largest service providers, Microsoft, America Online, Earthlink and Yahoo, which have been meeting since April to try to define spam fighting standards. They say they must go slowly out of respect for the decentralized nature of the Internet (and on the advice of their lawyers).

"We're very self-conscious about being a big player in the e-mail business, and we don't want to be seen as laying out the law for everyone," said Brian Sullivan, senior director for mail operations at America Online. "We need to build a consensus around a framework."

aka, Len "the politically correct formula for inaction and failure".

( Len: this is so simple it must be naive, but why don't all of the big 4 start insisting that senders must conform to the credentials defined in the RFCs and "best practices", as AOL has done by insisting on PTRs? They wouldn't be laying down the law, just following the law laid down by the RFCs. Of course, something so free and easy and immediate would never be approved by a lawyer. )

"There is also a growing agreement that it is not enough for an e-mail sender to identify itself (Len: eg, via credentials). The sender must also earn the trust of e-mail recipients, by promising to follow certain standards and having violations tallied and published. That would let people choose to discard mail from senders with high complaint rates."
Exactly: while the (DNS) credentials approach, augmented by DSP/SPF, would essentially eliminate forgery, it would not eliminate spammers who have all the credentials + DSP/SPF but still send spam.

ie, credentials + DSP/SPF would be necessary (to establish a minimum level of trust), but not always sufficient to guarantee mail delivery.

ie, credentials would not excuse bad behavior nor prevent blocking.

The beauty of credentials is that you can block all the non-credentialled senders, eliminating tons of spam, and then use the credentials to identify clearly the spammers.

Len
