Here is a quick view of what I have been working on in my spare time :) I have been interested in anti-spam and anti-forgery initiatives for quite some time… some of the early writing in this journal is about spam and how we should be fighting it. One of the recent initiatives/proposals to combat forgery is SPF. I have been tracking it and staying active on its list, in addition to keeping up with SPAM-L and also participating in MARID, which is an IETF group checking out anti-forgery efforts with an eye toward publishing an Internet RFC.
Here is a summary of one recent event. Also, due to my persistent, positive presence on the SPF discussion list, and participation in a few in-person meetings, and possibly also due to my strategic Silicon Valley location, I was asked to speak on another panel next week in SF… I will keep everyone posted as to how that goes. /gregc.
The INBOX event took place over two days (I think) and I didn’t go to the whole show, but I attended the two evening sessions that were related to SPF. On the whole it was a *VERY* positive show for us. Here is a description.
I will be very brief in describing the first evening event, called “Accountability Symposium”. The event was organized by Margaret Olson (who represents Constant Contact and also some responsible email senders trade group).
Margaret Olson: Opening comments, description of the forgery problem.
Dave Jevans: Phishing
Omar Tellez: Overview of Anti-Abuse Working Group
Dave Crocker: History of SMTP
Andrew Newton: Overview of MARID working group
Meng Weng Wong: SPF and the New SPF/CID proposal
Harry Katz: Overview of CID, and more about SPF/CID convergence
Ray Everett-Church: Eprivacy Group
Miles Libbey: Overview of Yahoo Domain Keys
This symposium was intended to be a series of overviews, not a working session. The various speakers were each summarizing one particular effort, for the benefit of the general INBOX attendee audience. After the speakers were all done, they all sat in front and were subjected to questions from the audience.
Looking at the agenda you would assume that SPF wouldn’t get much air time, but I have to say, I think SPF and MS being united against forgery probably had the best impact on the crowd. SPF and CID were the subject of many questions, and many of the other speakers who did not come there to talk about SPF gave their words of encouragement anyway. In addition to the positive feeling generated by SPF/MS having a tentative agreement to work together, SPF and CID were also mentioned prominently in the MARID overview, and SPF was mentioned as a possible tie-in with Y! Domain Keys as well.
At least three questions fired at Meng about how this will work and when it will start working were answered with “It’s working now… but for those of you who would like to know more about what happens next, and what YOU can do, please be here tomorrow for the SPF BOF meeting.” About the third time this answer was given there was a bit of a chuckle that went around the room.
After the meeting, I went to dinner with Meng and a bunch of others, some of whom I didn’t actually meet. The Ethiopian place we were headed for was already closed, so we regrouped and headed for The Cheesecake Factory. (This restaurant kicks ass… if there is one near you, you MUST go.) A good time was had by all.
Those whom I can remember were probably either in the car I was in or seated near me…
Meng Weng Wong, Pobox
Martin, Inbox Technologies
Suresh R., Outblaze
Carl Hutzler, AOL
Dan Quinlan, SpamAssassin/IronPort
Add others whom I forgot or didn’t know for a total of 12 diners.
We talked about SPF a bit, but mostly we talked about spammers, anti-spam activists, and our favorite techniques for stopping spam. I got to shake hands with both Carl and Suresh, both of whom I admire from reading SPAM-L.
After a brief detour to get Meng’s ransomed luggage, we returned to San Jose and went our separate ways.
The second day was the SPF BOF (Birds of a Feather) session. The room was not packed as tightly as the night before, but I would estimate there were still about 100 or so people.
About the first half of the session was a quick overview of where we have come so far, and what we believe the next steps are, followed by a long series of questions from the audience, mostly of the form, “How are we going to get X person or group to do Y task?” Most of those were answered by someone actually from the group in question saying “Yes we can do that”, or in a lot of cases “Actually, we have already done that.”
There was also widespread repeating and approval for the ideas that
1. We are not trying to solve spam
2. We realize that stopping forgery will take a number of steps, possibly 10, 15, 20 or more, and that we can really only see the first 3 or so of those steps from where we stand now. In other words, the work we are doing is Necessary, But Not Sufficient to stop all forgery.
3. We are heading in the right direction. Minor course corrections are still possible, but we benefit more by keeping the fleet together than we would by going separate ways and arriving at an intermediate step sooner.
Notable mentions include:
We agreed to use “SPF-ID” as a working name for now.
Sendmail Inc. was represented by an exec and a couple of developers, all of whom said they were committed to implementing the new SPF-ID.
Carl from AOL announced that they would be using SPF to manage their whitelist entries, and that people wanting to be on AOL’s whitelist would be required to publish.
Dave Crocker gave a presentation. (Sorry I don’t have notes from that…)
Dennis Dayman from Verizon also announced that they were publishing records as well.
I personally spoke up a couple of times to raise points or questions.
1. We have talked a lot about the negatives of spam and abuse and the behavior we want to stop, as well as the things that might break. There is also a positive side to all this, and that is the positive benefit to users of seeing a validated address. We need to punch up this selling point and make this a positive side of our marketing message. We need to sell not just email professionals, but end users on the concept of verification. We need people to like it and tell others about it so that they will go ask their ISP, “Why don’t I have check marks showing validated emails?”
2. Large players can help the community at large by reporting their progress, as well as reporting the statistics of the mail that comes in. For example, if a large mail receiver says that their incoming mail still not compliant with SUBMITTER/PRA is 99% spam, that is useful information to everyone else. They can also tell who the non-compliant forwarders are and start to put pressure on them.
Meng announced that the official garment of SPF was the black poncho, and gave one to Carl and another to Dennis Dayman from Verizon.
Meng said: people can publish the SPFv1 stuff now, and implementors should get started with the SPFv1 spec. In terms of milestones, the new MARID stuff won’t be done till end of June or in fact August, but the SPFv1 semantics are at the core of the MARID work anyway so they can just repurpose the code when the time comes.
The final closing statement was a call to everyone to publish SPF records now, and a show of hands of anyone who is not able or willing to go back to their company and make sure SPF records get published. The results were encouraging: none :)
I managed to tag along with Meng and a few others, and this time we made it to Ethiopian food. The food was wonderful and the staff was great (Zeni Ethiopian on Saratoga Av.).
As a result of both days, I trundled on home, feeling quite positive about the future of SPF, CID, MARID, etc. (I should probably do another summary that covers MARID, interim meeting, merger talks, etc. I think MARID is going to turn out to be more important to us than even MS.)
Even after reading the list the last couple of days, I am still not discouraged. I am still quite optimistic.