Why ‘user authentication’ is a bad idea
Nick FitzGerald Computer Virus Consulting
download slides (PDF)
SPF, Caller-ID, Sender ID and DomainKeys are all, to varying degrees, user authentication schemes being actively pushed as anti-spam measures - things that will slightly change how we ‘do email’ but significantly reduce, if not eliminate, spam and keep it down. All such claims are based on a naïve belief in the power of ‘user authentication’ to beat ‘the spam problem’.
Sadly, the common claim that these approaches will greatly reduce spam is not only a misguided idealization of what may be achievable, but it is downright wrong-headed. The chance to make a buck may be behind one or two of the major players pushing for such solutions, but mainly the inability of these approaches to deliver what is so often promised is apparently due to abject ignorance of how the world is already really working in ways that render these proposals useless.
This paper will point out a few nasty facts about spam and spamming that the SPF, etc. folk have either entirely missed or chosen to ignore, then proceeds to explain why these realities not only make SPF, etc. irrelevant as ‘anti-spam’ approaches, but also all but entirely remove the real, but very small, advantages the more conservative sometimes claim for these approaches.
