Re: DMARC -> CERT?

[Leo Bicknell <bicknell () ufp org>]

On Apr 14, 2014, at 3:58 PM, Rich Kulawiec <rsk () gsp org> wrote:

> As I've said many times, email forgery is not the problem.  It's a symptom
> of the problem, and the problem is "rotten underlying security" coupled
> with "negligent and incompetent operational practice".  But fixing that
> is hard, and nobody -- not Yahoo and not anybody else either -- wants
> to tackle it.  It's much easier to roll out stuff like this and pretend
> that it works and write a press release and declare success.

I think you're on the right track, but still suggesting their is a
technical solution.  I submit there is not.

There is no car alarm that prevents all car thefts, no door lock that
prevents all burglaries.  No trigger lock that prevents all gun deaths,
no lane departure system that prevents all car crashes.

Spam cannot, and will never be solved by technological measures alone.
They can help reduce the levels in some cases, or "squeeze the balloon"
and move the spam to some other form.

Ultimately the way to reduce spam is to catch spammers, prosecute them,
and put them in prison.  The way we keep all of those other crimes low 
is primarily by enforcement; making the punishment not worth the crime.
With spam, the chance that a spammer will be punished is infinitesimal.
There are hundreds, or thousands, or tens of thousands of spammers for
every one that is put into jail.

If we'd put even 1% of the effort that's been thrown at technical measures
over the years into better laws, tools for law enforcement, and helping
them build cases we'd be several orders of magnitude better off than
technological solutions that are little more than wack-a-mole.

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail