Objections to Email Senders Registry

2 Oct 2005

1)  There is nothing new here.  We've seen it all before, and nothing has ever worked.  It's just another FUSSP.  Nobody will use the Registry, and it will fail for lack of participation.  Trust me.  I've been in this business for 20 years.

Resp:  The Registry uses existing technology, nothing new, just a more effective arrangement of the pieces.  The key differences are we have avoided some serious barriers, and provided the right motivators.  We are not depending on senders to take the first step.  The Registry will work well enough with default records.  It will work even better when senders fix their records, and they will be motivated to do that by the desire to limit their responsibility to just a few well-controlled IPs.

As for receivers, you are right, there is a lot of cynicism built up over the years.  Success in the initial rollout will depend on making it easy for receivers to upgrade their MTAs and spam filters.  The upgrades need to be thoroughly tested before the rollout, and there needs to be a professionally-managed website for education and support.  Some good PR might help also.  The cost of all this will be far less than the millions receivers will pay to use the Registry and far less than the billions we are wasting every year we let email abuse continue.

2)  The author needs to study how authentication works.  First, there is no such thing as a common identity that can be shared by all methods.  Second, all of the existing identities can be faked.  Repeat until it sinks in:  There is nothing in any email command or header that can be trusted.

Resp:  Using a Declared Identity or a Default Identity does not limit the choice of authentication methods.  What it does is reduce the uncertainty about the sender's intention, and provide a unique name for a Registry query.  The choice of authentication methods is made by the owner of the Identity in the Registry record.  Yes, a Declared Identity can be faked, but only if the true owner of the Identity allows that to happen.  Every sender has an IP address that can be captured during the mail transfer session.  To use the example in the article, it's as if the sender were saying "HELO, this is smithbarney.com, sending to you from <IP>."  If the Registry record under smithbarney.com doesn't authorize that IP (using a method chosen by smithbarney), we can assume the message is not from smithbarney.com.

A good analogy to the role of the receiver's border MTA is that of a border guard checking the IDs of travelers.  Currently, we have a system where the border guard cannot ask for an ID.  He has to check whatever IDs he finds in the traveler's bag.  When he checks those IDs against a central database, rejection means nothing.  It is common practice for travelers to carry many IDs, and there are legitimate reasons, or at least plausible excuses, for none of the IDs being valid.

The proposed Default Identity at least has no legitimate reason for being invalid, although still many plausible excuses.  The excuses will go away when it is advantageous for the traveler to not carry any invalid IDs.  It will be even better when most travelers *declare* their ID, and there is no excuse for it to be invalid.  That will happen when the border guards provide an express lane for these cooperative travelers.  It might also happen by legal mandate, but one of our goals is to make everything work voluntarily with minimum change in existing protocols.

3)  Central control = corruption.  Spammers will take over your Registry before it even gets off the ground.  They will register millions of domains with spam-friendly registrars, and generate lots of email to themselves just to run up good reputation scores for those domains.

Resp:  There is very little opportunity to corrupt the Registry itself – it is just a clearing house, not a Rating Service.  A properly-chartered organization will always be responsive to the needs of email recipients, even if the Internet is 95% owned by spammers, and that will never happen.

Some of the Rating Services will be corrupt, but receivers will figure out which ones they can trust.  The good ones won't be fooled by obvious tricks like sending tons of phony mail to themselves.  Their domain ratings will not be based on any fixed automatic formula that can be corrupted by gaming the system.  No doubt, rating services will have a challenge in dealing with fraud, DoS attacks, and legal harassment, but we have to assume that at least a few will be successful in separating the criminals from the legitimate domains.  All we need is a few good ones.

We need to get off this idea that spammers are some kind of invincible supermen.  They are a small and immature segment of the Internet getting away with this abuse only because we lack the will to stop them.

4)  The costs of the Registry will be enormous.  The last time they tried this, the fee was $2000 per year, and nobody signed up.

Resp:  The amazing thing about email abuse is the cost/benefit ratio.  It costs the victims about $1000 for every $1 in criminal profits.  If only we could get these Internet criminals to turn their talents to auto theft, we could cut the current costs, estimated at $22 billion per year, by a factor of 100!! :>)

If email recipients would spend $3 per year to support the Registry, we would have a billion dollars a year to work with.  That is far more than we need.  Legitimate users of email have far more economic power than the abusers.  The Email Senders Registry will allow some of that power to be focused on getting reliable identities and reputations on senders.  Rating Services will do whatever they must to provide reliable ratings, and the cost of doing it will be easily paid out of subscriptions to the Registry.

As for the last time they tried this, I assume you are talking about the .mail registry proposed by Spamhaus.  There are a number of important differences in the new proposal, including the lack of dependence on senders to contribute, or even cooperate.

5)  What is spam?  There will never be an agreement on an answer to that question.  Any attempt to classify all email as either good or bad is doomed to fail.

Resp:  The Registry doesn't attempt to make that classification, just facilitate the efforts of others – the Rating Services.  Some will succeed, at least in the eyes of their subscribers.  Rating Services will follow whatever procedures they think are appropriate to keep their subscribers happy.  The better ones will likely have rapid feedback from their subscribers, so they can adjust their procedures to deal with new forms of spam and new spam sources.

6)  You say the Registry is open-source, but you expect everyone to pay.  You can't have it both ways.

Resp:  The programs are open-source.  The services are not.  You don't expect a company using Apache to provide free web-hosting.  The Registry has basically the same business model.  We expect to provide first-rate services, including domain ratings from the best companies in the world.  These services will cost us a lot of money, even if we operate the Registry on a non-profit basis.  That money should come from receivers using the Registry services.  This will ensure that the Registry is always operated in the best interests of receivers.

7)  You cannot expect an ISP to reject mail based on a sender's reputation.  This will inevitably reject some non-spam, and the ISP that rejected the non-spam will get blamed and lose customers.

Resp:  The ISP should not be setting the reject policy.  A well-designed mail receiver will allow each recipient to set his or her own thresholds and options for rejection of spam.  Many recipients will set high thresholds, and the rejects from those recipients will motivate legitimate senders to clean up.  The goal of the Registry is to empower recipients.

8)  The overwhelming majority of domains do not have their own mail servers.  Some email services handle email for tens of thousands of domains.  So you face a huge crush of opposition.

Resp:  Most of these tiny domains will find it convenient to use an A-rated forwarder, probably their own email service provider.  The forwarder will scan the mail for viruses and spam, and send it using its own HELO name.

The exceptions may be small or infrequent senders that have a reputable name, and need to avoid raising suspicion about their email.  If they use a forwarder, the recipient will see something like the following on any mail where the From line differs from the authenticated HELO name.

From: "American Red Cross" AmericanRedCross@redcross-email.org

Authenticated Sender: advertising.com (domain rating A - proven trustworthy)

For these organizations, the email service should assign a static IP address, and the organization should authorize that address under its own name.  There may still be a problem of accumulating a good reputation for the name, but that is where accreditation and bonding services can help.
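A toy model of the border-MTA check described in the response to objection 2 (HELO name as Declared Identity, session IP checked against the Registry record) together with the forwarder display shown above, added here as an illustration and not part of the original article. The Registry records, ratings, domains and IPs are constructed sample data, and the A-to-F letter scale and per-recipient threshold mechanism are assumptions.

```python
from dataclasses import dataclass

# Constructed Registry records: Declared Identity (HELO name) -> the IPs its
# owner has authorized. The article lets the owner pick the authentication
# method; only a plain IP list is modelled here (simplifying assumption).
REGISTRY = {
    "smithbarney.com": {"192.0.2.10", "192.0.2.11"},
    "advertising.com": {"198.51.100.5"},
}
# Constructed Rating Service output: domain -> letter rating, A best, F worst.
RATINGS = {"smithbarney.com": "A", "advertising.com": "A"}
RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}

@dataclass
class Verdict:
    action: str            # "accept" or "reject"
    reason: str
    annotation: str = ""   # shown when the From domain differs from HELO name

def from_domain(from_header):
    """Domain part of an RFC 2822 From header such as 'From: "X" <a@b.org>'."""
    return from_header.rsplit("@", 1)[1].strip("> ").lower()

def check_session(helo, ip, from_header, threshold):
    """Border-MTA decision for one SMTP session.

    helo: the sender's Declared Identity; ip: captured from the session;
    threshold: the lowest rating letter this recipient will accept.
    """
    helo = helo.lower()
    record = REGISTRY.get(helo)
    if record is not None and ip not in record:
        # The identity's owner never authorized this IP: treat as faked.
        return Verdict("reject", f"{ip} not authorized for {helo}")
    # No record: the identity is unverified and gets the lowest rating, so it
    # survives only recipients with a permissive threshold.
    rating = RATINGS.get(helo, "F") if record is not None else "F"
    if RANK[rating] < RANK[threshold]:
        return Verdict("reject", f"{helo} rated {rating}, below threshold {threshold}")
    annotation = ""
    if from_domain(from_header) != helo:
        annotation = f"Authenticated Sender: {helo} (domain rating {rating})"
    return Verdict("accept", f"{helo} authenticated from {ip}", annotation)

if __name__ == "__main__":
    v = check_session("advertising.com", "198.51.100.5",
                      'From: "American Red Cross" <AmericanRedCross@redcross-email.org>', "B")
    print(v.action, "|", v.reason, "|", v.annotation)
```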

Although the majority of domains don't have their own mail servers, the majority of legitimate mail comes from large domains that do have their own servers.  Large domains will authorize their own servers.  Small, unknown domains that don't use a reputable forwarder will face increasing levels of rejection as the statistical difference between the high-rated group and the remainder becomes greater.  Eventually, the remainder will be so polluted that the small domains will do whatever it takes to get out.  This is an unfortunate burden for small non-abusive domains, but it is a necessary burden to distinguish them from abusive domains.