Why ‘user authentication’ is a bad idea

Nick FitzGerald Computer Virus Consulting

  download slides (PDF)

SPF, Caller-ID, Sender ID and DomainKeys are all, to varying degrees, user authentication schemes being actively pushed as anti-spam measures - things that will slightly change how we ‘do email’ but significantly reduce, if not eliminate, spam and keep it down. All such claims are based on a naïve belief in the power of ‘user authentication’ to beat ‘the spam problem’.

Sadly, the common claim that these approaches will greatly reduce spam is not only a misguided idealization of what may be achievable, but it is downright wrong-headed. The chance to make a buck may be behind one or two of the major players pushing for such solutions, but mainly the inability of these approaches to deliver what is so often promised is apparently due to abject ignorance of how the world is already really working in ways that render these proposals useless.

This paper will point out a few nasty facts about spam and spamming that the SPF, etc. folk have either entirely missed or chosen to ignore, then proceeds to explain why these realities not only make SPF, etc. irrelevant as ‘anti-spam’ approaches, but also all but entirely remove the real, but very small, advantages the more conservative sometimes claim for these approaches.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.