On 27 Mar 2016, at 21:58, Thomas Cameron wrote:
Has anyone actually gotten a single legit message from that domain?
No system I work with ever has. On most of those systems mail from a *@*.top envelope sender would need to look quite hammy in other ways to be accepted.
Contrary to the hype of the domain huckster industry & their trade org ICANN, we have not run low on classical gTLD and ccTLD names. What's in short supply are ultra-cheap names offered by naive, spammer-complicit, or simply reckless registrars and registries in ways that allow names to be registered in huge volumes by spammers who may never even *really* pay *anything* for the names they register. The cheaper a domain is to register and the easier it is to register it fast and use before actually needing to pay for it, the more likely it is to be used for spamming. Dumb registrars/registries get abused, smarter ones are essentially complicit by pricing new gTLD domains so low for first years that it's no big thing for a snowshoe operation to buy them by the hundreds or thousands and actually pay the fees, unlike the days when some registrars let registrants change their minds on buying domains for a few days and get full refunds.
IMHO we're close to the point where it will make sense to make email default-deny and to build standard protocols for senders to be returned to the traditional trust model on a domainwise basis for each receiving system or domain. The authentication methods already exist, there just isn't enough adoption (for some good reasons) and we don't have usable authorization models.
