ietf-asrg
[Top] [All Lists]

RE: [Asrg] Taxonomy of anti-spam systems version 2

2003-03-18 08:55:49
Message: 44
From: Paul Judge <paul(_dot_)judge(_at_)ciphertrust(_dot_)com>
To: "'Asrg (asrg(_at_)ietf(_dot_)org)'" <asrg(_at_)ietf(_dot_)org>
Date: Tue, 18 Mar 2003 04:10:50 -0500
Subject: [Asrg] Taxonomy of anti-spam systems version 2

After more thought and feeedback from some people on the list, here is a
second draft of the taxonomy of anti-spam systems.

The systems are classified into prevention, deterrence, and reaction
approaches.

I like the idea of getting a good classification, but there are a few things
wrong with this attempt.

I think you've left out an important option in the reaction approaches list.
Why not add
        j)      Try to punish
Without this as a reaction, why bother considering deterrence at all?  It
can have a lot of subheadings - punish finacially (either civil charges like
the Washington State law, or fines at criminal law), punich through
non-financial criminal penalties, maybe punish by damage to reputation,
punish by withdrawing ISP services, and so on.

All your deterrence mechanisms amount to just 1 thing - reliable
identification of the source (it matters little whether you call it
"authentication", "non-repudiation", or "Tracking".  Some spammers don't
mind being identified (most of the big players in IT have spammed, anyone
who is going to blcaklist them is someone they probably don't want to talk
to anyway so they did it identifiably) so it's not a very good deterrent.
Dterrence requires not only being caught, but some effective punishment for
being caught (OK, that punishment can be "damage to reputation" in some
case).

Several of the things represented as "prevention" mechanisms depend on that
source identification: at least blacklists, whitelists, reputation systems
(and don't these last give a fail closed option as well as a fail open
option?) so the things you list as deterrents aren't just dubious
deterrents, they are components of some of the prevention actions. And some
of the preve

Some things listed as prevention are actually deterrence, not prevention:
any payment system, for example, is a deterrent not a prevention (of course
a sufficiently strong deterrent amounts to a prevention).

Some things listed under prevention are actually Spam reactions (and
properly a component of deterrence) rather than prevention: "payment upon
misbehaviour" for example.

Tom Thomson

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg