This month's summary (up to today, since a month ago today) of ASRG is
included. Non-technical spelling errors will be caught by the editor -
but I'd like to know if you feel I've misrepresented you, made a factual
error, or missed out a Really Important And Interesting thread.
I'd also like to BEG people on this list who are using mail clients that
are somehow destroying or not setting 'In-reply-to' or 'References'
headers (this group of people noticeably overlaps with people called
'Fridrik' and people who mis-spelled 'referrer' in a widely-used
protocol) to find a slightly more recipient-friendly MUA, and remind
people that replying to an existing message to start a new thread also
causes problems for those of us using MUAs that will nicely thread
emails (like mutt).
So it begins:
Yakov posted a link to a draft submitted to IETF entitled 'A No
Soliciting SMTP Service Extension', which would basically require
senders to define their email with certain keywords. Phillip Miller was
not impressed, saying that work on consent frameworks was specifically
in order to avoid "content-specific solutions that are open to
definition wars, redefinition, and even worse, cross-border legal
wrangling", and suggesting that implementation of said standard would
lead to the "[requirement] that senders, to be compliant with every
possible national law, check their mail against each and every
John Levine thought that the alternative would be that "each country
[would] make up its own rules", many of which would be contradictory,
pointing out that UCE in Korea has to start with the Korean word for
advertisement, where the US rules will probably require 'ADV' - "the same
subject can't simultaneously be in Korean and English."
Phillip Hallam-Baker decided it was "all over for challenge-response" as
spammers were now allegedly asking visitors to free 'adult' websites to
'solve' the non-machine-readable images that challenge-response systems
use to verify a human sent the originating message. Yakov pointed out
that this would require spammers to provide a working return address to
their spam - essentially dooming the scheme.
There was some debate as to how cost-effective this method would be, but
as no-one had any figures, the thread floundered. It was suggested that
this would be most useful for setting up 'free' webmail accounts
en masse, for use by spammers.
Walter Dnes, in a later thread, suggested that all it would take would
be one visually-disabled person with a good lawyer to get 'Turing test'
schemes based on graphical recognition to become illegal anyway - this
spawned a discussion on 'multi-modal' tests.
He also painted a rather dystopian future, suggesting that there were
'legitimate' spammers who "do not want to see spamming made totally
illegal, because they want to get in on the act once the 'bad' spammers
are shut down ... the main difference between them is that 'bad
spammers' break the law, while 'legitimate spammers' buy politicians to
rewrite the law ... if technical solutions do succeed in stopping spam,
mark my word, you *will* see 'must carry' legislation for 'legitimate
A large thread kicked off on the subject of websites sending email on
behalf of a user - such as the 'Email this article' to a friend feature
that many online publications have. This was decried as being 'forged
spam' by Alan DeKok - the upshot seemed to be that some people believed
that any email you couldn't be absolutely sure came from a given sender
was 'forged spam', and others didn't - no particularly compelling
solutions were suggested.
The FTC sought comments (by way of Yakov) on their proposal to require
those sending sexually-explicit UCE to label their email subject line
with 'SEXUALLY-EXPLICIT-CONTENT', and making this phrase the only thing
a user would see when they first opened such an email. The deadline for
feedback has passed, but you can see the original proposal here:
Fridrik Skulason requested a summary of 'RMX, DMP, SPF, LMAP, etc', and
was rewarded by Yakov's breakdown:
"The basic concept of LMAP is to publish in DNS a list of IPs that are
authorized to use the domain name in the MAIL FROM or HELO arguments of
the SMTP transaction. The technical differences between RMX, SPF, and
DMP is how this data is stored in DNS, how it is parsed, extensibility,
and whether [the] HELO parameter is addressed."
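As an added illustration of the published-IP-list idea in that description (my own code, not from the thread or from any of the RMX/SPF/DMP drafts), a receiver-side check that picks the domain from MAIL FROM or HELO and matches the connecting IP against an SPF-like TXT record. The record syntax is a simplified subset with ip4, include and all mechanisms only, and the DNS table is constructed for offline use.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are documentation
# address ranges, not real zones.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
                   "include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:203.0.113.0/26 ~all",
    "lax.example.org": "v=spf1 ip4:192.0.2.1 ?all",
}

# Result a mechanism yields when it matches, keyed by its qualifier.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(mail_from, helo):
    """Domain to check: the MAIL FROM domain, or HELO when MAIL FROM is
    empty (the null sender used for bounces)."""
    if mail_from and "@" in mail_from:
        return mail_from.rsplit("@", 1)[1].lower()
    return helo.lower()


def lmap_check(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the
    connecting IP against the domain's published authorization list."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 5:
        return "none"  # no policy published, or include chain too deep
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            # A bare address is treated as a /32; version mismatch never matches.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # The included domain's list counts only when it yields a pass.
            if lmap_check(client_ip, term[8:], dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without an 'all' term


def check_transaction(client_ip, mail_from, helo, dns=FAKE_DNS_TXT):
    """Convenience wrapper for one SMTP transaction."""
    return lmap_check(client_ip, sender_domain(mail_from, helo), dns)
```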
There was some discussion on requiring originators to specify the size
of their message at the SMTP level, so as to allow throttling of
connections from potential spammers, and so on. Peter Holzer was not
convinced that size was a good indicator of how likely a message was to
be spam: "My users complain if they get a single 1k spam message per day
and they complain if they don't [get] those 67 40MB PowerPoint presentations
that someone sent them in an hour".
Yakov claimed that the FTC had estimated that 70% of spam is fraudulent
and could be 'enforced' under existing laws. He lamented that while
politicians are willing to talk about the problem, very few are willing
to give 'cold hard cash' to the enforcement agencies to allow them to do
this. Harry Tabak followed up with the observation that most spammers tend
to be using zombies, making this process hard, and offered the insight,
based on his filtering attempts, that "the cost to spammers of a failed
delivery must be cheaper than the cost of pruning a mailing list" -
zombie hosts with the same IP would keep trying to deliver to an email
address that had rejected their emails before.
B: Pinky, Are you pondering what I'm pondering?
P: Wuh, I think so, Brain, but isn't Regis Philbin already married?
-- Pinky and Brain