[HIV analogy snipped]
These "house of cards" trust relationships in the E-mail sphere are
That's not exactly true of course - getting that first spam DOES NOT mean
that you now have spam for the rest of your life. If only HIV infection
could be eliminated by revoking trust after the fact.
Fine, but the same thing holds true in that you don't know how much of the
"trust" you inherited from someone else was inherited from someone else which
was inherited from someone else, and somewhere down the line there was someone
whose "trust" was expressed prematurely or unwisely. And usually there's no
ready way for you to figure out what to revoke, such that you don't throw out
the baby with the bath water.
The other point is that people very simply make mistakes. Even sites which are
normally well-administered and trustworthy still can be infected, or still
I simply believe it makes a LOT more sense to identify most spam by observing
its variance from accepted and agreed form. E-mail coming from a given
correspondent which DOES NOT LOOK LIKE the mail you expect to get from that
correspondent can, and probably should, be quarantined or even t-canned until a
different treatment is indicated.
If I get a 170K-byte PIF file attachment from my dear old Aunt Mildred, it's a
pretty safe bet that it's a virus or worm... she would simply never
send me anything like that (nor, in fact, would probably anybody else).
If she sends me an ActiveX-based attachment or a Java-based decryption script,
that also is pretty clearly outside of the technical capabilities I'd expect to
see coming from her.
Meanwhile, the fact that I get illicit stuff CLAIMING to have been sent by her
should not prevent the delivery of the stuff Aunt Mildred sent me that DOES
look like the stuff she sends me. It shouldn't be terribly difficult for software
to differentiate (at least for such extreme cases, and probably for more nuanced
cases as well) between the two.
Meanwhile, the stupidity of trusting SPF and such
approaches to control spam is evidenced by the following report that came
within the last week... (and please forgive me if this has already been >
Neither *reputation* nor *authentication* schemes can have any real value
ON THEIR OWN.
I'm not EVEN convinced that they have any really compelling value OTHERWISE,
either. The fact is that people move and travel, and sometimes legitimately
send mail from unusual places (airport E-mail kiosks, cruise ship Internet
cafes, etc etc) and while they still need to sign and return-address their mail
as usual, they may not have ANY control whatsoever about the servers used to
process the outgoing mail.
Only by using them _together_ might one hope to gain any real
benefit. Do not make the mistake of damning reputation schemes because of
the ineffectiveness of 'authentication'.
The fact remains that authentication and reputation schemes are broken as soon
as the trusted system gets compromised by viruses or worms that turn them into
That said - I'm inclined to think that *reputation* established by a wider
audience with a good overview of subject behaviour is more likely to be
useful (and harder to break) than some transitive *trust* thing.
Perhaps, but IMHO it's still better to have the RECIPIENT control it, based on
who THEY trust and what THEY expect to legitimately receive from each familiar
and recognized sender.
I think it makes perfect sense to put a suitably restrictive set of
acceptability rules on E-mails coming from previously unknown senders... loose
enough to allow for initial contacts, but tight enough to trip up most spam
(and, at a minimum, tight enough to ban the tricks that are commonly used to
evade antispam content filtering). And, of course, to virtually eliminate
and viruses (the genesis of so many spambot zombies) arriving in E-mails.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
Asrg mailing list
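
The recipient-controlled filtering argued for in the message above, as an added example that is not part of the original post: each known sender has a profile of what they normally send, unknown senders get a restrictive default, and mail that departs from the profile is quarantined. The addresses, profile fields, extension list and size limits are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical recipient-maintained profiles: what each known sender normally sends.
PROFILES = {
    "mildred@example.org": {"types": {"text/plain", "image/jpeg"}, "max_attach": 2_000_000},
}
# Unknown senders: plain text only, enough for a first contact and nothing more.
UNKNOWN = {"types": {"text/plain"}, "max_attach": 0}
RISKY_EXT = (".pif", ".exe", ".scr", ".vbs", ".jar")

def classify(msg):
    """Return (verdict, reasons). The From header only selects the profile and is
    never treated as proof of origin, so forged mail is judged by its content."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    profile = PROFILES.get(sender, UNKNOWN)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        if name.endswith(RISKY_EXT):
            reasons.append(f"executable attachment {name}")
        if ctype not in profile["types"]:
            reasons.append(f"unexpected type {ctype}")
        if name and size > profile["max_attach"]:
            reasons.append(f"attachment of {size} bytes over limit")
    return ("quarantine" if reasons else "deliver"), reasons

def build(sender, body, attachment=None):
    """Construct a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m.set_content(body)
    if attachment:
        name, maintype, subtype, data = attachment
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m

if __name__ == "__main__":
    aunt = "Aunt Mildred <mildred@example.org>"
    samples = [
        build(aunt, "See you Sunday."),
        build(aunt, "Open this!", ("card.pif", "application", "octet-stream", b"\0" * 174080)),
        build("stranger@example.net", "Hello, we met at the conference."),
    ]
    for s in samples:
        print(s["From"], classify(s))
```

The forged PIF message is quarantined on its content alone, while the ordinary note carrying the same From address is still delivered.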