On Tue, 16 Mar 2004, Ed Gerck wrote:
Dean Anderson wrote:
On Tue, 16 Mar 2004, Ed Gerck wrote:
What information theory says is that the probability of detecting
spam is less than 100%.
No, information theory doesn't say that at all.
Sure it says, and that's why a spam filter will never be 100%
effective. I guess we agreed on this before ;-)
I think you must have missed my message noting our disagreement.
Now, you may want to refer to that mythical element, the 'spam-free'
protocol, a protocol that an information theory model says cannot
be built. I guess we also agreed before that a 'spam-free' protocol
is impossible. The IETF should not attempt to develop it.
Thus, in asking for IETF technical solutions for spam, it is
obvious that I do not mean spam filters or 'spam-free' protocols.
We would all be very happy with a protocol that is almost
spam-free -- in fact, I believe we would be quite happy with 90%
at this time. Me thinks we don't need 100% ;-)
An IETF technical solution to reduce spam is doable. Your comment
on 'spam-free' is useful-free ;-)
The IETF cannot reduce spam either. Protocol changes are simply
gratiutious. One might say that there is very little spam on X.400 mail
systems. But it is simply because spammers aren't interested, not because
X.400 has some special immunity. Spammers will simply adapt to any
gratuitous change. At best, only a temporary reduction would be obtained,
until the spammers adapt. After they adapt, there is no reduction.
However, I think there are things that show some promise that might be
harder to adapt to, such as automated text summarization, bayesian
filters, mail agents that filter on the user's interest in the message
subject, and such. I think these are worth pursuing, but these are not
subjects for the IETF. Further, there are still inverse methods for
spammers, so even these will simply be temporary. But I think the benefit
of intelligent agents and summarization and interest filtering could be
very beneficial in filtering even non-spam mail.
Ages ago, managers had secretaries filter there postal mail and phone
calls. I'd love to have a 'secretary' filter my email, so that I could
subscribe to noisy lists and see only the messages that I was interested
in. But this is technology that isn't a protocol, nor does it seem to be
in need of a protocol, so there is little or no reason for the IETF to be
No, it is quite useful: The IETF can do nothing to prevent spam.
;-) this mantra is becoming a spam.
Or perhaps it is the mantra that the IETF can do something to reduce spam.
What interests the IETF are technical spam solutions, for example,
that would prevent email that comes from unidentifiable or rogue
senders/MTAs to be ever received.
The only thing that can acheive this is to turn off the computer.
No, it's a matter of degree. Even if not all spam is preventable,
preventing email address spoofing (even to a degree) would have
a range of benefits. For example, I would no longer receive
those "undelivered" messages for email that I purportedly sent,
but actually never did. And people receiving email from me could
actually trust to some extent the outcome of their filters. And,
to be clear, I'm not talking about PKI.
Actually, I want to receive those bounced messages. Otherwise I don't know
if someone is out there trying to abuse me. Often, the perpetrator can be
identfied from these bounce messages, since they usually include the
original message and its mail headers, which give an IP address and a time
of use. But it is easy to delete messages from "Mailer Daemon" if you
don't want them.
The problem here is to distinguish the real you from the not-real you.
Or rather, to distinguish the unauthorized not-real you from both the
authorized not-real-you and the real-you. Real users use relays. Real
users also use agents, like cron jobs to send email. How do you know the
cron job is not a spammer? It might be abuse. It might not be abuse. We
don't know until we check on it. There is no way to avoid this check.
RMX can't work, because real users need to be able to use a wide range of
relays, which depends on their physical location as well as their
arrangements for outsourcing, as well as the service offerings of multiple
providers. For example, Av8 Internet provides relay services for users of
earthlink, because those users have leased line services from Av8, but
email services from Earthlink, and earthlink doesn't do relay service
outside its IP address space.
How is the relay to know if the message is really from you or not really
from you? Password (or per-user account) style authentication (such as
SMTP AUTH) hasn't had any effect on spam, and it doesn't scale well, and
isn't widely supported. Passwords can be stolen by viruses, or by
disgruntled users if they are well-known. If you exclude PKI, then
spoofing is easy. If you add PKI, then how do we know that the private key
has not been stolen by a virus? Much or most of the junk/spam is now sent
from viruses. They can certainly start using the infected users identity
if necessary. We should be glad that they aren't. Forcing them to use the
users identity would be another way to shoot ourselves in the foot.
But none of this would reduce spam, because spammers would simply adapt.
The IETF can specify protocols with certain features, say PKI, but doing
so will not prevent spam, since the IETF (nor anyone else) cannot specify
a 'spam-free' protocol. This is a result of information theory.
Because it can't be perfect, it can't be done? No one needs perfection.
All we need is to have a degree of spam-freeness that is acceptable.
No. But what we are left with is a whack-a-mole solution that is no better
than what we have now. All we can do is automate that whack-a-mole
procedures. And of course, spammers can automate the avoidance procedures.
These are constraints that are imposed by information theory, and the fact
that spammers want to abuse the mail system.
Sterilized milk is not bacteria-free, it just has a reduced count
of bacteria -- which count is low enough to guarantee its stated
Bacteria are not as smart as people trying to abuse the system. Assuming
that spammers will be no smarter than bacteria is just another false
assumption. Though, perhaps we are getting to the core assumptions that
people making these proposals are relying on.