On Mon, Mar 03, 2003 at 10:29:34AM -0500, Daniel Feenberg wrote:
Somehow it seems more practical to just buy a domain name and use it till
the spam filters catch on, although $10 is probably significant for many
spammers.
By this reasoning, the proposal could succeed at providing authentication
without actually reducing spam.
That's the next step of the story.
First, we have to keep in mind, that we still have no precise and
concise definition of "Spam", and I guess we'll never have.
My draft is focussed on the sender address fraud aspect of Spam, while
most people are focussed to the "mail which I don't want to have"
aspect. Unfortunately, the latter one is not easy to grab in a technical
and automated way.
And there's another point: My approach could be seen as a "european
way". Let me explain this:
The RMX records don't stop spam. They stop e-mail fraud (i. e. using a
foreign domain as a fake sender address), at least to a certain level.
When you receive a message, and the RMX records say "good", then
what's the use of this? You can assume that the owner of the domain
has somehow in any way authorized the sender to do so, is somehow
responsible. It is a link between the message and the domain.
Now, what's that good for?
In Europe, especially in Germany, the whois entry of a domain usually
gives detailled information about who's responsible for a domain. This
is a link between a domain and a real human. OK, what's that good for?
You can sue the person.
You can blame the person.
You can blacklist the person (which is more effective than
blacklisting his/her domains which can be changed like underwear).
Effectively, you know who is molesting you. The mail suddenly turns
from an anonymous standard Spam to a plain normal, but still
unsolicited message.
There are still some problems:
- Some countries /ISPs don't keep the whois entries filled with
reasonable informtions, especially the far east countries.
So teach your MTA to reject messages from domains which don't
have reasonable whois entry. It will force them to update
their entries.
- Some countries (e.g. the USA) don't have that european idea
of a human's identity. In Europe, people have identity cards,
you don't simply change your name or identity. Your name
and address can be "verified". In the USA, people insist of
beeing free to choose any name and address. It is very difficult
to authenticate somebody when you lack a reliable identity.
Ok, back to the Spam problem.
We can't find a technical solution as long as we don't define Spam.
Spam is a term for "everything annoying which can be found in a
mailbox". Forget about it. We'll have to find real, hard criterias.
I'll suggest those:
- Forged sender address
- Non-individual mass mail
- Lack of personal relation between sender and recipient
- recipients address found in context which was not supposed to
allow this certain message transfer
When we know what we are talking about, we can start to design
protection mechanisms. RMX records are designed against forged
sender addresses (domain part).
regards
Hadmut
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg