ietf-asrg
[Top] [All Lists]

Re: [Asrg] Spam detection system proposal

2003-03-05 12:39:08
On Wed, Mar 05, 2003 at 10:42:27AM -0500, David F. Skoll wrote:
On Wed, 5 Mar 2003, Vernon Schryver wrote:

What are the *detectable* differences between a spammer and a legitimate
mass mailer, assuming we can't read the minds of the recipients?

There are no such differences, detectable or not.

Then this ASRG is a waste of time.


Even though I am a coder at heart, sometimes I realize the real world
has something to offer when it comes to dealing with abusers.

The real world doesn't usually do security with physical security.
It punishes after the fact and uses that as deterrence.

Thus the proposal I sent in my opening message.  The difference between
spammers and legit bulk mailers is that legit bulk mailers are willing
to be accountable if they abuse bulk mail.   Spammers, of course,
are not.

Very few of the world's low level security problems are solved by
putting up a clever high fence.  You notice that there is nobody
checking your bags as you leave the Sears store.

That's how we like it.  We don't want to close up open societies and
open protocols for a bit more security against abuse.

There are tricks you can use to detect patterns between spammers and
legit bulk mails.  One trick is the spam-trap, which is what BrightMail
does.   If a mail came to a spam trap, especially if it's checked
by a human being, you have a fully reliable identification of a
spam attack.

The number of bad addresses is another test, but not nearly so
reliable.   Spamasassin style filters are another test, possibly of
some use.

In the end, though, if we can get most of the legit bulk mailers to
do something -- anything -- to let us know they are accountable for
abuse, I think we can lick this thing.


Some of the things that they can do to show accountability are:

        a) Sign a contract
        b) Offer money / hashcash / post a bond
        c) Be vouched for by somebody else who is accountable
        d) Simply have a good reputation, have a well known established
           mailing list found in any of the existing databases of
           mailing lists.
        e) Live in a legal jurisdiction which punishes spammers
           _effectively_.  (ie. not any of the current U.S. state
           spam laws which do more harm than good.)
        f) Be a member of an association reliably pledged to not
           abuse bulk mail.  This could include, I kid you not
           the DMA, or BBB or similar.  Or Habeus if it is shown to work.
        g) Host your list with somebody who meets the above criteria
           as a host, like Topica, Yahoo eGroups, etc.

There are a lot of choices and there can be more.
        
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg