ietf-asrg

Re: privacy is a feature (Re: [Asrg] desirable characteristics of source tracking)

2003-03-06 06:51:38
On Thu, 6 Mar 2003 10:05:40 +0100
Hadmut Danisch <hadmut(_at_)danisch(_dot_)de> wrote:

> On Thu, Mar 06, 2003 at 12:24:17AM +0000, Adam Back wrote:
>
> > I think figuring out who you want to listen to is the receiver's
> > problem, so in short practically you can't.
>
> I see.
>
> Did I get this correctly? The sender is protected by the
> constitution, and is free to send whatever rubbish he wants to send,
> with any name he wants to use, maybe anonymously, maybe with any
> forged name, to any victim he wants to molest at the victim's expense?

As to legal theories:

In US law (and let's do keep in mind that US law isn't axiomatically a valid
template for what should happen) there's a difference between what a speaker
is legally allowed to say without penalty, and what a speaker can be prevented
from saying (prior restraint).  So for instance you can be tried for
publishing obscene material but (in theory) you cannot be prevented from
publishing it.  It's considered more in the interests of society to permit the
speech and let courts decide whether it violates the law, than it is to allow
the government to shut down the presses.

So this is the model that some of us are accustomed to, and find useful.

As for the intent of the standards, and technical measures:

- Email is one of the oldest network applications, and authentication was not
available (and probably not feasible) when the protocols were designed.  Nor
was it necessary at the time - the network was small enough (both in number of
users and number of machines) that it was relatively easy to track down
miscreants.  It's not clear that we know how to make authentication work for
the scale of the Internet even now - we have algorithms and protocols for
authentication that will work but the trust models do not appear to scale. 
This should not deter us from making recommendations, but we need to
understand that it's not easy to actually deploy.

- By explicit design, and for good and valid reasons, domain names have
nothing to do with IP addresses.  IP addresses are tied to network locations,
so using IP address to determine domain name is not appropriate - or at least,
not generally applicable.

- By explicit design, and for good and valid reasons, mail originators are
allowed to assert that they are sending a message "From" someone else.  (so
for instance a message can be "From" multiple people, or can be "From" the
boss even though it was originated by the secretary.) The Sender field was
supposed to contain the identity of the originator in this case (e.g. an
indication of the account from which it was sent, which is not expected to be
a valid reply address).  This field has been misused so widely that it is now
useless, but another (and better defined) field could be created to replace
it.   At any rate, the intent was not that the originator of mail could escape
accountability for his/her actions by changing the From field from its
default.  

However the mechanisms for enforcing Sender at the time RFC 822 was written,
if they ever worked, are not available today.  Today there is no clear line
between "administrator" and "user", between the user for whom it is legitimate
to decide who can use an email address and the user who merely has addresses
assigned to him.

> And it's just the victim's own business how to deal with it?

Some of the burden inevitably resides with the recipient.  Spam is in the eye
of the beholder, it is different things to different people.  It is dangerous
for others to presume, in the absence of some instruction from the recipient,
that the recipient doesn't want to see a particular message. 

Keith

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
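
The From/Sender distinction described in the message above, as an added example that is not part of the original post: a small Python check that reports who a message claims as author and as originator, and flags a multi-author From with no Sender (RFC 822 and its successors require Sender in that case). The function name, labels and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def _mailboxes(msg, field):
    """Lower-cased addresses from every occurrence of a header field."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(field, [])) if addr]


def classify_originator(raw):
    """Return (label, asserted_originator) for a raw message.

    Both fields are set by whoever submits the message and are not
    authenticated; the result is what the message claims, nothing more.
    """
    msg = message_from_string(raw)
    authors = _mailboxes(msg, "From")
    senders = _mailboxes(msg, "Sender")
    if not authors:
        return ("no-from", None)
    if len(senders) > 1:
        return ("malformed-sender", None)  # Sender takes a single mailbox
    if not senders:
        if len(authors) > 1:
            # Several authors but nobody named as the originator.
            return ("sender-required-missing", None)
        return ("self-originated", authors[0])
    if len(authors) == 1 and senders[0] == authors[0]:
        return ("self-originated", senders[0])
    return ("sent-on-behalf", senders[0])


# Constructed sample messages (not taken from the list archive).
SECRETARY = ("From: The Boss <boss@example.com>\n"
             "Sender: secretary@example.com\n"
             "To: staff@example.com\nSubject: Q1 plan\n\nbody\n")
MULTI_NO_SENDER = ("From: alice@example.com, Bob <bob@example.com>\n"
                   "To: staff@example.com\nSubject: joint note\n\nbody\n")
PLAIN = ("From: Alice <Alice@Example.com>\n"
         "To: staff@example.com\nSubject: hello\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("secretary", SECRETARY), ("multi", MULTI_NO_SENDER), ("plain", PLAIN)]:
        print(name, classify_originator(raw))
```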