ietf-asrg

Re: [Asrg] Economic model is borken. (sic.) Let's fix it

2003-03-06 12:53:40
On Wed, 5 Mar 2003, Hallam-Baker, Phillip wrote:

> I don't think that the response loop idea is acceptable as a general
> solution. In my view it should only be used as a last resort if
> a mailer has exhausted every other means of authenticating the
> sender. That means SSL, S/MIME and PGP. Nobody should be using
> intrusive means of authentication when there are non-intrusive
> options available.

How intrusive is it for a person to expect all correspondents to use
S/MIME or PGP authentication?  Most of the people I correspond with don't
even know what those are, let alone know how to use them.

My inbox is presently guarded by an autoresponder that sends and receives
return-address confirmation requests via SMTP.  One might say that, in
effect, I consent to receive email from people who use (and monitor) the
"From" address that they use.  While not technically elegant, this method
is widely implemented and pretty well understood.  

I'd love to replace it with something less intrusive, but I don't think
it's really my decision.  Rather, the decision lies in the hands of all
the people with whom I correspond.

So then the problem is getting everyone to use SMIME or PGP or whatever.  

They don't have to know they're using it (just like they don't "know" what
SMTP stands for), it just needs to be pervasively implemented.

> I think it is acceptable to send a callback loop request if all
> other means of authentication have been exhausted first and the
> message in question has been identified as having a high
> probability of being spam. Otherwise this type of behaviour is
> simply anti-social.

I disagree with that assertion - autoresponder-based whitelists are a net
gain for the community.  Since instituting my autoresponder and whitelist
about a year ago, I've received about two pieces of spam.  The number of
unseen spam messages is probably around 1500.  I've probably sent a
couple dozen (admittedly annoying) confirmation requests to actual human
beings.  In the big picture, the number of annoying messages put before
live humans has dropped from 1500 to 25.  If everyone took up whitelisting
and automated confirmation, the number of unwanted messages everyone
received would drop by a comparable ratio.  I don't think that's an
anti-social vision at all.  To the extent that it is, the blame lies on
the penis-extension people and their ilk, not those who have instituted a
system that results in a reduction of the total number of unwanted messages
arriving in inboxes.
 
It's not a perfect solution, and I hope we can come up with something
better, but it works.  I note that this very mailing list uses a similar
method to screen subscription requests.  I don't consider that
anti-social, in fact I consider it a very wise practice.

The bandwidth cost of every piece of spam goes up by a factor of two to
three, though - there's the confirmation request, and then the bounce
report created by said request.  That's the drawback I have the hardest
time rationalizing.  But it works *very* well, and that's rationalization
enough for me.

-- 

Nate Waddoups
Redmond WA USA
http://www.natew.com



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


