Re: [Asrg] Do we need to do anything?
2003-03-07 07:02:58
At 0:22 -0500 3/7/03, Kee Hinckley wrote:
> At 5:18 PM -0500 3/6/03, Jim Youll wrote:
>> As a server operator for several domains, I don't know that life
>> would be made
>
> I said ISP. Not domain operator. For some ISPs bounces are already
> such a big problem that they are interfering with normal email
> processing.

I've also run an ISP. Same. Our life as an ISP would not be made hell
by addition of additional e-mail addresses that we halt at TO:... if
anything, if we could shift the traffic from procmail to that early
step, the servers would be happier.
Beyond that I'm not going to debate it with you. These techniques are
in use at various places already, I've requested statistics and hope
to get some soon... It is an effective technique for some people in
some settings.
These need not be used everywhere to create a noticeable effect on
inbound spam for normal people like my grandmothers and niece and
nephew, who are more like "typical" internet users than anyone
reading this message is.
A diversity of techniques is appropriate. This is one of them.

>> "hell" by it. Spammers can send a finite number of messages, there
>> IS a point of economic breakdown. As things stand now it seems to
>> matter little whether
>
> What is that point? I know the necessary numbers were presented at
> the MIT Spam Conference but I didn't note them. Anyone care to
> estimate at what point the return becomes so small that spammers
> lose money? Obviously it depends on what you're selling. The
> Nigerian schemes can afford to send messages for a very long time,
> given that their return is sometimes in the millions of dollars.

The numbers for the Nigerians were estimated in the last few weeks at
about one million dollars, total, for all instances of the scam
worldwide, ever. If they could afford to send continuously, they
would, but they cannot. There is a cost, however small, first a
matter of efficiency, second a simple matter that if too much mail is
bouncing from somewhere, we next cut off that somewhere and that's
the end of it.

>> Finally, if the same care is taken with these addresses as with the
>> addresses we use now (I think I must be reachable by at least 15-30
>> addresses right now), then the rate of turnover need not be
>> excruciatingly high... further, a
>
> You talk about turnover as though it were acceptable. Do you move
> your house every year? Do you change your name? What is the
> acceptable rate of turnover for the address "kee(_at_)hinckley(_dot_)com"? How
> about "support(_at_)example(_dot_)com"? Do you want every user to have to go
> to the website of every company they do business with every time in
> order to find out what the current support address is? What about
> this mailing list?

Please, don't be so fast to jump. I've already said several times
that this does not work for all users in all circumstances. But
nothing really does at this point. Nope, support@ and help@ and
sales@ are going to be screwed for a long time, and they need other
solutions.
There are many times that I use an e-mail address that can very well
be transient, and in those cases, it is preferable to use a throwaway
rather than my main address. For example, posting an online
classified ad, posting to a newsgroup... I definitely should use an
only-for-there transient address when joining a mailing list such as
this due to the wide dissemination, and I'd use it just for this
list. So, there are many instances of communications that are
_expected_ to be short-lived and I see nothing wrong with using a
short-lived e-mail address for them. In fact I already do that. If
all the parties behave themselves, no future communication will ever
come toward me just to be bounced back. If they don't, then there is
a pretty good chance the offender will remove me (because it's not
spam but a badly behaved merchant), and finally, sometimes, but not
always, the address may have been leaked, and in that case I don't
receive spam.
I've also said that this process would have to be automated to be
really useful. If someone writes to me out of band and we begin
talking at length, yeah, that person needs a separate address to
write me with since the other may go away someday. So clearly, the
best use of these is 1:whatever messaging where the scope of the
messaging does not change. I can think of many cases that fit this
rule. Not all. Many.
The technique could be used to immunize certain settings, in
particular public forums that permit out-of-band member-to-member
communications, from address harvesting.
I have asked for some stats from the people who run craigslist.org,
which places an anonymous, transient, FORWARDED (talk about
"expensive") e-mail address on every posting. I have never received a
spam due to an address that was harvested from there. Why? Because
nobody harvests addresses from there, since they are all for the most
part invalid from one to thirty days afterward. No value.

>> 1:1 mapping that allows tracking of a leaked address to its source
>> introduces the possibility of enforcement of all manner of
>> penalties against the transgressor... so I don't think this
>> approach would lead to an explosion of inbound spam, not at all.
>
> And how do you determine the transgressor for the address you posted
> to the web or put on your business card or that was forwarded from
> your mother's address book by a virus? We're back to authentication
> again. And if you have authentication, you don't need disposal
> email addresses.

Obviously it was my mother or her computer. I give her a new address
for writing to me, I turn off the old one, and we continue to
correspond. I note that this is not necessary until a problem occurs.
Most instances of mail-forwarding-viruses do not lead to spamming so
it is certainly not a given that the turnover rate would be high at
all.
- jim
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
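
The scheme debated in this message (per-correspondent transient addresses refused at the RCPT TO step, with a 1:1 mapping from a leaked address back to its source), as an added sketch that is not part of the original post or any code the participants describe. The address layout `user+source.expiry.tag@domain`, the HMAC tag, the key, the domain and the integer day-number clock are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; load from protected storage in practice
DOMAIN = "example.com"            # placeholder domain
REVOKED = set()                   # (user, source) pairs switched off after a leak

def _tag(user, source, expiry_day):
    # The MAC binds owner, correspondent and expiry, so none can be altered
    # by someone who only holds the address.
    msg = f"{user}|{source}|{expiry_day}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]

def issue(user, source, today, lifetime_days):
    """Mint one address for one correspondent; days are integer day numbers."""
    user, source = user.lower(), source.lower()
    expiry = today + lifetime_days
    return f"{user}+{source}.{expiry}.{_tag(user, source, expiry)}@{DOMAIN}"

def revoke(user, source):
    """Turn off the address given to one correspondent without touching others."""
    REVOKED.add((user.lower(), source.lower()))

def check_rcpt(address, today):
    """Decide at RCPT TO, before any message data is accepted.

    Returns (smtp_code, source); source is None if the address was never issued.
    In this demo only issued transient addresses are deliverable.
    """
    local, _, domain = address.lower().partition("@")
    user, plus, rest = local.partition("+")
    parts = rest.rsplit(".", 2)
    if domain != DOMAIN or not plus or len(parts) != 3 or not parts[1].isdecimal():
        return 550, None
    source, expiry, tag = parts[0], int(parts[1]), parts[2]
    if not hmac.compare_digest(tag.encode(), _tag(user, source, expiry).encode()):
        return 550, None  # forged or altered address
    if today > expiry or (user, source) in REVOKED:
        return 550, source  # refused, and the source shows who held the address
    return 250, source
```

Because the tag is recomputed from the address itself, the RCPT-time check needs no per-address database; only the short revocation set is stored.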