ietf-asrg

RE: evaluating proposals against requirements (Re: [Asrg] requirements for a proposed solution + notion of consent)

2003-03-07 14:03:27
Ok.. here is my current climate for Friday 03/07/2003-

RMX: is really neat, but all it actually does is allow the validation of
the sending server. It does nothing to actually stop the spam. As a
postmaster, this concept still has me drooling all over myself as currently
most of my spam is spoofed and each IP lookup takes time to ensure that the
spammer isn't using a legitimate service that I cannot block as a whole. 
I still believe that it can be incrementally deployed and AUP violators can
be more easily identified and CHARGED $$$.

DNSRBL: the issue I have with this is- What crazy person is entering the
IP's?

CONTENT FILTERING: I do this currently. There is a difference between
context and content that has yet to be resolved and since it is
programmatic, it can be eventually defeated. It is a horsepower hog.

TOKENS: I have privacy issues with this if the token is generated by the
sender. Virus writers and hackers could also hijack or misuse them.

I am sure that point "i)" should be taken out for the time being. I believe
that to be a personal preference and would restrict discussion of some
really good ideas.
 
I disagree on "h)" too. I believe that the actual sender of UCE should be
charged $10 per email ;-)

Have a good weekend all!

Regards,
Damon Sauer


-----Original Message-----
From: Adam Back [mailto:adam(_at_)cypherspace(_dot_)org]
Sent: Friday, March 07, 2003 2:26 PM
To: Balachander Krishnamurthy
Cc: asrg(_at_)ietf(_dot_)org; Adam Back
Subject: evaluating proposals against requirements (Re: [Asrg]
requirements for a proposed solution + notion of consent)


Those requirements sound good to me, it may not be possible to satisfy
them all simultaneously but at least they express the problem so
people can measure solutions against them.  I've numbered them, let's
measure a few of the current proposals against these:

a) should minimize spam to some acceptable level
b) should not prevent delivery of legitimate mail
c) should not adversely impact valuable functionality
d) should be easy to use (even for grandma)
e) should be easy to deploy, incrementally
f) should not depend on universal deployment to be effective
g) should provide incentives to deploy for those doing the deployment
h) senders and receivers should not have to pay additional monetary costs 
i) should not require new protocols
j) there should be no additional impact on privacy


(this presumes the solution is universally deployed for the sake of
argument; deployability and chances of getting there are covered by 6,
7 and 9).

1) RMX plus fixed DNS

b,d,h,j

I think the rest it does not do.  To explain a) I suspect there will
still be lots of spam from AUP violations, and spammers who run their
own RMX servers; c) complicates sending while travelling; e) if you
deploy it incrementally you lose mail; f) can't reasonably be turned
on until fully deployed; g) provides no incentive to deploy until
critical mass is reached as you can't turn it on; i) it requires
deployment of new protocols.

2) Bayesian filters + hashcash + token white lists.

a,b,c,d,e,f,g,h,j

About things it does not do: i) it requires deployment of extensions
to existing protocols

Some of the things it claims to do are not as effective as other
solutions: a) it will reduce spam, but it won't stop it because it
just increases the cost from 0.0001c to say 1c -- this may help
because it may become more targeted; b) Bayesian filters have a small
but not zero false positive rate; f) before universal deployment you
are relying on Bayesian filters, and hashcash is just to avoid false
positives; g) your incentive to deploy is to avoid mail you send being
caught in false positives; h) individuals would have only CPU costs,
which they probably already have sufficient spare resources for, some
large organizations if they add tokens at the outgoing mail hub may
have to upgrade hardware; 

Also about this approach: it's not clear how long Bayesian filters
will hold out -- they are effective now because of limited deployment,
I suspect if deployment got to a high enough level spammers might go the
next level and win that arms race.

I welcome any criticism of the ratings of either of these, and
suggested ratings for other proposals.

Adam
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
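
The receiver-side logic of proposal 2 (Bayesian filter, with a hashcash stamp or a whitelist token overriding a false positive) can be sketched as follows. This is an added example, not code from the thread or from the hashcash project: the function names, the token set and the thresholds are hypothetical, the stamp layout is a simplified hashcash-style string, and stamp date expiry is not checked.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, date: str = "030307",
         salt: str = "constructed-salt") -> str:
    """Sender side: search for a counter so SHA-1(stamp) has `bits` leading
    zero bits. Expected work is about 2**bits hash computations."""
    for counter in count():
        stamp = f"1:{bits}:{date}:{resource}::{salt}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int, spent: set) -> bool:
    """Receiver side: a single hash, plus recipient binding and replay check."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    if parts[3] != recipient:      # stamp was minted for someone else
        return False
    if stamp in spent:             # same stamp reused across messages
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < min_bits:
        return False
    spent.add(stamp)
    return True

def deliver(spam_score, recipient, stamp, token, issued_tokens, spent,
            min_bits=16, threshold=0.9):
    """A known token or a valid stamp bypasses the filter verdict;
    otherwise the Bayesian score alone decides."""
    if token is not None and token in issued_tokens:
        return "inbox (token)"
    if stamp is not None and verify(stamp, recipient, min_bits, spent):
        return "inbox (stamp)"
    return "junk" if spam_score >= threshold else "inbox (filter)"
```

The asymmetry is in the hash counts: `mint` averages about 65,000 SHA-1 computations at 16 bits, while `verify` needs one.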

