At 6:35 PM -0500 3/7/03, David F. Skoll wrote:
> You don't look at that queue at all. It's managed automatically; anything
> that stays in the queue more than a few days without getting a response
> is discarded.

Ah. I see. So the Turing test is a necessary part of it. Otherwise
the spammer can simply automate the response and then send the spam.
But now you've just said that you never check the queue. So you
don't get the quick message from someone going on vacation, the
notification from the library system that your book is overdue, or
the email from shipping at your favorite book company telling you
that your book is out of stock.

> > If I send you mail initially with a throw-away address then you
> > haven't a clue whether "Kee Hinckley" <xasdfadf(_at_)hotmail(_dot_)com> is
> > really the person you were talking to at the conference yesterday.
>
> Sure I do. I remember you by your name, not your email address.

But you've just reduced the limited amount of authentication that the
email system has. If I tell you my email address is xxx(_at_)example(_dot_)com,
and you get email from xxx(_at_)example(_dot_)com, you can be pretty sure a
reply will go to the real me. If all you know is my name, and you
get mail from someone claiming to be me with the address
xxx(_at_)example(_dot_)com you now only know whether the domain name matches
what you were expecting.
I'm not saying this is a huge authentication problem as there
probably aren't a lot of exploits--but it certainly seems like a step
in the wrong direction.
I suppose you could work around it by using a convention based on the
real address. That would make things work a bit better. (E.g.
nazgul+12312312(_at_)example(_dot_)com). Then at least a human could
reconstruct the original contact address. Or do you consider that
too much of an opening for spammers?
Then too, I have a bias towards long term identities. I'm virtually
certainly the only person in the world with my name. Everything I
say is directly traceable back to me, so I don't say anything online
that I'm not comfortable having traced back to me, and I assume that
anyone can contact me. Now if the Eudora/PGP plugin would come back,
I'd go back to signing all my messages as well.

> > But the average user isn't going to understand it at all.
>
> That's the problem. It has to be implemented in a way that makes
> it easy to use. This is a long-term research group, right? :-)

Sure. But I'd rather see all that effort put towards something more
obviously useful--like authentication.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
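
An added example, not part of the original message or of any system discussed in the thread: one way the `nazgul+12312312@example.com` convention could work so that a human can still recover the base address while a guessed tag is rejected. The HMAC-derived tag, the key, the correspondent addresses and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real key would be random and private
TAG_LEN = 10                      # hex chars of the truncated HMAC (assumption)


def _tag(local: str, domain: str, correspondent: str) -> str:
    """Truncated HMAC binding the owner's real address to one correspondent."""
    msg = f"{local}@{domain}|{correspondent}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_tagged(real_address: str, correspondent: str) -> str:
    """Owner side: build local+tag@domain to use with one correspondent."""
    local, domain = real_address.rsplit("@", 1)
    return f"{local}+{_tag(local, domain, correspondent)}@{domain}"


def base_address(address: str) -> str:
    """Recipient side, no key needed: drop the +tag to recover the contact address."""
    local, domain = address.rsplit("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}".lower()


def accept_inbound(rcpt: str, sender: str) -> bool:
    """Owner side: accept mail to a tagged address only if the tag was minted for this sender."""
    local, domain = rcpt.rsplit("@", 1)
    base, sep, tag = local.partition("+")
    if not sep:
        return False  # untagged address: outside this check
    want = _tag(base, domain, sender)
    return hmac.compare_digest(tag.lower().encode(), want.encode())


if __name__ == "__main__":
    # Constructed sample addresses.
    addr = make_tagged("nazgul@example.com", "dfs@example.org")
    print(addr, "->", base_address(addr))
    print("minted-for sender:", accept_inbound(addr, "dfs@example.org"))
    print("guessed tag:", accept_inbound("nazgul+12312312@example.com", "x@example.net"))
```

The envelope sender is itself forgeable, so the tag only limits who can usefully guess or reuse an address; it does not authenticate the sender.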