
Re: [Asrg] Taxonomy (Four oracles model)

2003-03-10 08:29:17
On Mon, Mar 10, 2003 at 09:41:29AM -0500, Paul Judge wrote:


While at first glance, this model sounds interesting, I don't believe that
it offers enough structure to allow us to compare anti-spam systems. For
example the second stage of your taxonomy asks "is this message
spam?".

I've put that question not at the top of the taxonomy but in 
one of several stages intentionally. Several methods were discussed 
which don't focus on "Is it spam?" and objections were made because of
that. Therefore I came to the conclusion that there should be a layer
above that question and to invent additional steps in the process to 
cover those methods. 




So, I would not move to this four stage model because the first two stages
are too broad and do not provide any real classification. However, I will
use this note as a reminder that we should also provide a classification of
spam response systems. I will follow-up with an outline of such. I would use
what you have sent, but it only lists examples and does not classify them.

Of course, I didn't want to go too deep into a taxonomy in the very
first proposal. I have several layers below those four stages in mind, 
but that would have been too much for the first proposal and would
require further discussion.

It is true that my proposal yet lists only examples, that's why I
called them "examples". The next step would be to build the 
subclassification in order to build a taxonomy tree. 


The reason to propose a different structure was that I see several
shortcomings in the original taxonomy design:

- Fail-Open/Fail-Close should not be a top-level to Prevention
  Approaches. That's the wrong level. That's a question of
  response or implementation, but not a top level principle of 
  prevention.

- The questions who/what/how are much more important and should 
  be on a higher level than at the fourth level.

- The distinction of Human/System Determination is to be put
  on a lower level, because it is not a principle but an
  implementation detail in my eyes.

- Authentication is not a form of Deterrence. That's just wrong.
  
  Threatening spammers with a lawsuit after successful authentication
  is, but not the authentication itself. Authentication is a 
  method to answer "who sent?"

- Same with tracking.

- Non-repudiation is a special form of authentication. 
  Methods like non-repudiation and zero-knowledge-methods are
  subclasses of authentication.


- Spam reduction is a little bit difficult to handle. 

  From a theoretical point of view this is an esoteric method
  of authentication: Split all possible senders into two groups:
  Those who are so interested in sending me that particular message
  that they would even pay to do so, and those who don't. 

  The sender is required to authenticate to belong to the first group.

  Implementations: 

  - Real cash (e.g. any kind of e-commerce/microcash: Sell a real
    ticket which allows sending a message)

  - Pseudo cash (e.g. hashcash)


  In my model, those methods would be subclasses of the first
  oracle.


  You said you're uncomfortable with the placement of spam reduction
  in your model. Maybe that shows that the model is not fully correct.



Hadmut


  


 

  

  