
RE: [Asrg] Several Observations and a solution that addresses them all

2003-03-11 15:22:29


-----Original Message-----
From: Kee Hinckley [mailto:nazgul(_at_)somewhere(_dot_)com]
Sent: Tuesday, March 11, 2003 4:52 PM
To: Jason Hihn
Cc: asrg(_at_)ietf(_dot_)org
Subject: RE: [Asrg] Several Observations and a solution that addresses them all


At 2:54 PM -0500 3/11/03, Jason Hihn wrote:
I don't need or care that 90% (by domain? by email addr?) haven't
deployed it.

By whichever the proposal needs to be deployed.

If Yahoo!, aol, MSN, hotmail, and comcast were to implement it, 90% of
whom I correspond with would be covered, excluding my mailing list
buddies of course! Also, there would be no messages from fake yahoo.com
addresses littering my mail box.

If you authenticate on envelope from there'd be no email messages
with a fake yahoo.com email address in the envelope.  What goes in
the Return-Path: and From: is an entirely different matter.  If you
authenticate on the headers you've got a major problem with
acceptance.  I suspect Hotmail and Yahoo would actually fight the
system, since a large percentage of their users are probably sending
from their ISP, but using the web mail address as the return address.

But the fact that the majority of your correspondents would be covered
does not mean that any of those sites can stop blocking email from
anyone who doesn't respond.  So the spammers just use different
addresses.  Furthermore, even you can't block based on
non-authentication--because those few emails you get from outside of
those systems are probably from ecommerce sites.  You've got to get
them on board as well.


 > work and pay the cost.  That's why I'm focused on the idea of
 requiring authentication only for bulk mailers, and using existing
 tools to identify what messages are bulk.  I'm not convinced that it
 will work.  But I am convinced that it applies the changes in the
 places where people are incented to make them.

The problem is, who is a bulk mailer? I can change my identity. What
messages are bulk? There are a lot more holes in that tin can than my
idea. I can vary the message a little for each destination. I can
inter-twine several different messages (porn, penis enlargement, fat
reduction, repeat) to throw off your detection. How are you going to
force me to play by your rules? Why should I care to play by them in the
first place if my messages end up in the trash can?

The mechanism assumes that we can successfully defeat checksum
breakers for long enough to bring more complete authentication on
board.  I'm not sure if that is true or not.

My method answers that last one nicely. If you don't play by my rules, I
WON'T ever see it. If you do play, you at least have some chance that I
might see it, but it's still not likely.

That's correct.  Or to put it another way.  Your system penalizes the
early adopters, because they will miss lots of important email.

No. This has already been addressed. But to refresh: Just use a
promoted/demoted character. See previous email for fanciful things you can
do to make the users like it more.

Eventually it is up to the receiver's domain to choose to drop or demote. As
someone who works with and uses automated emailers, I fully understand the
concerns here. But the interesting thing is you can expect what automailers
will be talking to you...



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


