ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Asrg] Whitelisting issues

2003-03-13 08:16:32
from [Kee Hinckley] [Permanent Link] 
At 8:16 PM -0800 3/12/03, Chuq Von Rospach wrote:
Which sounds awfully like a whitelist system to me. Implementable today, no protocol enhancements, minimal training, and decent systems can be pre--programmed to minimize the hassles to people you WANT sending to you....
the big issue on whitelists seems to be the social issue, the "jumping through hoops" issue. But I haven't yet seen a suggestion I thought didn't require at least that much hassle/work/retraining/etc and most require a lot more. So why not whitelistings as part of a solution as a lesser evil to all this other stuff?
Whitelisting works well for people who use mail for social communication. They have a limited set of people they communicate with regularly. My only real issue with it in that context is that it's a virus-writer's dream--lots of addresses to send viruses to, and they'll all work. But that's really a different problem.
Whitelisting doesn't work at all for inbound company email. I regularly get email addressed to me from people that I don't know and have never heard of before. There are people on this list who are using challenge-response whitelists, and the complaints have been pretty loud. 

However to be a true spam deterrent, whitelisting needs to do two other things.
1. It needs to *block* non-whitelisted email. Anything that just puts them in a junk folder isn't a long term solution because you still have to read the spam every day. It's a helpful tool, just as any filtering tool is--but it's not a solution, and it won't stop the spammers. If it blocks the email, then you're back to the question of how you get past it. Challenge response? Assume that anyone who tries again is okay? And how you deal with commercial mail systems that either don't read bounces, assume that the bounce is fatal, or don't have a system for retrying. So you need some kind of standard there.
2. It needs authentication. Otherwise the spammers just start forging email more than they already do. This is a weaker need, because it more clearly puts spam on the illegal side of the fence, and greatly reduces the chance that legit companies will spam.
P.S. Note that I'm changing the subject line. People have complained about wading through the volume, so I am hoping it will be helpful if people are more aggressive than usual about changing subjects to reflect the specific content of the message when the thread topic forks. 
--
Kee Hinckley
http://www.puremessaging.com/        Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Asrg] Who is most incented to make anti-spam changes?, Kee Hinckley
Next by Date:  [Asrg] Proxy your address (Was: Random thought), Jason Hihn
Previous by Thread:  Re: [Asrg] Random thought, Chuq Von Rospach
Next by Thread:  [Asrg] deautomation is the key?, Scott A Crosby
Indexes:  [Date] [Thread] [Top] [All Lists]