-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org
[mailto:asrg-admin(_at_)ietf(_dot_)org]On Behalf Of David
F. Skoll
Sent: Thursday, March 13, 2003 9:34 PM
To: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] Thoughts so far
This forum has been pretty depressing, actually. :-(
I have a few thoughts about the spam problem after reading the postings.
1) Time is of the essence
If Alan DeKok and Chris Lewis's domains are harbingers of things to
come, we really need to act fast. Some of the protocol proposals on
this forum will take years, if not decades, to become widely-used
enough to have any effect. If spam increases to "striker" levels, the
'Net will collapse before then.
Perversely, the spammers have given Alan DeKok an awesomely-powerful
weapon: With a few edits of his DNS zone file, he can direct a
powerful DDoS attack at the server of his choosing. Perhaps rotating
this traffic among various government mail servers will convince
lawmakers there's a problem. (They'll probably pass legislation making
redirection of mail to servers outside your control a felony.)
2) Legislation is needed, soon
Technology alone won't solve this problem. Laws with real teeth
are required.
However, I'm not holding my breath.
It's technology's problem. Tech created it, tech will have to fix it. As
long as it is technically possible to do, you can bet we'll have it. We are
going to have to replace the email delivery system sometime.
3) In the mean time, we must do whatever we can to force behavior on
spammers
Filtering works -- for now. DCC works -- for now. But both are easily
defeated. The DCC fuzzy checksum, for example, is an astonishing piece
of work, and I can't imagine how many hours of development and testing
went into it. Unfortunately, the effort required to defeat it is no more
than half an hour of a creative person's time. Similar comments apply
to Razor, content-filtering and Bayesian analysis. Even Razor's
clever (but not very scalable) "Ephemeral Signatures" can be defeated
with appropriate message mutations (left as an exercise for the reader.)
Filtering works now, and is immediate. No one (even close to a mesuarble
percentage uses it) Plus it only hides the problem. The bandwidth is still
wasted. Not enough email clients do a good enough job. Maybe we need a
intermediate peice that will filter it on the server before the client pics
it up? But it'd have to be under user control. Defaulting to on I think
would be ok.
Filtering can buy us time though, and I think we should only see it as a way
to buy time and not as an end.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg