ietf-asrg

[Asrg] deautomation is the key?

2003-03-14 19:58:01
On Thu, 13 Mar 2003 10:09:20 -0500, Kee Hinckley 
<nazgul(_at_)somewhere(_dot_)com> writes:

However to be a true spam deterrent, whitelisting needs to do two
other things.

1. It needs to *block* non-whitelisted email.  Anything that just puts
them in a junk folder isn't a long term solution because you still
have to read the spam every day.  It's a helpful tool, just as any
filtering tool is--but it's not a solution, and it won't stop the
spammers.  If it blocks the email, then you're back to the question of
how you get past it.  Challenge response?  Assume that anyone who
tries again is okay?  And how you deal with commercial mail systems
that either don't read bounces, assume that the bounce is fatal, or
don't have a system for retrying.  So you need some kind of standard
there.


2. It needs authentication.  Otherwise the spammers just start forging
email more than they already do.  This is a weaker need, because it
more clearly puts spam on the illegal side of the fence, and greatly
reduces the chance that legit companies will spam.


And a third thing:

It must not be possible to automate the whitelisting service. If
there's a way I can be whitelisted through, say, a challenge&response,
then that's good for a user, I can program a robot to do it for me;
secondly, and much more problematic, if it's automatable, it will be
automated and someone else will eventually write a program to
auto-reply. Although, CAPTCHA could make this work. CAPTCHA (Carnegie
Mellon) is an idea to have an automated challenge that a computer can
give to a human, but only humans can correctly reply; a machine
cannot. It's done currently on Yahoo; it's that swirly text image that's
designed to be difficult to OCR.

Perhaps that's a key idea: What makes unsolicited commercial email
possible is extreme automation. If we can de-automate the
sending of email, we win. A computer is cheap; for $30k, which is one
worker for one year, we can put in 100 GHz of computing power. Human
labor is not cheap. If something requires a sender to be forced to
spend 3 seconds of their time, that's 8k email/worker/day, tops.

Hash-cash doesn't de-automate email sending, it just slows it down a little.

How about something like a CAPTCHA-stamp, where you 'prove' to a
trusted machine that you are a human, then you get a stamp that you
may attach to email. Some policy on how many times you may reuse
a stamp, or how many stamps you receive. And, at any time, a stamp may
be checked to see if it's been used too many times and the email
rejected.

How else may we slightly de-automate email sending? 

Scott
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
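
The CAPTCHA-stamp flow proposed in the message above, as an added example that is not part of the original post: a trusted authority issues a signed stamp after a human check, and a receiver asks it whether the stamp has been used too many times. The class name, the HMAC-based stamp format, the reuse limit and the boolean standing in for the CAPTCHA step are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class StampAuthority:
    """Hypothetical trusted machine: issues stamps and answers use-count checks."""

    def __init__(self, max_uses=5):
        self._key = secrets.token_bytes(32)  # signing key, never leaves the authority
        self._max_uses = max_uses            # assumed policy: allowed uses per stamp
        self._uses = {}                      # stamp id -> uses counted so far

    def _tag(self, stamp_id):
        # MAC over the stamp id, so only the authority can mint valid stamps
        return hmac.new(self._key, stamp_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, human_verified):
        """Return a stamp only if the CAPTCHA step (modelled as a bool) passed."""
        if not human_verified:
            return None
        stamp_id = secrets.token_hex(16)
        self._uses[stamp_id] = 0
        return f"{stamp_id}.{self._tag(stamp_id)}"

    def check(self, stamp):
        """Called by a receiving mail system; counts the use, returns accept/reject."""
        stamp_id, sep, tag = stamp.partition(".")
        if not sep or not hmac.compare_digest(tag.encode(), self._tag(stamp_id).encode()):
            return False                     # forged or malformed stamp
        if stamp_id not in self._uses:
            return False                     # signed but no longer known to the authority
        if self._uses[stamp_id] >= self._max_uses:
            return False                     # used too many times: reject the email
        self._uses[stamp_id] += 1
        return True


def demo():
    authority = StampAuthority(max_uses=3)
    stamp = authority.issue(human_verified=True)
    results = [authority.check(stamp) for _ in range(5)]  # same stamp on 5 emails
    forged = authority.check("00" * 16 + "." + "0" * 64)  # constructed fake stamp
    return results, forged, authority.issue(human_verified=False)


if __name__ == "__main__":
    print(demo())
```

Because the count lives at the authority, a sender who copies one stamp onto many messages exhausts it no matter which receivers perform the check.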