ietf-asrg

Re: [Asrg] A method to eliminate spam

2003-03-17 07:11:05
From: Hans Spath <ml-asrg(_at_)hans-spath(_dot_)de>

...
If you sign up for C|Net's daily newsletters, who do you whitelist? 
*(_at_)cnet(_dot_)com? *(_at_)news(_dot_)com?

Or do you have to wait for the newsletter to come in before you can create 
a whitelist entry for them?

I ask because C|Net's newsletter doesn't come from anywhere you might 
expect it to come from.

Users of the DCC have mentioned that problem.

I suppose average users would soon become annoyed if they had to whitelist 
every newsletter they subscribe to.

Judging from the actions of the ISPs using the DCC, that does not seem
to be a problem.  Users are amazingly tolerant of false positives on
bulk mail.  It seems to be the non-bulk mail that they must receive.

However, there are schemes that could without any user action whitelist
every legitimate newsletter, or every newsletter that does not offer
unsolicited "gift subscriptions" and "sample issues."  (Those with
experience as spam filter wranglers on behalf of well known users have
probably had the pleasure of arguing with newsletter publishers about
"gifts" and "samples;" I have.)  Those schemes involve third parties
that attest bulk mail legitimacy.  For example, if you think spammers
would respect legal threats, then the scheme of http://habeas.com/
would work.  Spammers have so far, and Habeas's claim that its header
whitelists mail for about half of all Internet mailboxes in
http://habeas.com/about/debunk.htm sounds like a powerful temptation.
If not, then you could replace Habeas's haiku with a public key.

That does not resolve all problems, as witness the recent controversy
about Habeas headers in some unsolicited bulk mail from Topica, but
problems like that would be tolerable if only most legitimate bulk mail
were marked.  Of course, the major problem for such a solution is
the transition.  Until almost all legitimate bulk is marked, there's
no reason for legitimate bulk senders to pay Habeas or whoever would
bond (http://www.google.com/search?q=bond+spam) or certify their mail.

    ....

About central whitelists:  yes, many users have had many addresses,
and some of us have not abandoned them to spammers.  However, if there
were a central whitelist, what would you do?  I would abandon and wire
as spam traps many of my extra or old addresses and do whatever is
necessary to whitelist the rest.  Fuzzy name matching, whether sendmail's
ancient or newfangled LDAP, would be turned off for senders outside
your corporate firewalls, as is already often the case.

Central whitelists could be enforced with marking (e.g. Habeas or
public key) or bonding or with laws.  Without laws, they have the
major transition problem.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg