From: J C Lawrence <claw(_at_)kanga(_dot_)nu>
...
in pre-paid envelopes. The only defenses against that sort of spam
that I know of are automated body filters such as the DCC.
While true, I do not see that as a problem that can be solved by
technical constraints. To get noticeable traction on that larger
problem needs non-technical methods; legal supports, DMA opt-out lists
with penalties, etc. Its not resolvable purely at the transport or
protocol level.
I may be biased, but I disagree. The DCC is works best against
unsolicited bulk email from corporations and others that don't try to
hide or fail to hide sufficently. It is currently working to the tune
of millions of spam/day and at what some users claim is better than
95% effectiveness. If you don't know what I'm talking about, then if
I could suggest that you look around for technical mechanisms including
Brightmail, Postini, Cloudmark, Pyzor, and the DCC without being
offensive, I would.
However the problems of rogue spammers who forge,
exploit, and cheat can be better far constrained and defined than is
allowed by the current system, which in turn allows the application of
non-technical problem resolutions (law suits, public lynching, nuclear
weaponry, etc), and its that latter space I'm interested in.
I have not seen in this list or elsewhere any useful technical mechanisms
to deal with "rogue" spammers that really forge headers (as opposed
to using temporary drop-boxes) or do other illegal things (illegal in
many jurisdictions).
- Mechanisms that involve new authentication or authorization
mechanisms cannot and will not work any better than the old and
well established mechanisms based on IP addresses, domain names,
PGP keys, and commercial and self-signed certificates.
- mechanisms that are less than X% effective until at least X% of
users utilize them for X >= 0.2% are hopeless. It will always be
extremely difficult to get 1,000,000 people to use any new anti-spam
or email mechanisms that do not benefit them significantly. If I
didn't already know, I would have learned from the DCC that the
first million users are hard even for a system that is 80% effective
from the first. Once you have a million users, you have only 0.2%
of the on-line population. If your threshold of effectivenewss is
10%, not even getting AOL to apply your mechanism will work.
- almost all spammers are easily identifable to people with minimal
technical clues. That fact has not helped us use lynching, bombs,
etc. against them.
What good have lynching and so forth been so far?
How are they relevant to this mailing list?
More simply: If we do wish to resolve those non-technical problems, then
this list has the wrong audience and wrong membership.
That's true, but it is also true that it is a waste of time to consider
technical solutions that are obviously useless because of non-technical
issues such as thresholds. Design by wishful thinking was popular in
the Dot-Com era and has always been popular in Usenet, but it is
always useless and less profitable than other autoerotic exercises.
...
The DMA will soon finish passing laws in all major jurisdictions that
criminalize header forgery as the first step in saving "push
advertising". (The other jurisdictions can be blacklisted by IP
address.)
Sadly the other jurisdictions can be fairly accurately defined as
!=America (tho in a few years that may expand to != (America +
EuropeanUnion). While I'm glad that some find that an interesting
problem space, I'm not one of them.
I'm not sure what you're saying. If you are saying that no progess
is being made on laws against spam in Europe and the U.S., then you
are mistaken. The progress is slow, but quite significant.
See http://www.spamlaws.com/
If you agree that laws in Developed World are arriving, then are you
saying that stopping spam from organizations in the Developed World
would not be a major improvement? Note that as far as the law is
concerned, spam sent via distant computers or networks is still "from"
the developed world if it is on behalf of Developed World outfits.
Lawyers and congresscritters don't know about and so aren't fooled by
IP routing, TCP proxies, or SMTP relays.
I certainly do not find working on laws an "interesting problem space."
It's possible the IRTF could effectively recommend laws, but I doubt
it. I know I'm not lawyer enough (or at all) to write laws.
They may be much better than email, but they are irrelevant and
off-topic here.
I'll merely note that recognition and analysis of protocols that do not
exhibit or allow the problem we see under SMTP can be useful.
Many things are useful, but most of them have nothing to do with stopping
email spam. This mailing list is about stopping email spam. Until
someone proves that requires stopping SMTP email, we are constrained
to deal with STMP. It might be right that SMTP must be replaced because
of spam or other reasons (I don't agree), but such discussions are more
irrelevant and off-topic here than whether SPEWS ever blocked all of
UUNET (never happened) or whether I influence SPEWS (I don't).
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg