ietf-asrg
[Top] [All Lists]

Re: [Asrg] define spam

2003-03-30 22:42:16
On Sun, 30 Mar 2003 13:24:03 -0700 (MST) 
Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com> wrote:
From: J C Lawrence <claw(_at_)kanga(_dot_)nu>

While true, I do not see that as a problem that can be solved by
technical constraints.  To get noticeable traction on that larger
problem needs non-technical methods; legal supports, DMA opt-out
lists with penalties, etc.  Its not resolvable purely at the
transport or protocol level.

I may be biased, but I disagree.  

I don't consider a "solution" which defines and validates an arms race
as either a valid solution, or "traction".  That's a leaky bandaide at
best and bucket with a hole with 'Liza aboard a lifeboat at worst.

The DCC...

The DCC is a fine and respectable tool.  It, like SpamAssassin, bayesian
filtering, etc, are bandaides.  They might be very good bandaides (I'm
rather pleased with some of my own bandaides), but that doesn't change
what they are.  Heuristics do not make a protocol definition, they make
for better guesses, in this case against a target which doesn't want to
be guessed and has full transparency into the guessing methods and
criteria.

If you don't know what I'm talking about, then if I could suggest that
you look around for technical mechanisms including Brightmail,
Postini, Cloudmark, Pyzor, and the DCC without being offensive, I
would.

Sure, I'm familiar with them and even use a few today.  None of them
change the rules of the game.

However the problems of rogue spammers who forge, exploit, and cheat
can be better far constrained and defined than is allowed by the
current system, which in turn allows the application of non-technical
problem resolutions (law suits, public lynching, nuclear weaponry,
etc), and its that latter space I'm interested in.

I have not seen in this list or elsewhere any useful technical
mechanisms...

"Useful" is a subjective adjective.

... to deal with "rogue" spammers that really forge headers (as
opposed to using temporary drop-boxes) or do other illegal things
(illegal in many jurisdictions).

That's hardly a promise of future behaviour.

  - Mechanisms that involve new authentication or authorization
mechanisms cannot and will not work any better than the old and well
established mechanisms based on IP addresses, domain names, PGP keys,
and commercial and self-signed certificates.

Then perhaps the correct approach is to extend those methods.

  - mechanisms that are less than X% effective until at least X% of
users utilize them for X >= 0.2% are hopeless.  It will always be
extremely difficult to get 1,000,000 people to use any new anti-spam
or email mechanisms that do not benefit them significantly.  

There are levels of probability and realism.  Its a scalar function.  If
you wish to stay with the 100% gang please state so up front

AOL and Co are the 800lb gorillas.  SPAM is a many multi-million dollar
a year problem to them,; in operational costs, in customer churn costs,
in customer retension costs, etc.  Were we to come up with a reasonable,
well defined and demonstrably effective address I suspect we might find
them flexing their standards enforcement muscles.  Its certainly to
their advantage to, and could easily be argued as being part of their
responsibility to their stockholders...  (The idea of AOL being in the
actively driving seat is scary)

If your threshold of effectivenewss is 10%, not even getting AOL to
apply your mechanism will work.

<shrug>  So all is useless?

 - almost all spammers are easily identifable to people with minimal
technical clues.  

I've not found that true, not in the network sense, not in the sense of
containment of injection and not in the sense of prevention of receipt.
Perhaps I'm missing clues.

That fact has not helped us use lynching, bombs, etc. against them.

We may know who the human is.  That will help when and as the laws you
later mention progress.  What we don't recognize are the messages as
specifically his or specifically forged that human injects at the time
of injection, those messages as they are wandering the network, or even
(generally) as they hit an LDA.  If we could recognise any of those
things in a machine auditable and verifiable fashion we'd be in a
considerable better position.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw(_at_)kanga(_dot_)nu               He lived as a devil, eh?           
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>