ietf-asrg

Re: [Asrg] New take on emerging idea. (yet another C-R system?)

2003-04-10 14:24:44

On Thursday, April 10, 2003, at 01:57  PM, Kee Hinckley wrote:

At 12:52 PM -0700 4/10/03, Chuq Von Rospach wrote:
pull out a pen and make a minor change to the card, and the user now has an address that's pre-whitelisted.

If you can do that in your head, then the spammer can certainly figure it out. No?

Depending on how it's done, it could be open to dictionary attacks. You wouldn't want system-defined standards here, just a way to create layers of addresses. Still better than what we have now, but there's clearly a tradeoff between ease of use and how secure it is. Details TBD.

Also, keep in mind the sender's system. When you give people an address, they have this nasty habit of actually remembering it. They put it in their address book, they put it in their paper note-taking system. They put it in their database. If I need to shunt them to a permanent address, I need an easy way to do it.

Noted for later reflection.

register for Apple eNews with only whitelists the apple.com domain, the first time you get email using that registration token, it changes the whitelist to that address, not the entire domain.

Would that actually work? I know a lot of my Apple email seems to come from different addresses, but I couldn't swear as to which subscription caused which one.

It would, I think, and the confusion you bring up is one reason why I mentioned this. It goes back to the layers of consent. Subscribing to one newsletter doesn't imply subscribing to all, or to other marketing stuff, or... So once you know what addresses what you asked for are coming from, you want some way to know if you're getting other stuff, too.

set up your amazon.com account that accepts email from all of amazon.com, but only if the email relays in from a defined netblock.

Great until they contract something out to mx0.net or some such.

Again, it's the company's responsibility to deal with this, IMHO. Set the expectations, warn about changes, or deal with the consequences of not informing users what's going on. I consider this a feature in that it tells you what is being done so you can make a decision whether to accept it. It makes it harder for companies to do "consent creep" on you, because you can, to the level you care, set up your permissions to enforce it.

the nice thing is a system like this can be built simple enough for MY MOM,

As you just described it I'd be real reluctant to try and pitch that one to my mother.

As I have it in my head, I would. But there's a lot to be noodled out. But my model is basically how mail.app on OS X does spam processing. For the individual on a cable modem or home DSL, it doesn't have to get too fancy or complex. So for the "individual" system, the idea would be to generate functionality that could be used within the context of a GUI MUA without lots of geekiness. Worrying about more complex stuff will go into the organizational whitelisting system, or some hidden wizard mode for some stuff.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
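
Added example, not part of the original message or of any ASRG proposal: a minimal sketch of the two per-token policies discussed in the thread, a registration token that whitelists a domain and narrows to the first sender address seen, and a domain whitelist that only holds when the mail relays in from a defined netblock. The `TokenRule` fields, the `accept`/`hold` verdicts, the token names and the addresses are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class TokenRule:
    domain: str                      # sender domain whitelisted at registration
    pin_first_sender: bool = False   # narrow domain -> first address seen
    netblock: Optional[str] = None   # CIDR the relaying host must fall in
    pinned: Optional[str] = None     # filled in on first accepted message

def check(rules, token, sender, relay_ip):
    """Return (verdict, reason) for mail sent to the tagged address `token`."""
    rule = rules.get(token)
    if rule is None:
        return ("hold", "unknown token")
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    # A sender address is trivially forged, so the relay check runs first.
    if rule.netblock is not None:
        net = ipaddress.ip_network(rule.netblock)
        if ipaddress.ip_address(relay_ip) not in net:
            return ("hold", "relay outside registered netblock")
    if rule.pinned is not None:
        if sender == rule.pinned:
            return ("accept", "pinned sender")
        # Same token, new sender: the "other stuff" the user wants flagged.
        return ("hold", "token reused by a different sender")
    if domain != rule.domain and not domain.endswith("." + rule.domain):
        return ("hold", "sender domain not whitelisted")
    if rule.pin_first_sender:
        rule.pinned = sender
        return ("accept", "first use, whitelist narrowed to sender")
    return ("accept", "domain whitelisted")

def sample_rules():
    # Constructed tokens and documentation-range netblock, not real data.
    return {
        "enews-7f3a": TokenRule("apple.com", pin_first_sender=True),
        "shop-22c1": TokenRule("amazon.com", netblock="192.0.2.0/24"),
    }

if __name__ == "__main__":
    rules = sample_rules()
    for args in [("enews-7f3a", "news@apple.com", "198.51.100.5"),
                 ("enews-7f3a", "promo@apple.com", "198.51.100.5"),
                 ("shop-22c1", "orders@amazon.com", "192.0.2.10"),
                 ("shop-22c1", "orders@amazon.com", "198.51.100.7")]:
        print(args, check(rules, *args))
```

The last sample line is the contracted-out relay case raised in the thread: the sender domain still matches, but the message is held because it arrives from outside the registered netblock.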


