
RE: [Asrg] Hello- and my 2 cents

2003-04-22 10:36:50
Perhaps we could get to some minimal requirements for any proposed solution:

0A) MUST actually reduce the amount of spam.

0B) MUST NOT cause wanted messages to be lost.

1) MUST be acceptable to end users, both senders and receivers.

2) MUST be acceptable to all parties required to deploy infrastructure in
order to support it.

3) MUST be robust in the face of minimal-effort counterstrategies on the part
of spam senders.


The 'minimal effort' clause means that a proposal need not be completely
foolproof but should certainly not increase costs for the defender beyond
those of the attacker. So proposals for legislation- and litigation-based
approaches are acceptable even though there is a well-known
counter-strategy, 'move abroad', since that is actually a high-cost
counterstrategy.

So far the commonly proposed solutions that we keep seeing fail as follows:

Challenge/Response
        Fails criterion #1: this proposal is simply unacceptable to many
senders who receive unwanted messages. It is also unacceptable to many
receivers since the wanted-mail loss rate is very high, at least on the
anecdotal evidence we have to date. I would like to propose that any further
proposals on this topic be accompanied by empirical measurement of that
point.
        Fails criterion #0B: this proposal is actually very unreliable when
both the sender and receiver deploy the same scheme. Challenges from one are
in turn challenged by the other, or silently discarded, or provide a way of
circumventing the scheme.
        Fails criterion #3: there is a simple counterattack that has been
used already: simply scan archives of mailing lists and forge the From
address and To address so that the messages appear to come from that list,
or from a list member.
        Fails criterion #3: another simple counterattack is to simply
install a responder that automatically replies to challenges. This can be
countered by use of a Turing-test-type approach, which then creates serious
accessibility issues. While these do not trouble many proponents, they are a
concern to many; they are also a concern to the users of RIM and Pocket PC
devices, where this type of challenge is simply not possible to match.


Sender Pays
        Fails criterion #0: there is no evidence that suggests that the spam
senders have less motivation to send email than other parties. While it is
clear that spam becomes uneconomic at some price point, it is far from clear
that this price point is lower for spam senders than for other senders.
        Fails criterion #1: this proposal is unacceptable to the vast
majority of people who host IETF mailing lists or any other legitimate bulk
email solution.
        Fails criterion #1: there is a built-in incentive to cheat and be the
last to pay the sender charge since recipients are forced to accept email
        Fails criterion #2: there is no major ISP that is interested in
supporting such a scheme, in public or in private.
        Fails criterion #2: financial transfer systems are expensive to
maintain, whether or not the charge is convertible. The DNS system
currently costs 0.005 cents per read-only transaction; this amount is
several orders of magnitude less than those charged in the telephone system.
This charge is subject to a significant level of complaint. A transfer
system would cost at least double to maintain and likely an order of
magnitude more. The lowest realistic cost that could be charged for maintaining a
simple ledger-based system is $0.05 cents, a level that would render many
existing Internet uses impossible. It would cost $350 a year to run a
mailing list with 100 subscribers and 20 posts a day.
        Fails criterion #2: the above calculations are for a system that has
no protection against fraud. Digital signatures etc. significantly increase
the cost of any solution, whether or not secure hardware is used.
        Fails criterion #2: there are well over 1 billion emails sent per day
to AOL alone. At the above charging rate that would mean a cost of $180
million per year.
        Fails criterion #3: there is a simple method of counterattack: simply
pay the money.
        Fails criterion #3: financial transfer systems are likely to be the
target of fraud, both to obtain stolen credits and for direct financial
gain.


Blacklists
        These also fail, but we all know that; that is one reason that spam
has suddenly become a live issue again: the spam senders are simply too big a
problem, and the scaling problems of blacklists are significant.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
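The criterion #0B failure described in the post above (two parties both running challenge/response, so challenges are challenged in turn or silently discarded and the original mail never arrives) is easy to reproduce in a small model. The following is an added example, not part of the original post and not the code of any real C/R product; the mailbox names alice and bob, the message kinds, the `challenge_challenges` policy flag and the hop cap are constructed assumptions for illustration.

```python
"""Toy model of mail delivery when one or both parties run a
challenge/response (C/R) filter.  Added example; names and policies are
constructed assumptions, not any real C/R implementation."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    kind: str = "mail"          # "mail", "challenge" (automatic) or "response" (human)


@dataclass
class Mailbox:
    """A plain mailbox with no filter: everything lands in the inbox."""
    owner: str
    inbox: list = field(default_factory=list)

    def _deliver(self, msg, net):
        self.inbox.append(msg)
        # A human who actually sees a challenge answers it.
        if msg.kind == "challenge":
            net.send(Message(self.owner, msg.sender, "I am human", kind="response"))

    def receive(self, msg, net):
        self._deliver(msg, net)


@dataclass
class CRMailbox(Mailbox):
    """A mailbox behind a C/R filter.

    challenge_challenges=False: a challenge from an unknown sender is
    treated as automated mail and dropped silently (the common choice).
    challenge_challenges=True: it is held and challenged like any other mail.
    """
    challenge_challenges: bool = False
    whitelist: set = field(default_factory=set)
    held: dict = field(default_factory=dict)     # sender -> messages awaiting proof
    dropped: list = field(default_factory=list)

    def receive(self, msg, net):
        if msg.sender in self.whitelist:
            self._deliver(msg, net)
            return
        if msg.kind == "response":
            # Sender proved to be human: whitelist and release held mail.
            self.whitelist.add(msg.sender)
            for held_msg in self.held.pop(msg.sender, []):
                self._deliver(held_msg, net)
            return
        if msg.kind == "challenge" and not self.challenge_challenges:
            self.dropped.append(msg)            # silent loss: nobody is told
            return
        # Unknown sender: hold the message and ask them to prove they are human.
        self.held.setdefault(msg.sender, []).append(msg)
        net.send(Message(self.owner, msg.sender, "prove you are human", kind="challenge"))


class Network:
    """Routes messages between mailboxes; max_hops catches challenge ping-pong."""
    def __init__(self, boxes, max_hops=50):
        self.boxes = {b.owner: b for b in boxes}
        self.queue = deque()
        self.hops = 0
        self.max_hops = max_hops

    def send(self, msg):
        self.queue.append(msg)

    def run(self):
        while self.queue:
            if self.hops >= self.max_hops:
                return "loop"
            msg = self.queue.popleft()
            self.hops += 1
            self.boxes[msg.recipient].receive(msg, self)
        return "quiescent"


def simulate(alice_box, bob_box):
    """alice sends one wanted message to bob; report what happened to it."""
    net = Network([alice_box, bob_box])
    original = Message("alice", "bob", "lunch tomorrow?")
    net.send(original)
    status = net.run()
    return {
        "status": status,
        "delivered": original in bob_box.inbox,
        "hops": net.hops,
        "alice_saw_challenge": any(m.kind == "challenge" for m in alice_box.inbox),
    }


if __name__ == "__main__":
    print("human -> C/R      :", simulate(Mailbox("alice"), CRMailbox("bob")))
    print("C/R -> C/R (drop) :", simulate(CRMailbox("alice"), CRMailbox("bob")))
    print("C/R -> C/R (loop) :", simulate(CRMailbox("alice", challenge_challenges=True),
                                          CRMailbox("bob", challenge_challenges=True)))
```

The first scenario is the one C/R proponents describe: the challenge reaches a human, who answers, and the mail is released. In the second, both sides drop automated mail from strangers, so Bob's challenge is discarded by Alice's filter and the original message sits in Bob's hold queue with neither party ever notified; that is the silent wanted-mail loss the post refers to. In the third, both sides challenge challenges and the exchange never terminates, which is why the model needs a hop cap at all.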