From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
...
- A definition of the spam problem based on 89 messages received by
...
I don't think the sample size is the biggest problem, the fact there
is only one sample source and thus a huge bias is a bigger problem.
The point is that we should do some actual studies. We have some spam
traps going and we are collecting data for a bigger study. However
someone somewhere must be doing this in an academically rigorous way
surely?
I am bothered by the facile talk from many quarters of a spam corpus
of a few thousand messages collected over months or years. Characterizing
spam in an academically rigorous way is hard and I heard of no serious
efforts in that direction. If one doesn't have many current samples
from many addresses at many different kinds of domains, I do not see
how one could claim to have more than mildly interesting anectdotes.
We're talking about a population of 1,000,000,000s of messages sent
daily to 100,000,000s of addresses. Any sample of fewer than 0.1% or
1,000,000s of messages/day (millions per day!) requires convincing
arguments that it is representative instead of mere anectdotes.
There have been major shifts to and fro in various characteristics of
spam in my traps. For example, base64 encoding is much less common than
it was a few months ago. Before that, it was less common than it is
now. Those characteristics are representative, but only of what my
traps see, which is to say they are mere anectdotes.
...
- The section about blacklists in the document describes actions by
minor blacklists such as attempted extortion as if they were
representative. They are not.
The extortion issue is a minor one, ...
Overstated or misleading rhetoric is not good when trying to convince
people of things they don't already believe. Besides, I think you
mischaracterized those particular trivial incidents. It is more
accurate to say anything from Verisign is the work of the devil because
of Verisign's history than to point at requirements for payments for
investigations by operators of what were in effect private blacklists
or to reason that the major blacklists are vigilantism because the
Rhyolite Software list of unwelcome domains is kooky.
...
- On page 10, the document mischaracterizes NNTP as using a
"pull model."
NNTP is a pull model, both at the client to server and server to
server levels. Each server queries the others as to what is new
within a particular set of newsgroups. Then individual messages
are requested on an individual basis.
The NNTP "ihave/sendme" server-server mechanism is not a "pull model"
similar to "pull" for email. If the NNTP client-server or reading
mechanism is involves a "pull model", then so does email because of
IMAP and probably POP. Besides, the "pulling" of NNTP had nothing
to do with controlling netnews spam.
- Page 13 seems to mischaracterizes the DCD as using 'honey-pots' or
other automated or manual spam sampling techniques and
"fingerprints"
of "known spam messages." That is not what the DCC is about.
I sent you spome questions in that respect and you bounced them.
Descriptions of the DCC are easily found with
http://www.google.com/search?q=dcc
I think verisign.com has not received any "bounces" from my SMTP server.
However, there have been SMTP rejections. As has been repeated
pointed out by others here, the distinction is significant.
Private conversations require minimal trust and mutual regard.
- Page 23 seems to deny the existence of SIEVE.
Does SIEVE have the buy in of the major email MTA and MUA software
vendors? Standards, shmandards, the test of a standard is support.
The road to hell is paved with Internet Drafts...
...
Do Verisign's ideas "have the buy in of the major email MTA and MUA
software vendors"? The transition problem is real and cannot be
ignored for any mechanism. I'm not optimistic about the likely
deployement of SIEVE (or its utility). However, its prospects are
incomparably better than any proprietary offering, particularly from
Verisign. It is not only that experienced and thinking people are
rightfully skeptical of proprietary solutions. SIEVE could be useful
to the first user of the first implementation, while any authentcation
mechanism is useless until a significant fraction of the 500,000,000
Internet users sign up (and I think useless against spam even if that
were to happen).
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg