From: Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com>
> From: "John Fenley" <pontifier(_at_)hotmail(_dot_)com>
> Someone mentioned writing some guidelines for responsible Challenge/Response
> systems. Any chance we could officially ask Earthlink to hold off deployment
> for a month so we can get something together to guide them?
Who is we, Kemo Sabe? As I keep saying, the IETF is about increasing
the likelihood of interoperation, not policing the network. What
consenting parties do with IP packets is their private business.
Earthlink and Earthlink's customers are consenting parties minding
their private business.
But set that aside and also the fact that this is an IRTF instead of
IETF group. If you were in charge of Earthlink and so probably had
a few minions who are familiar with the way the IETF works and know
that BCPs and standards track RFCs require at least months and sometimes
years to get past the final last call, what would you do? If you
were an Earthlink stockholder, wouldn't you expect your board of
directors to fire a CEO that delays offering something the market
wants because the IETF might someday say something about the best way
to implement it?
Don't you suppose that Earthlink had surely been testing their scheme
in fairly large scale trials for months before the public announcement?
Have you ever tried to tell people that what they've built and tested
for months must be delayed because some self-appointed experts like
us haven't commented on it?
Ok, good point, but I was mostly thinking about copycats. Who knows how many
other ISPs will copy what they do, but not put as much thought into it.
A list created by the ASRG to keep all prospective copycats from making the
simple mistakes could save a lot of pain for everyone.
I see Challenge/Response as the final threshold of Spam Blocking. If it is
done wrong on a large scale, it could sour the idea for everyone. Then when
a truly good way to implement it comes, everyone will dismiss it as having
the same old problems.
> Perhaps even a list of fatal flaws and suggested best practices would help.
>
> These are my suggestions for a beginning list of problems:
> 1. Avoid infinite loops.
Let's assume until contrary evidence arrives that Earthlink's designers
and implementors are not complete idiots.
Some groups of people are complete idiots. The people at Earthlink may have
a very good plan, but I haven't seen it, and I prefer not waiting for a
catastrophe.
> 2. Allow all Opt-in mail.
That is an impossible goal.
Not really, just requires infrastructure that isn't available yet.
I think Choicelist could handle this problem. I created that system
specifically to solve this problem with C/R.
> 3. Take steps to prevent spammer evolution.
That sounds impossible.
You just need to provide an incentive to behave in a certain way.
Let people bypass the filters by using ADV, then all the ADV mail is easy
for a user to deal with.
Personally it isn't the volume so much as the effort required to deal with
it.
If I could delete all the ADV mail with one click, I really wouldn't care how
many I got. 1000 is just as easy as 1, and the spammer has gotten through
the filters without needing to innovate.
They get lazy, we just delete their junk. Simple.
> 4. Provide proof that the challenge is legitimate.
Why except as eyewash? And what would it be?
Spammers have already started spoofing challenges to try to get through. I
didn't expect this, but it needs to be addressed immediately.
I don't know what form it would take yet.
> 5. Avoid simple reply style challenges that are easy to autorespond to.
That is a design trade-off. If you do that, you also prevent some
legitimate responses. Not all mail involves HTML. If it's text,
it's at least practical to parse.
I meant require a Turing test of some sort. Earthlink already has that, but
copycats may not realize that this is important.
> 6. Use generous auto whitelisting.
That also involves design trade-offs that can argue to the contrary.
Then argue them if you feel inclined, but don't make me guess what they are.
> 7. Support all types of identity proofs including new ones.
We don't want much, do we?
I feel it is important that any fledgling system at least have the ability
to adapt to later standards.
If you're gonna change the whole thing anyway, you might as well at least
acknowledge that spoofing will be a problem and leave an avenue to deal with
it. So I'll change that last one to:
7. Leave room for authentication mechanisms.
> 8. Don't just delete everything that doesn't respond correctly, perhaps
> reward correct challenges by placing them at the top of the inbox.
Spam that you see is not really filtered. Which of your time is wasted
on spam matters less than the fact that your time is stolen.
This was from a suggestion by someone else; it helps limit false positives.
Use the C/R as a helper, not a blocker. I thought that was a great idea.
I hope I've at least demonstrated that a challenge-response BCP is
not as simple as it sounds and that it would be unwise for Earthlink
to wait for an Internet ***RESEARCH*** Task Force to speak before
responding to the marketplace.
I guess you're right, but that doesn't mean we shouldn't make the list to
guide others. There will be stupid copycats. Earthlink is just going to be
testing now anyway; they are in beta, and they would probably like a little free
help seeing problems.
John Fenley