From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>
...
Why? If envelope and headers are not forged, then when you decided
you want blue pills that grow loans from deals4u2buy.org you can
whitelist mail from deals4u2buy.org by pointing and clicking purely
on your own system. At worst you can start watching your logs of
rejected mail and click on a caught sample to whitelist it.
That's not where I want them to communicate. I think we all agree
that we don't want to spend time wading through our spam mailbox to
see if there's anything good. It's better than wading through our
normal inbox to see if anything's good, but not by a lot. So I want
to whitelist *before* I get the email. Which means that I need to
know what address is going to be sending. Imagine all the
complicated instructions some web site has to provide. "We will be
sending you email from this address for the main stuff, and from this
address if there are administrative problems.
Why would you need to white-list the administrative address? Why
would adminstrative messages have ADV tags? They shouldn't be bulk
and they're argueably not "commercial."
In order to add these
addresses to your whitelist, if you are using Eudora on the Mac, do
this, if Eudora on the PC, do that. If you are using the third party
whitelisting product xxx, do such and such. If...."
That argues for common user interfaces, not protocols for computers to
talk to each other.
... (Some
commercial mailings use a different one for each user--since the
bounce information encodes the recipients email address.)
Some people are unclear on the concept of X, for any value of X.
Confusing cute ideas with solutions to real problems is a common
way that happens. The mailing list package that does that is a
classic example of that syndrome.
- that Deals4u2buy.org will use N-different addresses. On the
contrary, they'll good reasons to tell you their sender domain name
and to keep it constant.
Domain, sure. But whitelisting by domain is asking for even more
trouble than whitelisting by full address.
I meant full address.
But if you want to
whitelist by address, you definitely need to deal with more than one.
Even the typical mailing lists uses at least two addresses. (Some
commercial mailings use a different one for each user--since the
bounce information encodes the recipients email address.)
There is RFC 2919.
The DCC detects bulk mail by protocol and unsolicited bulk mail by
adding local whitelists. The DCC source includes a sample whitelist
and I hear from the thousands of installations of DCC clients. Because
of that, I claim some direct and second hand experience whitelisting
mailing lists. From tha experience, it seems to me that those lists
that don't suffer the cute idea syndrome are easy to white-list.
After lists using that system, the problems I've heard of are desires
to white-list all lists of some brand like Yahoo Groups.
On the other hand, doing whitelisting by address just defers the
inevitable forgery a little longer. So without authenticated sender,
I whitelisting seems doomed. And since virtually every "make a major
change to SMTP" system out there seems to depend on whitelisting as a
transition tool, there's going to be a very interesting race.
I don't see any deferring of inevitable forgery, because whitelisting
is already extremely popular.
You're also assuming facts not inevidence, that forgery of mailing
list senders is a likely problem. If it is likely then why haven't
the spammers already been forging mail with practically universally
whitelisted markings, such as CERT.org advisories and Habeas's mark?
...
- Why can't people understand ADV tags and whitelisting? I don't recall
encountering anyone who couldn't but who could handle email. Proof
I don't understand ADV tags. Does Amazon have to send me my purchase
receipts with an ADV tag? Does an opt-in list have to use an ADV
tag--or just the people who randomly spam me? I don't know what it
means. And it seems to me that it was you who berated me for trying
to differentiate between different types of content from the same
sender when I tried to differentiate between transactional email and
advertising email. You had some good points. But isn't that what an
ADV tag tries to do? If not, then I don't dare block it.
I don't like ADV tags because the laws that mandate them seem as
muddled as the noise about spam in the main IETF list. In this thread
I've assumed for the sake of discussion that ADV tags make sense,
despite my lack of understanding. I think ADV tags could make sense.
I'd put them on all messages in a bulk mailing which includes or might
include some unsolicited copies--in other words on "opt-out" spam.
Whitelists are hard to understand not because of the concept, but
because of the plethora of email addresses that need to be
whitelisted, and because people don't understand how easy forging is.
And on top of that--the plethora of (as yet non-existent... but give
them time) whitelisting interfaces.
There's no plethora that needs whitelisting.
There are plenty of existent whitelisting interfaces, but that is a
problem.
- we already have standardized mechanisms for identifying mailing lists.
RFC 2919 is on the standards track.
Okay. But I'm not sure where that ties into this issue.
List-ID headers are an obvious and good solution for identifying mailing
lists. Instead of white-listing sender FQDNs or SMTP client IP addresses
or host names, you could white-list List-ID strings.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg