At 6:31 PM -0600 5/26/03, Vernon Schryver wrote:
> complicated instructions some web site has to provide. "We will be
sending you email from this address for the main stuff, and from this
address if there are administrative problems.
Why would you need to white-list the administrative address? Why
would adminstrative messages have ADV tags? They shouldn't be bulk
and they're argueably not "commercial."
Well, as we've both said. The ADV proposals are confusing.
> addresses to your whitelist, if you are using Eudora on the Mac, do
this, if Eudora on the PC, do that. If you are using the third party
whitelisting product xxx, do such and such. If...."
That argues for common user interfaces, not protocols for computers to
talk to each other.
Sure. And all Window's users should adopt the Mac interface--but
we're talking about the real world. Go read an ISP's support page on
configuring your email product to talk to their mail server. I've
had to write those things. It isn't fun. And I have users who call
me at least once a year because they got a virus and had to wipe
their disk and they've forgotten how to do it, could I please tell
them again.
> commercial mailings use a different one for each user--since the
bounce information encodes the recipients email address.)
Some people are unclear on the concept of X, for any value of X.
Confusing cute ideas with solutions to real problems is a common
way that happens. The mailing list package that does that is a
classic example of that syndrome.
Yes. But they do, and it will be a problem.
> But if you want to
whitelist by address, you definitely need to deal with more than one.
Even the typical mailing lists uses at least two addresses. (Some
commercial mailings use a different one for each user--since the
bounce information encodes the recipients email address.)
There is RFC 2919.
Which does not, as far as I can tell from reading it, indicate
whether administrative mail sent to an individual user (e.g. "your
email address has been bouncing frequently" or "please turn off your
vacation program") should have a list identifier. Nor does it
address non-list commercial email that comes from numerous addresses
(for perfectly valid reasons).
mailing lists. From tha experience, it seems to me that those lists
that don't suffer the cute idea syndrome are easy to white-list.
After lists using that system, the problems I've heard of are desires
to white-list all lists of some brand like Yahoo Groups.
Which could in theory be done using RFC 2919's sub-groups. But then,
lots of things would be easier if lists followed recommendations more
often.
I don't see any deferring of inevitable forgery, because whitelisting
is already extremely popular.
Whitelisting is popular among techies. I'm not aware that any of the
major email clients support it--which means that it's not in use with
most users. (Some mailers do support filtering based on whether
someone is in your address book--but my experience has been that the
average user has never created any filters.)
You're also assuming facts not inevidence, that forgery of mailing
list senders is a likely problem. If it is likely then why haven't
the spammers already been forging mail with practically universally
whitelisted markings, such as CERT.org advisories and Habeas's mark?
Because I'm making the assertion that the number of people who
whitelist is tiny. As evidence I'd offer a) that the majority of
users have a major spam problem, and b) my experiences with sending
mail to wormalert hoaxed folks using a different email address, yet
getting through fine.
I'd put them on all messages in a bulk mailing which includes or might
include some unsolicited copies--in other words on "opt-out" spam.
Have you ever met a bulk-mailer who thought they had any of those :-).
> Whitelists are hard to understand not because of the concept, but
because of the plethora of email addresses that need to be
whitelisted, and because people don't understand how easy forging is.
And on top of that--the plethora of (as yet non-existent... but give
them time) whitelisting interfaces.
There's no plethora that needs whitelisting.
Not if they are applied as you recommend. I agree.
List-ID headers are an obvious and good solution for identifying mailing
lists. Instead of white-listing sender FQDNs or SMTP client IP addresses
or host names, you could white-list List-ID strings.
Agreed.
In some respects, the (semi-articulated) proposal from the
bulk-mailing folks appears to be an attempt to provide a similar
identification mechanism for non-list, bulk mail.
--
Kee Hinckley
http://www.messagefire.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg