ietf-asrg

Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)

2003-05-26 18:38:17
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>

...
I don't see any deferring of inevitable forgery, because whitelisting
is already extremely popular.

Whitelisting is popular among techies.  I'm not aware that any of the 
major email clients support it--which means that it's not in use with 
most users.  (Some mailers do support filtering based on whether 
someone is in your address book--but my experience has been that the 
average user has never created any filters.)

I think you are mistaken.
  - I've seen users talk about using whitelisting with Hotmail
  - I think I've been told that Outlook can do something like whitelisting
  - Netscape 7's filters can be used to whitelist.


You're also assuming facts not in evidence, that forgery of mailing
list senders is a likely problem.  If it is likely then why haven't
the spammers already been forging mail with practically universally
whitelisted markings, such as CERT.org advisories and Habeas's mark?

Because I'm making the assertion that the number of people who 
whitelist is tiny.  As evidence I'd offer a) that the majority of 
users have a major spam problem, and b) my experiences with sending 
mail to wormalert hoaxed folks using a different email address, yet 
getting through fine.

That does not look like evidence for or against whitelisting to me.

It also does not address that evidence for the contrary position.
I believe Habeas's claim that most of the Internet has already
white-listed the Habeas mark.  So why aren't more spammers forging it?

And why don't you see forged spam supposedly from CERT or the IETF?

I don't really know how many people whitelist.  I suspect that as a
fraction of the Internet, they are a minority.  However 200,000,000
people is a minority.  5,000,000 is a tiny, 1% minority but enough for
spammers to notice.  (I'm seeing evidence that some spammers are paying
attention to the ~5,000,000 mailboxes protected by the DCC.)


I'd put them on all messages in a bulk mailing which includes or might
include some unsolicited copies--in other words on "opt-out" spam.

Have you ever met a bulk-mailer who thought they had any of those :-).

Of course!  And from the start of the spam problem.  That they say
things like "gift subscription" instead of "spam" is irrelevant.

When the current tiny number of idiots are finally squashed by the
DMA and Congress, we'll have as many "legitimate opt-out messages" as
we now have spam, because the current rate is only about 10 spam/user/day,
which is not quite or just barely at the threshold of pain...rather
like paper junk mail.

(I figure about 10 spam/user/day because many outfits with more than
a tiny handful of users report 5 to 50 total mail messages/user/day,
and 40-70% of all mail is spam.)


...
In some respects, the (semi-articulated) proposal from the 
bulk-mailing folks appears to be an attempt to provide a similar 
identification mechanism for non-list, bulk mail.

What is "non-list, bulk mail"?  As far as I can see, the bulk mail
from this mailing list is the same as any other bulk mail, except
that I trust no one is receiving unsolicited copies of this bulk
mail.  Whether the list is compiled with a proper opt-in handshake,
dictionary attacks, or any other mechanism is irrelevant.  This is
demonstrated by the unmitigated spammers that use ordinary mailing
list software.  All mailing list systems can be primed or extended
with 1 or 30,000,000 addresses.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


