From: Scott Nelson <scott(_at_)spamwolf(_dot_)com>
...
actually pay attention to message-ids are less confused. As more
people do it, the benefit increases. The message-ids are compatible
with the legacy system. The major cost is the cost associated
with any change. I wouldn't expect anyone to roll out a new
version just for this, but I hope that many will add it in and
roll it out with their next revision.
...
What is the reasonable basis for your hope? Certain large vendor(s)
not only can't even get things like "out-of-office" messages right but
insist that their broken wrong way is the right and only way. Why
would they generate your flavor of Message-ID, assuming it is all you
say it is and more? Then there are the people who use qmail despite
the fact that when qmail acts as an MUA (e.g. generates a DSN or when
fronting for a mailing list), it often does not generate any Message-IDs,
and these are exactly the early-adopters you would hope to use your
new flavor. As you say, the benefits for generating your message-IDs
start at zilch and with noticeable costs (e.g. release cycle), and
slowly improve over the years. I'm not saying it can't happen, but
asking for a better reason than "it would be nice" and "maybe someday
it will help somewhat."
(I know that qmail often does not generate Message-IDs because detecting
their absence is one of my better spam filters. Qmail systems are
the only significant false positives for my mail and the most significant
false positives for the 1,000,000's of mailboxes protected by the DCC.)
...
All these things are changes, and changes take time.
But the costs are small, and the potential benefits large.
I've made bazillions of low cost eventually high profit suggestions in
zillions of areas over the last 35 years. If even 10% of them had
been adopted, we would be in heaven...or something. I've long since
realized there are two kinds of changes, those that I can make personally
or that can be made by people I know and can convince, and very long
shots that are almost always wastes of time to even talk about except
while "shooting the bull." Convincing people you don't know at
addresses you can't even describe to do something like change their
message-ID generating code for a possible reward in several years is
one of the second kind. It could happen, but we better have a fall
back defense against spam.
Most spam isn't going to look like a challenge until challenges
are wide spread.
Yes, and C/R systems are unlikely to ever be widespread.
I wish the C/R advocates would get on with specifying their protocol
or whatever in an I-D and then RFC so that the world can move past
that chimera.
...
C/R systems depend on and will in practice devolve into whitelisting
systems. It would be good to finish the C/R protocols, IDs, or whatever,
and move on to the whitelisting mechanisms that C/R systems require.
That's where most of the utility will lie. You'll need protocols or
some sort of mechanical support to exchange self-signed certs, PGP keys,
or whatever to foil spammer attacks on the whitelisting system.
Even with a crypto-secure mail system,
I can't see any way to prevent someone on whom you're dependent
from abusing that and spamming through the whitelisted channel.
My best answer so far is "If spam only came from the companies
you dealt with, that's better than the current situation.".
On the contrary, junk mail from your correspondents "scales."
Practically no one's correspondents increase with the size of the
Internet (at least not this century). The melt-down problem of spam
would not apply if you only received junk mail from people and outfits
you know. Besides, when one of your whitelisted correspondents goes
over to the dark side, it takes only a moment to fix the problem
forever.
...
then almost all spam would be forged. I can see ways to prevent
forgery, but they all involve esoteric knowledge, trusted third
parties, and require large scale acceptance before any real
benefit is realized. Most people would balk at rejecting
a sender that isn't certifiable, even if 90% of the senders are.
Even Microsoft would have trouble achieving 90% penetration.
I agree with that, but others seem to have other views.
OTOH, it might be possible to at least get "automated notice of
something important" messages to be digitally signed, sent from
trusted IPs or whatever whitelist mechanism becomes a standard
(assuming of course that there ever is a standard).
You keep saying things related to that notion of "important messages"
that I don't understand. All spam are important messages according to
their senders--no sarcasm intended.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com