ietf-asrg

Re: [Asrg] Another criteria for "what is spam"...

2003-06-03 23:54:56
Folks,

Given the direction of this thread, here is a note I posted on the ietf
list's discussion of spam.

We really need to start appreciating the social impact that simplistic
definitions will have:


TH>  Spam
TH> is a social problem, not an engineering one. I contend that is why we
TH> already have a research group dealing with it (social problems are
TH> inherently difficult for engineers, thus requiring research to figure
TH> out). Focus the group on a tangible engineering problem, deployable
TH> authenticated email. Or as Vixie labeled the more generic, interpersonal
TH> batch communication system. 

The example of theft vs. locks provides a good perspective on both the
truth of your observation and the necessity that we take (appropriate)
action.

The key insight that comes from saying "social problem" is not that we
should do nothing, but that we need to have a shared agreement on the
details of the problem and the level of protection required.  And we
need to respond to it with appropriate, but limited, changes.

We are all quite comfortable making a distinction between the protection
needed for a home vs. protection for a facility holding a nuclear bomb.
We even are reasonably comfortable distinguishing what is needed for a
home in an idyllic "safe" environment versus one in a strife-torn
hell-hole.

No one believes that a house lock keeps out all intruders, and indeed
some do get in. But we *do* believe that house locks reduce the threat
to a socially acceptable level.

We have no such clarity or consensus about spam.

Worse, we *all* are seriously ignorant about solutions. Anyone who says
that they know the magic fix is blowing smoke.

First of all, there is not yet any existence proof for the reduction of
spam. Some interventions have reduced some aspects of spam, but the
total size of the beast has only been growing, and rapidly. There is a
key lesson here and it is mostly missed. The lesson is that spammers are
adaptable and -- as is true for all security threats -- raising the bar
keeps out the riff-raff but the truly serious attackers will develop a
different technique. In the case of spam, those serious attackers have
disproportionate leverage, because their software can be used by
less-serious drones.

More importantly, by saying "social problem" we are correctly implying
social *complexity*. Messaging touches core aspects of social processes.

No one knows how to "engineer" one property of a complex social process
without accidentally impacting others. And the key import of the word
"accidentally" is that these unintended consequences are typically
undesired.

This does not mean we should do nothing. Nor does it mean that there
should be no technical interventions.

It *does* mean that we need to treat this as an incremental systems
change process.

It *does* mean that we will need multiple types of changes, not just one
cure-all.

It *does* mean that we should approach those changes very cautiously,
even experimentally.

The place to start is with a modest, objective, operationalizable
definition of the thing we all agree needs to be handled differently.
So, let's not worry about the all-encompassing definition of spam. Let's
just -- hah! "just" he said -- target a single type of spam that is
massive and is massively offensive.

My personal favorite definition, these days, is

   Unsolicited Bulk Mail (UBE)
   
("Commercial" is too constrained, for me. I do not care whether the
message asks me for money, my vote, my religious affiliation, or simply
wants to share a bit of personal silliness with me.  In other words, the
detail of the content is irrelevant to me.  It does not even need to be
soliciting.)

Not all unsolicited mail is bad.  Not all bulk mail is bad.  But the
combination is universally reviled.

So we then need to define unsolicited properly. We must make sure to
permit me to make contact with someone for the first time. Not all cold
calls are bad; in fact they are essential to many desirable aspects of
social intercourse. We need to make sure that we define "permission"
properly -- as a kind of opposite to unsolicited -- and so we can then
enjoy wonderful debates about details such as double opt-in. And so on.
Still, I think the question of "unsolicited" is well-enough understood
to make it possible to get community rough consensus on a technical
definition that the engineering community can work with.

And we need to define bulk properly. This will be difficult. If I send
an unsolicited message to 2 people, does it qualify? What about 10
people, 100, 1000? Why? Why not?

The problem, here, is that I believe the qualifier "bulk" captures an
essential aspect of the problematic mail, so we can't simply drop the
term or say "anything greater than one".  Worse, the instant we choose a
number, the spammers will simply send batches that are one addressee
fewer than that maximum.

For that matter, the number of addressees per message might not be a
useful attribute, as marketeers have become good at tailoring content to
individual recipients, thereby producing one addressee per message. So
"bulk" requires considering behavior across multiple postings. Oh boy...

And that's why this is a research topic, no matter how essential it is
to engineer some mechanisms sooner rather than later. Let's do the
engineering and deployment, and let's do it quickly, but let's
appreciate that it is really research.





d/
--
 Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
 Brandenburg InternetWorking <http://www.brandenburg.com>
 Sunnyvale, CA  USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
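
An added illustration, not part of the original message, of the point made above about "bulk": a fixed addressees-per-message limit misses both batches sized one under the limit and tailored one-recipient mail, while counting distinct recipients per sender and normalized content across postings flags both. The sample log, the limit of 10, and the fingerprinting rule are constructed assumptions.

```python
import re
from collections import defaultdict

LIMIT = 10  # assumed threshold, chosen only for this illustration

# Constructed sample log of (sender, recipients, body); not real traffic.
MESSAGES = (
    # Five batches of 9 addressees each: one fewer than LIMIT per message.
    [("batch@example.net",
      [f"u{i}@example.org" for i in range(b * 9, b * 9 + 9)],
      "Cheap watches, buy now") for b in range(5)]
    # Forty tailored messages, one addressee per message.
    + [("tailor@example.net", [f"p{i}@example.org"],
        f"Dear p{i}, cheap watches, buy now") for i in range(40)]
    # An ordinary first-contact message that must not be flagged.
    + [("alice@example.com", ["bob@example.org"],
        "Hi Bob, we met at the IETF meeting")]
)

def per_message_bulk(messages, limit):
    """Senders flagged by a fixed addressees-per-message limit."""
    return {s for s, rcpts, _ in messages if len(rcpts) >= limit}

def fingerprint(body, rcpts):
    """Toy normalization: drop recipient names, case and punctuation."""
    text = body.lower()
    for r in rcpts:
        text = text.replace(r.split("@")[0].lower(), "")
    return " ".join(re.findall(r"[a-z0-9]+", text))

def cross_posting_bulk(messages, limit):
    """Senders whose same normalized content reached >= limit distinct
    recipients across all postings. Assumes the sender identity is
    reliable, which unauthenticated mail does not guarantee."""
    reach = defaultdict(set)
    for sender, rcpts, body in messages:
        reach[(sender, fingerprint(body, rcpts))].update(rcpts)
    return {s for (s, _), seen in reach.items() if len(seen) >= limit}

if __name__ == "__main__":
    print("per-message rule:  ", sorted(per_message_bulk(MESSAGES, LIMIT)))
    print("cross-posting rule:", sorted(cross_posting_bulk(MESSAGES, LIMIT)))
```

The cross-posting rule still depends on a chosen number and on how content is normalized, which is the open definitional question the message raises.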