ietf-asrg

Re: [Asrg] Introduction and another idea

2003-06-19 14:57:31
On Thu, Jun 19, 2003 at 02:21:45PM -0600, Vernon Schryver wrote:
>> I maintain a number of mailing lists which the members of various
>> (non-technical) organizations use to communicate with each other.  The
>> volume of legitimate HTML email on these lists is quite high.

> Is it high because those people use bold, italic, and so forth or
> because their MUAs send in HTML by default and they are not savvy
> enough to fix that problem?

I'm not sure, but my impression is that there's a fair amount of both.

> What I find bizarre is the persistent equating of turning off HTML by
> default with banning HTML.

Fair enough.  But even if all MUAs turned off HTML by default, spammers
would continue to use HTML.

Getting back to Gordon Peterson's proposal, he suggests a mechanism which
would discourage the use of HTML and attachments, by forcing people to
explicitly give others permission to send them those types of messages.
This is meant to reduce the effectiveness of spam and address-harvesting
techniques, and increase the effectiveness of content filters.

Unfortunately, I think the vast majority of computer users have absolutely
no idea what HTML is.  As a sysadmin, I've tried to explain it to people,
and their eyes glaze over. They also have trouble grasping the notion of
'plain text', i.e. a format that doesn't support all the things they
normally think of as being available in 'text' (which for them means what's
available in Microsoft Word).  Once they understand the severe limitations
of this wonderful 'plain text' format which I'm encouraging them to use, the
first thing they want to know is how to make sure that they never use it.
They *like* the fact that when you reply to a message, Outlook puts the
quoted text in a different colour; they feel that it makes messages easier
to read.  To them, right angle-brackets look like something out of the Stone
Age.

Imagine Sally User, who is a customer service representative, or a
freelancer.  Her ISP starts offering the proposed permissions service.  She
has no idea what HTML is, but she gathers that it's something about reducing
spam, so she accepts the default permissions, which are quite restrictive.
Suddenly people who write to Sally find that their messages bounce, with an
automated reply saying: 'Please send me a plain-text message asking for
permission to send me HTML email or attachments.' These correspondents have
no idea what this means (remember, they don't know what HTML is, either),
and are put off by the fact that their email was rejected.  So they simply
take their business somewhere else, to another company or freelancer who
doesn't reject their email.  When Sally finds out, she's horrified, and
quickly sets her permissions to accept anything from anyone.

I suspect that most people, if they understood that restrictive permissions
would cause legitimate messages to bounce, would opt for giving full
permissions to all senders.

As for making content filtering more effective, it would be easy for content
filters to strip out all the HTML tags, comments, JavaScript, etc. from a
message before filtering.  No need to actually parse the HTML.  (I'd be
surprised if there weren't content filters that do this already.)

Finally, even if this proposal worked exactly as planned, why couldn't
spammers do just fine with ASCII?  The Nigerian 419 spammers and their
imitators have been using ASCII all along, and if they were a bit more
clever about their wording, it would be quite difficult to filter.

Again, I think this is all really beside the point.  We're here to come up
with a mechanism to stop unsolicited bulk email.  Gordon's proposal is
concerned with some superficial properties that much spam currently has, but
doesn't deal with the core issues: 'unsolicited' and 'bulk'.

Ben

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
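
The tag-stripping step described in the message above, as an added example that is not part of the original post: a regex-only pass (no HTML parser, as the message suggests) that drops comments, script/style blocks and tags before a content filter tokenizes the body. The sample body, the function names and the choice of block-level tags are assumptions made for illustration.

```python
import html
import re

# Constructed sample body: markup, a comment and an entity hide the words
# a filter would score if it tokenized the raw bytes.
SAMPLE_HTML = (
    '<html><head><style>p{color:red}</style>'
    '<script>var x = "free money";</script></head>'
    '<body><p>Buy che<!-- zq81 -->ap me<b></b>ds n&#111;w</p>'
    '<p>Click <a href="http://example.invalid/x">here</a></p></body></html>'
)

_COMMENT = re.compile(r'<!--.*?-->', re.S)
_SCRIPT_STYLE = re.compile(r'<(script|style)\b[^>]*>.*?</\1\s*>', re.S | re.I)
# Tags that end a word when rendered; everything else is treated as inline.
_BLOCK_TAG = re.compile(r'</?(p|div|br|tr|td|li|h[1-6]|table)\b[^>]*>', re.I)
_ANY_TAG = re.compile(r'<[^>]*>')
_WORD = re.compile(r"[a-z0-9']+")


def visible_text(body):
    """Reduce an HTML body to roughly the text a reader would see."""
    body = _COMMENT.sub('', body)        # no space: split words rejoin
    body = _SCRIPT_STYLE.sub(' ', body)  # script/style content is never shown
    body = _BLOCK_TAG.sub(' ', body)     # block tags separate words
    body = _ANY_TAG.sub('', body)        # inline tags vanish without a gap
    body = html.unescape(body)           # &#111; -> o, &amp; -> &
    return ' '.join(body.split())        # collapse whitespace


def filter_tokens(body):
    """Tokens handed to the content filter after stripping."""
    return _WORD.findall(visible_text(body).lower())


def naive_tokens(body):
    """Tokens a filter would see without the stripping step."""
    return _WORD.findall(body.lower())


if __name__ == '__main__':
    print(visible_text(SAMPLE_HTML))
    print(filter_tokens(SAMPLE_HTML))
```

This pass discards link targets along with the tags; a filter that also scores URLs would need to collect `href` values before stripping.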