HTML email is also used by many companies for legitimate purposes.
True enough, but they CERTAINLY don't need to send such HTML-burdened E-mail to
users who have not indicated their ability to handle it, and their willingness
to receive it. When they grant such permission to the sender, they can also
update their sender-specific whitelist to also let it (for approved senders)
pass through their ISP.
2) graphic-mode-text (likewise);
Same comment as above.
Please give a good, compelling example of why a sender would need to send
(without prior agreement with the intended recipient) unsolicited graphic-mode
text.
And in particular, things like cellphones, WebTV, pocketPCs maybe, SMS messaging
units and so forth are probably not going to be able to handle such unsolicited
mails. Senders should NOT blithely send such stuff to users not specifically
authorizing such transmissions in advance.
3) links which purport to be one thing but where the actual hyperlink
in fact (and usually invisibly) points somewhere else;
Many spammers own their own domains and will not lose out from this.
The issue is for example when a hyperlink DISPLAYS "www.paypal.com" but actually
goes to "www.paypal.com@34.125.19.6" (or whatever) instead. I've received
examples of such fraudulent E-mails. It will be less likely when the recipient
has to VISIBLY copy-and-paste the (real) URL into their browser. They'll be far
more suspicious of complicated/obscured URLs than when they can't readily see
them.
4) scripting where the message displayed only can be viewed as a result of
the computational process, again to make things difficult for content filters.
Attachments (especially in unsolicited E-mails) tend to frequently contain
viruses, worms, "background music" that's actually a PIF or EXE file, and things
of that sort. Getting attachments from someone who doesn't ordinarily send
those is a warning sign that it might well be malicious.
Not all attachments are bad.
No, of course not. But it's VERY rare that anyone legitimately needs to send an
attachment to some recipient without prior arrangement or consent. And with
such prior approval, they CAN still send attachments without restriction. They
just have to get permission (and approval) first. (And once that's done, they
can presumably send them on an ongoing basis without any further hassle,
either).
By enabling a user to simply t-can any unexpected HTML-burdened (or
attachment-carrying) incoming message (and ideally as soon as it got to their
domain provider or ISP), spammers would be denied many of their most cherished
and valuable tricks. Content filters would be far more useful and efficient.
And much more of the remaining unsolicited spam that WOULD still be sent would
be sent in plain ASCII text (knowing that sending unsolicited HTML E-mail was
the kiss of death...) meaning it would reduce wasted bandwidth for such
remaining spam mail net-wide by at least a factor of three to five.
Thus proposal addresses many of the tricks that are used by spammers TODAY.
Yes, exactly.
As Vernon and many others mentioned on the list before spammers change very
quickly and can adapt their practices very quickly as well.
True enough, but it's surprising how many of those tricks merely exploit OTHER
peculiarities of attachments, HTML, scripting (based on HTML) and encoding. I
think those are the ENABLING technology for the great majority of their tricks
and deceptions.
It's POSSIBLE that they'll come up with more techniques, suitable for plain
ASCII text E-mails (I've seen spams that display the chutzpah to urge their
recipients to enable scripting so the spammer can abuse that... although I've
not seen such in a while, so maybe it turned out to not be a very successful
ruse).
In any case, this technique will put a MAJOR crimp in their techniques, as well
as come down hard on MOST viruses/worms/trojans.... then, I suppose, we can see
what they come up with next, and deal with that as needed. :-)
This scheme would be just a band aid to block some forms of spam until
spammers will figure out a way around it just like many other proposals.
Certainly, but I think it's a VERY cheap and effective bandaid which blocks THE
GREAT MAJORITY of spam, and is effective virtually from day one of the
implementation. I haven't seen anything as cheap, as readily implementable, and
as effective, let alone an anti-spam technique that would also be so effective
against virtually all viruses/worms/trojans.
Additionally, many of the "Nigerian Scams" arrive as plain ASCII emails
already and this scheme will not stop them.
Absolutely, but content filters usually can make pretty short work of most of
those. The permission-based filter (by essentially blocking most of the tricks)
makes the remaining stuff pretty easy and straightforward for content filters to
then take over the bulk of the residual.
I don't think ANY of these will eliminate ALL fraudulent E-mails, but they'll
certainly go a long way towards putting the kibosh on the all-too-familiar
recurring ones.
Again, we don't HAVE to eliminate ALL spam. We just have to give it a success
rate below the threshold at which it is profitable and worthwhile for
spammers... below that critical mass, much of the rest may well just wither away
on its own.
Another concern with this scheme is the fact that email will go back to the
dark ages with no support for attachments and no HTML support.
There is FULL support for attachment and HTML support... but ONLY for senders
who have made arrangements in advance with their recipients to authorize that.
Some of us have preferred E-mail clients which don't support HTML anyhow... we
should NEVER have that crap foisted upon us without wanting it.
Again, remember that HTML-burdened E-mail is typically 3-5x bulkier (and thus
more costly) all the way along the line... not to mention filling up my Inbox to
overflowing 3-5x sooner than it would otherwise. That's a cost that is real and
genuine, and I'm very unconvinced that (for MOST people) the incremental value
of the information thus received is "worth it".
But if it IS, it would be easy to authorize it, based on the senders you want to
get it from.
This may increase people's use for email which is already under attack by
spammers. Is the medicine as bitter as the problem?
I certainly think not!!!! All you do is to grant such trusted senders the
ability to send (or continue sending) the mail you trust them with. While
blocking such risky/bulky/suspect stuff from everybody else.
Also, blocking base64 encoding would block email schemes where digital
signatures are used.
Again, there is no point in sending digital signatures before you've made
arrangements with the recipient to be able to receive and deal with those. I
don't think it's ever needed to send those unsolicited, as a primary contact
with a given recipient.
Once you've established a relationship with those recipients, they can enable
such encoding from you and there are NO further restrictions for YOUR exchanges
of those types of E-mails.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment! Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
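
Added example, not part of the original message: a sketch of the permission-based filter discussed above, which lists the restricted features a message uses (HTML, scripting, attachments, base64 encoding) and rejects it unless the sender was authorized for each one in advance. The `ALLOWED` table, the function names, the addresses and the sample messages are all hypothetical, and the `From` header is assumed to be trustworthy.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical per-recipient table: sender -> features approved in advance.
ALLOWED = {
    "newsletter@example.org": {"html"},
    "colleague@example.com": {"html", "attachment", "base64"},
}

def features_used(msg):
    """Return the restricted features a parsed message relies on."""
    used = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if part.get_content_disposition() == "attachment" or part.get_filename():
            used.add("attachment")
        elif ctype == "text/html":
            used.add("html")
            # Naive check: only literal <script> tags are recognised here.
            if "<script" in part.get_content().lower():
                used.add("script")
        elif ctype != "text/plain":
            used.add("attachment")  # any other non-text part counts as one
        if cte == "base64":
            used.add("base64")
    return used

def verdict(raw, allowed=ALLOWED):
    """Return ("accept", set()) or ("reject", features lacking permission)."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Assumption: From is taken at face value (no sender authentication).
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    missing = features_used(msg) - allowed.get(sender, set())
    return ("reject", missing) if missing else ("accept", set())

# Constructed sample messages, not real mail.
PLAIN = "From: stranger@example.net\nSubject: hi\n\nJust plain text.\n"
HTML_SCRIPT = ("From: stranger@example.net\nSubject: offer\nMIME-Version: 1.0\n"
               "Content-Type: text/html; charset=utf-8\n\n"
               "<html><script>document.write('hi')</script></html>\n")
HTML_TRUSTED = HTML_SCRIPT.replace("stranger@example.net", "newsletter@example.org")
B64 = ("From: stranger@example.net\nMIME-Version: 1.0\n"
       "Content-Type: text/plain; charset=utf-8\n"
       "Content-Transfer-Encoding: base64\n\nSGVsbG8=\n")

if __name__ == "__main__":
    for name in ("PLAIN", "HTML_SCRIPT", "HTML_TRUSTED", "B64"):
        print(name, verdict(globals()[name]))
```

The sender approved for HTML is still rejected for scripting, which shows that permissions in this sketch are granted per feature and not as a blanket whitelist entry.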