ietf-asrg
[Top] [All Lists]

Re: [Asrg] Introduction and another idea

2003-06-19 15:13:35
HTML email is also used by many companies for legitimate purposes.

True enough, but they CERTAINLY don't need to send such HTML-burdened E-mail to 
users who have not indicated their ability to handle it, and their willingness 
to receive it.  When they grant such permission to the sender, they can also 
update their sender-specific whitelist to also let it (for approved senders) 
pass through their ISP.

  2)  graphic-mode-text (likewise);

Same comment as above.

Please give a good, compelling example of why a sender would need to send 
(without prior agreement with the intended recipient) unsolicited graphic-mode 
text.

And in particular, things like cellphones, WebTV, pocketPCs maybe, SMS 
messaging 
units and so forth are probably not going to be able to handle such unsolicited 
mails.  Senders should NOT blithely send such stuff to users not specifically 
authorizing such transmissions in advance.

  3)  links which purport to be one thing but where the actual hyperlink 
in fact (and usually invisibly) points somewhere else;

Many spammers own their own domains and will not lose out from this.

The issue is for example when a hyperlink DISPLAYS "www.paypal.com" but 
actually 
goes to "www(_dot_)paypal(_dot_)com(_at_)34(_dot_)125(_dot_)19(_dot_)6" (or 
whatever) instead.  I've received 
examples of such fraudulent E-mails.  It will be less likely when the recipient 
has to VISIBLY copy-and-paste the (real) URL into their browser.  They'll be 
far 
more suspicious of complicated/obscured URLs than when they can't readily see 
them.

  4)  scripting where the message displayed only can be viewed as a 
result of
the computational process, again to make things difficult for content filters.

Attachments (especially in unsolicited E-mails) tend to frequently contain
viruses, worms, "background music" that's actually a PIF or EXE file, and 
things
of that sort.  Getting attachments from someone who doesn't ordinarily send
those is a warning sign that it might well be malicious.

Not all attachments are bad.

No, of course not.  But it's VERY rare that anyone legitimately needs to send 
an 
attachment to some recipient without prior arrangement or consent.  And with 
such prior approval, they CAN still send attachments without restriction.  They 
just have to get permission (and approval) first.  (And once that's done, they 
can presumably send them on an ongoing basis without any further hassle, 
either).

By enabling a user to simply t-can any unexpected HTML-burdened (or
attachment-carrying) incoming message (and ideally as soon as it got to their
domain provider or ISP), spammers would be denied many of their most 
cherished
and valuable tricks.  Content filters would be far more useful and 
efficient.
And much more of the remaining unsolicited spam that WOULD still be sent 
would
be sent in plain ASCII text (knowing that sending unsolicited HTML E-mail was
the kiss of death...) meaning it would reduce wasted bandwidth for such
remaining spam mail net-wide by at least a factor of three to five.

Thus proposal addresses many of the tricks that are used by spammers TODAY. 

Yes, exactly.

As Vernon and many others mentioned on the list before spammers change very 
quickly and can adapt their practices very quickly as well. 

True enough, but it's surprising how many of those tricks merely exploit OTHER 
peculiarities of attachments, HTML, scripting (based on HTML) and encoding.  I 
think those are the ENABLING technology for the great majority of their tricks 
and deceptions.

It's POSSIBLE that they'll come up with more techniques, suitable for plain 
ASCII text E-mails (I've seen spams that display the chutzpah to urge their 
recipients to enable scripting so the spammer can abuse that... although I've 
not seen such in a while, so maybe it turned out to not be a very successful 
ruse).

In any case, this technique will put a MAJOR crimp in their techniques, as well 
as come down hard on MOST viruses/worms/trojans.... then, I suppose, we can see 
what they come up with next, and deal with that as needed.  :-)

This scheme would be just a band aid to block some forms of spam until 
spammers will figure out a way around it just like many other proposals.. 

Certainly, but I think it's a VERY cheap and effective bandaid which blocks THE 
GREAT MAJORITY of spam, and is effective virtually from day one of the 
implementation.  I haven't seen anything as cheap, as readily implementable, 
and 
as effective, let alone an anti-spam technique that would also be so effective 
against virtually all viruses/worms/trojans.

Additionally, many of the "Nigerian Scams" arrive as plain ASCII emails 
already and this scheme will not stop them.

Absolutely, but content filters usually can make pretty short work of most of 
those.  The permission-based filter (by essentially blocking most of the 
tricks) 
make the remaining stuff pretty easy and straightforward for content filters to 
then take over the bulk of the residual.

I don't think ANY of these will eliminate ALL fraudulent E-mails, but they'll 
certainly go a long way towards putting the kibosh on the all-too-familiar 
recurring ones.

Again, we don't HAVE to eliminate ALL spam.  We just have to give it a success 
rate below the threshold at which it is profitable and worthwhile for 
spammers... below that critical mass, much of the rest may well just wither 
away 
on its own.

Another concern with this sceme is the fact that email will go back to the 
dark ages with no support for attachments and no HTML support. 

There is FULL support for attachment and HTML support... but ONLY for senders 
who have made arrangements in advance with their recipients to authorize that.

Some of us have preferred E-mail clients which don't support HTML anyhow... we 
should NEVER have that crap foisted upon us without wanting it.

Again, remember that HTML-burdened E-mail is typically 3-5x bulkier (and thus 
more costly) all the way along the line... not to mention filling up my Inbox 
to 
overflowing 3-5x sooner than it would otherwise.  That's a cost that is real 
and 
genuine, and I'm very unconvinced that (for MOST people) the incremental value 
of the information thus received is "worth it". 

But if it IS, it would be easy to authorize it, based on the senders you want 
to 
get it from.

This may increase people's use for email which is already under attack by 
spammers.  Is the medicine as bitter as the problem?

I certainly think not!!!!  All you do is to grant such trusted senders the 
ability to send (or continue sending) the mail you trust them with.  While 
blocking such risky/bulky/suspect stuff from everybody else.

Also, blocking base64 encoding would block email schemes where digital 
signatures are used.

Again, there is no point in sending digital signatures before you've made 
arrangements with the recipient to be able to receive and deal with those.  I 
don't think it's ever needed to send those unsolicited, as a primary contact 
with a given recipient.

Once you've established a relationship with those recipients, they can enable 
such encoding from you and there's NO further restrictions for YOUR exchanges 
of 
those types of E-mails.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg