ietf-asrg

Re: [Asrg] 2 - Solving Spam By Establishing A Platform For Sender Accountability

2003-06-28 14:21:44
From: Matthew Elvey <matthew(_at_)elvey(_dot_)com>

Boy, it seems like an increasing number of the posts I've seen since 
this list started come from posters who seem to be gravely misinformed 
or deliberately spreading misinformation. (General comment, not directed 
at Kee or Howard!) I hope this is something the ASRG reorg will try to 
address. It seems like the discussion of the most promising proposals is 
exceedingly rare.  :-(

We agree about some of that, but we may disagree about which is
the information and which is the misinformation.

Other IRTF mailing lists have been effective or at least interesting.
ASRG has been none of the first and little of the second so far.  For
example, end2end has long suffered the noise of those who wish that
research would consist of advocacy instead of doing one's own
measurements, simulations, coding, tests, trials, and even deployment.
However, end2end has also had people who are not only would be gurus
or leaders.

The most reasonable ASRG thread concerned Graylisting.  That report
was of measured results from real code in the real world, unlike
the white papers about RMX, consent, and the rest.

Various spam filtering is done on at least 50% of all mailboxes.
(Doesn't Brightmail claim 40%?)  If those filters are at least 50%
effective, then more than 25% of all spam in the Internet is already
being handled.  That's consistent with the reports of many that
their personal spam loads are lower than they were years ago.  Many
mailboxes are like mine, suffering an entirely tolerable load of
spam of fewer than 1-4 spam/week.

Contrast that fact with the positions of advocates for various silver
bullets.  They talk as if public, long term mailboxes like mine must
receive many spam/day and about stopping practically all of that spam
with their wonderful solutions.  None advert to the fact that at least
half of the field has already been taken by others who range from
silent (e.g. Postini, and SpamPal) to practically silent (Brightmail
and Cloudmark) to extremely quiet (SpamAssassin).

That's not to say that the current solutions are sufficient, but that
anyone who claims to have a silver bullet is spreading misinformation.
Dealing with spam today is about like networking 15 or 25 years ago.
NCP and TCP before congestion control and avoidance were useful.  The
claims of the ISO OSI, Appletalk, NetBEUI, and other silver bullet
mongers and research framework leaders eventually came to naught.
There is still good research to be done on TCP, and so I continue to
read end2end.  I try to ignore the wannabe leaders and would be gurus,
some of whom are still pitching x.25.



...
Result: the Internet is RMX ready for any domain that wishes to do so
to roll out and have it be highly effective.

Effective in what way?  The most commonly used sender domain names in
spam are those of the free providers.  (My measurements on ~30K recent
spam imply >40% of spam currently involves free provider sender
domains.)  Please offer some evidence that the major free mail providers
would go along with any sort of RMX system.  Outblaze is widely seen as
one of the most anti-spam free providers.  Please point out the words
in a web page (perhaps starting at http://outblaze.com/index.php )
where the owners of the 30,000,000 Outblaze mailboxes are told to send
only through Outblaze's servers.  Feel free to point out such words
in Hotmail's, Yahoo's, or some other major free (or non-free) mail
service provider's terms of service.


Trying to get the majority of the world's MUA end users to
upgrade is much more difficult, IMO.
I had cisco.com and some other major domains whitelisted for a while, 
but had to remove 'em due to repeated spam 'From' them. 
abuse@<trademark>.com seemed uninterested in pursuing abuse of their 
trademark.

That's interesting when you think about it.  Please offer some evidence
other than your personal assurances that Cisco would restrict employees
from sending mail with cisco.com sender addresses from random locations
including their homes, customer sites, hotels, and even airplanes in
order to stop that abuse of their trademark.


...
The issue is that people send mail "from" one domain while using the 
mail servers of another.  This is done all the time for perfectly 
legitimate reasons.  Not only is it done on an individual level, it is 
also done regularly in mass commercial mailings (which are sent by one 
company on behalf of another).  Using the "reply to" to authenticate 
breaks all of that.  Yahoo users can only send mail using Yahoo's web 
mail.  Macromedia can't send mail from "support(_at_)macromedia(_dot_)com"
using mx0's mail servers, and so on.

This capability is NOT broken with the RMX proposal.  Any legitimate 
users WILL be able to use the domain of their choice.  There are at 
least 3 ways yahoo users could continue to use their own servers in an 
RMX-compatible world.

That is so wrong that it qualifies as what you called "misinformation."
Why didn't you touch on those three ways Yahoo users could use "their
own servers"?  Was it because expecting users to adjust the DNS
records for the IP addresses from which they are sending mail at
the moment would sound so completely unrealistic?

Some RMX-like proposals require adjusting among the RRs of the SMTP
client based on its IP address.  Those are merely grossly implausible.
Other RMX-like proposals that use RRs in the envelope sender zone
domain are worse, given the fact that free providers show no signs of
objecting to their users sending from elsewhere.


...
In an RMX world, domain-based DNSRBLs can be highly effective, with low 
false positives and low false negatives.

Domain and IP address based DNS based blacklists can be highly effective
with quite low false positive and usefully low false negative rates
outside RMX worlds.
The reason that there are so few domain based DNS blacklists is
that the easy choices are fairly static, and because the legal liabilities
sound worse.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
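
The check that RMX-like proposals ask a receiving server to make, as an added example (not code from this message, the thread, or any RMX draft). It assumes a simplified model in which each sender domain publishes a list of authorized networks; the policy table, domains, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed policy table: sender domain -> networks its owner authorizes.
# Simplified model only; this is not the record format of any RMX draft.
# Domains and addresses come from reserved documentation ranges.
POLICY = {
    "corp.example": ["192.0.2.0/24"],
    "freemail.example": ["198.51.100.0/25"],
}


def check_sender(envelope_sender, client_ip, policy=POLICY):
    """Return 'pass', 'fail' or 'none' for one SMTP transaction."""
    domain = envelope_sender.rpartition("@")[2].lower().rstrip(".")
    networks = policy.get(domain)
    if networks is None:
        # The domain publishes nothing, so the receiver has nothing to enforce.
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in networks):
        return "pass"
    return "fail"


# Constructed transactions: (envelope sender, connecting IP, scenario).
SAMPLES = [
    ("alice@corp.example", "192.0.2.25", "employee via office relay"),
    ("alice@corp.example", "203.0.113.77", "same employee via hotel relay"),
    ("bob@freemail.example", "198.51.100.10", "provider's own outbound server"),
    ("bob@freemail.example", "203.0.113.5", "user sending from elsewhere"),
    ("carol@unpublished.example", "203.0.113.9", "domain with no policy"),
]


def evaluate(samples=SAMPLES):
    """Run the check over every sample and return (scenario, verdict) pairs."""
    return [(note, check_sender(sender, ip)) for sender, ip, note in samples]


if __name__ == "__main__":
    for note, verdict in evaluate():
        print(f"{verdict:5}  {note}")
```

The second and fourth transactions both return `fail`: the check sees only the domain and the connecting address, so a legitimate user sending from an unlisted network gets the same verdict as a forged sender.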


