Re: [Asrg] Consent Proposal
2003-06-30 11:00:19
At 05:06 PM 6/30/2003 +0000, Mark McCarron wrote:
Thankyou for your reply. I have not been posting this conversation to the
group. You can if you wish, you have my full permission to do so.
Sorry, I wasn't refering to you personally about selling anti-span
solutions, that was just a general comment. 'The Ultimate Spam System'
may be too hard to handle, but that is an accurate description of the system.
There are numerous other proposals that seek to change the underlying
infrastructure - YOU ARE NOT ALONE. Example of this would be Walter Dnes's
proposal, another example would the AMDP protocol
(http://www.amdpmail.com/), MTP protocol
(http://www.danisch.de/tmp/draft_mtp.txt), etc. Also take a look at this
list message
(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg00882.html)
that lists objection to new systems.
Also, as you learn within the next few hours, the system will be near
impossible to hack based upon its architecture. I have complete the
overview today, and it will be released in the next coming hours to the
mailing group.
I feel that change to the architecture is the magic bullet solution. I am
not claiming this will be easy, but it is certainly far from impossible.
We know as a group that changing the architecture will significantly reduce
the spam problem. However, moving over and implementing such change is
extremely hard as Alan DeKok and many other pointed out. Our goal is to
create a cohesive framework for anti-spam solutions with short, medium and
long term solutions.
This will not be an alternative email system that will reside along side
the current one. It will replace it completely making it entirely redundant.
However until it does, it will operate side by side with the regular SMTP.
Thus, its alternative.
The US military is instigating a change to IPv6 in mid 2004 or 2006 (I'll
clear that date up, the source is at Reuters, I read it a few days ago).
This will have a global impact, I believe that 'GIEIS' would be
implemented at this stage also.
IPv6 is backwards compatible with IPv4 UNLIKE your system, Walter Dnes's
proposal and many others have accounted to backwards compatibility, you
have not yet as seen from this quote:
"What would happen if this system was implemented and I tried to send spam
or even an email from an older server?
The message would not be received by those protected by 'GIEIS'."
Also, my system would inform users when a limit was reached. Users would
know if they sent this volume of email and the system would have
information of those who suspect their machine was infected or hacked.
This idea has been proposed before by Mike Rubel
(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg04616.html).
Mark McCarron.
From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
To: "Mark McCarron" <markmccarron_itt(_at_)hotmail(_dot_)com>
Subject: [offlist] Re: [Asrg] Consent Proposal
Date: Mon, 30 Jun 2003 12:29:09 -0400
The consent framework is not a specific solution - its a framework.
Various anti-spam tools and proposals including yours will fit into this
framework. It is more of a bird-eye view of all anti-spam solutions.
As for your specific proposal, first of all my company does not write or
distribute anti-spam software so I do not have "financial considerations"
here. I also do not like the name calling between different group members
- it causes a feeling of discord. Additionally, calling your system "the
ultimate anti spam system" is a bit too much for most members to handle.
I would like to see everyone to stay away from name calling while keeping
in mind that this is a technical list.
As for the technical considerations of your proposal, what you are
proposing essentially is an alternative email system along side of the
current one. This is similar to the system being proposed by Walter Dnes
except that his system does not rely on cryptographic methods (see
https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg05683.html).
The problem with this system is three fold - one is the fact that
everyone has to change in order to use it which is also a problem with
Walter's proposal. The second problem is privacy - what you are
essentially proposing is that every single email message will have a
tracking number that can be traced to the sender. This creates potential
for abuse. Third, inter-operability with existing email is a big problem
as well since no one would want to use an alternative system unless many
people will switch over to it and many people will not switch to it until
others use it. If you look through the mailing list archive somewhere
there is a list of requirements by Eric Williams. I asked him to email me
the most recent copy which I will forward to you. Among those
requirements, deployment and inter-operability rank pretty high up.
It is obvious that creating an alternative email system will cut down on
spam since its the open nature of the Net that causes it. But as I
mentioned before, cell phone companies build their SMS systems based on
email (at least in US) and SMTP, so you can see how pervasive existing
standards are. Additionally, as Barry Shain has mentioned many times
before, much of spam is being sent via hacked computers. Even with your
rate limits in place, spammers can probably be able to coordinate many
hacked computers to send spam from legit GEIS/EAS senders.
Among the various discussions over the last few months, many of the group
members have reached a conclusion that there is not magic silver bullet
that will stop spam overnight. Rather, a combination of various solutions
and proposals will start cutting into the spam flow until it stops.
Yakov
P.S. I am replying to you off-list since the message that you sent me was
not CCed to the group list. Please let me know if this is correct because
I would rather have discussions in public so we can get comments from
other people.
At 03:23 AM 6/30/2003 +0000, Mark McCarron wrote:
Paul is an excellent poster, he has the subject matter clearly
defined. I see he has broken the issue down to two major catagories,
local and global.
The consent system is going to be difficult to implement, I haven't seen
anything that actually deals with issue of how to prevent sending spam.
The 'GIEIS' system would be on the middle ground in terms of consent and
its application would be global. It forces the erasure/stoppage of all
fraudulent email but also allows the end-user the whitelist options.
There has been a lot of confusion on the system and I have been
compiling all the postings in one file so that I can clearly address all
concerns.
Also, there seems to be quite a bit of opposition to the idea of a
centralised angency and a lot of paranoid responses to it. The more I
post on the subject, and the clearer the system has become, concerns
have dwindled. The main opposition now comes from those advocating
'anti-spam software' and this is just to protect financial considerations.
'GIEIS' is the only proposal I have ever seen that can stop all
fraudulent email. Are you aware of any others?
I'm am in the process of designing an Internet draft of the system. It
is a major task as there is a lot to go through. I have 30 pages of
comments alone to address, however, all the comments have a resolution
within the 'GIEIS' system. I will post a complete accurate proposal of
the system in the next few days once I have compiled all the information
together. It will refer to both local, global, consent and forced issues.
Mark McCarron.
From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
To: "Mark McCarron"
<markmccarron_itt(_at_)hotmail(_dot_)com>,research(_at_)solidmatrix(_dot_)com
Subject: Re: [Asrg] Consent Proposal
Date: Sun, 29 Jun 2003 22:52:34 -0400
Take a look at today's message from the chair, Paul Judge, on this
subject
(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg05968.html).
The consent framework that we are discussing is not limited to
end-users only. The generic proposal that I put forth concentrated
specifically on the end-user and this is probably what is throwing you off.
Yakov
At 02:46 AM 6/30/2003 +0000, Mark McCarron wrote:
This I understand very well. What I am asking is, have you been able
to overcome any of the limitations I mentioned?
Mark McCarron.
From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
To: "Mark McCarron"
<markmccarron_itt(_at_)hotmail(_dot_)com>,asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Consent Proposal
Date: Sun, 29 Jun 2003 22:41:54 -0400
First of all take a look a the group's charter
(http://www.irtf.org/charters/asrg.html). As the charter states we
are seeking to define an overall consent framework and fit in all the
different spam proposals into it. The proposal below was put forth to
solicit opinions and ideas from people on consent in general and the
consent framework in particular.
Yakov
At 01:20 AM 6/30/2003 +0000, Mark McCarron wrote:
Yakov,
This system is very similar, in fact almost identical, to the
current one employed by Hotmail. It is not effective in eliminating
spam, the end user still recieves it and has to deal with it. Also,
it does not address the main issue about spam and that is the
roughly 30% band-width absorbed across the Internet by it. All this
seems to do is sort it at the recieving end.
I also read something about a confirmation being sent back from the
server, this is just an adaptation of challange response.
It also does not address the issue of spammer's who use their own
mail servers.
Can you clear any of these problems up?
Mark McCarron.
> > > > -----Original Message-----
> > > > From: Yakov Shafranovich [mailto:research(_at_)solidmatrix(_dot_)com]
> > > > Sent: Thursday, June 26, 2003 11:23 AM
> > > > To: asrg(_at_)ietf(_dot_)org
> > > > Subject: [Asrg] Consent Proposal
> > > >
> > > >
> > > > I would like to provide a generic proposal for
> > consent-based system
> > > > as per
> > > > charter:
> > > >
> > > > 1. Users and/or ISP define rules and filters to=20
filter incoming=20
> > > > email. Rules/filters are decided by end users and ISPs,
> > and are not
> > > > mandated.
> > > > Every user/ISP can define its own policies ranging=20
from banning=20
> > > > all email not digitally signed to blocking HTML.
> > > > 2. For each email user, the MUA or the ISP maintains a
> > > > whitelist of trusted
> > > > senders, blacklist of blocked senders and a graylist of
> > > > unknown senders.
> > > > Whitelisted senders go the inbox, graylisted senders go to
> > > > the bulk folder,
> > > > and blacklisted senders are either in the spam folder or
> > > > erased. 3. Whitelists are not only a list of email addresses
> > > > of trusted senders,
> > > > but to avoid sender spoofing also have additional features
> > > > such as digital
> > > > signatures, certificates, passwords, tokens, etc.
> > > > 4. Additional automatic whitelist rules are defined as such
> > > > email from
> > > > trusted senders (e.g. Habeas) is automatically goes to the
> > > > inbox unless
> > > > blacklisted, etc. C/R systems are also integrated and upon
> > > > receiving a
> > > > positive response automatically whitelist the sender.
> > > > 5. Additional automatic blacklist rules are defined such as
> > > > email coming
> > > > from known open relays is blocked.
> > > > 6. Whitelists, graylists and blacklists are stored hashed or
> > > > encrypted to
> > > > protect privacy.
> > > >
> > > > Any thoughts?
> > > >
> > > > Yakov
_________________________________________________________________
It's fast, it's easy and it's free. Get MSN Messenger today!
http://www.msn.co.uk/messenger
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: RE: [Asrg] Consent Proposal, (continued)
- Re: RE: [Asrg] Consent Proposal, Yakov Shafranovich
- RE: [Asrg] Consent Proposal, Peter Kay
- RE: [Asrg] Consent Proposal, Yakov Shafranovich
- RE: [Asrg] Consent Proposal, Peter Kay
- [Asrg] Consent Proposal, Mark McCarron
- Re: [Asrg] Consent Proposal, Yakov Shafranovich
- [Asrg] Consent proposal, gep2
- Re: [Asrg] Consent Proposal,
Yakov Shafranovich <=
- Fwd: Re: [Asrg] Consent Proposal, Yakov Shafranovich
- Re: [Asrg] Consent Proposal, Yakov Shafranovich
- Fwd: Re: [Asrg] Consent Proposal, Yakov Shafranovich
- Fwd: Re: [Asrg] Consent Proposal, Yakov Shafranovich
- Re: Fwd: Re: [Asrg] Consent Proposal, Yakov Shafranovich
|
|
|