
RE: [Asrg] Two ways to look at spam

2003-06-30 19:27:28
At 03:35 PM 6/29/2003 -0400, Paul Judge wrote:

> -----Original Message-----
> From: Yakov Shafranovich [mailto:research(_at_)solidmatrix(_dot_)com]
> Sent: Sunday, June 29, 2003 2:12 AM
> To: asrg(_at_)ietf(_dot_)org
> Subject: [Asrg] Two ways to look at spam
>
[..]

> 2. Consent - these proposals do not try to block the email at the
> sender's end, or as it is being transferred over the network. Instead,
> they concentrate solely at the receiver's point.

This is not the case. It is most desirable to block unwanted traffic as
close to the source as possible. There is some difficulty in moving the
solution closer to the source in that you are enforcing a policy for all
downstream receivers. Careful policy expression helps here.

Can you elaborate on this point?

Overall, I think that consent-based communication as referred to in the
charter includes what you have referred to here as 'consent' and 'network
abuse' models. What I think you are touching on here with these two models
is what I refer to as local vs global spam solutions. A local solution
refers to controlling spam for some individual or organization. I also think
of this as providing symptom relief rather than a real cure. This is
commonly done today with anti-spam tools deployed at the desktop, server, or
gateway. There are a number of commercial and non-commercial solutions that
are quite effective at 'solving the problem' for local environments.

While many individuals and organizations have deployed such solutions, the
spam problem continues to exist globally. It is even suggested that these
local solutions have increased the global problem since spammers are sending
more. The solution to the global problem requires an understanding of the
adversaries and their motivation. As many have suggested, controlling spam
globally requires reversing the spammers' profit model. What I suggest that
is different is that this does not require directly associating a cost with
sending email.

Just as in any other business, the profit in spamming is equal to revenues
minus costs. In spamming, revenue is equal to the number of spam messages
received times the response rate times the profit per item. Expenses include
the cost of obtaining the lists of email addresses and the cost of sending
the messages. The difference between the amount of spam messages sent and
the number received is a factor of the effectiveness and deployment rate of
anti-spam technologies. User education is able to affect the response rate
as well as the difficulty and costs of obtaining email addresses. Besides
providing a strong deterrence, anti-spam legislation is able to introduce
overhead in the form of the expenses of litigation.

The consent-based communications paradigm considers this and directly
affects both the number of spam messages sent and the number received. If
you consider this along with the taxonomy that looked at spam prevention,
spam detection and spam response approaches, then the relationship can be
seen between the various anti-spam system proposals, the consent-based
communications paradigm, and global and local spam solutions.

With that said, I do agree that we need to further document this framework
to provide a clearer view as we deal with this large number of individual
proposals. It seems that without this clarity, many are having trouble
putting everything in context. All, please share your thoughts on this view
of the overall framework.

The consent framework on a local level seems simpler to understand than on the global level. Locally the consent framework may consist of various components that will keep track of what the user has consented to, and what email he did not consent to. Some of these consent decisions may be made automatically based on various pieces of information such as RBLs, message content, C/R, etc. Some of them may be made manually by the user. However, on the global level how is the consent framework relevant? Are we talking about different hosts or networks on the Internet expressing combined consent of their users to each other? Or are we simply talking about various systems that collect data to be used on the local level? The charter is a bit murky on this:

"Expressing consent is more straightforward on an individual basis; as the solution is moved closer to the source, it is more difficult to express a policy that satisfies all downstream receivers."

Yakov
