
Re: [Asrg] Remote mailing

2003-07-02 16:50:38
Spam at one level is a security problem: it's the allowance of a non-validated
sender to send messages impersonating other users.

Eliminating that (even if we could) still doesn't solve the spam problem.

A person can send a Hotmail message saying IN THE BODY that they're so-and-so...
how are you going to prevent false statements being made in ANY E-mail?  I don't
think you can.

That's part of the basis of putting verifiable information in a message; as
long as people are allowed to spoof any identity in any system you cannot
ever solve this problem.  You need to migrate to a system in which basic
identity is verifiable.  I don't care if you say you're bob(_at_)extra(_dot_)com and
your reply-to address is bob(_at_)example(_dot_)com, that's fine... You no longer
are forging your sending identity.

Your example of "should a Cisco employee be allowed to send a message from
anywhere without authenticating against Cisco" implies that Cisco doesn't
care who sends messages claiming to be from Cisco.

So someone sends a message saying (in the body!) that they're from Cisco.
Caveat lector!  Cisco CANNOT prevent that.

I don't think any system can prevent false statements (even newspapers make
them), what would be nice to see is a system which prevents false
identities.

Easy example: today, sitting at my desk, I can originate a message from
"John Chambers" letting you know the quarterly earnings are great!  That's a
security problem; the message didn't originate from Cisco nor is this user
authenticated...

If you're sitting on an airplane, customer site, etc., you should
authenticate in to your corporate network or send email via another
channel.

Easier said than done.  You may simply NOT HAVE CONTROL over how the E-mail is
being sent, ONLY able to enter your return address.

Very true, but as a "normal" user all I care about is that the message that
I send is delivered and that the person/machine that I sent it to can reply.
There are tricks for mailing lists and other machine-based systems to better
handle auto-responses, but they should be secondary to human communications.

Hotmail, Yahoo, AOL, etc. all have authentication before you can send email;
they can easily stamp, sign or otherwise endorse the message before it's
delivered on the network.

You're presuming that you're necessarily using Web-based E-mail, which is NOT
always the case.  (E.g. Internet cafes on cruise ships, where you're 'favored'
to send the mail using their native mail system rather than using the Web
browser... due to the satellite connection at $7+/minute!)

No, I'm presuming that there is some level of authentication between me and
my email sending point.  I should have no expectation that on a cruise ship
I can send mail from an MTA located in the boiler room and retain my
work identity.  After all, it's a boiler room sending the message...

There is no reason that an MTA or MUA should in the long term allow
non-verifiable messages to arrive.

That depends ENTIRELY on the situation.  It's dangerous to make categoric
statements like that.

Start with a bold point and find a strong compromise, start with a weak
point and have a weaker compromise.

It's the responsibility of the sending MTA to stamp/sign a message on outgoing
delivery.  It's impossible to believe that we can remove spam from the
network, but what I want to see is good senders not having to worry about
their ability to send email and have it be received (see recent FTC problems).

"Good senders" could STILL decide to send spam.  The recipient STILL needs the
right to block stuff (even from people that they know and trust) that's outside
the boundaries of what they're used to accepting (and willing to accept) from
individual senders.  And there PROBABLY needs to be a mechanism for them to AT
LEAST BE AWARE that they've received something from someone "new", and to decide
if they want to take it or not.

This is NOT a lot different than the long-established policy of when you call the
President of XYZ Corporation, and the secretary takes the call and finds out:

  1)  who you are
  2)  what company you're with
  3)  what the call is regarding

And then, based on that (and their knowing the Boss) they'll either deflect your
call to another department, or present the Boss with the information to see if
he wants to take the call.  And like in my proposal, he'll clarify his policy:

  1)  no, I'm not interested in calls like these; send 'em to Customer Service
  2)  Yes, put him through right away
  3)  I'll take it this time, but not if he calls back
  4)  tell him to get lost

or whatever.

Screening your calls with an answering machine is much the same... you'll let
the answering machine take it, and listen while the caller (rapidly) makes their
case for calling them back.  If you want, you can pick up the phone and take the
call;  or you can maybe call them back at your leisure.

I fully agree with the above...  The unfortunate truth is that spam is
partly in the eye of the reader; there are messages I get on a daily basis
that other people might view as spam.  One of the difficulties in content
filtering games is that it's hard to know what's good if all you can work on
is the content.

Systems which provide identity verification provide additional information by
which decisions can be made.

--koblas
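As an added illustration of the division of labour this message argues for (the sending point endorsing a message only for a user it has authenticated, and the receiving side applying the recipient's own per-sender policy, including flagging senders who are "new"), here is a small Python sketch. It is example code written for this archive page, not code from the ASRG, from any participant in the thread, or from any deployed scheme; the X-Sketch-Stamp header, the stamp format, the shared secret looked up by domain, the single-part message sample and the policy vocabulary (accept, accept-once, reject) are all assumptions made for the example.

```python
"""Sketch of stamp-on-send / verify-and-screen-on-receive.

Assumptions (illustrative only): a sending point holds a secret for each
domain it vouches for; the receiver knows the same secret.  A real scheme
would publish per-domain verification keys out of band instead.
"""
import hashlib
import hmac
from email import message_from_string
from email.policy import default as EMAIL_POLICY
from email.utils import parseaddr

STAMP_HEADER = "X-Sketch-Stamp"               # hypothetical header name
SIGNED_HEADERS = ("From", "Date", "Message-ID")

# Constructed secret; shared here only to keep the sketch self-contained.
DOMAIN_KEYS = {"example.com": b"constructed-secret-for-example.com"}


def _canonical(msg):
    """Bytes the stamp covers: the signed headers (whitespace collapsed so
    refolding does not matter) and the single-part body without trailing
    newlines.  The stamp header itself is never part of the input."""
    parts = [f"{h.lower()}:{' '.join(str(msg[h] or '').split())}"
             for h in SIGNED_HEADERS]
    parts.append(msg.get_content().rstrip("\r\n"))
    return "\n".join(parts).encode("utf-8")


def _sender(msg):
    """(address, domain) taken from the From header."""
    addr = parseaddr(str(msg["From"] or ""))[1].lower()
    return addr, addr.rsplit("@", 1)[-1]


def stamp_outgoing(raw, authenticated_domain):
    """Sending point: endorse the message only if the From domain is the one
    the user actually authenticated to; refuse to vouch for anything else."""
    msg = message_from_string(raw, policy=EMAIL_POLICY)
    _, domain = _sender(msg)
    if domain != authenticated_domain:
        raise ValueError(f"refusing to vouch for From domain {domain!r}")
    digest = hmac.new(DOMAIN_KEYS[domain], _canonical(msg),
                      hashlib.sha256).hexdigest()
    msg[STAMP_HEADER] = f"d={domain}; v={digest}"
    return msg.as_string()


def verify_incoming(raw):
    """Receiving point: 'verified', 'unstamped' or 'bad-stamp'."""
    msg = message_from_string(raw, policy=EMAIL_POLICY)
    _, domain = _sender(msg)
    stamp = msg[STAMP_HEADER]
    if not stamp:
        return "unstamped"
    fields = dict(f.strip().split("=", 1)
                  for f in str(stamp).split(";") if "=" in f)
    key = DOMAIN_KEYS.get(fields.get("d", ""))
    # A stamp from some other domain says nothing about this From line.
    if key is None or fields.get("d") != domain:
        return "bad-stamp"
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(expected, fields.get("v", ""))
    return "verified" if ok else "bad-stamp"


def screen(raw, policy):
    """The secretary: apply the recipient's per-sender policy.

    `policy` maps sender address -> 'accept' | 'accept-once' | 'reject'.
    Only a verified identity is consulted against it; an unverified From
    line is just a claim, so such mail is held for content-based handling.
    Unlisted verified senders are flagged so the recipient can decide."""
    status = verify_incoming(raw)
    sender, _ = _sender(message_from_string(raw, policy=EMAIL_POLICY))
    if status != "verified":
        return {"sender": sender, "status": status, "action": "hold"}
    rule = policy.get(sender)
    if rule == "accept":
        action = "deliver"
    elif rule == "accept-once":
        action = "deliver"
        policy[sender] = "reject"   # "this time, but not if he calls back"
    elif rule == "reject":
        action = "deflect"
    else:
        action = "flag-new"
    return {"sender": sender, "status": status, "action": action}


# Constructed sample message (addresses and Message-ID are made up).
SAMPLE = (
    "From: Bob <bob@example.com>\n"
    "To: alice@example.net\n"
    "Date: Wed, 02 Jul 2003 16:50:38 -0700\n"
    "Message-ID: <constructed-0001@example.com>\n"
    "Subject: quarterly numbers\n"
    "\n"
    "The quarterly numbers are in; call me.\n"
)


def demo():
    """Run the four cases the thread discusses and return each outcome."""
    policy = {"bob@example.com": "accept", "carol@example.com": "accept-once"}
    stamped = stamp_outgoing(SAMPLE, "example.com")
    carol = stamp_outgoing(SAMPLE.replace("bob@", "carol@"), "example.com")
    return {
        "stamped": screen(stamped, policy)["action"],
        "unstamped": screen(SAMPLE, policy)["action"],
        "tampered": screen(stamped.replace("call me", "wire funds"),
                           policy)["action"],
        "new_sender": screen(stamp_outgoing(SAMPLE.replace("bob@", "dave@"),
                                            "example.com"), policy)["action"],
        "once_first": screen(carol, policy)["action"],
        "once_second": screen(carol, policy)["action"],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:12s} -> {action}")
```

The point the sketch makes is the one koblas makes in prose: the stamp does not judge content, and a stamped message can still be unwanted, so the recipient's policy (and the "new sender" flag) stays in force on top of it; conversely, an unstamped or tampered message is never matched against the policy at all, because its From line is only a claim.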



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


