ietf-asrg

Re: [Asrg] 2. - Spam Characterization - Possible Measurements (was: RE: Two ways to look at spam)

2003-07-06 10:14:30
Paul,

Essentially all of the characteristics that you have listed
are no better than second-order.

PJ> Spam measurement and characterization should not be confused with the
PJ> inventory of problems list. Spam characterization seeks to understand the
PJ> current state of the problem (read symptoms).

To what end?  What will be done with this characterization of "current"
symptoms, especially when we know that spammers are highly adaptable and
will change the symptoms, if they have to?


PJ>  The inventory of problems list
PJ> seeks to look at the reason for the problem or the core attributes that
PJ> allow the actions taken by spammers that result in these symptoms.

As I said, most of the list did not appear to be core.

Any arguments to the contrary -- for each item on the list -- could be
quite insightful.

 
PJ> Your question above also assumes that spammers can change their operation to
PJ> avoid exhibiting ALL of these characteristics. I believe that to not be
PJ> accurate.

We have already seen considerable examples of adaptive behavior.  For
example, my first use of SpamAssassin was highly successful, some
months ago.  Now it is almost useless.  (Yes, the ruleset needs to be
updated, but that is exactly my point.)

That's the first time I've seen such an assessment about the limitations
of spammers.

What is it that causes you to believe further adaptation is not likely
or possible?


PJ> Secondly, your question asks if they could still SEND spam. In some cases,
PJ> our goal is not to stop them from sending spam, but just to be able to
PJ> DETECT the spam.

Forgive me for believing that detection of spam should seek to use
criteria that are as persistent as we can make them.


PJ> Now, the question should be 'Will we be able to detect
PJ> and/or prevent the spam?'

The question should be, "Will we be able to develop mechanisms that
detect and/or prevent spam without requiring constant change over short
periods of time."


PJ> The two questions underneath all of this are: 1) Is this characteristic an
PJ> effective indicator of spam? And 2) Can they change the characteristic?

That is essentially what I originally asked, yes.


PJ> There are four possible situations, but three that matter:
PJ> Question 1: Yes. Question 2: Yes.
...
PJ> characteristics: some of it changes and some of it does not. Either way,
PJ> currently they provide effective means of spam detection.

Given that there is a goal of producing standards, at some point, and
that standards take a long time to produce and deploy, perhaps we should
be extremely concerned about focusing on characteristics that have
transient benefit?


PJ> Problems arise when a system creator mistakenly assumes that one of
PJ> these characteristics can not change.

Problems with standards arise when they do not attend to their life
cycle limitations.


PJ> Question 1: Yes. Question 2: No.
PJ> Means: Valid indicator now and moving forward:
PJ> This provides a good point of focus for new proposals.


It occurs to me that the line of analysis you are offering simply means
that we should attend to whether a characteristic is "core" or whether
it is merely a current indicator.

I'd consider that a pretty reasonable re-statement of my original
question, though I am not sure whether that is what you had in mind.


d/
--
 Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
 Brandenburg InternetWorking <http://www.brandenburg.com>
 Sunnyvale, CA  USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>

