ietf-asrg

Re: [Asrg] 3. Requirements - Non Spam must go through

2003-07-10 08:39:37
Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com> wrote:
> Going back to the original question
> (https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg06391.html):
>
> "Any measure for stopping spam must ensure that all non-spam messages reach
> their intended recipients."
>
> Am I correct in assuming that the overall opinion of the group seems to be
> that this statement cannot be part of the requirements?

  Yes.  I would re-phrase the statement, by adding a final condition:


    "Any measure for stopping spam must ensure that all non-spam
     messages reach their intended recipients, unless the intended
     recipients indicate otherwise."


  With some additional caveats:

 a) the recipient SHOULD be notified of any potential non-spam
    messages which were blocked, and SHOULD be given the opportunity
    to indicate consent to receiving those messages

 b) the recipient SHOULD occasionally be informed as to the nature of
    the message filtering, and given the opportunity to update their
    statement of consent (or non-consent)

 c) if there is no communication from the recipient as to the nature
    of his or her consent for some time period, the anti-spam system
    SHOULD remove all filtering, and assume that the recipient
    consents to all traffic.


  The purpose of (a) is to keep the recipient "in the loop" that there
may be messages of interest.  The purpose of (b) is to verify that the
anti-spam system is implementing the consent of the recipient.  The
purpose of (c) is to try to avoid dropping valid messages, due to
network problems, or implementation bugs in the anti-spam system.

  i.e. When in doubt, force the recipients to re-state their consent.

  I would also add another implementation caveat:

  d) anti-spam systems MAY exchange consent information.

     e.g. an ISP informs his upstream provider that ip-range/mask may
     be blocked from sending data to port 25.

     For the purpose of anti-spam systems exchanging consent, the
     system sending consent MUST be treated as a recipient, and the
     above conditions (a) through (c) MUST be applied.


 i.e. For the purpose of an upstream provider, a downstream ISP is
just another "recipient" of network traffic, with which consent may be
exchanged and enforced.

  The consent of the ISP is the sum total of the consent of the ISP's
customers, and the ISP's consent.  But for the purposes of exchanging
consent with the upstream provider, the ISP claims ownership for *all*
consent statements sent to that provider.

  Alan DeKok.
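
The following sketch is an added example, not part of the original message or of any ASRG document. It models caveats (a) through (d) as a per-recipient consent record that fails open when consent goes stale. The 90-day window, all names, and the reading of "sum total" as "blocked by every customer, plus the ISP's own blocks" are assumptions.

```python
from dataclasses import dataclass, field

CONSENT_TTL = 90 * 86400  # assumed re-confirmation window in seconds; the message gives no figure

@dataclass
class Recipient:
    name: str
    blocked: set = field(default_factory=set)   # senders this recipient declined
    confirmed_at: float = float("-inf")         # never stated consent => treated as stale
    held: list = field(default_factory=list)    # blocked mail awaiting a notice, caveat (a)

    def state_consent(self, blocked, now):
        self.blocked, self.confirmed_at = set(blocked), now

    def stale(self, now):
        return now - self.confirmed_at > CONSENT_TTL

    def filter(self, sender, msg_id, now):
        # Caveat (c): no recent statement of consent, so remove all filtering.
        if self.stale(now):
            return "deliver"
        if sender in self.blocked:
            self.held.append((sender, msg_id))  # retained for the notice, never silently dropped
            return "hold"
        return "deliver"

    def notice(self):
        # Caveat (a): report what was held. Caveat (b): report the filtering in force
        # and when the recipient must restate consent.
        report = {"held": list(self.held), "filtering": sorted(self.blocked),
                  "reconfirm_due": self.confirmed_at + CONSENT_TTL}
        self.held.clear()
        return report

def isp_statement(isp_name, isp_own_blocks, customers, now):
    # Caveat (d): the upstream sees the ISP as one more Recipient, so (a)-(c) apply to it.
    # Assumed aggregation: a sender is blocked upstream only if every customer blocks it
    # (a stale customer consents to everything), plus whatever the ISP itself blocks.
    effective = [set() if c.stale(now) else c.blocked for c in customers]
    shared = set.intersection(*effective) if effective else set()
    isp = Recipient(isp_name)
    isp.state_consent(shared | set(isp_own_blocks), now)  # the ISP owns the whole statement
    return isp
```

Because the upstream holds an ordinary `Recipient` record for the ISP, a downstream outage or bug that stops the ISP from restating consent ends with the upstream lifting its blocks rather than discarding mail indefinitely.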
