At 05:44 PM 7/11/2003 -0400, Barry Shein wrote:
> Well, there ya go, the NY Times is technologically ahead of ASRG in
> recognizing what the real source of the spam problem is.

Barry, leaving the sarcasm aside, there are problems with looking at the
spam problem from this angle. There are specific problems with dealing with
the security issue which I mentioned in a prior post:

1. It is easier to deal with the problem on the edge of the network than at
the core. "Fixing" the core can take decades. In the short and medium term
we would be looking at "edge" solutions. In the long term perhaps a "core"
solution might work but would require a very long time to implement.

2. This is something that must be dealt with on the infrastructure level of the
Internet - it is a general issue of security akin to other things that
zombies are used for (DDOS, hosting porn sites, worms, etc.). These are
issues that must be looked at as an Internet-wide problem not limited to
spam. Once again, this problem stems from the fact that the Internet as a
network inherently trusts its users and servers. Unless you will convert
the Net into a closed system where every single server and user must have
authorization, it will not solve the problem.

If this is a general "security" problem, then we cannot hope to solve the
"spam" specifics without solving the general security problem. Thus, it
might require a new group to be focused specifically on security issues of
the Net. We are dealing with spam only.

I would also like to make another suggestion. It seems that you and Eric
Brunner in particular have been advocating this approach. Why don't you two
get together and write up a document outlining the spam problem from this
point of view, and providing an evaluation checklist for solutions (also
see section 3.2 of the "Technical Considerations" document
(http://www.ietf.org/internet-drafts/draft-crocker-spam-techconsider-02.txt)).
This can provide a concrete framework and a checklist for the group to
consider various proposals falling under this angle of things such as
replacing SMTP, detecting hijacked computers, DRIP, etc.

Another suggestion which I mentioned before would be setting up an "Email
Standards Project" akin to the "Web Standards Project". Get a group of
people together and set up a site that will list recommended configurations
for popular MTAs and MUAs that can protect users' computers from being
hijacked and reduce spam. Things like shutting off open relaying, disabling
ActiveX and JavaScript inside mail clients, perhaps disabling HTML email on
send, etc. can be documented. User education is very important and
something that can be very useful in the long run.

Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg