We seek to understand and analyze the spam problem, before we can hope to
objectively evaluate proposals.
With all due respect, Yakov, this strikes me rather like the scene in the
Broadway musical 1776 when the song says, "We piddle, twiddle, and resolve...
nothing's ever solved!"
I think that I proposed a quite useful discussion of approaches that would not
just reduce the enormity of the spam problem, but that also would make major
inroads into viruses and worms, too.
My recipient-based permissions system didn't require any worldwide consensus,
could be implemented in as few as a SINGLE customer, and would still yield
IMMEDIATE benefits to that customer.
While it's certainly possible to create something far more complex and far more
costly, I'm not convinced that the other approaches offer value enough to
justify the additional complexity and cost.
Specifically, I don't think it makes a whole lot of sense to develop some big,
complicated standards-based thing where spammers are (for example) encouraged
to write bots to hammer recipient servers to figure out just how much a given
recipient is going to let them get away with. I think it makes sense to make
them need to ASK for greater-than-minimum permission, and to simply not be able
to get anything through without that, arranged in advance.
What I'd like to see is, for starters, something freeware or shareware that a
SINGLE USER could implement on THEIR OWN SYSTEM, even if NOBODY ELSE IN THE
WORLD chose to also use it, and that would give them IMMEDIATE and DRAMATIC
improvement in their ability to deal with spam.
Hopefully, this could then be extended to the point where it could be
implemented at either their ISP or domain provider, so that unwanted message
traffic could be truncated before quite so much bandwidth were wasted by it
en route. But that's gilding the lily, perhaps.
The key things that I feel such a system needs to provide are things I've
discussed here at length in the past but in general include:
1) Ability to grant specific permissions to specific sender-destination
address pairs;
2) Ability to deny or allow based on (at least) use of HTML-burdened
attachments (default: denied), other attachments (divided into at least two
categories: safe (.GIF, .JPG, .TXT, etc.) versus potentially malicious (.EXE,
.COM, .SCR, .BAS, etc., etc.)). Attachments would be denied by default.
3) Some kind of quarantining feature to help a user to build their initial
permissions list, and to help them maintain it on an ongoing basis.
4) Ability to easily adjust the permissions list going forward, probably by
E-mailed control messages.
5) I've posted a suggested format for a simple, editable, text-based
permissions list.
I understand fully that many here seem to think that we need to come up with
something a GREAT deal more complicated and that requires redesigning the whole
Internet E-mail system; I disagree with that notion.
That is why we need to focus on the foundation of the group
which includes inventory of problems, requirements, evaluation model,
consent framework, technical considerations document, analysis,
bibliography, survey of solutions, identification of standardization
requirements, etc. All of these things either do not have volunteers or
are not getting very little feedback from the group members.
Part of the problem, I think, is simply that we're making the problem SO
complicated and SO involved that the problem is going to be solved (or at least
distorted out of all proportion) by bureaucrats and legislators in the
meanwhile.
Honestly, I've been busy recently elsewhere and haven't been following the
message traffic here as assiduously as I might have. In part that's because
I'm simply not seeing any convincing movement in what I consider to be a
productive, positive kind of direction.
Without a solid foundation for the group we cannot hope to be able to
evaluate any proposals objectively and consider its impact on the Internet.
First off, I am not even convinced that a good solution will come out of a
SINGLE approach to solving this problem... if nothing else, spammers have been
remarkably resourceful in evolving responses to most antispam defense
approaches that have been tried so far. There may be a lot of advantages to
trying to make them respond to MANY different challenges simultaneously.
I'd like to see us come up with more than just a bunch of technical documents.
What I'd like to see the group come up with in the end would be some kind of
actual prototype (hopefully open-source or at least freeware) that would be
immediately, directly, useful for those wishing to evaluate these concepts on
their own.
As they say, "the proof of the pudding is in the eating" and I'd like to see us
produce at least a simple but functional working prototype which people could
install on their own systems, nibble on and evaluate, and hopefully which could
rapidly evolve via extensions to meet new challenges as spammers change their
approaches.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment! Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
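
The recipient-side check described in points 1) to 3) of the message above, as an added example that is not part of the original post or of any software by its author. The permissions-table layout, the capability names, the addresses and the choice to deliver plain text from unlisted senders are assumptions; the list format the post mentions is not reproduced on this page.

```python
from email import message_from_string
from email.utils import parseaddr
import os

# Extensions the post names as safe; its list is abbreviated ("etc").
SAFE_EXT = {".gif", ".jpg", ".txt"}

# Hypothetical permissions list: (sender, recipient) -> granted capabilities.
# Pairs not listed get the assumed minimum: plain text only, no attachments.
PERMISSIONS = {
    ("alice@example.org", "me@example.net"): {"html", "safe_attach"},
    ("build@example.org", "me@example.net"): {"safe_attach", "risky_attach"},
}

# Constructed sample messages (not real traffic).
HTML_MAIL = (
    "From: Promo <promo@example.com>\n"
    "Content-Type: text/html\n\n"
    "<b>hello</b>\n"
)
SCR_MAIL = (
    "From: alice@example.org\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nsee attached\n"
    "--b\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="photo.scr"\n\nxx\n--b--\n'
)

def required_caps(msg):
    """Return the capabilities a message needs beyond plain text."""
    needed = set()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            ext = os.path.splitext(name)[1].lower()
            # Anything not known-safe is treated as potentially malicious.
            needed.add("safe_attach" if ext in SAFE_EXT else "risky_attach")
        elif part.get_content_type() == "text/html":
            needed.add("html")
    return needed

def decide(raw, recipient):
    """Deliver only if the pair's grants cover everything the message needs."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    granted = PERMISSIONS.get((sender, recipient.lower()), set())
    missing = required_caps(msg) - granted
    return ("deliver", set()) if not missing else ("quarantine", missing)
```

The second element of the result names the permissions the sender lacks, which is what a quarantine listing would show the user when deciding whether to extend the pair's grants.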