This proposal seems very similar to my original version of Choicelist
located at
http://www.ftc.gov/bcp/workshops/spam/Supplements/fenley.pdf
Specifically figure 3 on page 12, and figure 5 on page 18 seem similar to my
picture on page 4. Though their diagrams are better looking, they seem to me
to convey almost identical structures and mail handling.
Thoughts on Project Lumos:
If checks to the main registry must be performed to check on the reputation
of a sender, why are certificates used? How is spoofed mail without a
certificate or x-header treated if the gateways are looking for those
specific items to recognize registered mail?
In Project Lumos, the registry keeps track of sender reputation. How will
reputation tampering be prevented? For instance, I could get someone to
report that they received many emails from me so that my ratio of complaints
to mail is low, or I could make many complaints about a competitor to ruin
their reputation.
With Project Lumos, unknown registered bulk mailers must be automatically
trusted (if they are not automatically trusted then how is a reputation
originally established?). People have a reason to worry that their address
will be released to untrustworthy parties and "marketing partners" even
within the system.
Project Lumos gives few options to end users and instead assumes that ISPs
must do their filtering at the MTA level. This does not allow the end user
to make any consent decisions, and ensures that Project Lumos will not be
effective at preventing user-defined spam.
Because free email services such as Hotmail and Yahoo would be held
accountable by Project Lumos for abuse by their users, I don't believe they
will happily register for this sort of reputation system. They already do
their best to prevent spammers from using their systems, but this system
would hurt their business by impacting deliverability. In Choicelist, each
sender is responsible for the creation of their own account, and abuse by
one customer does not affect other customers or the provider.
"Continuous performance measurement is required to establish the reputation
of both senders and ESPs."
Then there is a list of actions that must be performed by Project Lumos mail
gateways.
When I talked to Microsoft about Choicelist a while ago, one of their main
concerns was that I demanded a few things from recipients such as a
guarantee of delivery for wanted registered mail. I don't think large
providers will want to commit to this system because of the required
feedback. I am guessing that providers will use the data provided by the
system. I don't believe that they will, for instance, track and report all
the mail they receive to a central registry. Without this data Project Lumos
fails.
In Project Lumos it seems that an individual may only send mail courtesy of
a registered Email Service Provider.
If it is easy to register an ESP, one may be registered and then used
to send masses of spam until its reputation is destroyed. There is no info
about how often this reputation is updated, and I doubt it could respond to
a wave of spam as it is being sent. Because certificates are used to verify
mail, and reputations will be expected to remain stable over time, I don't
see this system as very responsive to quick "spam and run" style attacks.
If on the other hand it is difficult to register an ESP, then how am I to
send mail from a domain that I own using my own equipment? Must I somehow
prove that I have legitimate need to send mail, and a reason for not using
an existing ESP? Must I be a member of the ESPC? This ambiguity may make the
system itself open to abuse by either operators or users.
My system avoids many of these problems by defaulting closed, and giving
users choice. This, I believe, would be unacceptable to the good members of
the ESPC.
John Fenley
www.Choicelist.com
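The two tampering cases raised in the message (inflating one's own mail volume to dilute the complaint ratio, and filing bogus complaints against a competitor) can be made concrete with a small model. The following is an added example, not code from the original post or from Project Lumos; the registry state, gateway names and message ids are constructed, and the "attested" variant is an assumed mitigation in which only deliveries reported by receiving gateways count, both as volume and as the basis for a valid complaint.

```python
# Toy model of a complaints-to-mail reputation ratio. Constructed example;
# "gateway" and "message id" pairs stand in for reports a receiving MTA
# would send to a central registry.

def naive_ratio(claimed_sent, complaints):
    """Tamperable design: trusts the sender's own volume claim and counts
    every complaint at face value."""
    return len(complaints) / claimed_sent if claimed_sent else 1.0

def attested_ratio(receipts, complaints):
    """Assumed mitigation: volume is the set of deliveries attested by
    receiving gateways, and a complaint only counts if the same gateway
    attested that delivery."""
    valid = {c for c in complaints if c in receipts}
    return len(valid) / len(receipts) if receipts else 1.0

def is_trusted(ratio, threshold=0.01):
    """Registry policy (assumed): under 1% complaints is 'good reputation'."""
    return ratio < threshold

def build_scenario():
    # Constructed: 1000 real deliveries to gateway "isp-a", 50 genuine complaints.
    receipts = {("isp-a", f"msg-{i}") for i in range(1000)}
    complaints = {("isp-a", f"msg-{i}") for i in range(50)}
    return receipts, complaints

def dilution_case(receipts, complaints):
    """Sender claims 100,000 messages that were never delivered. Returns
    (naive_ratio, attested_ratio)."""
    claimed = len(receipts) + 100_000
    return naive_ratio(claimed, complaints), attested_ratio(receipts, complaints)

def smear_case(receipts, complaints):
    """A rival files 500 complaints about messages no gateway ever received.
    Returns (naive_ratio, attested_ratio)."""
    bogus = {("rival", f"fake-{i}") for i in range(500)}
    all_complaints = complaints | bogus
    return naive_ratio(len(receipts), all_complaints), attested_ratio(receipts, all_complaints)

if __name__ == "__main__":
    receipts, complaints = build_scenario()
    for name, case in (("dilution", dilution_case), ("smear", smear_case)):
        naive, attested = case(receipts, complaints)
        print(f"{name}: naive={naive:.4f} trusted={is_trusted(naive)} "
              f"attested={attested:.4f} trusted={is_trusted(attested)}")
```

In both cases the naive ratio moves in the attacker's favour while the attested ratio stays at the true 5%; the mitigation depends on exactly the per-message receiver feedback the message doubts large providers will supply.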
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg