ietf-asrg

Re: [Asrg] Re: SPF Abused by Spammers

2004-09-14 05:44:28
* Joshua Baer:

> There is a considerable amount of momentum and money behind both
> commercial and open reputation services now in development. The
> current market leader is IronPort's Bonded Sender, which boasts
> adoption by tens of thousands of receiving domains and hundreds of
> senders.

IronPort has repeatedly blocked the outgoing mail servers of major German
mail providers (even though they appear to have a handle on their
abuse situation).  At the same time, IronPort licenses its technology
to competitors of said mail providers.  Do you really think this is
going to work in the long run?

These reputation-based systems have two significant problems: Their
participants can suddenly start sending vast amounts of spam, and it
doesn't have to be their fault, really.  Maybe a hard-to-fix weakness in the
account generation procedure is exploited, or a software company has
distributed software with an easily exploited defect to a lot of
customers.  I'm not sure if you want to penalize such incidents, and
how you can still kick out the real non-compliers.

The other problem is that Internet technology as a whole is not
resistant to competent, organized crime.  Right now, spammers can
achieve their goals by targeting end systems.  Suppose we magically
take all those consumer Windows machines out of the equation.  How
likely is it that spammers target something else instead, for example
global Internet routing?  Currently, spam is a in the more popular
areas of the Internet, but it doesn't have a profound impact on its
core yet because spammers can conduct their business with less
drastic measures.  I really don't like the implications of an arms
race.  And don't say that there are safeguards that would prevent
this.  There aren't.  BGP hijacking is already a problem, and there
are some indications that spammers already experiment with it.

Of course, some spam fighters want exactly that: total escalation and
annihilation.  But such a catastrophe will only take us technicians
out of the loop because we have proven that we can't cope with the
problem.

In short, I'm not sure if technology-based spam fighting is a terribly
good idea.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg