Fine, but if the goal is to force them into a smaller and smaller corner,
then the fine-grained permissions list idea that I propose, combined with a
good
content filter, together does a LOT more to constrain them (and in a space
that's MUCH harder to escape from) than SPF and the like do.
And in addition, it doesn't significantly harm legitimate users (the way SPF
and other "authentication/reputation" schemes do), AND as a bonus, it virtually
eliminates E-mail as an effective vector for the transmission of viruses and
worms... thus accomplishing a MAJOR blow against zombie spambots, which create
such an otherwise intractable problem in controlling spam.
Enlighten me with a link to your plan? You make it sound like FUSSP.
I must have missed the post where FUSSP was defined, and up to now (at least) I
haven't written up a page for my Web site to detail my proposal. But it's been
discussed here on-list a number of times.
The gist of my proposal is that each recipient should be able to establish a
fine-grained mesh which restricts (on a sender-by-sender basis) the types of
mail the recipient is expecting (and willing) to receive from each sender.
THE DEFAULT, for unknown/unspecified senders, would be to allow through the
mesh
filter only mails smaller than a specified size (say 25K or 50K bytes maybe)
which contain no HTML and no attachments... thus simple, text E-mails not
exceeding the specified maximum size.
Mails getting through the fine-grained permissions list filter would then be
(again, by default, with the ability for the recipient to force delivery of
mails from specified/identified senders if desired) subjected to a good content
filter (think Spam Assassin or similar). (Note that by restricting the mails
at
that point to plain text and without attachments would deny spammers the great
majority of the most devious, cherished tricks that they commonly use to
evade/circumvent content filters).
Once a recipient has an established relationship with a given sender, they
could
set their permissions mesh filter so that mails arriving from that sender could
contain more bulky or risky content.
For example, my Aunt Gertrude might send me HTML codes representing simple
formatting (fonts, colors, italic, underline, boldface) but she's not likely to
send me JavaScript, ActiveX, forms, or hyperlinks. She might send me a JPEG of
her new poodle Fifi, but she's not at all likely to send me an encrypted ZIP
file, a .CPL file, a .SCR file, or an .EXE executable attachment.
Once I've whitelisted dear Aunt Gertrude indicating what sorts of things I
trust
her to send me, mail (purporting to be from her) which departs from that
familiar style of hers would BY DEFINITION be suspect and would automatically
either be quarantined or discarded (depending on how I as the recipient wanted
to deal with such things).
Note that this performs EXACTLY the desired function... even if Aunt Gertrude's
system were to become infected, the worm/spam messages the zombie residing on
her system might send me would be efficiently and effectively zapped, while the
GOOD things she was still sending me (since they LOOK like what I expect to get
from her) would (still!) sail through unimpeded.
Clueless types (the ones who are most likely to become infected) are probably
the least likely to set more advanced permissions for specified senders (and
there should be suitably dire warnings to hopefully dissuade them from being
cajoled into setting more expanded permissions without good cause). For most
of
their contacts, they would probably allow *nobody* to send them executable
attachments, which would thus eliminate in one fell swoop almost any common
mechanism for E-mail transmission of worms or viruses. Who needs daily virus
signature file updates..??!
Likewise, once things like "text as image" or obscured URLs or spoofed
hyperlinks or decrypting spam are effectively prevented, the remaining messages
are much less likely to evade or deceive the content filter.
Even if spammers still managed to evade content filters, and sent the same
number of spam messages as at present, even just making bulkier HTML-burdened
E-mails the "kiss of death" for the delivery of their spam (and thus forcing
spammers to send spam as smaller plain text messages) would if nothing else
reduce the total spam byte volume to a small fraction of the bandwidth and
storage space it wastes at present (since HTML-burdened spam is typically 3-5x
bulkier than the same message as plain text).
So note that the proposal DOES NOT eliminate HTML-burdened mail, nor does it
impact ANY legitimate E-mail technology. It DOES mean that UNSOLICITED mail
from UNKNOWN senders would need to be sent (as it SHOULD be anyhow, since the
format is designed for universal readability) as small E-mails using only plain
ASCII text.
Note that this approach even works for large consumer-products companies (say,
Proctor and Gamble's consumer relations department) since they could by default
receive small plain text E-mails from ANYBODY. (And they could anyhow extend
the permissions any way they wanted, although hopefully they'd maintain tight
enough standards to protect themselves adequately).
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg