The gist of my proposal is that each recipient should be able to establish a
fine-grained mesh which restricts (on a sender-by-sender basis) the types of
mail the recipient is expecting (and willing) to receive from each sender.
THE DEFAULT, for unknown/unspecified senders, would be to allow through the mesh
filter only mails smaller than a specified size (say 25K or 50K bytes maybe)
which contain no HTML and no attachments... thus simple, text E-mails not
exceeding the specified maximum size.
The average spam mail size is usually smaller than your proposed size,
which increases the false negative rate of your proposal.
The size limitation is NOT intended to differentiate spam/nospam. Its purpose
is to block "large" E-mails from unknown/untrusted people (and which might
otherwise consume an undesirable amount of Inbox space) as well as to help avoid
"large" mails which could contain viruses/worms/etc. The default "no
attachments" rule helps a lot with that, (as does the "no HTML" default rule)
but putting the size limit (and setting it appropriately) also helps avoid
spammers trying to evade that by using non-attachment "embedded attachments" of
some sort.
As a recipient, I simply don't need (or want) to accept arbitrarily large
unsolicited E-mails from just anybody. If they want to send me something large
or cumbersome, they can contact me FIRST and request permission for the bulkier
or riskier mail.
What about the sales and customer care dept. of organizations who receive
mails in bulk from customers, clients etc.?
My permissions-list proposal would not limit that AT ALL, as long as those
E-mails were below a certain size (which the receiving organization can set as
appropriate for their case) and as long as they meet the attachments/HTML
criteria they have set. I think you'd have a hard time arguing, for example,
that such "sales and customer care" departments would need to accept (at least
not as a first contact!) E-mails containing Javascript decryptors, ActiveX, .SCR
or .EXE files, mail of arbitrary sizes (say 2Mb?)... the list goes on and on.
And that's one of the big differences between my proposal and a typical
"whitelist" proposal... my proposal specifically provides for a significant,
useful (while safe) type of E-mails for use in establishing initial contacts
with people. (And that E-mail still would need to satisfy the second-stage
content filter, based on other criteria the recipient can control, to get
through for delivery).
How user friendly will it be when the admin or user has to configure
settings for each sender?
That's an issue to be determined by the implementing software. I would expect
quite a diversity in dealing with those issues, depending on whether the
software involved were intended for direct (fairly clueless) end-user use or for
"serious-power-user" types.
Anyhow, there doesn't HAVE to be any single standard for how to deal with that
stuff (and nothing says the recipient couldn't change their settings over time,
either). You might T-can the objectionable stuff without a whimper, you might
quarantine it with a periodic summary of questionable stuff being held, you
might deliver it (especially during the initial phase of the implementation)
with a way for the user to say "Yes, this sender is okay, let future stuff
through from them if it looks 'like this' one."
Likewise, the software might be clever enough to notice that when stuff is sent
to quarantine, some senders are particularly persistent (and MAYBE think they're
legitimate) and those might be something to call to the attention of the
recipient, to verify whether it SHOULD in fact be getting delivered, or if maybe
it's a known/persistent spammer which the recipient doesn't even need
quarantined, where that stuff in the future can go straight into the trash.
It sounds more like whitelisting with restrictions.
It certainly has whitelisting characteristics. The major differences are:
1) there is an established (although NOT necessarily standardized) class of
mail which can come from anybody and be delivered (subject, of course, to
satisfying the second-stage content filter); (those knowing they're sending an
initial-contact E-mail would want to use 'good netiquette' in hopes of satisfying
that 'politeness' standard);
2) the whitelisting would provide a fairly fine mesh, so that the recipient
could fairly closely define the type of mails they expect (and are willing to
accept) from each given sender;
3) the unsolicited stuff, from unknown/untrusted senders, would have to
satisfy rules which would preclude use of most evasions, tricks, and subterfuges
that spammers normally are able to employ to deceive or evade content filters;
4) the "no attachments/no HTML" (by default) rule would virtually eliminate
E-mail as a viable propagation vector for viruses and worms (since almost nobody
would in practice set ANYBODY with permission to send them executable, encrypted
ZIP, or other such 'dangerous' attachments). This would put a MAJOR crimp in
the ease of building armies of zombie spambots.
...restricting mails based on size or format will only produce more False
Positives.
Again, you apparently just don't 'get it'.
The fact is that (for example) I simply AM NOT INTERESTED in getting
HTML-burdened E-mails from people I don't know and who haven't cleared those
with me in advance. There is VERY little I want or need to get by E-mail that
can't be sent to me as (safer) plain ASCII text.
Once I *do* agree to accept formatted E-mail from somebody (and if they have a
DAMNED good reason for it, which I concur on) then I *still* probably don't want
them to send me ActiveX, or executable attachments, or cookies, or "big" mails,
or (possibly malicious) scripting, and things of that sort. I don't want
obscured/misrepresented hyperlinks that are supposed to look like
http://confirm.sunbank.com but which in fact point to some rogue system in China
or Romania.
Content filters can do a pretty decent job of detecting patterns in E-mail text,
IF there is in fact text there to analyze. Text-as-image, decrypting text, and
so forth are among the tricks that spammers use to confound and evade content
filters; the solution to those evasions is simple... the presence of the
evasion trick is itself prima facie evidence that the message IS IN FACT spam
(and especially after you've had the ability to make exceptions for trusted
senders who you might EXPECT to send you stuff of a particular kind).
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
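
The first-stage mesh described in the message above (a default rule for unknown senders plus per-sender permissions), as an added Python example that is not part of the original post. The `Permission` fields, the 50,000-byte cap and the sample addresses are assumptions; the sender is read from the unauthenticated From header, and the second-stage content filter is out of scope.

```python
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

@dataclass(frozen=True)
class Permission:                 # hypothetical per-sender mesh entry
    max_bytes: int = 50_000       # assumed cap; the post suggests 25K or 50K
    allow_html: bool = False
    allow_attachments: bool = False

DEFAULT = Permission()            # rule for unknown/unspecified senders

def violations(raw, mesh):
    """Return the reasons a raw message fails the mesh (empty list = deliver)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    perm = mesh.get(sender, DEFAULT)
    reasons = ["too-large"] if len(raw) > perm.max_bytes else []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.is_attachment() or part.get_filename():
            if not perm.allow_attachments:
                reasons.append("attachment")
        elif ctype == "text/html":
            if not perm.allow_html:
                reasons.append("html")
        elif ctype != "text/plain" and not perm.allow_attachments:
            # inline non-text parts are the "embedded attachments" evasion
            reasons.append("embedded:" + ctype)
    return reasons

def sample(sender, body="Hello, may I send you our report?\n", html=False, attach=False):
    """Build a constructed test message and return its raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.org", "first contact"
    m.set_content(body)
    if html:
        m.add_alternative("<p>Hello</p>", subtype="html")
    if attach:
        m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                         filename="a.exe")
    return m.as_bytes()

# Constructed mesh: one trusted sender may send HTML and larger mail.
MESH = {"colleague@example.com": Permission(max_bytes=2_000_000, allow_html=True)}
```

A message with an empty result would go on to the second-stage content filter; a non-empty result lists why it would be discarded or quarantined.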