----- Original Message -----
From: "Bill Cole" <asrg2(_at_)billmail(_dot_)scconsult(_dot_)com>
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Please critique my anti-spam system
Date: Sun, 5 Dec 2004 14:54:03 -0500
At 12:53 PM -0500 12/5/04, Michael Kaplan wrote:
> Billions of spam are sent each day and the problem is getting
> worse. I believe that this system will profoundly decrease email
> traffic by eliminating spam. In time as spam is controlled the
> number of bounces will decrease.
The response of spammers to better blocks and filters has been to send
more spam. If I want to ensure that 100 users get my spam, and a 90%
effective filter is commonly used, then I send out 1000 messages. If the
filter is 99% effective, I send out 10000.
This is not a content filter. If the spammer doesn't have your
email address then the spammer can't send you spam. There is no
reason for the spammer to increase the spam load. Sending spam to a
very effective filter is not futile. Sending spam to a non-existent
address is completely futile so the spammer will stop doing it.
That statement conflicts with available hard evidence. I have a
list of just under a dozen addresses under scconsult.com which have
not existed for various periods between 6 years and forever, yet
which all are offered mail at least daily. I have never accepted
mail for bogus addresses in SMTP, so for all of these addresses,
all the mail aimed at them while they have been dead (and all mail
ever aimed at the ones that never existed) has been refused. For
all of those addresses, the rate of mail rejection over the past 18
months has risen steadily.
I had imagined a scenario such as what would happen if AOL or some other large
provider made this system standard. Spammers already have a large bounce rate
and they still spam, but what would happen if more than 95% of the
emails sent to AOL addresses started to bounce? I suspect that at this point
there would be a financial incentive for spammers to weed out the invalid
addresses. I have read articles about how many big-time spammers already routinely
weed out invalid addresses, but I am unable to cite these articles off-hand. I
accept that for now I am only able to make reasonable speculation concerning
this point.
> The text in these bounces is generic. An email service provider can
> alter the content of the message to a generic Chinese message if the
> user wishes. The instructions for the CAPTCHA can be created in a
> hundred different languages - the user can decide which one to see.
How do I know which language my sender will prefer? Particularly if the
sender is a new correspondent. If I set my system up to send out such
bounces in say, Hindi, and you don't understand it at all, how would
that situation be handled?
The text in these bounces is generic. My email provider can
recognize one of these generic bounces and substitute the generic
Hindi message with an identical generic English message.
That is a radical concept. It is not consistent with the way any
significant fraction of the real mail system operators deal today
with any bounces. You are waving off a very serious problem by
hand-waving a profound change in how mail systems are run, in an
area where there is a long record of everyone doing their own thing
and ignoring standards out of ego and spite.
I'm sure
that others can think of other similar ways to handle this situation.
That's a poor response to a serious critique. If you can't think up
a real way to handle a real problem with your proposal, why ask for
a critique?
Even if this process did not happen then I doubt it would be a big
problem. If your system sends out bounces in Hindi then whoever is
trying to correspond with you also likely speaks Hindi. People who
cannot read each other's language at all rarely correspond via email.
That's a remarkably naive response. It's also very much factually
incorrect. The Hindi example is a very good one, given the nature
of linguistic variety in India.
Consider this: well over half the spam that makes it past the
protections I have in place at the network and SMTP levels is
encoded in ways that are not anywhere near downward compatible to
US-ASCII. IOW: not only is that mail in a different language than
the English I speak, it uses a different alphabet than anything I
speak or can usefully piece together from a weak knowledge of a
handful of European languages. All of that mail arrives with an
envelope sender whose domain part resolves in such a way that I
could try to bounce it, but most arrives with a different From
header, indicating a strong chance one or the other is forged. If I
accept and then bounce all that mail I can't hope to read (some of
which could be non-spam from people who expect me to read their
language, I suppose...) I would be building bounces in English in
response to mail which is not in English, and sending them to
addresses that may or may not be the actual senders of the mail and
so may or may not understand the bounce and/or the original mail.
You are right, I should be more specific about how the language issue can be
resolved. One common technique used on many websites is to include the image
of many different international flags. If one doesn't speak English then you
can click on the flag of your nationality and a window would pop up with
translated contents of the bounce.
Every conceivable language would not be covered by this system, but it will
likely cover almost everyone who uses email.
If this system became commonplace then I can see how after a few years a South
Korean email service provider could pass on these generic bounces in the Korean
language if the user designated in his account preferences that he wanted this
to be done. Having this be done automatically would be a convenience, not a
necessity.
The language issue is a valid criticism but it can be significantly mitigated.
If my system is otherwise sound and if it can truly eliminate almost all spam
then I doubt that the language issue will be enough to disregard the system.
Note that after accounting for subscribed mailing lists like this
one, the mail that I cannot hope to decipher outnumbers my
legitimate mail from unknown strangers by a few orders of
magnitude. That is a common situation, and one that is related to
the core flaw in all C/R anti-spam systems: what happens to the
spam that arrives is as important as what happens to the non-spam,
and what happens to spam splatters innocent third parties.
With my system you would never see any emails sent by strangers lacking
legitimate sub-addresses.
There seems to be some concern that this system will effectively 'Joe Job'
innocent people. I don't see the clear incentive for spammers to do this - why
not just use a forged address? I don't personally know anyone who was Joe
jobbed. Is this that common? Also if spammers know your address then you can
solve the problem by activating my system and using a sub-address.
Thank you for your constructive comments.
Michael G. Kaplan
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg