On 22 Dec 2004, John Levine <asrg(_at_)johnlevine(_dot_)com> wrote:
This is yet another reason why a fine-grained permissions-based
approach, where the *recipient* can decide what E-mails they do and
do not want to receive (based on who the sender is, and what the mail
contains) is so decidedly the right way to pursue this problem.
So long as you are willing to spend an unlimited amount of money on an
e-mail infrastructure that accepts and stores terabytes of spam,
almost all of which will be discarded unread,
You are presuming that (1) spamming will continue to be lucrative; that (2) an
approach such as I envision will reduce neither the numeric number of spam
messages nor their average size; and (3) that spammers will continue to be able
to recruit zombie spambot armies to do their mailings for them.
I believe that (2) and (3) are both unlikely (given the approach I propose),
and that together those will make (1) unlikely as well.
First off, I believe that a fine-grained permissions list (with permissions
based on who messages come from, along with what the nature of the contents of
those messages are) and which by default will not allow either "large", HTML or
attachments from untrusted senders, together will virtually eliminate E-mail as
an effective vector for recruiting spambot zombie armies (it will in fact
virtually eliminate the efficacy of sending worms and viruses in E-mail
messages).
Secondly, making HTML-burdened E-mail acceptance CONTINGENT upon the sender
being whitelisted by the recipient (and also on the basis of what that sender's
E-mail is normally expected and allowed by the recipient to look like) will
force spammers to abandon their most cherished and useful tricks for obscuring
the purpose and contents of their E-mail messages, thus making them FAR easier
to identify reliably and effectively with a good content filter. At the same
time, discouraging bulky HTML-burdened spam will all by itself cut the BYTE
volume (including both bandwidth and storage costs) by probably 70% or more.
Third, making spam filtering more effective and harder to defeat or evade will
dramatically reduce the payback to spammers, and the payback is what motivates
spamming in the first place. (The recent Iowa judgements totalling $1 billion
against three spammers, and with some 297 judgements still to be issued in that
case, can't fail but be noticed by spammers and raises dramatically the risks
of their business model.)
and a fabulously complex
spam filter control panel that almost nobody will use,
Oh, that's TRULY rubbish. While obviously it would be CONCEIVABLE to implement
such a filter in a stupid and clumsy way, a reasonable implementation could
make this VERY user-friendly (far more user-friendly, in fact, than typical
"security permissions" for NTFS file systems).
I suppose I
agree. If you want to continue getting mail for $20/mo forget it.
(1) bandwidth costs and storage costs both continue to decrease (not increase).
(2) effectively forcing spam back to plain ASCII text reduces typical spam size
by two thirds to three quarters or more. This significantly reduces the cost
of carriage to ISPs and backbone companies.
(3) making spam less effective and profitable will ultimately be the thing
which will control it (in fact, little else is likely to).
ISPs tell me that when they have crummy filters that leak a lot of
spam, people are constantly asking to be able to tune the filters.
The fact is that users who are able to simply and easily control THEIR OWN spam
filtering, using techniques which are understandable and logical, are less
likely to require as much ISP support.
When they have good filters that work, nobody asks for options. A
large cable ISP said it was dramatic how the calls just stopped when
they switched from an old filter to a new one.
My experience with ISP-provided spam filtering has been (very) mixed.
Yahoo's spam filtering seems pretty decent, at least in terms of not having a
lot of "false positives"... virtually everything they deem as spam truly is (at
least that's what I've been seeing from here). OTOH, there is still spam which
slips past their filter into my Yahoo Inbox.
My domain name provider (Domain Direct) offers (third-party) domain-wide spam
filtering which had SO incredibly many false positives (and such clumsy
provisions for whitelisting and filter adjustment) that after fighting it for a
few weeks, I finally just turned their filter off. I can go ahead and get that
mail (including the spam) and process it better here using my own systems.
As for Comcast (my cable modem service provider) I don't know what spam
filtering they do, if any. If they do filter spam, I don't know what they do
with the stuff they determine to be spam, or how I could check to see what
false positives are not making it to my Inbox.
Especially with threats of attorneys et al,
Could you be specific what threats of attorneys you're referring to?
I was referring to the comments posted here within the last few days about
attorneys for spammers (or commercial mailers CLAIMING that what they're doing
isn't "spam" and therefore that their mail should not be intercepted) suing
ISPs or spam filtering companies to attempt to get the mail filters turned off
for the "spammers" E-mails (and it's almost as evil for bulk mailers to bribe
or pay off ISPs in order to get "approved" (i.e. "bribed") mail delivered, even
when the recipient doesn't want it). Obviously, that legal approach simply
isn't going to be very sensible (nor is it likely to ever be successful in a
court) if the filters are chosen and administered by the recipient themselves;
the ISP has done everything they committed to do, which is to deliver the
E-mail (or at least made it available to the recipient to pick up) and then
it's purely the recipient's choice regarding what they will and won't open and
read, for whatever reasons make sense to them.
If you're in the United States, please consider them in relation to 47
USC 230 and section 8(c) of CAN SPAM.
I don't think that's relevant to what we're talking about here (at least not
what *I* am talking about). I'm not talking about companies, individuals, or
governments suing spammers, I'm talking about spammers (or those whose behavior
might arguably look like spamming) suing (or threatening to sue) ISPs.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
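
The default-deny, per-sender permissions list described in the message above, sketched as an added example (it is not code from the post or from any list participant). The 20,000-byte cut-off for "large", the example addresses, and the names `Permission`, `evaluate`, `sample` and `ACL` are assumptions made for illustration.

```python
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

@dataclass(frozen=True)
class Permission:
    max_bytes: int = 20_000          # assumed cut-off for "large"
    allow_html: bool = False
    allow_attachments: bool = False

UNTRUSTED = Permission()             # default for senders not on the list

def evaluate(raw: bytes, acl: dict) -> tuple:
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Assumption: the From header identifies the sender. It is unauthenticated,
    # so a deployment would key the list on a verified identity instead.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    perm = acl.get(sender, UNTRUSTED)
    reasons = set()
    if len(raw) > perm.max_bytes:
        reasons.add("large")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment() or part.get_content_maintype() != "text":
            if not perm.allow_attachments:
                reasons.add("attachment")
        elif part.get_content_type() == "text/html" and not perm.allow_html:
            reasons.add("html")
    return ("reject" if reasons else "accept", sorted(reasons))

def sample(sender, body="plain body\n", html=False, attach=False) -> bytes:
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.org", "constructed sample"
    m.set_content(body)
    if html:
        m.add_alternative("<p>body</p>", subtype="html")
    if attach:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename="file.bin")
    return m.as_bytes()

# Constructed list: one sender the recipient lets send HTML, but not attachments.
ACL = {"newsletter@example.org": Permission(max_bytes=200_000, allow_html=True)}

if __name__ == "__main__":
    for s in ("stranger@example.net", "newsletter@example.org"):
        print(s, evaluate(sample(s, html=True, attach=True), ACL))
```
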