[snip]
and (3) that spammers will continue to be able
to recruit zombie spambot armies to do their mailings for them.
That's certainly likely for the foreseeable future.
It depends entirely on how long it takes people to decide to tackle the problem
in a determined way.
First off, I believe that a fine-grained permissions list (with
permissions based on who messages come from, along with what the
nature of the contents of those messages are) and which by default
will not allow either "large", HTML or attachments from untrusted
senders, together will virtually eliminate E-mail as an effective
vector for recruiting spambot zombie armies (it will in fact
virtually eliminate the efficacy of sending worms and viruses in
E-mail messages).
In order for it to eliminate zombies, it has to be implemented by
_everybody else_. That's not going to happen.
Well, yes and no.
I agree that you probably won't eliminate 100% of the vulnerability, but at some
point the remainder doesn't much matter. The issue is whether the vulnerability
is widespread enough to ATTEMPT to exploit it.
It also depends on how quickly such a fine-grained permissions list approach is
accepted and installed. Obviously, if Microsoft were to include something like
this in Outlook and Outlook Express by default, it would be much more effective
and much sooner than if Infopoint or some other small software company were to
try to market it as an addon package.
Secondly, making HTML-burdened E-mail acceptance CONTINGENT upon the
sender being whitelisted by the recipient
You're assuming that you can tell whether or not the _recipient's_ MUA
will attempt to interpret a message as HTML.
It doesn't much matter. Most spammers don't know, either, what specific E-mail
client program a destination address is using. Nor do they care, in fact.
Again, this is the sort of thing that a recipient ought to have some control
over... just how aggressive (or not) such a filter ought to be in their incoming
messages.
Third, making spam filtering more effective and harder to defeat or
evade will dramatically reduce the payback to spammers, and the
payback is what motivates spamming in the first place.
For some spammers, maybe. Many others sell their services, and the
worldwide shortage of suckers is not expected soon.
It won't take long for the word to get around that spamming doesn't work
anymore, and that some types work dramatically less well than others.
and a fabulously complex
spam filter control panel that almost nobody will use,
Oh, that's TRULY rubbish. While obviously it would be CONCEIVABLE
to implement such a filter in a stupid and clumsy way, a reasonable
implementation could make this VERY user-friendly (far more
user-friendly, in fact, than typical "security permissions" for NTFS
file systems).
Prove it. Come up with a reasonable implementation that my mother can
handle.
I'll be GLAD to do that, and I'll even bring it to release-ready, if you'll fund
the development. :-)
The point is that this is IMPLEMENTATION-DEPENDENT, and does not need to be part
of a "best practices" advisory. Some companies are hugely better at
"human-engineering" software products than others are; given that, we don't
have to concern ourselves HERE with the fact that some of them might not do a
terrific job of it.
ISPs tell me that when they have crummy filters that leak a lot of
spam, people are constantly asking to be able to tune the filters.
The fact is that users who are able to simply and easily control
THEIR OWN spam filtering, using techniques which are understandable
and logical, are less likely to require as much ISP support.
As spammers learn to evade those controls, the ISP has to upgrade
them.
I'd be surprised if ANY system didn't continue to evolve, just as the threats
evolve that it's intended to counter.
Again, though, I'll point out that once you default to "no attachments, no HTML"
in E-mails from unlisted senders, you don't leave the spammers much room to
evade much of anything, at least as far as their E-mail content goes.
I will *freely* admit that the battleground will then most likely move to
malicious Web content and browser-based attacks, rather than spam E-mails... but
that IS a different battle, and we don't have to fight that one HERE.
The user has still made a clear decision - one to delegate their right
to accept/refuse to the ISP. As long as the ISP's contract makes this
clear, then I believe there's no difference in the 2 cases.
Sounds good, until the "spammer" can find a case (even just ONE)
where the intended recipient actually WANTED the E-mail in question,
and said user didn't feel they had in fact granted their ISP the
'right' to MIS-BLOCK mail that the user actually wanted.
Then the ISP shows the contract the user agreed to, and the law
granting it immunity.
There are a LOT of contracts which judges end up NOT holding as enforceable.
But whatever.
The user can exercise choice by switching to an ISP which allows greater
control by its users (and as John has pointed out, probably charges a
premium to cover the costs of offering that control).
I think you're being far, far too presumptuous about the
practicality of switching to a different ISP. Maybe you haven't
been paying attention, but the ISP world has been consolidating (and
especially if we're talking about broadband type services... okay,
yes, dialup ISPs are more plentiful).
Mail Service Providers are growing. They don't have to provide
Internet access; some people prefer buying unbundled services.
Many ISPs try (hard) to prevent their customers using other mail service
providers. Agreed that they are not likely to be totally successful at that.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
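
The default-deny, per-sender permissions list proposed in this message can be sketched as follows; this is an added example, not code from the thread or from any product it mentions. The 20,000-byte threshold for "large", the `Permissions` fields and the example.org/example.net addresses are assumptions, as is the premise that the From address was authenticated upstream (the header alone is forgeable).

```python
from dataclasses import dataclass
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

@dataclass(frozen=True)
class Permissions:
    html: bool = False          # may this sender deliver text/html parts?
    attachments: bool = False   # may this sender deliver attachments?
    max_bytes: int = 20_000     # assumed cut-off for a "large" message

DEFAULT = Permissions()  # unlisted senders: small, plain text only

# Constructed recipient-side list: one sender trusted for everything.
ACL = {"friend@example.org": Permissions(True, True, 5_000_000)}

def evaluate(raw: str, acl: dict[str, Permissions]) -> list[str]:
    """Return the reasons to refuse a message; an empty list means accept."""
    msg = message_from_string(raw)
    # Assumption: From was verified before this point.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    perms = acl.get(sender, DEFAULT)
    reasons = set()
    if len(raw.encode()) > perms.max_bytes:
        reasons.add("too-large")
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.get_content_disposition() == "attachment" or part.get_filename():
            if not perms.attachments:
                reasons.add("attachment")
        elif part.get_content_type() == "text/html" and not perms.html:
            reasons.add("html")
    return sorted(reasons)

def sample(sender, body="hello", html=False, attach=False) -> str:
    """Build a constructed test message as raw RFC 5322 text."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "rcpt@example.org"
    m.set_content(body)
    if html:
        m.add_alternative("<b>hello</b>", subtype="html")
    if attach:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename="a.bin")
    return m.as_string()

if __name__ == "__main__":
    print(evaluate(sample("stranger@example.net", html=True, attach=True), ACL))
    print(evaluate(sample("Friend <friend@example.org>", html=True, attach=True), ACL))
```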