On 26 Apr 2005, at 20:22, gep2(_at_)terabites(_dot_)com wrote:
> That's an implementation issue, and a good software implementation will
> shield users from those specific details.

I agree that an implementation which provides ease of use and
accessibility for users to have this level of finely grained control is
a good thing. I do not think it will solve our problem any more than
current solutions in edge filtering already provide. The problem I am
referring to is not, necessarily, that of the customer being delivered
unsolicited mail but rather the support and operating costs it
generates. I do not think the adoption rate of any application which
requires consistent user interaction to derive effectiveness will be
high enough to offset the costs necessary to reduce filtering in the
core.

If you find anything which meets your requirements, I would love to see
it if for nothing else than personal use.

> The point is that even (usually) well-managed systems CAN be infected, and
> other users at the same ISP can often forge addresses for other users at
> the same ISP domain name.

Unless you are referring to the risk of an ISP's mail server itself
becoming infected, you can mitigate this risk by ensuring that only
authenticated users can send mail and that authenticated users can only
send mail with "from:" addresses matching their specific allowed
addresses.

> Therefore it allows eliminating the ugliness of "someday" and
> allows besieged recipients to get relief RIGHT AWAY.

Your definition of "right away" and mine differ. Your solution still
requires development and cost incurred by promoting its adoption within
our user base. It would be significantly sooner than waiting for
adoption of all players in Internet mail to secure their mail servers
and I look forward to seeing a mail client with this functionality.

> Again, my approach offers MUCH greater nuance than that. A trusted friend
> who happens to be using a somewhat-flakey or sloppy ISP doesn't have to be
> penalized. Your suggestion results in painting folks with too wide a
> brush, which prevents effective filtering.

I do not encourage sloppy or somewhat-flakey players in any space.
Inconsistent mail service is a good reason to switch to a better
network provider. I believe a more appropriate point would be that you
do not wish to penalize your own subscribers by blocking legitimate
mail received from friends on sloppy providers. Unfortunately, not
penalizing a subset of customers who receive mail from legitimate
sources on sloppy providers often times penalizes a larger subset of
customers who receive unsolicited mail from this same provider. And
thus begins the magic juggling dance of blocking unsolicited mail while
reducing false positives.

> It leaves innocent victims who are punished by association.

Encourage innocent victims to make better choices.

> Fine. Again, my approach allows a recipient to control what THEY receive,
> and without leaving them in the frustrating position of "I wish someone
> else would do <whatever>."

This is akin to a thread I am currently participating in on NANOG. In
cases where customers want to be in complete control of the traffic
they receive, they should be willing and understand that this will be
awarded at a higher price point and include maintaining their own mail
infrastructure.

> No, because the mail could be FULLY authenticated, if the victim's machine
> has been infected by a spambot zombie. That spambot could send E-mail
> spams and worms using the REAL user's AUTHENTICATED permissions.

Yes. Regardless of the content recognition you place on the receiving
end, in this case you will receive some spam or have a higher rate of
false positives.

> Even if they are, authenticated mail can still be fraudulent.

Authenticated mail which does not match the finely grained controls,
which could place undue burden on the sender to know those controls in
advance, is going to be passed along in either case. When that happens,
it is important to have authenticated sender schemes in place in order
to respond to the appropriate party.

> It doesn't have to. You only need to have individual recipients each have
> a finite number of TRUSTED recipients (and the GREAT majority of senders a
> given recipient receives mail from will NOT need to be whitelisted).

Agreed. When you find a system like this which provides the finely
grained control you want, pass it along. Mail clients have provided
this for a long time in the form of accepting messages only from known
senders. It doesn't have the finely grained control you desire, but it
is an effective example. As in that case, I do not think it will prove
effective in the long run as it requires too much interaction from the
participant in spite of its high effectiveness rate.
---
James Baldwin
hkp://pgp.mit.edu/jbaldwin(_at_)antinode(_dot_)net
"Syntactic sugar causes cancer of the semicolon."
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
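
Added example, not part of the original message: a sketch of the submission rule described in the reply above (only authenticated users may send, and only with "from:" addresses assigned to them). The login names, addresses and function names are constructed for illustration; the last sample shows the case raised in the thread, where mail sent with a user's real credentials passes the check but stays attributable to that account.

```python
from email.utils import parseaddr

# Constructed sample data: authenticated login -> addresses it may send as.
ALLOWED_SENDERS = {
    "alice": {"alice@isp.example", "alice.smith@isp.example"},
    "bob": {"bob@isp.example"},
}


def check_submission(sasl_login, envelope_from, header_from):
    """Return (accepted, reason) for one message submission.

    sasl_login is None when the client did not authenticate.
    """
    if sasl_login is None:
        return False, "authentication required"
    allowed = ALLOWED_SENDERS.get(sasl_login)
    if allowed is None:
        return False, "unknown login"
    # Check the envelope sender and the address inside the From: header,
    # so a forged display header cannot ride on a valid envelope sender.
    checks = (
        ("envelope", envelope_from),
        ("header", parseaddr(header_from)[1]),
    )
    for label, address in checks:
        if address.lower() not in allowed:
            return False, f"{label} sender not owned by {sasl_login}"
    return True, f"ok, attributable to {sasl_login}"


# Constructed submissions: (login, envelope sender, From: header).
SAMPLES = [
    (None, "alice@isp.example", "Alice <alice@isp.example>"),
    ("bob", "alice@isp.example", "Alice <alice@isp.example>"),
    ("bob", "bob@isp.example", "Alice <alice@isp.example>"),
    # Legitimate mail from alice, or a bot on her machine using her login:
    # the rule cannot tell these apart, but the account is identified.
    ("alice", "alice@isp.example", "Alice <alice@isp.example>"),
]


def evaluate_samples():
    """Run every constructed submission through the policy check."""
    return [check_submission(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, evaluate_samples()):
        print(sample, "->", result)
```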