That's completely, hopelessly impractical if a user is traveling and has
no
control over the originating path of their outgoing E-mail.
G P:
Your comments doesn't make sense to me. What's impractical?
You ignored the one question I asked.
And you ignored the multiple legitimate points I raised. Fair is fair. :-)
There's nothing in the draft that requires anything impractical of a
traveling user.
If you think otherwise, please refer to specific text in the draft.
Leibzon read more into the draft than was there.
The draft contains no text that says that users must use SUBMIT.
What the draft does is require support for a practical method already in
common use for traveling users to continue to use the same From: address
and server no matter where they are.
(Feel free to quote, unabridged, on ietf-smtp.)
Thanks, but I'm not on that list. Since we're dealing here with approaches
designed to control/limit spam, and that's what we're discussing, I feel it's
appropriate to talk here.
Actually, the topic is one specific approach.
Fine, I believe that anything which requires senders to route their mail
through
some specific MTA is impractical, simply because a large number of internet
access points that are available to travelers simply don't let the user have
any
say whatsoever about what MTA is going to handle their outgoing mail.
You violated my explicit request regarding how to treat the content of
private email to you. (Not to mention a very strong argument from Crocker.)
Frankly, I'm not interested in carrying on extended private debates. You're
not
likely to convince me, and it seems I'm not likely to convince you. The
discussion is only interesting if it enlightens someone else here, and serves
some purpose beyond just consuming my limited E-mail time.
<Plonk>.
Do whatever you like. Frankly, this issue goes beyond the egos of any one
participant here. If you don't want to read my posts, then don't. I honestly
don't care, since it seems you're not getting much from them in either case.
(to summarize:) My solution is the only good solution and everything
else is nearly useless and breaks stuff <but I can provide no evidence
or explanation as to how the draft in question breaks anything I'm
taking about.>.
You're welcome to express any opinion you like about my ideas, but I'd
appreciate you doing it in some other way than by putting words (or trying to)
in MY mouth.
I would never pretend that my solution is the only POSSIBLE good solution, but
I
will observe that over the last several years there have certainly been no
shortage of ideas tossed out here, and most of them have some pretty big
gotchas
which most people clearly aren't willing to accept... that's why we're still
having this discussion. If there were an obvious and satisfying technical
solution that we all agreed on, the life of this group would have been a very
short one.
Of course, authentication and certification will only be helpful if
there are consequences.
It's not clear that it's very helpful even if THERE ARE "consequences".
The great majority of machines pumping out spam probably belong to clueless
users (or even NOT-clueless ones, for that matter) whose machines have been
commandeered as a result of worms or viruses... the "spambot zombie" problem.
So your Aunt Matilda's ISP notifies her that her machine has sent out spam for
the last three days. What "consequences" do you think would create justice?
Should they cancel Aunt Matilda's account and excommunicate her to some offline
backwater for the rest of the poor dear's remaining life? That's not terribly
helpful. Do they help her exorcise the spambot zombie from her machine? Maybe
so, but that's not going to absolutely prevent her machine from being
commandeered again, some day in the future.
Even if someone updates their antivirus software EVERY SIX HOURS there's still
a
significant window of vulnerability between the time that a new virus or worm
appears and the time that their antivirus program detects it. And *all*
viruses
and worms are at their most prolific and most dangerous before ANY anti-virus
program detects them. Things like Blaster had infected literally MILLIONS of
machines around the world within the first few hours of its release into the
wild.
Even if you boot Aunt Matilda, eventually you'll boot most everybody off the
net... there, are you satisfied now? I don't think that's a terribly good
solution, either.
I'm willing to bet that the reputation services
that will be most useful will be the ones only vouch for very clean
entities.
1) "very clean entities" can still be infected.
2) "reputation services" can vouch for people who are sending spam.
3) "reputation services" can probably THEMSELVES be compromised.
4) Even if a 100% dependable "reputation service" exists someday, what good
does that do? Do you expect that mail won't be accepted from anybody that said
service won't vouch for? Again, you end up dividing the Net, and the part that
still has the privilege of E-mailing will find themselves in very small camp
indeed. E-mail isn't very useful if most people are excluded from it.
I don't think much of your scheme because it is one to which spammers
would very easily adapt if it became widespread.
Ultimately, the way they could (and probably would) adapt would be to stop
using
E-mail as the vector for sending spam and (in particular) infecting other
machines to create spambot zombies. They'll probably shift to using malicious
Web sites instead (and that's a separate problem to be solved, but at least we
would have solved a great part of the problem via E-mail that is OUR charter).
There's no reason the
payload of 95-99% of the spam I get wouldn't be readily adapted to
limited-size plain text email.
Fine. I *hope* in fact that they will do that. Once that is done:
1) The sheer bytecount volume of that E-mail is likely to be 3-5x smaller than
at present (at least on a per-message basis)... thus reducing wasted bandwidth,
wasted disk resources, and many other of the costs of carrying and queueing
unwanted E-mails.
2) The GREAT majority of the tricks that spammers and abusers use to evade
content filters are denied to them. Most spammer evasions of filters are based
on HTML, encryption scripting, ActiveX, text-as-image, obscured or
misrepresented links, Web site redirection, and the like. My proposal is not
intended to be a complete solution in and of itself, it's intended to be used
in
conjunction with a good content filter... and applies conditions to the
incoming
mail stream that allow that content filter to be *far* more effective and
efficient.
3) Limited-size plain text E-mails are EXCEEDINGLY unlikely to be able to be
able to carry worms or viruses. Your claim that "spammers would very easily
adapt" is true for most of the approaches that we've discussed here (SPF for
example, and at least most of the other authentication schemes) but nobody has
yet offered (at least not that *I* have seen anywhere) convincing evidence that
quarantining or otherwise blocking attachments [and especially those likely to
contain executable content (EXE/PIF/COM/BAS/etc)] in E-mails (from people not
trusted by a given recipient to send such executable attachments) doesn't at
least put a SERIOUS crimp in the ability of worms and viruses to propagate to
that recipient through E-mail.
If you know of any way for that to happen (other than through Web sites, which
as I'll freely admit is probably going to be the next battleground of this war)
then please feel free to share it with us.
4) Once you make worms/viruses/bugs dramatically less feasible to send in
E-mail (and in a way that doesn't depend on a never-ending stream of
predictably
after-the-fact updates to antivirus software), you will have HUGELY reduced the
ability of spammers and other abusers to not only just send spam, but also to
conduct any number of other exploits, including the launching of DDOS attacks
from their commandeered spambot armies.
I certainly don't claim that nobody else can possibly come up with a good
competing solution to the problem, but I will say on the record that I haven't
seen anything else here yet which has the interesting and useful set of
features
and logistical/operational characteristics that my proposal does, that breaks
fewer existing worldwide systems, or that does anywhere near as much to
effectively address not just the spam problem but also the virus/worm/DDOS
problems too.
Are there downsides to my proposal? Sure there are.
One of them is that my proposal gives control to and is centered on the final
recipient. While in many ways that is an ADVANTAGE (and probably, IMHO, by
enough that the downside is rendered 'acceptable'), it unfortunately does mean
that most of the backbone carrying cost of the spam is going to continue (at
least until spam stops carrying bulkier HTML-burdened content or attachments,
and until when viruses/worms abandon E-mail as a vector and shift to more
promising propagation approaches instead).
ULTIMATELY what dooms spam, is less impenetrable technological barriers than it
is the realization by the spammers that there have become easier scams and
other
ways to earn their living. I don't think we'll EVER eliminate 100% of unwanted
E-mails (and indeed, the cost (both social and financial) of doing so are
probably far more undesirable than the residual unwanted E-mail volume is.)
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg