ietf-asrg

Re: [Asrg] Comments on draft-church-dnsbl-harmful-01.txt

2006-04-03 05:34:42
On Apr 02 2006, Chris Lewis wrote:

> First of all, CAN-SPAM doesn't define what is spam, and what isn't. It
> simply defines a subset of spam that is legally actionable under US law.
> The definition of spam doesn't depend on local ordinances.
>
> Analysis under CAN-SPAM determinations simply isn't relevant, for
> example, in our jurisdiction.  Spam is spam, whether it's in Canada, or
> the US or Australia.

Only when using your definition as anything that is sent without the
receiver's consent. The merits of various definitions have been
discussed to death on this list in the past, there's no need to rehash
them.  I mentioned CAN-SPAM as I got the impression you used consent
in a more than informal way.

To stay on topic, do you accept that with your definition, the only
authority which can reliably decide consent (and therefore spamminess)
is the receiver?  Moreover, insofar as the automated filtering systems
that are in place are concerned, these act as proxies for the
recipient only.
 
I ask this because it is relevant to the next bit:

>> Being an automated method of filtering, it depends on a set of criteria
>> and conditions stored in the program logic and database.
>> These criteria and conditions, if given in full to a human adjudicator,
>> could be judged by said human just as well with authority.
>
> And these adjudicators would be able to make such judgements correctly?
> Unlikely.  And furthermore, even if they were not 100% accurate, ONLY
> the overall result matters.

How do you define the overall result if you don't take the
recipient's authority as final? I should say that the adjudicators I mention
are assumed to be actual recipients in this case.


> We don't judge testing of drugs on whether "adjudicators" understand how
> the drugs work, we judge drug efficacy on _results_ in trials.

Correct, but _results_ are well defined in terms of observable
biological effects. If spam is defined in terms of recipient consent,
then observation requires asking the recipients if their consent is
given in each test case.


>> As Steve Atkins mentioned later in the thread, there's efficacy and
>> accuracy, two different aspects. I don't think there's anybody who would
>> dispute efficacy - rejecting at the source is clearly more efficient.
>
> Efficacy has nothing to do with the success/failure of DNSBLs in a
> general sense.  Nor is rejecting at source a necessary consequence of
> DNSBLs.  We use DNSBLs, do rejections, but still get to quarantine the
> whole email.

I apologize for using efficacy incorrectly, I meant efficiency in the
sense of machine workload. 

However, if you accept the email in quarantine and silently reject
after the fact (correct me if I'm wrong), then I do not see that
Steve's point applies. You can test the effectiveness of your choice
of DNSBLs without interacting with the spammer who sends the
message. In particular, you can do what Justin Mason outlined.


> More importantly, Steve (and I) pointed out that these techniques simply
> can't be tested to the level you might want to see, because they have to
> be done with real mailstreams in realtime, and with, for example, grey
> listing, it's simply NOT possible to judge in your terms whether the
> email was spam or not.  Applying the heuristic changes the sender
> behavior, and you don't have the email to judge.

What you do have is all the information that the mail server has when
it makes the rejection choice. Namely X number of attempts from the
same host in Y time. If consent can only be authoritatively judged by
the recipient, then this recipient should be asked to judge based on
precisely that information (during a QA test, for verification). But
see the next paragraph. 

> The situation is simple: there's a variety of techniques that simply
> cannot be tested to this level of academic certainty with "recipient" or
> "recipient's judge" techniques, because applying them changes the
> behaviour, and secondly, the recipient _cannot_ have anything to judge
> it with.

No behaviour is changed by auditing the accuracy of a system after the
fact. But it doesn't come for free, logging relevant information is
necessary.

The recipient may well find it difficult to judge based on so little
information and without seeing the never accepted mail, whereas you
have much more experience with mail systems in general and for you the
greylisting record is quite sufficient, without the need to see the
mail at all.

I think that points to the fact that it makes more practical sense for
_you_ to judge consent than for the intended recipients, in these
cases.  But that requires changing the meaning of spam slightly to
include you as an authoritative proxy for the recipient in difficult
cases. If so, then your comments (notifying the sender etc.)
make a lot more sense to me.

I don't want to make this reply too long, so I won't do a point by
point reply. I think we agree that your points apply to regular
frequent business communication, so there's no need to criticize them
again from a different perspective.


-- 
Laird Breyer.
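The "X attempts from the same host in Y time" record and the after-the-fact audit it enables, worked through as an added illustration that is not code from anyone in this thread; the greylisting rule, its five-minute window, the triplet key and the sample hosts are all assumptions.

```python
# Added illustration (not code from this thread): a greylisting decision
# that writes an audit record of what the server knew at decision time.
# Window length, triplet key and sample hosts are assumptions.
from dataclasses import dataclass, field

@dataclass
class Greylist:
    window: float = 300.0                            # assumed: retries before 5 min are tempfailed
    first_seen: dict = field(default_factory=dict)   # (host, sender, rcpt) -> time of first attempt
    attempts: dict = field(default_factory=dict)     # (host, sender, rcpt) -> attempt count
    audit_log: list = field(default_factory=list)    # one record per decision, for later review

def decide(gl, host, sender, rcpt, now):
    """Tempfail the first attempt; accept once the triplet has waited out the window."""
    key = (host, sender, rcpt)
    gl.attempts[key] = gl.attempts.get(key, 0) + 1
    first = gl.first_seen.setdefault(key, now)
    decision = "accept" if now - first >= gl.window else "tempfail"
    # This record is the whole basis of the decision: X attempts in Y seconds.
    gl.audit_log.append({"host": host, "sender": sender, "rcpt": rcpt, "time": now,
                         "attempt": gl.attempts[key], "elapsed": now - first,
                         "decision": decision})
    return decision

def audit(gl):
    """Collapse the log per triplet so a reviewer sees exactly what the server saw."""
    summary = {}
    for rec in gl.audit_log:
        key = (rec["host"], rec["sender"], rec["rcpt"])
        summary[key] = {"attempts": rec["attempt"], "span": rec["elapsed"],
                        "final": rec["decision"]}
    return summary

def run_demo():
    """Constructed traffic: one well-behaved MTA that retries, one sender that gives up."""
    gl = Greylist()
    good = ("mta.example.net", "alice@example.net", "bob@example.org")
    bad = ("198.51.100.7", "promo@example.com", "bob@example.org")
    decide(gl, *good, now=0.0)      # first contact -> tempfail
    decide(gl, *good, now=900.0)    # retried after 15 min -> accept
    for t in (0.0, 10.0, 20.0):     # three rapid attempts, never waits out the window
        decide(gl, *bad, now=t)
    return audit(gl)

if __name__ == "__main__":
    for key, rec in run_demo().items():
        print(key[0], rec)
```

The audit summary is what a recipient (or an administrator acting as their proxy) would be handed to judge the decision, and producing it does not touch the live mail stream.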

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
