
Re: [Asrg] A Technique for Universal Authentication

2006-09-01 14:18:03
On 9/1/06, David Nicol <davidnicol(_at_)gmail(_dot_)com > wrote:

> On 9/1/06, Michael Kaplan < michaelkaplanasrg(_at_)gmail(_dot_)com > wrote:
> > I will illustrate by example.  You receive an email from a stranger.  As is
> > often the case the email is not authenticated by DKIM or Sender ID, it isn't
> > S/MIME signed, and it isn't using a sub-address.  Your filter rates this
> > email as having an intermediate risk for being spam.
> >
> > Under my system this email would be bounced back to the sender along with a
> > sub-address.  The sender's MUA will likely be updated to resend this bounce,
> > but if it isn't then all is not lost as the sender has the opportunity to
> > manually resend the bounce.  The stranger's email is now authenticated.  I
> > don't think that S/MIME is able to reproduce these functions.
>
> A shared centralized challenge-response system, which could be the beginning
> of the reputation infrastructure that gets talked about here, would do the same
> thing with fewer steps for the senders and no software upgrades required.
>
> As I understand it, any proposal that requires some kind of zero-day during which
> everyone on the internet is mandated to upgrade their MUAs in order for it
> to work is a non-starter.

This proposal does not require any kind of zero-day.  It combines the
advantages of a Bayesian filter and a sub-address based email system to
ensure that challenges are only sent for a small fraction of legitimate
mail.  Updating the MUAs is only essential to make this system universally
transparent.

Ideally it would be great if the 10 largest MUA developers made this rather
simplistic upgrade, then maybe a year later this system would be deployed.
This system would not be a C/R system for any of the vast majority of people
with an updated MUA.  It would not be a C/R system for anyone sending
non-spammy email.

Again, I contrast the tremendous ease of deploying Auto-Reply software with
the impossible task of the near universal deployment of DKIM or SPF.  The
challenge will only apply to the ever diminishing number of emails that fall
through the cracks.

C/R systems are not desirable, but I argue that there comes a point where, if
the challenge becomes so infrequent (1 out of 200 legit emails?), the
undesirability of C/R fades along with the appropriateness of calling it
C/R.  The question is whether this system can block spam and make challenges so
infrequent that we have reached the point where it is desirable.

Michael
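The flow described in this thread (unauthenticated mail with an intermediate filter score gets bounced with a sub-address; a resend to that sub-address is accepted), as an added illustration that is not the proposal's own code. It assumes a per-recipient HMAC secret for minting sub-address tags and two constructed score thresholds; what the resend proves is that the sender can receive mail at the address it claimed, which is the check the verdict rests on.

```python
import hmac
import hashlib
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # assumed per-recipient secret, not from the thread
ACCEPT, CHALLENGE, REJECT = "accept", "challenge", "reject"


@dataclass
class Message:
    sender: str          # envelope sender / return path
    rcpt: str            # recipient address as delivered (may carry a +tag)
    spam_score: float    # Bayesian filter output, 0.0 (ham) .. 1.0 (spam)
    authenticated: bool  # DKIM, Sender ID or S/MIME already verified


def sub_address(local: str, domain: str, sender: str) -> str:
    """Mint a sub-address whose tag is bound to this sender via HMAC."""
    tag = hmac.new(SECRET, sender.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{local}+{tag}@{domain}"


def valid_sub_address(rcpt: str, sender: str) -> bool:
    """True only if rcpt is the sub-address that was issued to this sender."""
    local_tag, _, domain = rcpt.partition("@")
    local, _, tag = local_tag.partition("+")
    if not tag:
        return False
    expected = sub_address(local, domain, sender)
    return hmac.compare_digest(expected, rcpt)  # constant-time compare


def decide(msg: Message, low: float = 0.2, high: float = 0.8):
    """Return (verdict, sub_address_to_bounce_with_or_None)."""
    # A resend to the sender-bound sub-address shows the sender received the
    # bounce at its claimed address: accept without further challenge.
    if valid_sub_address(msg.rcpt, msg.sender):
        return ACCEPT, None
    # Already authenticated, or clearly ham: never challenged.
    if msg.authenticated or msg.spam_score < low:
        return ACCEPT, None
    # Clearly spam: drop outright rather than challenge (no backscatter).
    if msg.spam_score >= high:
        return REJECT, None
    # Intermediate risk: bounce with a sub-address minted for this sender.
    local_tag, _, domain = msg.rcpt.partition("@")
    base_local = local_tag.split("+", 1)[0]
    return CHALLENGE, sub_address(base_local, domain, msg.sender)
```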
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg