
Re: [Asrg] Mailing list signup handshakes

2008-11-30 14:41:08
Rich Kulawiec wrote:
On Sun, Nov 30, 2008 at 07:16:33AM -0800, Michael Thomas wrote:
And it's certainly not their problem that the UI designers maintain
their procrustean stance that their users are the ones who are wrong,
stupid, unreliable, etc, etc.

I agree with the general idea that UI presentations could be improved.

I think increased use of RFC 2369 headers and their corresponding
presentation would help; I've also considered the possibility of
making MUAs aware of proper opt-in signups (say, via RFC 2142 -request
addresses, which all mailing lists should support), as it would leave
open the door for the MUAs to decline to present a "report as spam"
button while viewing any message on that list and instead present a
"request unsubscription" button (using the RFC 2369 headers) instead.
(Why do this in the MUA?  Because it's MUA behavior that needs to
be affected, and it needs to be affected even when the MUA is running
on a system that's not Internet-connected at the moment.)

   See, you've already lost me: I, and I hope just about everybody
   else, have been conditioned to not trust those "unsubscribe" buttons
   because there's a pretty good chance that something actively evil will
   happen if you click it. *I* don't want to understand the vagaries of
   what is and is not trustworthy; I want my agent and/or things it uses
   to figure that out for me. All *I* want to do is register my Royal
   Displeasure.
I'm not at all sure that's much help, but I think we should at least
encourage compliance with RFC 2369 and RFC 2142 anyway, among others,
because (a) there's no downside and (b) it *might* help.

But:

Users have proven that they are, w.r.t. spam, all those things
you've enumerated above.  Why do you think phishing is so marvelously
successful and lucrative, for example?  Why do you think (as I've reported
elsewhere) I've seen a 100.000% false positive rate on nearly 5 years of
AOL feedback loop reports?  Why do you think that spyware (even in the
absence of drive-by downloads) is such a problem?  Why do you think that
monitoring of *outbound* mail traffic at most sites reveals a steady
stream of replies/"unsubscribes" to spammer domains, after we've spent a
decade telling people not to do that?

So I'm not getting why you're saying that an "Unsubscribe" button in the
MUA would be a good choice? It seems like we're likely in agreement, but
I'm confused.

In any case, all of these things are successful because the margin to
success is so very low too. It's a relatively new human phenomenon
that you can reach out and touch your billion best friends for negligible
cost.
And arguably, this is not their fault.  Users are simply trying to get
things done, and should not be expected to be experts on spam or firewall
configuration or malware techniques or anything else like that.
Of course they're not at fault. Think about how well your life would work if
at any particular meal there was a 10% chance that your meal would kill you
unless you vetted it correctly. The answer is not to teach everybody how
to run a mass spectrometer, but to put in place processes and filters to lower that
raw 10% chance down to something far, far lower.

We're only marginally better than "If you learned to run a mass spectrometer"
on the spam/phish front. Our automatons need to be *way* smarter, and to
the degree that we blame the user/victim is to the degree that we miss that
point.

         Mike

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg