ietf-asrg
[Top] [All Lists]

Re: [Asrg] A paper/project worth considering (found it!)

2008-12-14 18:16:55
On Sun, 14 Dec 2008, Rich Kulawiec wrote:

On Thu, Dec 04, 2008 at 11:18:47AM -0500, Chris Lewis wrote:
We have a TIS button.  I have no reason to believe that the error rate
on hitting it is even as bad as 5%.

Interesting.  As I mentioned elsewhere, I recently went through nearly
5 years of feedback loop reports from AOL and found that the error
rate was 100.00% -- every report ever filed was wrong.  (I think I
also mentioned that I found cases where users reported *their own
messages* to mailing lists as spam.)

I have to say that this precise sounding figure "100%" comes from using an incorrect base. If you sent a million messages and get one incorrect spam report, the error rate is .0001%, not 100%. You are getting a nonsense number because you are using the wrong base - a common error when dealing with percentages.

Dividing by the number of reports rather than the number of messages provides no way for AOL to ever have anything other than 100% error rate, assuming you do not send spam. Now, if you want to claim AOL spam reports are poor evidence, you at least have to tell us the number of good messages. Otherwise, the deck is stacked against AOL in a totally unfair manner - there is no way for the users to have any error rate other than 100% (or undefined, if there are no reports).

Daniel Feenberg


I have no reason to think AOL's users are any better or worse at this
than Comcast's or Yahoo's or any other ISP/mail provider.  (I should
conjecture that Chris's users are better -- well, they'd have to be in
order to keep the error rate that much lower!)

I think at the scale of the Internet, users are awful at telling spam
from not-spam: if they were good at it, phishing would be a non-problem.


But let me put all of these conversation about end-user abilities
aside and look at this a different way.  Anti-spam policy is as much a
security function as, say, firewall configuration; and there's no way
I'd even consider giving users the ability to affect that.  It's all
very populist to give users these controls, but I think it's terribly
misguided and reflects a lack of realization that spam can be as much
of a security threat as malicious packets.  Analyzing such threats
and devising effective counter-measures to them requires trained,
experienced people -- moreover, it requires people who have the
responsibility for doing so.

What I'm arguing (and I've argued this elsewhere) is that it's not
the role of end users to set anti-spam policy (in whole or in part)
any more than it's their role to set firewall policy.  It's not their
job, and they're terrible at it.

---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg