Alessandro Vesely wrote, On 6/12/09 2:28 PM:
> I've only been subscribed to this list for 18 months, so you will
> forgive me if I haven't yet grasped how it works. I've been receiving
> spam for much longer than that, and lazily waited for someone to reel
> off the rules to kill that plague. It never happened. Why? When I
> subscribed, I thought I'd at least understand that...
Different people (and mail systems) have different spam problems.
Many people have come up with "good enough" solutions for their own spam
problems, but they are not all the same solutions. The idea that there is or
could be one solution that works for everyone has largely fallen into
disrepute because all of the attempts at it have fallen far short of the
goal. Unfortunately, many of the de facto best current practices are
completely unsuited for technical standardization. I don't think anyone
wants to see any sort of RFC that recommends using any specific DNSBL, but
for many people running mail systems of a wide variety the use of the
Spamhaus Zen DNSBL is their most effective single anti-spam tactic.
Recommending the shunning of specific whole countries certainly does not
belong in anything that anyone might see as a "standard" but as a matter of
practicality, many mail systems do so to great benefit and at no tangible cost.
Because spam is fundamentally a social problem rather than a technical
problem, the technical approaches to fixing it are all imperfect, many
subsets are subject to "arms race" problems, and the only generalizable
solution is that everyone running a mail system should apply a mix of
tactics suited to their spam and their non-spam (based on the locally
relevant definition of "spam") and pay attention to how those tactics work
*for them* rather than seek to locally deploy some global solution.
> Understanding this list's dynamics is not easier. As in many lists,
> messages that start a new thread are relatively rare. I don't have
> message-per-thread statistics, but usually there are many responses.
> Some messages get no response; for example, Frank sent a message on Spam
> Statistics on April 28, and nobody answered, AFAIK.
There's not much in that case to answer about. He provided a link to a site
that provides interesting stats for one vendor's customers, but a lot of us
understand well that such stats are not particularly useful globally.
> In particular, I'm puzzled as to why I got no answer to my yesterday's
> message. A previous message by Amir, DNS-based Email Sender
> Authentication Mechanisms: a Critical Review, had several responses.
You should keep in mind that the short-term level of response here to an
idea is going to be somewhat inversely related to how well it is reasoned
and presented. I think if you look at the nature of the early responses to
that post you will find that the first day was dominated by people
complaining about the manner of presentation.
> The subject of my I-D is almost the same, an SMTP extension to manage those
> authentication mechanisms. However, I had exactly zero response. The
> same happened for a similar message I sent on May 25. I cannot believe
> it is by chance. Since it happened twice in a row, there has to be a
> sound reason.
I thought Logical Positivism was a dead school of philosophy, but it seems
not... :)
> Possible guesses:
> * Because nobody is interested in the subject.
> Already ruled out: it is the same subject of Amir's paper (rDNS, SPF,
> DKIM, and the like.) How come nobody is interested?
It's not the same. It's an actual new idea rather than a rehash/critique of
existing tools. Many people here have already thought about (and in some
cases used) the various MARID tactics. It does not take a lot of new thought
to throw the same old rocks at their pet targets, but it does require new
careful thought to discuss a new idea.
> * Because nobody has the time to retrieve the I-D from the web.
> Doesn't work, by the same argument nobody would have read Amir's paper.
His takes less effort to form an opinion on.
I also think that the difference in media is important. An I-D is presumably
intended as a step towards a RFC, and people here ought to understand that
public discussions of I-D's should be done carefully. Your proposal is
complex enough that making a careful analysis takes real effort. A casual
scan of the document doesn't yield obvious fatal flaws, nor does it provide
any instant 'AHA!' response of how the VHLO mechanism would provide a clear
fix for a major problem. That results in it seeming like a low-yield chore
to go through 23 pages of details to figure out whether this idea is sound
and useful. Maybe improving sections 1.1-1.3 to more directly and concisely
define the problem VHLO is meant to address would encourage more attention.
If I understand it correctly, the problem VHLO is trying to address is that
sending and receiving sides may not always agree on which name(s) to use in
application of which DNS-based authentication and authorization schemes and
how strongly the results of those schemes should be interpreted as the name
owner vouching for the non-spam quality of the messages involved. This tends
to force receivers into complex scoring of their DNS-based and content-based
filtering, making deliverability for legitimate senders highly uncertain and
opaque.
If I understand it correctly, you are proposing that VHLO be used to address
that problem by providing a way for a SMTP sending system to provide the
names, schemes, and strengths that should be used for all messages in a
particular VHLO session. This allows receivers to layer DNS-based mechanisms
as absolute criteria ahead of expensive and fuzzy content filters, instead
of using them (as is common in tools like SpamAssassin) as scored criteria
in a large collection of other similarly imperfect scored criteria.
Of course, I may just be projecting my own ideas about spam control onto a
very quick scan of your draft in full attention-deficit mode, and I don't
have any opinion on whether the mechanical details you define will do the
job that I think you want done.
More telling: I'm not convinced that any new technical approach to spam
control has any chance of widespread adoption or even careful attention. The
jungle of existing tactics combined with a drop in user expectations has
resulted in a circumstance where the demand for better mail service is not
enough to get significant new technical approaches deployed.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg