ietf-mxcomp

RE: Adoption of MARID, SPF and alternatives and thoughts on cost

2004-05-14 04:50:14

On Thursday May 13, michel(_at_)arneill-py(_dot_)sacramento(_dot_)ca(_dot_)us wrote:
Roy Badami wrote:
I think that LMAP will certainly stop spam in the short term,
in the same way that checking the domain of the MAIL FROM
resolved was quite effective for a while.  Then spammers adapted,
[...]

Neil Brown wrote:
If LMAP is only to be a short term measure, then it isn't worth
the effort.

By that reasoning nothing is worth the effort. You are trying to design
a silver bullet; we already have acknowledged that there was no such
thing. MARID/LMAP/SPF etc are to become one out of 20 or 30 items in
mail handling. Look back in a recent past: there was a time when RBL
lists were the solution. Then the spammers adapted. Then came Bayesian
filters and many people touted them as "the" solution. Then the spammers
adapted. MARID is not going to be the silver bullet that will stop spam.
MARID will stop 20% of spam in the beginning and 5% in the end. 

I disagree with your first statement.  
Things are "worth the effort" if the cost is small (e.g. returning a
multiline greeting at the start of each SMTP session) or if the value
is substantial.
LMAP is not a small cost.  We must make sure the value is substantial.

Don't think of MARID as stopping spam.  Think of MARID as empowering
recipients.  It gives a more useful perspective.


Try to become the spammer: if you had half a brain, would you today use
an open relay listed on spamhaus to spam? Of course not. The same thing
will happen to MARID tomorrow. Timing is everything; currently my
problem is not bozos that use open relays that have been in an RBL for 6
months; they have not adapted and they will die.

<tongue location=cheek>
If I were to become a spammer, I would probably join the MARID mailing
list and try to derail the process.  I could encourage people to
develop wrong expectations so that reality would be sufficiently
disappointing that they wouldn't bother.  I could pick up all the
little difficulties and make them seem bigger than they are.  I could
make sure that any really *good* idea was thoroughly lampooned.

Of course I would do it from several different email addresses so that
I looked like I had lots of support on my side...
</tongue>



Spam sending and spam fighting are like the TCP sliding window: when the
lower sequence has been acked, the bottom of the window closes but the
top opens. The old story of the shield and the weapon; you are talking
about long-term gains like you already have the nuke that could end the
war. You don't have it. And anyway, sometime after you built the nuke,
the sworn enemy has collapsed and you finally feel safe, someone invents
terrorism. The end is not in sight.

It's not a war.  It's a business.  The key is cost.  Don't make it
impossible for the spammers to send you spam.  Make it expensive on a
per-item basis.  But keep the cost easily in reach of genuine
correspondents.  The most suitable unit of cost is person-time.  

NeilBrown