On Tue, 14 Sep 2004, Anne P. Mitchell, Esq. wrote:
> > > True - but that's the basis of all reputation mechanisms - there's no
> > > absolute authority to refer to, you decide whose opinion you trust. If
> > > AOL trusts MSN, that's their business.
> > I agree. Reputation and trust can't be based on false assumptions. You
> > can't accept promises that you know the other party can't keep, even if
> > they really wanted to. That's true for just about everything, not just
> > spam.
> This is exactly why reputation is only one part of it, and only offers
> a complete package when coupled (tripled?) with authentication and
> accreditation - our IADB (ISIPP Accreditation Database) being one
> example of the latter. Look for more accreditation databases to show
> up, particularly as authentication moves more into place.

I'm not sure these databases aren't a good idea. I haven't really thought
them through enough to offer an opinion. My first impression on hearing of
them was that they were just another scam to get money from ISPs. First
impressions aren't always right. Knowing policies seems like it couldn't
hurt, although, like blacklists (ORBS, SORBS, MAPS, etc), these database
operators could easily lie and do harm. Since we've already had so many
bad experiences with blacklists, we aren't so gullible anymore about who
we trust. (Well, less so anyway.) The present scheme for blacklists is to
find some college student with no assets in another country to claim
ownership or else to be completely anonymous to prevent being held legally
and financially responsible for false statements. And the anti-spam
community also has no scruples about continuing associations with
court-proven liars and those who have previously violated the trust placed
in them to block only spammers.
I'm not sure I'd call such databases "reputation". "Reputation" is
something that is acquired over time, by the opinion of many people, not
just one person. Not even a smallish group of people. 'Reputation' is
that thing that some will try to smear, and others honestly report. Time
reveals truth and reputation. No database can do that.
> All three have a part - an important part. Authentication gets you to
> "who is this really?"; accreditation gets you to "what are they
> doing?", and reputation gets you to "what do others whom I trust think
> about what they are doing".

But to get an answer to "who is this really", the authentication has to
actually work. MTA authentication doesn't achieve this goal. Even with MTA
'authentication', the sender isn't really authenticated, and you don't
know who you're really dealing with. Further, no indication either way is
given. A system that is always right in a certain situation and often
wrong in others can still be useful, while a system that is uncertain in
all situations has no use.
Accreditation just lists a company's/end user's/ISP's policies. A user won't
know if they really implement those policies, and there is no way to
distinguish a company with pink contracts from ordinary security and
disposable signup problems. But even larger, given our past bad
experiences with blacklists, we can't trust anyone not to use such lists
for revenge.
And there is still the problem I described with reputation: an
ISP/end user/company/etc. can never vouch that it will never sign up a
(disposable) spammer, nor vouch that its users won't get viruses or worms,
nor even that its own systems won't be compromised. So reputation systems
based on such claims are based on dishonesty to begin with. Such a system
is basically just a negative reputation system: it lists only those who
lie or aren't smart enough to know they're lying.
I don't think this triad works.
> In a perfect world, in my opinion, everyone would check SPF or other
> authentication records, query an accreditation database like IADB, and
> then either query a reputation system of their choice such as Habeas or
> Bonded Sender - or make a note from the IADB results that the sender is
> listed with a service like Habeas or Bonded Sender (note that this
> does not diminish the Habeas or Bonded Sender model - in fact it helps
> them - we give points for participating in either - it just reduces the
> query to their database by one).

A little off-topic: I don't think the spam problem can be solved
technically, based on information theory constraints, that is on the
notion that one can't ever prove that there aren't covert channels in a
communication system. The term 'covert channels' specifically comes from
the analysis of operating systems and spying, but the information theory
principles on which the notion of covert channels is based are not
specific to operating systems or spying. Similar analyses have been done
on other types of systems, using different terms than 'covert channel',
such as 'sneaky channel'. Without going into too much detail, this means
the spam problem (like the spying problem) is always a whack-a-mole
problem. We can detect spam, and whack spammers. But spammers are always
free to sign up again, infect systems, etc, and otherwise adapt to
whatever means we invent to detect spam. The alternative is to restrict
their behavior non-technically, and that requires a lawful means of
coercion, which requires some kind of legal process.
Further off-topic, a thought occurred to me recently after someone
mentioned "the economics of spam". My first thought was that they were
misusing the term economics. They meant "profits". 'Economics' is a
science about how costs, and profits and such things interact. One cannot
actually change the "economics" of spam. One can only change the costs and
profits of spam. Then it occurred to me: a principle of economics states
that if a business finds a way to reduce costs, then the rest of its
competitors __have_no_choice__ but to follow suit in order to remain
competitive. In other words, spam should have a measurable impact on the
industry segments whose products are being spammed. In other words, the
Viagra retailers not using spam should be going broke. Viagra may not be
a good example, since Viagra is a prescription drug, and nearly all Viagra
spam is a hoax, not actually selling Viagra. But there are other products
that are being advertised via spam. The competing companies should be
going broke because the spamming companies have lowered their costs.
Just like the local grocery store is hard hit by Walmart. But, for some
reason, this isn't happening. I don't have the background to do the
necessary economic research, but there should be a measurable impact due
to spam, and not just on ISPs.
For those who didn't follow the above, let me put it this way: When
Walmart comes to town, things change. We should be able to detect and
measure those changes.
--Dean