Re: Has the IETF dropped the ball?

2005-03-09 16:38:50

At 03:32 PM 3/9/2005 -0500, Keith Moore wrote:

Spam is a hard problem. If we knew of a good solution, we'd be using it. The government wouldn't have to mandate the solution, as there are plenty of incentives already. There are lots of half-baked non-solutions and a few good ideas that raise the bar for spam without actually stopping it.

Authentication methods will not solve the spam problem. They may make phishing harder, which is a good thing. They might be useful when combined with some other facilities, but nobody understands what those facilities are. Authentication methods are also no better than the hosts that people use to submit mail. So if you want to reduce spam by requiring authentication, you first need to figure out how to make Windows secure and to get that secure version deployed everywhere.

I'm more optimistic. Authentication will allow us to hold domains responsible for their outgoing spam. Reputable domains will eliminate 99% of their outgoing spam, as AOL has done. Success in the war on spam doesn't depend on all domains being as clean as AOL. We can rank them based on their reputations. Most email will come from domains that are clearly good or clearly bad. Only a small fraction will have to be filtered and processed as we do now for all email. These will be mostly new domains that are trying to earn a good reputation, and a few domains that were ranked as good, but suddenly fell into the hands of a spammer.

This is a non-trivial problem.

The key problems are social, not technical. Almost everyone shares your pessimism. Nobody will change until they see an immediate benefit. The challenge is to engineer the system so that it has positive feedback at every point on the growth curve, i.e., the immediate benefit of change is worth the immediate cost. Then the process will go to completion, and spam will no longer be a major problem.

Filtering methods will not solve the spam problem. They can raise the bar a bit, which means we will get different kinds of spam, rather than less spam.

Filters will be needed as long as the flow of spam is too much for users to handle. When it becomes rare again, the few pieces that get through will be "filtered" by the best judge of all, the recipient, then bounced upstream and used to rapidly and effectively isolate the source.

That is my view of the future, anyway. For the topic of this thread, however, it doesn't matter if I am wrong on this. If all we get is the elimination of phishing scams, that is reason enough to move ahead, and work out a standard that everyone can live with.

