On Mar 3, 2015, at 7:03 AM, John C Klensin <john+smtp(_at_)jck(_dot_)com>
--On Tuesday, March 03, 2015 10:06 +0000 Martijn Grooten
I actually think that what is being overlooked by just about
every new anti-spam technique I've seen proposed is that we're
already doing rather well. Only a small minority of spam makes
it to people's inboxes. False positives do occur, but they're
not exactly making people stop using email.
In the meantime, I think it would be good to find ways to
solve (i.e. mitigate) the problem of email spam within the
context of SMTP.

There is one other issue, of which, IMO, we keep losing sight.
Filter-based (or similar) spam mitigation is effective at
keeping recipients from being overwhelmed by spam volume and
reasonably effective at preventing spam-enabled malware, etc.,
from being delivered. For places with restricted or expensive
available bandwidth to delivery (or filtering) servers, it is
ineffective at reducing the impact on transport bandwidth.
Indeed, at some times, if filters block 90% of the spam,
spammers simply increase the volume in the hope of getting
desired absolute amounts through, and typically through to the
most vulnerable recipients. That combination turns high-volume
spam into a DoS or imposition of costs attack, something we have
heard a lot about, especially from developing countries in
internal "governance" and "cybersecurity" meetings.
How significant that spam volume is relative to the average
movie download is another question, but the perception is that
it is important (and that few people with really restricted or
expensive links are downloading movies anyway).
Solutions to that class of problem lie in methods that keep the
spam off the network rather than keeping it from being delivered
once it is transported. Those solutions, so far, seem to be
more social or legal than technical.
Ironically, the better we get at spam mitigation, the less
likely we are to see sociopolitical remedies (such as throwing
spammers in jail and keeping them there) because the key
decision-makers --who typically have better access to good
filtering and bandwidth than typical members of their
populations-- have sufficiently little spam delivered to them
that they don't see the problem as significant.
So mitigation is not entirely a good thing.
"Two-way" techniques, whether via this sort of proposal or via
arrangements like one very common in the financial industry
(sending a very short message that says "you have secure mail,
log into your web account to pick it up") at least reduce the
bandwidth used by unsolicited or undesired mail. On the other
hand, a de facto policy that amounted to "spam is ok as long as
the messages are short" would not really constitute progress

Agreeing with Martijn. The Internet will reach a tipping point for IPv6.
Diehards insist this will never happen for email; however, use of infrastructure
identifiers rapidly becomes overwhelming when over IPv6 or proxied into IPv4
through massively shared infrastructure. What will having an rDNS PTR record
really mean? The malefactors are upping the game with BGP injections. For
example, can there be a standard that supports SMTP where both the client and
server are confirmed such as DANE-DANE/SMTP?
ietf-smtp mailing list