--On Thursday, September 26, 2019 16:22 -0400 John Leslie
<john(_at_)jlc(_dot_)net> wrote:
John C Klensin <john-ietf(_at_)jck(_dot_)com> wrote:
I have to agree with Dave and Keith. This is an arms race,
it is driving the costs of email up, increasing concentration
of actors and raising privacy risks, and driving diversity
down. Spam-carried malware and phishing attacks continue to
do real damage including leading identity theft.
+++++
In an odd way, all of that mostly-effective filtering has the
side effect that there isn't enough spam getting through: the
only way to actually stop the arms race is to treat spamming
as a seriously anti-social activity and spammers as criminals
and parts of criminal enterprises.
Umm... I disagree.
Spam is not a contry-by-country problem. It is world-wide.
And I didn't say a word about country-by-country anything. And,
if countries were to line up to solve the problem, I'd expect
the US Congress to be close to the end of the line, right in
front of those countries whom some of us suspect of having
anti-spam policies that, in practice, amount to "attack anyone
you like as long as you don't attack other citizens of our/your
country". Because of that world-wide problem, one that from my
perspective involves spammers hiding in one country to escape
the jurisdiction of others, a considerable amount of
international cooperation is obviously necessary. However,
there are precedents for that which go back several centuries
and they have a good success record... if the problem is
perceived as serious enough.
We are better able to address world-wide problem than any
individual contry's legislature (least of all the US
Congress!).
What you mean "we"? You can remember the days when there were
widely-held suspicions that anti-virus vendors were suspected of
spreading viruses to increase the market for their products. I
haven't heard of those suspicions being leveled against any of
the anti-spam vendors and operators. However, at least some of
them have incentives to let the spam level remain high enough
that they keep selling products and services, even if none of
them are motivated by it. Similarly, the very large providers
have incentives to see more and more email users driven to their
platforms (and to view the need to interoperate with smaller
providers as an inconvenience) even if, again, one does not
believe that drives their behavior.
If you consider the present situation, after all these years of
spam being widely considered as a scourge or worse, as
successfully addressing the problem, we disagree about the
definition of "success".
As long as legislators and regulators see very little spam
themselves, efforts to get effective laws and enforcement
actions are likely to be ineffective,
For US legislators, at least, _none_ of them deal with spam
as part of their regular email process. They have staffers
which _may_ read an actual email account: the legislator
couldn't possibly read all their "ham" from
probable-constituents.
Yes. But that was part of my point. And, again, the US is not
at the top of my list of concerns.
especially while self-defined "legitimate email marketers"
continue to press for weak laws and regulations to be sure
their activities are not constrained.
This is true. (and the "email marketers" contribute to
re-election campaign funds, while spam-receivers mostly don't).
Indeed.
From that point of view, if we really wanted to stop spam,
there is one thing we could do that might be effective and
that has not been tried: we could try to organize an
international Spam Impact day (or week) and persuade everyone
to shut down their filters for that period.
An interesting idea!!
I don't think such persuasion would be likely to succeed but,
if it did, I think it is safe to assume that many actors in
the political arena would decide it was time to Do Something.
Even if they did, how could enough legislators agree what
to do???
Depends on how much public (or constituent or donor) pressure
they were feeling. An equally good question, however, is
whether we would have a reasonable expectation that, if they
agreed on something, it would be realistic, plausible, and would
not cause more problems than it solved or whether they would
come up with bad solutions that would have to do more damage
before iteration was possible. I have no confidence about that
at all. On the other hand, that takes me back to where we
disagree -- I think our current path and mechanisms are an
increasingly expensive dead end, unless it results in a very
small number of providers who are willing to authenticate and
police the behavior of their own users and establish trust
relationships with each other. I don't consider that a
desirable outcome and that is part of what puts me in some
alignment with Dave and Keith, but YMMD and I'm confident that
of most of those operates does.
BTW, I carefully read the entire 300-page document before
replying. There are interesting ideas there -- not that we
could simply standardize this document -- but pieces for which
we could standardize an underlying structure. I'd be happy to
work on something of that order. (I have had no luck so far
getting a consensus to work on anything like that.)
I have not studied that much of it, but share your impression
that there are some interesting ideas there. For me, whether
they are interesting enough to overcome the difficulties others
have pointed out, including the formidable barriers to
widespread deployment and some trust issues, is another
question, but one that I have not studied the proposal
sufficiently to comment on (and I therefore haven't)
best,
john
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp