[Top] [All Lists]

Re: [ietf-smtp] IETF Policy on dogfood consumption or avoidance - SMTP version

2019-12-25 09:44:35
John C Klensin writes:

_Any_ envelope-level spam filtering technique other than, maybe,
specifically identifying a particular bad actor and rejecting
mail from them, is going to be subject to false positives --
legitimate messages that are incorrectly rejected.   Anyone who
reaches the conclusion you describe, whether they understand it
or not, is making the decision that losing some number (a number
that is actually very hard to estimate accurately) of legitimate
messages is ok if it makes a big dent in the spam.


I'm sure there are occasional "anyones" who believe that their subjective mail filtering criteria is 100% perfect; I do believe that the overwhelming majority who do this already understand this, and they accept it.

                                                     That is ok,
but it doesn't work well in environments in which reliable
delivery, i.e., not losing legitimate messages, is important.

And those environments will simply choose not to use subjective mail filtering rules. Noone's forcing them to do this. Furthermore, this is the default state of affairs. I don't know out of any SMTP servers that, out of the box, has a bunch of subjecting mail filtering rules enabled. Everyone who uses subjective mail filtering policies, today, made their own decision to do so; and in my last message I explained why making this a "MUST NOT" is unlikely to make any difference. That's just what I think; perhaps eventually it turns out that my reasoning didn't held, and everyone ends up stopping filtering out various things in HELOs, or whatnot, because the RFC says they "MUST NOT" do this.

And, in situations where it counts, the task of a mail
administrator who has to explain to her boss's boss why a
message from an important customer was rejected and didn't get
through is, well, not enviable.

That depends on what happened in the first place – whether the mail administrator did that on their own volition, or because the same boss complained "I'm getting too much spam, can you do anything about it", the mail administrator explained the options, but the boss's eyes started glazing over hearing all the technical mumbo-jumbo, and the boss just waved their hand "just do it". So now the mail administrator explained that the mail was rejected because the boss approved the change, and the boss will simply tell the mail administrator to undo it, then, and everyone lives happily ever after.

If one decides to block attempts to open SMTP sessions by
rejecting IP literals at EHLO time (a singularly blunt
instrument, even more blunt, IMO, than rejection based on IP
address ranges, there are also two ways of doing it.  One is to
return a 5yz code in response to the EHLO, thereby rejecting all
messages using such syntax regardless of origin or destination.
The second is to wait until the MAIL command, or maybe even one
or more RCPT commands, are received, thereby allowing
whitelisting if there are particular cases one wants to allow.

I agree, and that's what I do. But I also recognize that other implementations don't, and I'm somewhat skeptical that they'll find this argument persuasive.

concentration.   If there is a solution to spam, it is almost
certainly lies in general recognition of spamming as an
antisocial act and the creation of social, legal, and financial
disincentives to spamming.  That recognition will probably never
come as long as we are successful in preventing enough of it
from reaching legislators and their active constituents so that

I do not believe that any social, legal, or financial disincentive will have any measurable difference whatsoever.

Unless something is adopted worldwide, spamming will simply move its origination point. Some of the spammers will not be able cover their tracks, very well, and a few dumb ones will get caught. But most will continue on, mostly unimpeded.

they don't feel significant pain.  I'm not quite serious about
this, but, if one wanted to really stop spam by making life
painful for the spammers, the most useful possible step might be
to declare a "let all of it go through to the end users" week
every once in a while.

There have been similar kinds of boycotts done in the past, in other contexts. I can't think of even one that succeeded.

And for this particular one: the target audience for this declaration is, basically, a herd of cats. And without a buy-in from most of the herd, there won't be much of an impact to speak of.

In the US, I think this will require participation from at least gmail and hotmail/outlook. I can't imagine why they will want to. Their existing customer-facing mail filtering is good enough already, and I doubt that any major sources of spam will ever find a way to defeat them. And without their involvement, to turn off all spam filtering for a day, nobody will notice..

The situation outside of US, I suspect, will mostly be the same.

Attachment: pgpiPL33K12zl.pgp
Description: PGP signature

ietf-smtp mailing list