Re: [ietf-smtp] IETF Policy on dogfood consumption or avoidance - SMTP v

John C Klensin writes:

> _Any_ envelope-level spam filtering technique other than, maybe,
> specifically identifying a particular bad actor and rejecting
> mail from them, is going to be subject to false positives --
> legitimate messages that are incorrectly rejected.   Anyone who
> reaches the conclusion you describe, whether they understand it
> or not, is making the decision that losing some number (a number
> that is actually very hard to estimate accurately) of legitimate
> messages is ok if it makes a big dent in the spam.
Correct.

I'm sure there are occasional "anyones" who believe that their subjective  
mail filtering criteria is 100% perfect; I do believe that the overwhelming  
majority who do this already understand this, and they accept it.
>                                                      That is ok,
> but it doesn't work well in environments in which reliable
> delivery, i.e., not losing legitimate messages, is important.
And those environments will simply choose not to use subjective mail  
filtering rules. Noone's forcing them to do this. Furthermore, this is the  
default state of affairs. I don't know out of any SMTP servers that, out of  
the box, has a bunch of subjecting mail filtering rules enabled. Everyone  
who uses subjective mail filtering policies, today, made their own decision  
to do so; and in my last message I explained why making this a "MUST NOT" is  
unlikely to make any difference. That's just what I think; perhaps  
eventually it turns out that my reasoning didn't held, and everyone ends up  
stopping filtering out various things in HELOs, or whatnot, because the RFC  
says they "MUST NOT" do this.
> And, in situations where it counts, the task of a mail
> administrator who has to explain to her boss's boss why a
> message from an important customer was rejected and didn't get
> through is, well, not enviable.
That depends on what happened in the first place – whether the mail  
administrator did that on their own volition, or because the same boss  
complained "I'm getting too much spam, can you do anything about it", the  
mail administrator explained the options, but the boss's eyes started  
glazing over hearing all the technical mumbo-jumbo, and the boss just waved  
their hand "just do it". So now the mail administrator explained that the  
mail was rejected because the boss approved the change, and the boss will  
simply tell the mail administrator to undo it, then, and everyone lives  
happily ever after.
> If one decides to block attempts to open SMTP sessions by
> rejecting IP literals at EHLO time (a singularly blunt
> instrument, even more blunt, IMO, than rejection based on IP
> address ranges, there are also two ways of doing it.  One is to
> return a 5yz code in response to the EHLO, thereby rejecting all
> messages using such syntax regardless of origin or destination.
> The second is to wait until the MAIL command, or maybe even one
> or more RCPT commands, are received, thereby allowing
> whitelisting if there are particular cases one wants to allow.
I agree, and that's what I do. But I also recognize that other  
implementations don't, and I'm somewhat skeptical that they'll find this  
argument persuasive.
> concentration.   If there is a solution to spam, it is almost
> certainly lies in general recognition of spamming as an
> antisocial act and the creation of social, legal, and financial
> disincentives to spamming.  That recognition will probably never
> come as long as we are successful in preventing enough of it
> from reaching legislators and their active constituents so that
I do not believe that any social, legal, or financial disincentive will have  
any measurable difference whatsoever.
Unless something is adopted worldwide, spamming will simply move its  
origination point. Some of the spammers will not be able cover their tracks,  
very well, and a few dumb ones will get caught. But most will continue on,  
mostly unimpeded.
> they don't feel significant pain.  I'm not quite serious about
> this, but, if one wanted to really stop spam by making life
> painful for the spammers, the most useful possible step might be
> to declare a "let all of it go through to the end users" week
> every once in a while.
There have been similar kinds of boycotts done in the past, in other  
contexts. I can't think of even one that succeeded.
And for this particular one: the target audience for this declaration is,  
basically, a herd of cats. And without a buy-in from most of the herd, there  
won't be much of an impact to speak of.
In the US, I think this will require participation from at least gmail and  
hotmail/outlook. I can't imagine why they will want to. Their existing  
customer-facing mail filtering is good enough already, and I doubt that any  
major sources of spam will ever find a way to defeat them. And without their  
involvement, to turn off all spam filtering for a day, nobody will notice..
The situation outside of US, I suspect, will mostly be the same.

pgpiPL33K12zl.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp