Re: [ietf-smtp] IETF Policy on dogfood consumption or avoidance - SMTP version
John C Klensin writes:
_Any_ envelope-level spam filtering technique other than, maybe,
specifically identifying a particular bad actor and rejecting
mail from them, is going to be subject to false positives --
legitimate messages that are incorrectly rejected. Anyone who
reaches the conclusion you describe, whether they understand it
or not, is making the decision that losing some number (a number
that is actually very hard to estimate accurately) of legitimate
messages is ok if it makes a big dent in the spam.
I'm sure there are occasional "anyones" who believe that their subjective
mail filtering criteria is 100% perfect; I do believe that the overwhelming
majority who do this already understand this, and they accept it.
That is ok,
but it doesn't work well in environments in which reliable
delivery, i.e., not losing legitimate messages, is important.
And those environments will simply choose not to use subjective mail
filtering rules. Noone's forcing them to do this. Furthermore, this is the
default state of affairs. I don't know out of any SMTP servers that, out of
the box, has a bunch of subjecting mail filtering rules enabled. Everyone
who uses subjective mail filtering policies, today, made their own decision
to do so; and in my last message I explained why making this a "MUST NOT" is
unlikely to make any difference. That's just what I think; perhaps
eventually it turns out that my reasoning didn't held, and everyone ends up
stopping filtering out various things in HELOs, or whatnot, because the RFC
says they "MUST NOT" do this.
And, in situations where it counts, the task of a mail
administrator who has to explain to her boss's boss why a
message from an important customer was rejected and didn't get
through is, well, not enviable.
That depends on what happened in the first place – whether the mail
administrator did that on their own volition, or because the same boss
complained "I'm getting too much spam, can you do anything about it", the
mail administrator explained the options, but the boss's eyes started
glazing over hearing all the technical mumbo-jumbo, and the boss just waved
their hand "just do it". So now the mail administrator explained that the
mail was rejected because the boss approved the change, and the boss will
simply tell the mail administrator to undo it, then, and everyone lives
happily ever after.
If one decides to block attempts to open SMTP sessions by
rejecting IP literals at EHLO time (a singularly blunt
instrument, even more blunt, IMO, than rejection based on IP
address ranges, there are also two ways of doing it. One is to
return a 5yz code in response to the EHLO, thereby rejecting all
messages using such syntax regardless of origin or destination.
The second is to wait until the MAIL command, or maybe even one
or more RCPT commands, are received, thereby allowing
whitelisting if there are particular cases one wants to allow.
I agree, and that's what I do. But I also recognize that other
implementations don't, and I'm somewhat skeptical that they'll find this
concentration. If there is a solution to spam, it is almost
certainly lies in general recognition of spamming as an
antisocial act and the creation of social, legal, and financial
disincentives to spamming. That recognition will probably never
come as long as we are successful in preventing enough of it
from reaching legislators and their active constituents so that
I do not believe that any social, legal, or financial disincentive will have
any measurable difference whatsoever.
Unless something is adopted worldwide, spamming will simply move its
origination point. Some of the spammers will not be able cover their tracks,
very well, and a few dumb ones will get caught. But most will continue on,
they don't feel significant pain. I'm not quite serious about
this, but, if one wanted to really stop spam by making life
painful for the spammers, the most useful possible step might be
to declare a "let all of it go through to the end users" week
every once in a while.
There have been similar kinds of boycotts done in the past, in other
contexts. I can't think of even one that succeeded.
And for this particular one: the target audience for this declaration is,
basically, a herd of cats. And without a buy-in from most of the herd, there
won't be much of an impact to speak of.
In the US, I think this will require participation from at least gmail and
hotmail/outlook. I can't imagine why they will want to. Their existing
customer-facing mail filtering is good enough already, and I doubt that any
major sources of spam will ever find a way to defeat them. And without their
involvement, to turn off all spam filtering for a day, nobody will notice..
The situation outside of US, I suspect, will mostly be the same.
Description: PGP signature
ietf-smtp mailing list