ietf

IAB policy on anti-spam mechanisms?

2003-02-26 20:59:24
I would like to propose that the IAB consider drafting and adopting a
position statement on the highly deleterious effect that certain
anti-spam mechanisms have on legitimate, efficient uses of the
Internet.

I am thinking mainly of the MAPS DUL (Dialup User List), a remarkably
ill-conceived mechanism that complicates life considerably for those
who prefer not to use their ISP's mail servers for reasons of
efficiency, latency and security while doing remarkably little (or
nothing) to actually combat spam.

Here's a page that says better than I can why MAPS DUL is such a bad idea:

http://homepages.tesco.net/~J.deBoynePollard/FGA/maps-dul-is-wrong.html

Other widely deployed but similarly misguided anti-spam mechanisms
include blanket blocks on incoming or outgoing TCP connections to port
25. I've even encountered an ISP that transparently and silently
redirected my outbound SMTP connections to their own mail servers!

All these mechanisms force users to relay outbound or inbound mail
through ISP-run mail servers. This increases latency, decreases
reliability (sometimes substantially), and totally precludes the
effective use of some very useful SMTP security features such as the
AUTH and STARTTLS commands.

There is precedent for the IAB taking a stand on this sort of
thing. In particular, RFC2775 on "Internet Transparency" expresses the
view that the end-to-end principle that underlies the Internet
architecture is still vitally important and worth preserving. Although
RFC2775 spoke mainly to the problems introduced by the widespread use
of NATs, spam filtering is mentioned in passing.

Another relevant precedent is RFC2804, "IETF Policy on Wiretapping",
in which the IETF formally rejected calls to design Internet protocols
to facilitate wiretapping. Yet anti-spam mechanisms that block direct
end-to-end SMTP transfers effectively disable the routine use of
STARTTLS, an automatic, transparent and highly effective
anti-wiretapping mechanism, and make it a trivial matter for an ISP
to log every email sent or received by its users. At a time of
unprecedented threats to personal privacy and security, the widespread
use of mechanisms like STARTTLS should be encouraged, not discouraged.

As everyone knows, there are many different ideas and approaches to
the spam problem, yet none of them has proven to be a silver
bullet. There is plenty of room for innovation and experimentation in
this area, and I certainly wouldn't want to dampen these activities.

However, I believe the IETF and IAB should state some basic principles
that should be observed by everyone working on the spam problem. And
the most basic principle of all should be that no anti-spam mechanism
should ever block email between consenting end-parties without giving
those parties the ability to disable those blocking mechanisms.

As currently implemented, however, end users rarely (if ever) have
such control. They are the "collateral damage" of the spam war, and
are shrugged off just like foreign civilian casualties in most
wars. But a formal policy statement by the IAB or IETF just might give
them something to defend themselves.

Comments?

Phil