Re: Proposal to define a simple architecture to differentiate legitimate

On Sun, 07 Sep 2003 09:58:47 +0800, Shelby Moore said:

> If it became an RFC or internet standard, and it became widely adopted, then 
> it is reasonable to assume that email clients would add features to handle this
> .  It is quite a low bandwidth operation (probably less than 1K bytes) to 
> poll 
> a POP server for email
It's not the bandwidth - it's the fact that there are these annoying things 
called
"timeouts".  For *each* server that isn't reachable, you get to wait a minute or
so - suddenly those 150 checks are taking quite some time.  And the queuing 
theory
of 150 sites with intermittent connectivity doing a push to your POP server is
different than what you see when you try to do 150 pulls....

But of course, if you actually *tried* this, you'd understand it...

> However, there is one key technological hurdle I did miss in my haste, there 
> would need to be some mechanism so that the same user doesn't keep 
> downloading 
> the same messages over and over again.  This would either require a special 
> modification
> to the POP server and require each user to login with a unique user name.
Hey.. what did I tell you?  Everybody needs a login of their own...

> And as a side benefit, there would be no way for someone to subscribe me to a
> list without my permission, as can be done by sniffing an authentication email
> for Majordomo. 
If your confirmation mail is being sniffed, you have *BIGGER* issues.

And if you have bigger issues, I suggest using the *proper* tools for the job.
See RFCs 2362-2364 and 3156.  If your issues are bigger than that, e-mail
subscriptions are the least of your problems.

> False.  You are correct that I missed this issue in my initial post.
> However, it need be only one POP account (one storage of emails) with flags 
> for
> each user.  In other words, the storage requirement need no increase
> drastically with number of subscribed users.
Hmm... store each mail as an object with links for each recipient.  A truly 
novel
idea, our homegrown mail system implemented it back in 1992.

>                                             The flags can either be stored at 
> the POP server 
> and then give each user a unique login id,
Hey.. there's that unique login again.

> No only 6000 POP accounts.  See above how email clients can handle the
> detection of new messages using UIDL.  And you only need one anonymous login
> and no password (just configure the POP server to accept any login and
> password).
And I tell *MY* UIDL from Keith Moore's UIDL from Vernon Schreyer's UIDL how?

> > Have you actually *TRIED* to use more than 100 POP accounts under any current
> > mail software?
> I will respond with similarly rhetorical question.  Did you try to use
> Netscape 2 on most current web pages?  Why make any application RFC if there
> can be no progress in applications?
There's a difference - I'm not proposing a new scheme of doing things that
involves a change to 500 million users.  So I submit to you that if this idea
is too hard to use with the current version of Outlook, it is a *non starter*
as a practical matter.

> 50, even 5000, is not statistically bulk on internet scale.  Is it not
> possible (or likely) to write laws without exclusions?  Do you think Hosts,
> ISPs, and anti-spam software would not account for this statistical 
> phenomenon?
Only problem is that many spammers are *already* only dropping 40-50 copies
of a note at a site at a time, specifically to work around that - then the rest 
of the
spamming recipients at your site get a different version with a different From: 
line
and a different source IP address.

I submit to you that if you didn't realize this was happening, you may not be 
qualified
to be suggesting proposals to counter it....

(Hint - if spammers weren't doing this, it would be trivial to block them, and 
we'd
not be HAVING this discussion, right? ;)

> > It's ironic that you're proposing this on a push-based mailing list provided 
> > by
> > an organization that is probably not in a position to provide POP accounts 
> > for
> > the 30,000 or so recipients of the the list.
> No.  As I said above, they would only need to provide one POP account for 
> this mailing list.
And as I pointed out, you'll need to create 30,000, because one account doesn't
allow you to keep track of who has already seen what messages.  And no, you're
*NOT* allowed to just say "everybody can fetch all the UIDLs and we'll just tag
them with the subscriber ID" - go read and *UNDERSTAND* section 6.2 of RFC2298
in order to understand why.

You might also want to go re-read the ASRG mailing list archives, your proposal
(and variants thereof) has been kicked down the beach like a dead whale
multiple times already.

pgp3s5ZX9zET6.pgp
Description: PGP signature