ietf

Re: You Might Be An Anti-Spam Kook If ...

2003-09-12 06:20:40
Iljitsch van Beijnum wrote:
declaring the spam problem unsolvable. I don't think it's a good idea 
to lend credibility to this sentiment by publishing it as an RFC. 

How hard is it to agree that: 

a) there will always be (some) spam 
b) there is no need for it to be 50% of all mail 


Vernon Schryver responded:
That last sentiment is on my list.

There are several currently available, independent sets of mechanisms
that will keep more than 90% of all spam out of your mailbox with fewer
than 0.1% false positives. If your mailbox receives on average more than
1 spam/day and you care, then fire your current ISP and hire one that
offers reasonable spam defenses. If you care to invest your own time and
effort maintaining filters or if you can tolerate more than 0.1% false
positives, your mailbox can be practically spam free.

Consider my response a new thread, "Why all existing anti-spam will fail
miserably or are otherwise inadequate".

Or consider this response, "Exposing the security holes in all existing
anti-spam techniques", similar to the benefits of exposing the security holes
in operating systems before they are exploited.  There is no sense in relying
on something and making an ever increasing investment in that thing, if it is
going to fail miserably at some point and force you to start over.


Vernon misses some *very* important details in his *simplistic* analysis
above, which I am confident after all of you read the following, you will agree
could not be left as an unchallenged statement *pretending* to be factual.

1. The DCC (Vernon's business) and all current practical anti-spam which can
generate the 90% + < 0.1% that Vernon claims, rely heavily on whitelisting,
which is both inherently subvertable and more importantly which has a great
cost to (usually not transportable) investment in maintenance, which may in
many cases outweigh the *current* cost of spam:

http://www.ietf.org/proceedings/03mar/slides/asrg-1/sld12.htm


2. Not all people can use those existing anti-spam tools.  For example, I am
capable of using BrightMail on my Earthlink account but not on my hosted
accounts.  In other words, those existing tools don't scale everywhere.


3. And here is the kicker.  ALL existing anti-spam methods can be (and thus
will eventually be) easily subverted.  This is already in the public domain
elsewhere.  All someone need do is create a virus which both spreads sometimes via
email and the rest of the time sends large quantities of highly randomized spam.
The seed would need to be truly random (e.g. cpu clock modulo milliseconds)
and randomize all headers (To, From, Subject, etc.) and content, using lookup
tables of common domains, and normal words people use in email.  Vernon's DCC,
Paul Graham's Bayesian filters, reply opt-in whitelisting, etc. would all fail
miserably.  Additionally imagine all the bounced traffic (from randomized
addresses) and especially the case where two reply opt-in whitelisting entities
get caught in an infinite loop (randomized From/Reply-To addresses).  Also this
would probably overload the DCC servers with too many unique flooded
checksums.  Some "script kiddie" could become famous by turning all anti-spam
from 90% to 1% effectiveness in days, not to mention probably overloading
internet email to the point where no one could find their legitimate email.

If #3 happens, those of you here at the IETF who attempted to ridicule me
(unsuccessfully obviously), will be realizing that my warnings of dire
architectural problem are real.

Lastly I have done the full background search at ASRG (IRTF), and I did not
find prior art for either the proposal I made to legitimize bulk email by
moving it to "pull", nor the prior art for our soon to be patent-pending
anti-spam algorithm.

The closest prior art I found was "spam is any bulk email from someone you
don't know" essay, and "time-domain analysis" idea (with no details).  I am
indeed working on novel anti-spam, and I do not appreciate the unprofessional
suggestion (borderline libel) otherwise.

If anyone would like the full set of links to my research ("literature
review") at the ASRG, email me and I will send them to you privately.

This is the last I have to say on this matter in public.  I am extremely
confident in the expertise of my assertions.  The rest will be said with my
actions and other naturally occurring events.

Shelby Moore
http://AntiViotic.com
