
Re: Adding SpamAssassin Headers to IETF mail

2003-12-18 10:30:50
Harald Tveit Alvestrand <harald(_at_)alvestrand(_dot_)no> wrote:

the reason you don't see a lot of spam on IETF lists is because it's
sent to the list administrators, and they filter it by hand.

   Clearly, this cannot continue (unless we come up with some way to
pay people to perform this service).

The chief beneficiaries of automatic spam detection and deletion in the 
current IETF setup are the list administrators.

   I am really in no position to criticize the use of SpamAssassin.
I started using it for my personal account just before I left for
IETF-58, and have little hope of turning it off. (It flags as spam
roughly 4,000 emails per week.)

   But I think we should stop short of endorsing it.

   It is, frankly, wrong to propagate to the list any email which we
consider to be likely spam. We should instead come up with a way to
verify/authenticate/intuit/whatever that it is an individually-written
message considered to be on-topic by some person we have no reason to
distrust.

   SpamAssassin is a technical marvel -- and I suspect it could be
useful as a sorting tool to distinguish messages which deserve to be
distributed immediately vs. messages which need further verification.

   But that further verification should be done _before_ anything is
distributed to the list. If the SpamAssassin filtering were applied
_during_ the SMTP session to ietf.org and a descriptive error (with
URL) was returned (rather than "250 - OK"), then we would have done
everything we reasonably could to notify an honest sender that we
needed further verification.

   (And, of course, any other content-processing tool could be used
instead of SpamAssassin -- indeed I'm not sure any useful purpose
is served by publishing which particular content-assessment tool we
use.)

   If we can't process during the SMTP session, then -- as a short-
term stopgap -- it is reasonable to flag messages for some automated
processing before distributing to the list.

   (None of this is to criticize anyone who runs SpamAssassin at
their own site to apply more rigorous rules -- I'm probably doing so
myself, even if unintentionally.)

   What I do wish to call into question is the wisdom of passing the
SpamAssassin headers to the list. I believe it creates the potential
for confusion as to what is or is not a legitimate message.

--
John Leslie <john(_at_)jlc(_dot_)net>
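
Added example, not part of the original message: a sketch of the end-of-DATA decision the message describes, refusing in-session with a descriptive error and URL, holding for verification when the SMTP session is already over, and stripping filter headers from anything distributed. The threshold, the URL, the function names and the sample message are assumptions; the score is taken as an input from whatever content-assessment tool is in use.

```python
from email import message_from_string
from email.policy import default

VERIFY_URL = "https://lists.example.org/verify"  # placeholder URL (assumption)
NEEDS_VERIFICATION = 5.0  # assumed score threshold, not taken from the message

SAMPLE = (  # constructed message, not from the archive
    "From: sender@example.net\n"
    "To: list@example.org\n"
    "Subject: Comments on a draft\n"
    "X-Spam-Status: No, score=0.4\n"
    "X-Spam-Flag: NO\n"
    "\n"
    "Body text.\n"
)


def strip_filter_headers(msg):
    """Remove content-filter verdict headers so list readers never see them."""
    for name in list(msg.keys()):
        if name.lower().startswith("x-spam-"):
            del msg[name]  # deletes every occurrence of that header
    return msg


def end_of_data(raw, score, in_smtp_session=True):
    """Decide what happens to a message once its body has been received.

    Returns (action, smtp_reply, message_for_list). smtp_reply is None when
    the SMTP session has already ended; message_for_list is None unless the
    message is distributed.
    """
    if score < NEEDS_VERIFICATION:
        msg = message_from_string(raw, policy=default)
        reply = "250 2.0.0 OK" if in_smtp_session else None
        return "deliver", reply, strip_filter_headers(msg)
    if in_smtp_session:
        # Refuse while the sender's server is still connected, so an honest
        # sender gets the explanation from their own mail system.
        reply = ("550 5.7.1 Message needs verification before posting; see "
                 + VERIFY_URL)
        return "reject", reply, None
    # Already accepted upstream: hold it, distribute nothing yet.
    return "hold", None, None
```
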


