ietf

Re: Principles of Spam-abatement

2004-03-01 09:04:29
From: Paul Vixie <paul(_at_)vix(_dot_)com>

...
And everyone else needs to move from the generic reference to
"consent" on to something that is more concrete, as well as being
integrated into a full range of human uses for email.

i'm pretty comfortable with www.dictionary.com's definition of "consent".

That is the fatal flaw in the calls for technical mechanisms
"communicating consent" to fix spam.  Webster's definition of consent
also applies to keeping solicitors from knocking on your door and
bandits from mugging you on the streets.  What keeps enough of them
from lying about having your consent are the non-technical protocols
of the justice system.

No matter what additional token of consent that you require spammers
to present to demonstrate that you have agreed to their mail, either
spammers will be able to forge it or legitimate strangers won't be
able to obtain it without contacting you or your agents and ceasing
to be strangers.

The usual response to that (and one which I think you've suggested)
is to have a third party act as your agent.  But that is exactly
equivalent to the Microsoft/Verisign crypto authentication FUSSP.
Whether SMTP is involved is irrelevant; the fatal flaw of such agencies
applies to any messaging scheme.  It is that unless a mail identity
is practically unforgeable thanks to $10,000 costs or enforced legal
penalties, spammers will sign up for new identities as each is executed
for spamming.  If an identity costs less than $50/year and there are
no enforced laws against having as many identities as the recent spurt
of "Zhang Jung" and "Media Dreamland" domain names, it will be impossible
for your consent/identity/reputation agency to ensure that 1000 of the
next 1,000,000 applications are really Al Ralsky in disguise.

There are other problems with the "consent" or "identity" or "reputation
agencies" that are often talked about.  One is that giving Microsoft/AOL
a franchise to levy a $0.001 toll on or append an ad to every message
in the Internet is a Bad Thing unless you are a stockholder.

These problems have nothing to do with SMTP.   You give aid and comfort
to the spammers and parasites on the spam problem by suggesting that
a replacement to SMTP might solve these non-technical problems with
"communicating consent."   You are implicitly supporting the worse
than snake oil being flogged as spam solutions by big outfits.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com