From: Dave Crocker
Serious discussions about spam control acknowledge the fact of
limited, incremental benefit, significant deployment costs, potential
impact on basic modes of legitimate email, and the like.
Unfortunately, serious discussion is rather rare. What is missing from
most proposals is any interest in such careful consideration about
ramifications.
No, let's be honest no matter how impolitic. What's out of order
from most anti-spam discussions is anything that might squelch the
urgent, exciting, and positive talk. That certainly includes
consideration of inconvenient ramifications and obvious technical
issues. The taboos also cover any sentiment like "Ok, I'll implement
this and report back soon with results."
(Recent example technical issues:
SMTP-TLS does not imply commericial PKI, except in the sense that
commercial PKI is the only working(?) model of large scale key
distribution.
No law, standard, or anything else prohibits an SMTP relay from using
the same authenticator on output that it used on input for a message.)
Instead, efforts to explore real costs and real efficacy are met with
the usual plea that this is an emergency and we have to do _something_.
That's true only in the sense of urgent pleas that _other_ people to
do something. Every month or so, I check the ASRG archives. If there
has been a change in the last year, I can't see it. It's all urgent,
and devoid of anything like reports of actions. Even survey and BCP
documents start and then fade into the mist. I just now checked
https://www1.ietf.org/mail-archive/working-groups/asrg/current/maillist.html
to see if I'm being unfair.
Of course this problem is endemic to the Standards Process. It's worse
with spam because the problem hard verging on unsolvable and few if
any of the participants are trying to ship a product before market
window closes, graduate students trying to complete a thesis, others
trying to publish papers before the grant runs out, or mail system
operators trying to avoid drowning.
There are vendors and so forth, but they see that it might make sense
to ship, install, or test a white box with Linux and SA but it is silly
to spend any salaries or time on "proposals" that can't have any effects
before the spam problem is finished by other effects.
...
The IETF MARID BOF showed that serious discussion is, in fact, possible.
One simply needs to insist on it and encourage it when it happens.
If http://www.imc.org/ietf-mxcomp/mail-archive/msg00067.html is
reasonably accurate, then I beg to differ. As far as I can see, it
could be a summary of the most useful content of ASRG mailing list
from March and April, 2003.
=============================
] From: Paul Hoffman / IMC
] ...
] The majority of the "anti-spam" proposals being actively discussed
] are variants on the "prove the sender is who he says he is". None of
] these are perfect, yet:
Given the shift of many major spammers from forging domain names to
using their own throw-aways like xxcdfm1.com, pointlesstomovehere.com,
and attractiveinternetnews.com, "not perfect" is an understatement.
] - they are being actively discussed in the ASRG
Somehow "actively discussed" is doesn't quite convey "continually
discussed round and round without any change."
Vernon Schryver vjs(_at_)rhyolite(_dot_)com