
Re: Principles of Spam-abatement

2004-03-13 21:39:18
Vernon Schryver wrote:
From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>

Since the IETF is a standards organization, can both you and vsj tell us in your opinion, if there is anything the IETF should or should not be doing in the spam arena (changing existing standards, making new standards, etc.)?


I have the lucky or unlucky task of being one of the two chairs of the ASRG (together with John Levine). We also tried to reduce many of the problems the original ASRG had including the large signal/noise ratio, etc. All of this got me thinking about the larger question of what the IETF should be doing about fighting spam, which is why I am asking the question here.

draft-crocker-spam-techconsider-02.txt listed some opportunities for
IETF documents.  I vaguely recall they included:
  - codifying common sense for blacklist operators
      I thought ASRG time working on such a BCP, but it seems to have
      gone underground.

The two folks working on that ran out of free cycles and stopped their work. Nobody else has been willing to pick up the slack and none of the blacklist operators that I have spoken to were interested either (perhaps I just don't know enough of them). There was also talk about documenting the existing lookup protocol for blacklists as an informational RFC, and perhaps work on extensions to this protocol. The BCP work in the ASRG has migrated to a closed subgroup but hasn't seen enough interested parties willing to actually do some work.

   - improved forms and formats for DSNs.
   - improved mechanisms, forms, and formats for logging mail rejections.
   - mechanisms for sharing white- and blacklists among MX servers
      for a domain.


Some of the other things that have been proposed outside the draft are standards for abuse reporting, BCPs for handling hijacked machines and blocking port 25/allowing SUBMIT, standards for exchanging filtering information and decisions between MUAs and MTAs, standards for creating a "web of reputation" for MTAs, etc.

It is interesting to note that many of these efforts are solely focused on areas where standards can make some difference as opposed to seeking the "silver bullet" for solving the spam problem.

That the spam problem involves TCP/IP does not necessarily imply that
the IETF has a major role in dealing with the problem, any more than
the fact that guns contain metal implies that the American Society for
Testing and Materials (ASTM) has a major role in the search for world
peace.  Regardless of the ambitions of individuals to "make a difference"
or become famous, the IETF should strive first and foremost to do no
harm outside its charter in primarily non-technical arenas such as the
fight against spam.


It is interesting to note that the current version of the IETF mission statement states something similar along these lines (http://www.ietf.org/u/ietfchair/ietf-mission.html):

"It is important that this is "For the Internet," and does not include everything that happens to use IP. IP is being used in a myriad of real-world applications, such as controlling street lights, but the IETF does not standardize those applications."

The problem is that many parties see the IETF as the caretaker for email standards and accuse these standards as one of the root problems for causing spam. Obviously the problem has way too many aspects to be purely technical and has no real technical solution (FUSSP or "silver bullet"). Another aspect of that is that many of the technical solutions to some aspects of the problem such as filters are not even relevant to the IETF's goal as a standards organization except where standardization is needed (Sieve for example). Yet the media and some of the industry players have accused the IETF of foot dragging and not addressing the problem, when this is clearly out of scope for the IETF.

This discussion got me thinking about the need to state clearly that the IETF's goal is not to solve the spam problem. I have begun writing a draft on this (http://www.shaftek.org/asrg/draft-irtf-asrg-ietf-role-in-fighting-spam-00.txt).

Yakov