I wrote this little rant a few weeks ago as an input to the
ETC Event; I just realized I forgot to share it with the list.
So here it is!
On Tue, Jun 15, 2004 at 12:20:19PM -0400, Meng Weng Wong wrote:
|
| To take a broad view, I see us pursuing two themes:
|
| 1) a move away from heuristics toward conformance
|
| 2) an attempt to improve overt bimodality in the spam vs
| nonspam distribution
|
| The first issue is exemplified by a group of male patients
| discussing the relative merits of "marital aid" medications.
| Instead of saying "sorry, doctor, you'll just have to avoid
| using that word when you email your patients" we want to be
| able to say "we rejected the message because it was not
| conformant to RFC3823".
|
| The bimodality issue is where accreditation and reputation
| come in. Daniel posited: "okay, when everyone's publishing
| SPF records, including the spammers, we're back to square
| one." But that's not really true: there is a general
| awareness that AOL runs a tight ship and if mail can be
| authenticated as coming from AOL it's very unlikely to be
| spam --- as opposed to, say, enlarge-it-today.com.
|
| Hence, reputation services. The community knows the
| difference between aol.com and enlarge-it-today.com. We can
| codify that knowledge in machine-readable form and
| confidently distinguish known-good from known-bad.
|
| But that leaves a grey area in the middle, the "insufficient
| data" pool --- the valley between the two humps where the
| confidence is poor. A domain like registered-yesterday.com
| starts out in the valley, because we don't know anything
| about it. The valley is the fundamental weakness of any
| statistics-based system. Domain-churning spammers try to
| hide there.
|
| But the valley is exactly where accreditation services are
| most valuable. Just as credit agencies must disclose
| ratings to consumers, any open, public reputation service
| should happily tell a domain that it's in the valley. And a
| legitimate domain, if it finds that it's in the valley,
| should be quite happy to sign up for accreditation. A
| spammer domain won't.
|
| And that's how we improve bimodality: if you're in the
| valley, but you're accredited, that's good enough for me.
| If you're not accredited, perhaps you have something to
| hide. Or perhaps you don't have anything to hide --- you
| just find accreditation too much hassle. That's fine: if
| you're really OK, the reputation services will pick up on
| that eventually. It may take longer than you would like to
| get a good rating, and you may find your mail unfairly
| turned down at some places, but hey, guess what, that's
| exactly analogous to how credit works in the business world
| today. It's a tradeoff that senders can make for
| themselves, and that's what counts. The architecture gives
| the market a chance to flourish.
|
This ties into the observation that we are transitioning
between paradigms: from "assumed innocent until proven
guilty" to "assumed guilty until proven innocent".