[Asrg] A Vouch By Feedback proposal (was: VPNs)

Alessandro Vesely <vesely@tana.it> Tue, 07 July 2009 10:28 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87AD83A6E51 for <asrg@core3.amsl.com>; Tue, 7 Jul 2009 03:28:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.776
X-Spam-Level:
X-Spam-Status: No, score=-2.776 tagged_above=-999 required=5 tests=[AWL=1.943, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8bzGnuC0TTft for <asrg@core3.amsl.com>; Tue, 7 Jul 2009 03:28:19 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id 05C4A3A6924 for <asrg@irtf.org>; Tue, 7 Jul 2009 03:28:12 -0700 (PDT)
Received: from mach-4.tana.it (mach-4.tana.it [194.243.254.189]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Tue, 07 Jul 2009 12:27:53 +0200 id 00000000005DC031.000000004A532329.00003103
Message-ID: <4A532344.5010509@tana.it>
Date: Tue, 07 Jul 2009 12:28:20 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605)
MIME-Version: 1.0
To: asrg@irtf.org
References: <20090623213728.1825.qmail@simone.iecc.com> <4A41D773.50508@telmon.org> <4A41E506.2010106@mines-paristech.fr> <20090624160052.B5DC62428A@panix5.panix.com> <4A426B9D.7090901@mines-paristech.fr> <4A43618A.6000205@tana.it> <4A4F7DD0.4040404@billmail.scconsult.com> <4A51D35E.70306@tana.it> <4A52C36D.6040207@billmail.scconsult.com>
In-Reply-To: <4A52C36D.6040207@billmail.scconsult.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Asrg] A Vouch By Feedback proposal (was: VPNs)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2009 10:28:29 -0000

Vouch By Feedback could be a useful modification of the Vouch By 
Reference standard, if it didn't break its installed base.

VBF adds a DNS record pointing from the vouched domain to the 
vouching server email address. It could be an RP RR type, where the 
address is meant to receive the message/feedback-report (AFR) 
complaints. Web is-spam buttons direct reports to the ESP, who 
should forward them to any sender's vouching service. Clients who 
implement FBLs might send them to the relevant voucher directly. 
Vouchers, in turn, shall forward reports to the accountable 
originating ESP. The latter shall ban guilty users from sending for 
an amount of time proportional to the number of complaints. If the 
voucher sees complaints against users who should have been banned 
from sending, it shall suspend its vouching service for the relevant 
sender.

The second difference, the one that breaks compatibility, is that it 
would be more meaningful if the content of the _vouch TXT RR were a 
timestamp, rather than the type of message. Rehabilitated ESPs will 
get a new timestamp. That way, a recipient can quickly discern a 
long and honorable service from may-be-spammer newbies, and 
whitelist the former.


Bill Cole wrote:
> The overwhelming majority of mail I am offered by the Gmail outbounds is 
> spam. Google has played games with how they will accept abuse reports, 
> giving the appearance of not really wanting them.

I keep hearing differing opinions on that. At least, it should be 
"benign spam", in the sense that the sender is identifiable, unlike 
botnets' "malign spam".

Benign spam is indeed that kind of social phenomenon that some say 
about spam in general. It is too easy to give way to the temptation 
of advertising something that one believes in. Decent or better ESPs 
can control such phenomenon by educating or mildly punishing their 
users. Users who sent to honeypots after they bought an illegal 
Maddress CD should be punished more severely.

> In my direct experience working on middling corporate mail systems and 
> dealing with people handling much larger cheap/free "consumer" mail 
> systems, I had some tests of whether they cared about how we treated 
> their mail, and saw no sign that they did. At least some don't even seem 
> to care when fairly prominent corporations urge their smaller business 
> partners to avoid their non-free mail service. What they care about in 
> getting their users' mail delivered is the dozen peers to whom they send 
> 80% of their messages and maybe the next score down in size that handle 
> another 15%. It's not rational for them to care about systems with 10k 
> users or less.

By the same argument, middling mail system don't expect that anyone 
would subscribe to their FBL, even if they offered it prominently on 
their web sites. As I have such a tiny mail system, nobody would 
care to spend their time on whitelisting it, even if I could offer 
any required guarantees (let alone the time to look at them.) 
Doesn't that affect network neutrality, or even democracy, some way? 
We can take care of minor mail domains by automating whitelisting 
and FBL subscriptions.