IETF Logo Mail Archive

Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)

Kee Hinckley <nazgul@somewhere.com> Mon, 26 May 2003 22:27 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA01529 for <asrg-archive@odin.ietf.org>; Mon, 26 May 2003 18:27:12 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4QMQwH10516 for asrg-archive@odin.ietf.org; Mon, 26 May 2003 18:26:58 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4QMQvB10513 for <asrg-web-archive@optimus.ietf.org>; Mon, 26 May 2003 18:26:57 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA01523; Mon, 26 May 2003 18:26:41 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KQP0-0003Lt-00; Mon, 26 May 2003 18:25:10 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19KQOz-0003Lq-00; Mon, 26 May 2003 18:25:09 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4QMPCB10482; Mon, 26 May 2003 18:25:12 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4QMONB10446 for <asrg@optimus.ietf.org>; Mon, 26 May 2003 18:24:23 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA01491 for <asrg@ietf.org>; Mon, 26 May 2003 18:24:07 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KQMW-0003L8-00 for asrg@ietf.org; Mon, 26 May 2003 18:22:36 -0400
Received: from www.somewhere.com ([66.92.72.194] helo=somewhere.com) by ietf-mx with esmtp (Exim 4.12) id 19KQMV-0003L5-00 for asrg@ietf.org; Mon, 26 May 2003 18:22:35 -0400
Received: from [66.92.72.194] (account nazgul HELO [192.168.1.104]) by somewhere.com (CommuniGate Pro SMTP 3.5.7) with ESMTP-TLS id 2392850; Mon, 26 May 2003 18:24:09 -0400
Mime-Version: 1.0
X-Sender: nazgul@somewhere.com@pop.messagefire.com
Message-Id: <p06001345baf840e5770c@[192.168.1.104]>
In-Reply-To: <200305261439.h4QEdd9F012572@calcite.rhyolite.com>
References: <p06001340baf7c696cc6e@[192.168.1.104]> <200305261439.h4QEdd9F012572@calcite.rhyolite.com>
To: Vernon Schryver <vjs@calcite.rhyolite.com>
From: Kee Hinckley <nazgul@somewhere.com>
Subject: Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)
Cc: asrg@ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 26 May 2003 18:20:45 -0400

At 8:39 AM -0600 5/26/03, Vernon Schryver wrote:
>   - that mail from people you don't know and that you want would be
>    marked with "ADV".  Would you really want unexpected and so
>    unsolicited advertising?

Valid point.  I got lost there somewhere.

>
>   - that mail senders need to communicate with your whitelist software.
>    Why?  If envelope and headers are not forged, then when you decided
>    you want blue pills that grow loans from deals4u2buy.org you can
>    whitelist mail from deals4u2buy.org by pointing and clicking purely
>    on your own system.  At worst you can start watching your logs of
>    rejected mail and click on a caught sample to whitelist it.

That's not where I want them to communicate.  I think we all agree 
that we don't want to spend time wading through our spam mailbox to 
see if there's anything good.  It's better than wading through our 
normal inbox to see if anything's good, but not by a lot.  So I want 
to whitelist *before* I get the email.  Which means that I need to 
know what address is going to be sending.  Imagine all the 
complicated instructions some web site has to provide.  "We will be 
sending you email from this address for the main stuff, and from this 
address if there are administrative problems.  In order to add these 
addresses to your whitelist, if you are using Eudora on the Mac, do 
this, if Eudora on the PC, do that.  If you are using the third party 
whitelisting product xxx, do such and such.  If...."

I don't think that's going to work well.

>   - that Deals4u2buy.org will use N-different addresses.  On the
>    contrary, they'll good reasons to tell you their sender domain name
>    and to keep it constant.

Domain, sure.  But whitelisting by domain is asking for even more 
trouble than whitelisting by full address.  But if you want to 
whitelist by address, you definitely need to deal with more than one. 
Even the typical mailing lists uses at least two addresses.  (Some 
commercial mailings use a different one for each user--since the 
bounce information encodes the recipients email address.)

On the other hand, doing whitelisting by address just defers the 
inevitable forgery a little longer.  So without authenticated sender, 
I whitelisting seems doomed.  And since virtually every "make a major 
change to SMTP" system out there seems to depend on whitelisting as a 
transition tool, there's going to be a very interesting race.

>   - on the other hand, if the envelope or headers are forged, then
>    the "ADV" tag will also be missing, because a large minority and

Perhaps.  That's harder to predict.  Spammer behavior is easy. 
Follow the money and the direction that gets the most messages 
through.  Predicting user behavior is harder.

>   - Why can't people understand ADV tags and whitelisting?  I don't recall
>    encountering anyone who couldn't but who could handle email.  Proof

I don't understand ADV tags.  Does Amazon have to send me my purchase 
receipts with an ADV tag?  Does an opt-in list have to use an ADV 
tag--or just the people who randomly spam me?  I don't know what it 
means.  And it seems to me that it was you who berated me for trying 
to differentiate between different types of content from the same 
sender when I tried to differentiate between transactional email and 
advertising email.  You had some good points.  But isn't that what an 
ADV tag tries to do?  If not, then I don't dare block it.

Whitelists are hard to understand not because of the concept, but 
because of the plethora of email addresses that need to be 
whitelisted, and because people don't understand how easy forging is. 
And on top of that--the plethora of (as yet non-existent... but give 
them time) whitelisting interfaces.

>   - we already have standardized mechanisms for identifying mailing lists.
>    RFC 2919 is on the standards track.

Okay.  But I'm not sure where that ties into this issue.
-- 
Kee Hinckley
http://www.messagefire.com/          Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.36.0 | Report a Bug | By Email | System Status