Re: [Asrg] request for review for a non FUSSP proposal
Claudio Telmon <claudio@telmon.org> Mon, 22 June 2009 21:12 UTC
Return-Path: <claudio@telmon.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D3EAB3A689D for <asrg@core3.amsl.com>; Mon, 22 Jun 2009 14:12:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.083
X-Spam-Level:
X-Spam-Status: No, score=0.083 tagged_above=-999 required=5 tests=[AWL=0.802, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q2VUE9xAN0iA for <asrg@core3.amsl.com>; Mon, 22 Jun 2009 14:12:02 -0700 (PDT)
Received: from slim-2c.inet.it (slim-2c.inet.it [213.92.5.123]) by core3.amsl.com (Postfix) with ESMTP id 305CE3A6C15 for <asrg@irtf.org>; Mon, 22 Jun 2009 14:12:02 -0700 (PDT)
Received: from 88-149-250-16.dynamic.ngi.it ([::ffff:88.149.250.16]) by slim-2c.inet.it via I-SMTP-5.6.0-560 id ::ffff:88.149.250.16+OHkb4eRNQnK; Mon, 22 Jun 2009 23:12:16 +0200
Message-ID: <4A3FF3AF.9030401@telmon.org>
Date: Mon, 22 Jun 2009 23:12:15 +0200
From: Claudio Telmon <claudio@telmon.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090318 Lightning/0.8 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <4A3DFC91.2090506@telmon.org> <4A3F9B2B.8020603@tana.it>
In-Reply-To: <4A3F9B2B.8020603@tana.it>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] request for review for a non FUSSP proposal
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jun 2009 21:12:03 -0000
Alessandro Vesely wrote: > Claudio, > I've skimmed part of your paper, and I think your framework has a > problem in the transition to consent-enabled mailboxes: When users > switch their mailboxes to consent-enabled, they lose the ability to > receive any message from consent-unaware senders, including friends, > business contacts, mailing lists, banks and similar notification > services, reminders, cell phones, etcetera. You're absolutely right, of course. This is the most critical deployment issue, and I have tried to consider some strategies in the "deployment" section. Nobody could actually "switch" to consent-enabled mailboxes: a gradual, albeit less effective transition path is required. > Most of them will end up > having a second mailbox which is not consent-enabled, or functionally > similar arrangement, resulting in two streams of messages. They'll have > to watch both streams and will find wanted and unwanted messages in each > one. A couple of thing could help. First, at the beginning the framework could be implemented by the receiver's MUA, instead of the receiver's MTA. This could produce backscatter, so it wouldn't be suited for wide deployment, but this way, people willing to adopt it were not bound to the choices of their ISPs. This way users wouldn't need two separate addresses: messages carrying proper tokens would be whitelisted, while others would receive a worse spam score. Also, messages for addresses associated to token in the address book, but not carrying a proper token, would be marked as forgery and treated as such. However, some people could actually prefer to have two different email addresses, even if then forwarding all messages to the non-consent-enabled mailbox. This helps in adopting the framework, but doesn't help much in finding it useful. In the beginning, the advantage could be more for senders that for receivers. A bank offering this option to its customers could protect its communications from phishing: messages without consent token, and with an address from the bank, could be highlighted by the MUA as probable phishing attempt. The main point here is that the presence/absence of tokens should be easily understood by most people, while mail authentication failures are usually not, and message authentication is hard for many reasons. People worried about forgeries could be told by the bank to adopt the framework (this wouldn't replace other security measures and proper behaviour, it would however add another layer of protection). Some services could be offered, e.g. protected mailboxes for children; relatives and friends would need to adopt the framework in order to communicate with them. These mailboxes would actually only accept messages with proper tokens. In this respect, having plugins available for most common MUAs would be critical. Friends and relatives willing to communicate with them could just be told to "install the plugin and put this string in this field", and then forget the whole thing. But again, all this may make sense if there is enough interest in this form of control on communications, which is probably not the case just for UBE. > (Well, the consent-enabled stream will have to wait for spammers to > become aware of the X-Consent-request header to get much unwanted > stuff.) The hope is that messages conforming to the consent request format and semantic should be much easier to deal with by using other antispam tools and controls. However, this is my guess, you know better than me. > Since any other action will be performed as usual, there will be > no visible advantage resulting from the framework. That state of affairs > will never be an incentive for widespread adoption, and, on the other > hand, without widespread adoption the framework will always require that > disappointing stream doubling. Well, this stream doubling is something many already do, keeping one address for close friends and business partners, not disclosing it in order to avoid spam and other messages. But again you're right, the framework would need reach a critical mass in some time, or it would be abandoned even by early adopters. Regards, - Claudio -- Claudio Telmon claudio@telmon.org http://www.telmon.org
- [Asrg] request for review for a non FUSSP proposal Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Alessandro Vesely
- Re: [Asrg] request for review for a non FUSSP pro… Jose-Marcio Martins da Cruz
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Paul Russell
- Re: [Asrg] request for review for a non FUSSP pro… Steve Atkins
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Rich Kulawiec
- Re: [Asrg] request for review for a non FUSSP pro… Rich Kulawiec
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Lyndon Nerenberg
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Douglas Otis
- Re: [Asrg] request for review for a non FUSSP pro… Alessandro Vesely
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Rich Kulawiec
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Ian Eiloart
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Seth
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Ian Eiloart
- Re: [Asrg] request for review for a non FUSSP pro… Douglas Otis
- Re: [Asrg] request for review for a non FUSSP pro… Rich Kulawiec
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… John Levine
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Ian Eiloart
- Re: [Asrg] request for review for a non FUSSP pro… Jose-Marcio Martins da Cruz
- Re: [Asrg] request for review for a non FUSSP pro… Ian Eiloart
- Re: [Asrg] request for review for a non FUSSP pro… Seth
- Re: [Asrg] request for review for a non FUSSP pro… Jose-Marcio Martins da Cruz
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Rich Kulawiec
- [Asrg] VPNs (was: request for review for a non FU… Alessandro Vesely
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] VPNs (was: request for review for a no… Claudio Telmon
- Re: [Asrg] VPNs vs consent Claudio Telmon
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] request for review for a non FUSSP pro… Seth
- Re: [Asrg] request for review for a non FUSSP pro… Danny Angus
- Re: [Asrg] request for review for a non FUSSP pro… Ian Eiloart
- Re: [Asrg] request for review for a non FUSSP pro… Ian Eiloart
- Re: [Asrg] request for review for a non FUSSP pro… Alessandro Vesely
- Re: [Asrg] request for review for a non FUSSP pro… Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Rich Kulawiec
- Re: [Asrg] VPNs vs consent Rich Kulawiec
- Re: [Asrg] VPNs (was: request for review for a no… Rich Kulawiec
- Re: [Asrg] VPNs vs consent Claudio Telmon
- Re: [Asrg] request for review for a non FUSSP pro… Alessandro Vesely
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] VPNs vs consent Claudio Telmon
- Re: [Asrg] VPNs vs consent Rich Kulawiec
- Re: [Asrg] VPNs Alessandro Vesely
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] VPNs vs consent Claudio Telmon
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] VPNs vs consent Claudio Telmon
- Re: [Asrg] VPNs vs consent Claudio Telmon
- Re: [Asrg] VPNs vs consent Jose-Marcio Martins da Cruz
- Re: [Asrg] VPNs vs consent Claudio Telmon
- [Asrg] Shared addresses (was: Re: VPNs vs consent) Claudio Telmon
- Re: [Asrg] VPNs Bill Cole
- Re: [Asrg] VPNs Bill Cole
- Re: [Asrg] VPNs Bill Cole
- Re: [Asrg] VPNs Alessandro Vesely
- Re: [Asrg] VPNs Bill Cole
- Re: [Asrg] VPNs der Mouse
- [Asrg] A Vouch By Feedback proposal (was: VPNs) Alessandro Vesely
- Re: [Asrg] VPNs Daniel Feenberg
- [Asrg] gmail as source of spam (was VPN) David Wilson
- Re: [Asrg] A Vouch By Feedback proposal J.D. Falk
- Re: [Asrg] A Vouch By Feedback proposal Alessandro Vesely
- Re: [Asrg] A Vouch By Feedback proposal Claudio Telmon
- Re: [Asrg] A Vouch By Feedback proposal der Mouse
- Re: [Asrg] VPNs Rich Kulawiec
- Re: [Asrg] VPNs Bill Cole
- [Asrg] Too Big to Block? John Leslie
- Re: [Asrg] Too Big to Block? Chris Lewis
- Re: [Asrg] Too Big to Block? Dotzero
- Re: [Asrg] Too Big to Block? Chris Lewis
- Re: [Asrg] A Vouch By Feedback proposal Ian Eiloart
- Re: [Asrg] Too Big to Block? Ian Eiloart
- Re: [Asrg] A Vouch By Feedback proposal Rich Kulawiec
- Re: [Asrg] Too Big to Block? Rich Kulawiec
- Re: [Asrg] A Vouch By Feedback proposal Ian Eiloart
- Re: [Asrg] Too Big to Block? John Leslie
- Re: [Asrg] Too Big to Block? Alessandro Vesely
- Re: [Asrg] Too Big to Block? der Mouse
- Re: [Asrg] Too Big to Block? John Leslie
- Re: [Asrg] Too Big to Block? der Mouse
- Re: [Asrg] Too Big to Block? John Leslie
- Re: [Asrg] EPOSTAGE Too Big to Block? John Levine
- Re: [Asrg] EPOSTAGE Too Big to Block? John Leslie
- [Asrg] archives Tom Petch
- Re: [Asrg] archives Bill Cole
- Re: [Asrg] archives Claudio Telmon
- Re: [Asrg] archives Tom Petch