Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)
Vernon Schryver <vjs@calcite.rhyolite.com> Tue, 27 May 2003 00:35 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA07503 for <asrg-archive@odin.ietf.org>; Mon, 26 May 2003 20:35:38 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4R0ZOc17686 for asrg-archive@odin.ietf.org; Mon, 26 May 2003 20:35:24 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R0ZOB17683 for <asrg-web-archive@optimus.ietf.org>; Mon, 26 May 2003 20:35:24 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA07481; Mon, 26 May 2003 20:35:07 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KSPG-00058N-00; Mon, 26 May 2003 20:33:34 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19KSPG-00058K-00; Mon, 26 May 2003 20:33:34 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R0XOB17627; Mon, 26 May 2003 20:33:24 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R0WKB17557 for <asrg@optimus.ietf.org>; Mon, 26 May 2003 20:32:20 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA07220 for <asrg@ietf.org>; Mon, 26 May 2003 20:32:03 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KSMI-000539-00 for asrg@ietf.org; Mon, 26 May 2003 20:30:30 -0400
Received: from calcite.rhyolite.com ([192.188.61.3]) by ietf-mx with esmtp (Exim 4.12) id 19KSMD-00052t-00 for asrg@ietf.org; Mon, 26 May 2003 20:30:25 -0400
Received: (from vjs@localhost) by calcite.rhyolite.com (8.12.9/8.12.9) id h4R0VvCi007599 for asrg@ietf.org env-from <vjs>; Mon, 26 May 2003 18:31:57 -0600 (MDT)
From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305270031.h4R0VvCi007599@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)
References: <p06001345baf840e5770c@[192.168.1.104]>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 26 May 2003 18:31:57 -0600
> From: Kee Hinckley <nazgul@somewhere.com> > ... > > Why? If envelope and headers are not forged, then when you decided > > you want blue pills that grow loans from deals4u2buy.org you can > > whitelist mail from deals4u2buy.org by pointing and clicking purely > > on your own system. At worst you can start watching your logs of > > rejected mail and click on a caught sample to whitelist it. > > That's not where I want them to communicate. I think we all agree > that we don't want to spend time wading through our spam mailbox to > see if there's anything good. It's better than wading through our > normal inbox to see if anything's good, but not by a lot. So I want > to whitelist *before* I get the email. Which means that I need to > know what address is going to be sending. Imagine all the > complicated instructions some web site has to provide. "We will be > sending you email from this address for the main stuff, and from this > address if there are administrative problems. Why would you need to white-list the administrative address? Why would adminstrative messages have ADV tags? They shouldn't be bulk and they're argueably not "commercial." > In order to add these > addresses to your whitelist, if you are using Eudora on the Mac, do > this, if Eudora on the PC, do that. If you are using the third party > whitelisting product xxx, do such and such. If...." That argues for common user interfaces, not protocols for computers to talk to each other. > ... (Some > commercial mailings use a different one for each user--since the > bounce information encodes the recipients email address.) Some people are unclear on the concept of X, for any value of X. Confusing cute ideas with solutions to real problems is a common way that happens. The mailing list package that does that is a classic example of that syndrome. > > > - that Deals4u2buy.org will use N-different addresses. On the > > contrary, they'll good reasons to tell you their sender domain name > > and to keep it constant. > > Domain, sure. But whitelisting by domain is asking for even more > trouble than whitelisting by full address. I meant full address. > But if you want to > whitelist by address, you definitely need to deal with more than one. > Even the typical mailing lists uses at least two addresses. (Some > commercial mailings use a different one for each user--since the > bounce information encodes the recipients email address.) There is RFC 2919. The DCC detects bulk mail by protocol and unsolicited bulk mail by adding local whitelists. The DCC source includes a sample whitelist and I hear from the thousands of installations of DCC clients. Because of that, I claim some direct and second hand experience whitelisting mailing lists. From tha experience, it seems to me that those lists that don't suffer the cute idea syndrome are easy to white-list. After lists using that system, the problems I've heard of are desires to white-list all lists of some brand like Yahoo Groups. > On the other hand, doing whitelisting by address just defers the > inevitable forgery a little longer. So without authenticated sender, > I whitelisting seems doomed. And since virtually every "make a major > change to SMTP" system out there seems to depend on whitelisting as a > transition tool, there's going to be a very interesting race. I don't see any deferring of inevitable forgery, because whitelisting is already extremely popular. You're also assuming facts not inevidence, that forgery of mailing list senders is a likely problem. If it is likely then why haven't the spammers already been forging mail with practically universally whitelisted markings, such as CERT.org advisories and Habeas's mark? > ... > > - Why can't people understand ADV tags and whitelisting? I don't recall > > encountering anyone who couldn't but who could handle email. Proof > > I don't understand ADV tags. Does Amazon have to send me my purchase > receipts with an ADV tag? Does an opt-in list have to use an ADV > tag--or just the people who randomly spam me? I don't know what it > means. And it seems to me that it was you who berated me for trying > to differentiate between different types of content from the same > sender when I tried to differentiate between transactional email and > advertising email. You had some good points. But isn't that what an > ADV tag tries to do? If not, then I don't dare block it. I don't like ADV tags because the laws that mandate them seem as muddled as the noise about spam in the main IETF list. In this thread I've assumed for the sake of discussion that ADV tags make sense, despite my lack of understanding. I think ADV tags could make sense. I'd put them on all messages in a bulk mailing which includes or might include some unsolicited copies--in other words on "opt-out" spam. > Whitelists are hard to understand not because of the concept, but > because of the plethora of email addresses that need to be > whitelisted, and because people don't understand how easy forging is. > And on top of that--the plethora of (as yet non-existent... but give > them time) whitelisting interfaces. There's no plethora that needs whitelisting. There are plenty of existent whitelisting interfaces, but that is a problem. > > - we already have standardized mechanisms for identifying mailing lists. > > RFC 2919 is on the standards track. > > Okay. But I'm not sure where that ties into this issue. List-ID headers are an obvious and good solution for identifying mailing lists. Instead of white-listing sender FQDNs or SMTP client IP addresses or host names, you could white-list List-ID strings. Vernon Schryver vjs@rhyolite.com _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] Article - New anti-spam proposal in the Ho… Yakov Shafranovich
- Re: [Asrg] Article - New anti-spam proposal in th… Richard Rognlie
- Re: [Asrg] Article - New anti-spam proposal in th… Kee Hinckley
- RE: [Asrg] Article - New anti-spam proposal in th… Bob Wyman
- Re: [Asrg] Article - New anti-spam proposal in th… Barry Shein
- RE: [Asrg] Article - New anti-spam proposal in th… Barry Shein
- Re: [Asrg] Article - New anti-spam proposal in th… Eric Brunner-Williams in Portland Maine
- RE: [Asrg] Article - New anti-spam proposal in th… Vernon Schryver
- RE: [Asrg] Article - New anti-spam proposal in th… Eric D. Williams
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … mathew
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- RE: [Asrg] Article - New anti-spam proposal in th… Tom Thomson