Re: [Asrg] request for review for a non FUSSP proposal

Jose-Marcio Martins da Cruz <> Wed, 24 June 2009 09:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 43B113A682D for <>; Wed, 24 Jun 2009 02:55:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ar3IrXILRvor for <>; Wed, 24 Jun 2009 02:55:02 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 53D643A6B24 for <>; Wed, 24 Jun 2009 02:55:02 -0700 (PDT)
Received: from localhost.localdomain ( []) (authenticated bits=0) by (8.14.3/8.14.3/JMMC-11/Feb/2009) with ESMTP id n5O9tDhj016757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Jun 2009 11:55:13 +0200 (MEST)
Message-ID: <>
Date: Wed, 24 Jun 2009 11:57:19 +0200
From: Jose-Marcio Martins da Cruz <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20090507 Fedora/1.1.16-1.fc11 SeaMonkey/1.1.16
MIME-Version: 1.0
To: Ian Eiloart <>
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Miltered: at boipeva with ID 4A41F801.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 4A41F801.000/<>
Cc: Anti-Spam Research Group - IRTF <>
Subject: Re: [Asrg] request for review for a non FUSSP proposal
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To:, Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Jun 2009 09:55:03 -0000

Ian Eiloart wrote:

> He uses a secretary to filter his email. If only we all had that 
> resource. Instead, my 12,000 users have me and a bunch of rules that I 
> maintain.

An automated secretary...

> A better example of consent is spamcop. If you want to report a spam 
> message to them, you can send it to an email address like 
> where xxxxxxxxxxxxxxxx is an 
> apparently random string. Perhaps it carries some cryptographic 
> authentication which prevents others from using it, perhaps not, so I've 
> obfuscated it. I can't remember how I got the string - probably from a 
> web form - I just keep it in my address book.

Well, you submited my message to spamcop... ;-). Their address was in the list of 

> I wonder whether creating a standard just makes the idea easier to 
> attack through automated means. I have, for example, a mechanism that 

That's a good point.

> prevents people spoofing local email (ie pretending the sender is in our 
> domain when the recipient is in our domain). I could have used something 
> clever, but went for something simple and very easy to attack. However, 
> it's still working some years later, and has in the meantime kept our 
> internal email pretty spam free. If someone does attack it, I'll do 
> something more principled.

You're right. A standard will just work till the moment it will be cracked. And after that 
the standard will be droped down and people will go back to their own home made rules.

Either way, a good point to think when proposing a standard is if people is open to it. 
E.g., is spamcop open to replace their consent mechanism by a standard one ?