Re: [Asrg] C/R Interworking Framework

Yakov Shafranovich <> Thu, 05 June 2003 18:36 UTC

Received: from ( [] (may be forged)) by (8.9.1a/8.9.1a) with ESMTP id OAA10214 for <>; Thu, 5 Jun 2003 14:36:43 -0400 (EDT)
Received: (from mailnull@localhost) by (8.11.6/8.11.6) id h55IaIu29593 for; Thu, 5 Jun 2003 14:36:18 -0400
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h55IaIB29590 for <>; Thu, 5 Jun 2003 14:36:18 -0400
Received: from ietf-mx ( []) by (8.9.1a/8.9.1a) with ESMTP id OAA10191; Thu, 5 Jun 2003 14:36:13 -0400 (EDT)
Received: from ietf-mx ([]) by ietf-mx with esmtp (Exim 4.12) id 19NzZ6-00024l-00; Thu, 05 Jun 2003 14:34:20 -0400
Received: from ([] by ietf-mx with esmtp (Exim 4.12) id 19NzZ6-00024i-00; Thu, 05 Jun 2003 14:34:20 -0400
Received: from (localhost.localdomain []) by (8.11.6/8.11.6) with ESMTP id h55IS6B28926; Thu, 5 Jun 2003 14:28:06 -0400
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h55IR5B28885 for <>; Thu, 5 Jun 2003 14:27:05 -0400
Received: from ietf-mx ( []) by (8.9.1a/8.9.1a) with ESMTP id OAA09808 for <>; Thu, 5 Jun 2003 14:27:00 -0400 (EDT)
Received: from ietf-mx ([]) by ietf-mx with esmtp (Exim 4.12) id 19NzQC-0001z0-00 for; Thu, 05 Jun 2003 14:25:08 -0400
Received: from ([] helo= ident=trilluser) by ietf-mx with smtp (Exim 4.12) id 19NzQA-0001ys-00 for; Thu, 05 Jun 2003 14:25:07 -0400
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
To: Vernon Schryver <>,
From: Yakov Shafranovich <>
Subject: Re: [Asrg] C/R Interworking Framework
In-Reply-To: <>
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
X-GCMulti: 1
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <>, <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
List-Archive: <>
Date: Thu, 05 Jun 2003 14:26:43 -0400

At 09:30 AM 6/5/2003 -0600, Vernon Schryver wrote:

> > From: Yakov Shafranovich <>
> > ...
> > That is my question exactly, how long will it take for such feature for
> > propagate if it were included in sendmail and qmail. Dave Crocker begun to
> > address adoption issues in his draft but more work needs to be done.
>What more work can be done that would not be "shooting the bull"?
>No one can accurately predict what literally millions of people will do.
>The best that can be done is to examine similar past cases.

Very well I agree with that. The question is finding the most similar past 

> >                                                                      The
> > adoption/propogation of features is an issue not just with CRI but with 
> any
> > anti-spam protocol or proposal.
>That is quite wrong.  As Dave Crocker's draft points out and as
>others have often said, many anti-spam protocols and proposals are
>effective with for the first few users.  Examples include
>   - the DCC
>   - Vipul's Razor,
>   - Brightmail,
>   - Postini,
>   - SpamAssassin,
>   - private blacklists,
>   - public DNS blacklists including the RBL, RBL+, SBL, SPEWS, and SORBS,
>   - various "Bayesian" filters,

Allow me to explain my thoughts more clearly. I agree with your point that 
these proposals have taken off rather well. However, these proposals are 
"one-sided" - meaning they only require one side of the email transaction 
to implement them. By contrast, "two sided" protocols such as RMX and CRI, 
which require both sides to participate, would be much slower to be 
adopted. I was referring originally to these "two sided" proposals in my 
message and forgot to mention that.

Another point it that there is a difference between C/R and CRI. C/R is 
one-side and does not need two sides to agree on anything. This is being 
done today. C/R is the anti-spam tool and in line with your comments, would 
in theory be adapted fast. CRI on the other hand is used to enhance the 
user experience of C/R systems allowing them to interoperate without human 
interaction, would eventually follow albeit slower.

> >                                 However, I believe that ISPs and end-users
> > have a bigger incentive to turn-on such features due to the amount of spam
> > today.
>That is fundamentally "build it and they will come."  People who
>have built things and who are not sales professionals (no offense
>intended to anyone) tend to be less optimistic about whether people
>will come on their own.
> > ...
> > I tend to disagree with SMTP-TLS example. Confidentiality of email via
> > SMTP-TLS is something that most end-users or ISPs do not care about. ...
>Ok, how about Microsoft and other security patches?  Why are there so
>many worms and viruses that affect systems that would have been
>invulnerable if they had installed the proper patches that were released
>6 or 12 months ago.

I do not think it is a good example either. How many users see effects of 
viruses and worms on the daily basis? On the other hand almost every email 
user on the planet gets spam every other day. We need to look at an example 
where there was a major issue that was relevant to a majority of users on a 
DAILY basis, and the adoption rate of technical solutions that were made to 
solve it

> > ...
> > As for the Earthlink example, I am not sure exactly what you mean. I was
> > not aware that Earthlink used outside lawyers which successed in several
> > days after spending money on doing it in-house. Please provide some links
> > for the story.
>The best account I'we seen was the Wall Street Journal's in
>but that may require a subscription.
>seems similar to the WSJ article.
>In re-reading the WSJ article, I seem I'm quite wrong about how long
>Pete Wellborn was on the case.

The article seems to be proving the Earthlink goes after spammers very 
quickly including terminating accounts the same day.


Asrg mailing list