Re: [Asrg] request for review for a non FUSSP proposal

Claudio Telmon <claudio@telmon.org> Tue, 23 June 2009 14:22 UTC

Return-Path: <claudio@telmon.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A47EC3A6BE1 for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 07:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XVEbMPfw21ay for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 07:22:07 -0700 (PDT)
Received: from slim-4c.inet.it (slim-4c.inet.it [213.92.5.127]) by core3.amsl.com (Postfix) with ESMTP id 3E2393A69DA for <asrg@irtf.org>; Tue, 23 Jun 2009 07:22:07 -0700 (PDT)
Received: from 88-149-251-208.dynamic.ngi.it ([::ffff:88.149.251.208]) by slim-4c.inet.it via I-SMTP-5.6.0-560 id ::ffff:88.149.251.208+enHnkj59P3; Tue, 23 Jun 2009 16:22:22 +0200
Message-ID: <4A40E51D.7040307@telmon.org>
Date: Tue, 23 Jun 2009 16:22:21 +0200
From: Claudio Telmon <claudio@telmon.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090318 Lightning/0.8 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <4A3DFC91.2090506@telmon.org> <4A3F9B2B.8020603@tana.it> <4A3FF3AF.9030401@telmon.org> <4A3FF7F1.1060705@nd.edu> <4A3FFB64.6030409@telmon.org> <20090622215251.GA2137@gsp.org> <4A400246.9060103@telmon.org> <20090623100542.GA9628@gsp.org> <4A40B2C0.8090604@telmon.org> <20090623133941.CABAC24289@panix5.panix.com>
In-Reply-To: <20090623133941.CABAC24289@panix5.panix.com>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] request for review for a non FUSSP proposal
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2009 14:22:08 -0000

Seth wrote:

> What benefit does that offer over using tagged addresses (with the tag
> as the "consent token")?  I do that now, for commercial mailers; when
> an address starts getting spammed, I turn it off.  Sometimes, I give
> the company that got it a new address to use.

It's quite similar. The framework is actually quite similar to anything
that sets a different "tag" or "token" for different correspondents, and
then accepts only messages carrying those tags somewhere in the message.
I referred to "ham passwords" as an example, but in the paper I also
cite tagged addresses (I call them "address name extensions", which as I
understand it is one of the many names of this kind of mechanisms).

There are some relevant differences between how tagged addresses are
currently defined/deployed, and this proposal. I don't say that the same
results couldn't be achieved with tagged addresses, but a framework
similar to the one I've defined would be required in order to cope with
these differences.

The main problem is that tagged addresses would be disclosed every time
messages are sent in Cc to many addresses. This opens to forgery, and
most of the positive effects discussed until now in this thread were
lost. A solution would require either not to send messages in Cc:, or to
purge the messages from the tags when delivered to other recipients,
which is the main task for the framework I've described. I think that
tags/tokens in a separate header can ease this task, since addresses can
be disclosed in many places, e.g. in the body of a message.

Also, currently (but it doesn't need to be so), tags are bound to
addresses and service providers, so distributing tags or moving to
another provider would be complicated. The framework I've described
provides an explicit solution to this, since it uses an SMTP extension
that can be standardised.

Finally, the framework provides a way to deal with consent requests
(requests of contact from unknown people), that should reduce the risk
of spam and malware. Again, this could be done also with tagged addresses.

All in all, all I've described could be done with tagged addresses, but
IMO it would end up with the same framework, just with tags/tokens put
in a different, maybe less appropriate place.

-- 

Claudio Telmon
claudio@telmon.org
http://www.telmon.org