Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)
Kee Hinckley <nazgul@somewhere.com> Tue, 27 May 2003 01:12 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA09336 for <asrg-archive@odin.ietf.org>; Mon, 26 May 2003 21:12:57 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4R1Cju20657 for asrg-archive@odin.ietf.org; Mon, 26 May 2003 21:12:45 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R1CjB20637 for <asrg-web-archive@optimus.ietf.org>; Mon, 26 May 2003 21:12:45 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA09326; Mon, 26 May 2003 21:12:27 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KSzO-0005gC-00; Mon, 26 May 2003 21:10:54 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19KSzO-0005g9-00; Mon, 26 May 2003 21:10:54 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R1BCB20596; Mon, 26 May 2003 21:11:12 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R1AUB20551 for <asrg@optimus.ietf.org>; Mon, 26 May 2003 21:10:30 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA09181 for <asrg@ietf.org>; Mon, 26 May 2003 21:10:12 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KSxE-0005dd-00 for asrg@ietf.org; Mon, 26 May 2003 21:08:40 -0400
Received: from www.somewhere.com ([66.92.72.194] helo=somewhere.com) by ietf-mx with esmtp (Exim 4.12) id 19KSxD-0005da-00 for asrg@ietf.org; Mon, 26 May 2003 21:08:39 -0400
Received: from [66.92.72.194] (account nazgul HELO [192.168.1.104]) by somewhere.com (CommuniGate Pro SMTP 3.5.7) with ESMTP-TLS id 2393171; Mon, 26 May 2003 21:10:13 -0400
Mime-Version: 1.0
X-Sender: nazgul@somewhere.com@pop.messagefire.com
Message-Id: <p06001347baf8673e742d@[192.168.1.104]>
In-Reply-To: <200305270031.h4R0VvCi007599@calcite.rhyolite.com>
References: <p06001345baf840e5770c@[192.168.1.104]> <200305270031.h4R0VvCi007599@calcite.rhyolite.com>
To: Vernon Schryver <vjs@calcite.rhyolite.com>
From: Kee Hinckley <nazgul@somewhere.com>
Subject: Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)
Cc: asrg@ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 26 May 2003 21:09:07 -0400
At 6:31 PM -0600 5/26/03, Vernon Schryver wrote: > > complicated instructions some web site has to provide. "We will be >> sending you email from this address for the main stuff, and from this >> address if there are administrative problems. > >Why would you need to white-list the administrative address? Why >would adminstrative messages have ADV tags? They shouldn't be bulk >and they're argueably not "commercial." Well, as we've both said. The ADV proposals are confusing. > > addresses to your whitelist, if you are using Eudora on the Mac, do >> this, if Eudora on the PC, do that. If you are using the third party >> whitelisting product xxx, do such and such. If...." > >That argues for common user interfaces, not protocols for computers to >talk to each other. Sure. And all Window's users should adopt the Mac interface--but we're talking about the real world. Go read an ISP's support page on configuring your email product to talk to their mail server. I've had to write those things. It isn't fun. And I have users who call me at least once a year because they got a virus and had to wipe their disk and they've forgotten how to do it, could I please tell them again. > > commercial mailings use a different one for each user--since the >> bounce information encodes the recipients email address.) > >Some people are unclear on the concept of X, for any value of X. >Confusing cute ideas with solutions to real problems is a common >way that happens. The mailing list package that does that is a >classic example of that syndrome. Yes. But they do, and it will be a problem. > > But if you want to >> whitelist by address, you definitely need to deal with more than one. >> Even the typical mailing lists uses at least two addresses. (Some >> commercial mailings use a different one for each user--since the >> bounce information encodes the recipients email address.) > >There is RFC 2919. Which does not, as far as I can tell from reading it, indicate whether administrative mail sent to an individual user (e.g. "your email address has been bouncing frequently" or "please turn off your vacation program") should have a list identifier. Nor does it address non-list commercial email that comes from numerous addresses (for perfectly valid reasons). >mailing lists. From tha experience, it seems to me that those lists >that don't suffer the cute idea syndrome are easy to white-list. >After lists using that system, the problems I've heard of are desires >to white-list all lists of some brand like Yahoo Groups. Which could in theory be done using RFC 2919's sub-groups. But then, lots of things would be easier if lists followed recommendations more often. >I don't see any deferring of inevitable forgery, because whitelisting >is already extremely popular. Whitelisting is popular among techies. I'm not aware that any of the major email clients support it--which means that it's not in use with most users. (Some mailers do support filtering based on whether someone is in your address book--but my experience has been that the average user has never created any filters.) >You're also assuming facts not inevidence, that forgery of mailing >list senders is a likely problem. If it is likely then why haven't >the spammers already been forging mail with practically universally >whitelisted markings, such as CERT.org advisories and Habeas's mark? Because I'm making the assertion that the number of people who whitelist is tiny. As evidence I'd offer a) that the majority of users have a major spam problem, and b) my experiences with sending mail to wormalert hoaxed folks using a different email address, yet getting through fine. >I'd put them on all messages in a bulk mailing which includes or might >include some unsolicited copies--in other words on "opt-out" spam. Have you ever met a bulk-mailer who thought they had any of those :-). > > Whitelists are hard to understand not because of the concept, but >> because of the plethora of email addresses that need to be >> whitelisted, and because people don't understand how easy forging is. >> And on top of that--the plethora of (as yet non-existent... but give >> them time) whitelisting interfaces. > >There's no plethora that needs whitelisting. Not if they are applied as you recommend. I agree. >List-ID headers are an obvious and good solution for identifying mailing >lists. Instead of white-listing sender FQDNs or SMTP client IP addresses >or host names, you could white-list List-ID strings. Agreed. In some respects, the (semi-articulated) proposal from the bulk-mailing folks appears to be an attempt to provide a similar identification mechanism for non-list, bulk mail. -- Kee Hinckley http://www.messagefire.com/ Junk-Free Email Filtering http://commons.somewhere.com/buzz/ Writings on Technology and Society I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's. _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] Article - New anti-spam proposal in the Ho… Yakov Shafranovich
- Re: [Asrg] Article - New anti-spam proposal in th… Richard Rognlie
- Re: [Asrg] Article - New anti-spam proposal in th… Kee Hinckley
- RE: [Asrg] Article - New anti-spam proposal in th… Bob Wyman
- Re: [Asrg] Article - New anti-spam proposal in th… Barry Shein
- RE: [Asrg] Article - New anti-spam proposal in th… Barry Shein
- Re: [Asrg] Article - New anti-spam proposal in th… Eric Brunner-Williams in Portland Maine
- RE: [Asrg] Article - New anti-spam proposal in th… Vernon Schryver
- RE: [Asrg] Article - New anti-spam proposal in th… Eric D. Williams
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … mathew
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Kee Hinckley
- Re: ADV: (was Re: [Asrg] Article - New anti-spam … Vernon Schryver
- RE: [Asrg] Article - New anti-spam proposal in th… Tom Thomson