Re: [Asrg] seeking comments on new RMX article

["Alan DeKok" <aland@freeradius.org>]

Vernon Schryver <vjs@calcite.rhyolite.com> wrote:
> How does traceability and accountability reduce spam?  If you believe
> the DNS blacklist enthusiasts, most spam is already sufficiently
> traceable to be blocked.

  My experience has been different, as have others.

  Additional traceability means that it's more difficult for spammers
to send anonymously.  Once they're out in the open as spammers, then
blacklists become more useful.

  Note that blacklists only work against openly declared long-term
spammers.  "Stealth" spammers who use throw-away accounts, "hacked"
machines, etc. can easily circumvent any blacklist, unless the
blacklist reporting & distribution are both instantaneous.

  My experience with blacklists was that only about 10% of originating
IP's were on any blacklist, which made such lists useless to me.

> Why do you care more about tracing and accounting than not receiving
> spam?  That's a rhetorical question, but it involves what I think is
> an important point.

  I don't.

> However, unless you are spammer fighter interested in attacking
> spamemrs, you don't care who or where the spammers are if you can
> simply arrange to not receive their junk.

  I agree.  But I don't think such arrangements are trivial, or easily
made.

  Making more people accountable for their behaviour is just one more
tool in the fight against spam.  I've never claimed that any tool is
perfect, or that it will do everything.  In contrast, many people
violently oppose any system which *isn't* perfect, which makes me
wonder what the heck their agenda is.

> >   I'm at a loss to respond to such a position.  It's so trivially,
> > obviously wrong, that I'm left wondering what I'm missing.
> 
> You have grossly misrepresented what people have been saying.  No one
> has said that mail from from mobile users must be non-traceable and
> anonymous.  Thanks to SMTP-AUTH, STARTTLS, pop-before-SMTP, and other
> mechanisms, it is usually entirely traceable and not at all anonymous
> as far as the first MTA is concerned.

  Which misses entirely what I said.  A mobile user SHOULD use
SMTP-AUTH, STARTTLS, pop-before-SMTP, or other systems to
authenticate & secure his connection to his home domain.  So it's his
home domain which has done the hard work of verifying a previously
unknown, anonymous, roaming user.  Now that that's done, the
well-known, public, open MTA for the home domain can relay the message
to other well-known, public, open MTA's.

  The people going on about roaming users requiring naked SMTP to the
recipient domain haven't made it clear why it's the *recipients* job
to do authenticate them.  Isn't it easier for the home MTA to do
SMTP-AUTH, STARTTLS, etc., than it is for the recipient MTA to run the
message through crappy content filters?

  The MTA for the home domain has information which the recipient MTA
doesn't have, and may never have.  That information can be used to
reduce the work done by the recipient, to separate spam from
non-spam.  So the work of spam filtering is spread more evenly across
the network, and significantly less work is done, as a whole.  I fail
to see why there's any opposition to that goal.

  That's the entirety of my position in this matter.

  Alan DeKok.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg