Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)

Vernon Schryver <vjs@calcite.rhyolite.com> Tue, 27 May 2003 04:26 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA13892 for <asrg-archive@odin.ietf.org>; Tue, 27 May 2003 00:26:44 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4R4Qa431557 for asrg-archive@odin.ietf.org; Tue, 27 May 2003 00:26:36 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R4QaB31554 for <asrg-web-archive@optimus.ietf.org>; Tue, 27 May 2003 00:26:36 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA13881; Tue, 27 May 2003 00:26:13 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KW0v-0006yy-00; Tue, 27 May 2003 00:24:41 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19KW0v-0006yv-00; Tue, 27 May 2003 00:24:41 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R4P7B31488; Tue, 27 May 2003 00:25:07 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4R4O6B31428 for <asrg@optimus.ietf.org>; Tue, 27 May 2003 00:24:06 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA13771 for <asrg@ietf.org>; Tue, 27 May 2003 00:23:43 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19KVyV-0006x5-00 for asrg@ietf.org; Tue, 27 May 2003 00:22:11 -0400
Received: from calcite.rhyolite.com ([192.188.61.3]) by ietf-mx with esmtp (Exim 4.12) id 19KVyU-0006x0-00 for asrg@ietf.org; Tue, 27 May 2003 00:22:10 -0400
Received: (from vjs@localhost) by calcite.rhyolite.com (8.12.9/8.12.9) id h4R4NguU009882 for asrg@ietf.org env-from <vjs>; Mon, 26 May 2003 22:23:42 -0600 (MDT)
From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305270423.h4R4NguU009882@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: ADV: (was Re: [Asrg] Article - New anti-spam proposal in the House of Representative)
References: <p0600134bbaf890811fd9@[192.168.1.104]>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 26 May 2003 22:23:42 -0600

> From: Kee Hinckley <nazgul@somewhere.com>

> >I think you are mistaken.
> >   - I've seen users talk about using whitelisting with Hotmail
> >   - I think I've been told the Outlook can do something like whitelisting
> >   - Netscape 7's filters can be used to whitelist.
>
> If that is the case--why are they getting spam?

(Note that I was responding to your statement that whitelisting is
not available.)

My guess is two reasons:
  - Most people want to receive mail from strangers.  They value
   the ability to hear from lost uncles more than they dislike spam.

  - Most people don't think of the notion of whitelisting everyone
   but a few friends.  When it's pointed out to them, they can
   understand whitelisting a sender that would otherwise be filtered.
   But they don't "get" the notion of going to 100% whitelisting.

That second reason is not theoretical, as demonstrated by the many
people who propose here and everywhere perfect spam solutions that
are equivalent to 100% whitelisting.


> ...
> >I believe Habeas's claim that most of the Internet has already
> >white-listed the Habeas mark.  So why aren't more spammers forging it?
>
> What does "most of the internet mean"?  AOL, MSN and Earthlink have 
> decided to let Habeas mail through for their users?  I could believe 
> that.  

Habeas claims 300,000,000 mailboxes have whitelisted their mark. 
I suspect that includes some of AOL, MSN, Earthlink, Outblaze, Juno,
and the default configurations for many spam filters.

>        But that has nothing to do with whitelisting email addresses 
> and lists.

It's not the same as whitelisting addresses and lists, but it is
relevant to the question of spammers forging addresses to use whitelists.
If spammers are fearless about forgery, why doesn't even some spam
include the Habeas mark?  (Yes, I noticed the recent court cases,
which is why I used the present tense.)


> >And why don't you see forged spam supposedly from CERT or the IETF?
>
> Because 99% of the users out there haven't a clue what they are, and 
> certainly haven't whitelisted them.
>
> I think you're talking about ISP whitelisting.  I'm talking about 
> end-user whitelisting.  Those are two completely different things.

They differ but are related.  A lot of ISP whitelisting consists of
suggestions or default configurations for users's individual whitelists.


> >  > In some respects, the (semi-articulated) proposal from the
> >>  bulk-mailing folks appears to be an attempt to provide a similar
> >>  identification mechanism for non-list, bulk mail.
> >
> >What is "non-list, bulk mail"?  As far as I can see, the bulk mail
>
> The stuff companies like Roving send for their customers, and large 
> companies like Amazon send for themselves.  Am I really being that 
> unclear?  I give up.

Distinguishing between the bulk mail of this list and the stuff Roving
sends is counter-productive.  The contents of bulk mail really doesn't
matter, and neither do the software used to send it or the motives of
the senders.  All that matters is whether a reasonable person (in the
legal sense of the phrase) would say the mail is solicited by all of
its targets.  Why wouldn't or shouldn't Roving include List-ID headers
for its various streams?  What's the difference between white-
or blacklisting Rovings domains or IETF's servers?

Once you start paying attention to contents, you end up with hopeless
muddles such as "ADV is required on commercial mail" with no hope
of deciding whether a lot of mail is "commercial."


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg