Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Chris Lewis <> Fri, 04 December 2015 15:34 UTC

On 12/01/2015 10:09 PM, Ted Lemon wrote:

> I am very curious to hear your numbers, as long as you explain how you got them.  I don't mean explain your spam algorithm--I mean characterize your sample, and explain why you think it's a good sample, and explain your methodology: what you did to the sample for test A versus what you did for test B.   Interesting things to do for the test sample to differentiate it from the control sample would be removing the last Received header field entirely (last in sequence, meaning first added), modifying the From clause for example as Stephen Farrell suggested, or simply deleting the From clause but keeping the rest of the last Received header field.

The issue here is that even describing the methodology of comparing the 
test sets, and the discussion about how it's very difficult to catch the 
same spam in other ways, reveals altogether too much information for 
spammers to use.

The numbers I've been able to give in these threads should be 
informative and are about as far as I can go.

> BTW, turning off the Received header field testing for a week isn't a valid methodology, since there's no way to control for the rather substantial variation in amounts and types of spam from week to week.

Actually, even though I'm not specifically measuring this over long 
periods of time (because the efficacy is already proven well enough 
to me and the systems who use the results, which is what matters), I 
could readily provide time-series numbers that take into account that 
variation and demonstrate the usefulness of the technique.  But I don't 
think it worth the days' worth of digging through old log files, and the 
exposure risk to the measurement infrastructure itself it would take to 
prove to you that I actually do know what I'm talking about.

>> In an ideal world, when everybody here was under NDA, I could give you some of the obvious, compelling and overwhelming evidence.

> I don't think you could.   You've said enough things that don't actually make sense at this point that I would really need you to show your work, not just give me assurances like the following:

Your inability to make sense of what I've said is demonstrative of a 
lack of operational experience.  I don't like "I know, and can't tell 
you how, trust me" arguments from authority any more than you do. 
Ironically, most people say I talk far too much.  I like explaining 
things and do a lot of free training in the appropriately secured 
venues.  But sometimes I have no choice.


If you can tell me what I said doesn't make sense, maybe I could fix 
those bits.