more on Stopping spam isn't as easy as you might hope

[Dave Farber <dave () farber net>]

> Date: Sat, 31 May 2003 12:49:42 -0400
> From: Meng Weng Wong <mengwong () dumbo pobox com>
> Subject: Re: [IP] Stopping spam isn't as easy as you might hope
> To: johnl () iecc com
> Cc: Dave Farber <dave () farber net>
>
> >Date: Sat, 31 May 2003 04:01:08 -0400
> >From: John R Levine <johnl () iecc com>
> >
> >The social problem with designated sender is that there are plenty of
> >perfectly legitimate reasons for mail from a domain to originate someplace
> >other than its home network.  Lots of people maintain accounts at Yahoo or
> >other free mail providers, but send mail with their Yahoo address from
> >their home ISP using the ISP's mail server.
>
> MUAs should add a configuration field to distinguish header "From:"
> vs. envelope from.  That solves this problem.  If they choose not to
> do this, they should send mail through Yahoo's web interface.  That's
> a fair constraint.  Yahoo gives them free email; in return, they're
> supposed to give Yahoo their eyeballs.
>
> >Many others use forwarding services such as pobox.com, which would
> >all be unable to function with designated sender, since mail
> >forwarded by such services correctly retains the original sender's
> >address, not the forwarding service's.
>
> If MUAs add the above configuration field, customers can use their
> local ISP address as their SMTP envelope, while preserving their pobox
> address in the "From" header.
>
> If customers really want to use their pobox.com address in their
> envelope "from", they are welcome to send mail through our
> sasl.smtp.pobox.com server.
>
> >And finally, this won't really block any significant amount of spam,
> >since there will always be some domains who out of political
> >principle, malice, or incompetence designate the entire Internet as
> >their valid sender ranges, and spammers can just use those.
>
> I disagree.  I think it'll block a tremendous amount of spam, just as
> closing open relays did initially.
>
> When the technical internet community decided that open relays were a
> bad idea, it took very little time for everyone to update their MTA
> policies.  RMX or DS/DM can be adopted just as quickly.  When the ten
> biggest ISPs adopt the Designated Mailer protocol, the debate is over.
>
> Yes, some domains will cry first amendment; others will sing
> "Tradition!"; but those domains, like the domains that intentionally
> run open relays, are ultimately a small, curmudgeonly, and
> insignificant fraction that can easily be blacklisted.
>
> Nowadays these blacklists can be defined with per-user granularity so
> email recipients can choose just which blacklists to observe in
> accordance with their individual philosophies.  Most recipients don't
> care about the principle of the thing.  Let's not get tripped up by
> the exceptions to the rule.  No society can accommodate all the crazies.
>
> >Or spammers can register throwaway domains of their own, since
> >burning an $8 domain for a 10 million message spam run isn't much of
> >a deterrent.
>
> True.  But ask any blacklist operator why he doesn't run his blacklist
> on the basis of sender domains, and he'll say it's because sender
> address fraud makes IP blacklists the next best thing.  Once we have
> sender domain accountability, blacklist operators can pounce on
> domains using automated methods, and I predict an eventual shift away
> from IP blacklists.
>
> Let's say you get a spam.  You use the Designated Mailers Protocol to
> verify the sender domain against the client IP.  If the match fails,
> you may choose to reject it.  If the match succeeds, there are two
> possibilities.
>
> If the domain is generally respected, the onus is on the domain owner
> to rate-limit outgoing traffic from senders --- which is something
> many ISPs already do.  And because the spam is coming from inside
> their network, they presumably have an audit trail strong enough to
> identify and cut off the spammer, and pursue legal action.  They have
> an incentive to do this: if they do not, the domain will be
> blacklisted and other usernames at that domain will complain and
> terminate.  With accountability, the domain distribution becomes more
> strongly bimodal over time: spam-friendly and spam-unfriendly.
>
> If the domain is a throwaway or a known spam-friendly ISP, you'll find
> it on a blacklist.  It doesn't matter if the spammer has simply set
> "allow all", or if the spammer has painstakingly approved his
> spam-source machines into DNS.
>
> There are lots of blacklists out there; you get to pick one, as an
> end-user, not as an ISP sysadmin, that best matches your personal
> sense of whether a domain is respected or not.
>
> >I'm not arguing that nothing can work so we should throw up our hands, but
> >it's dismaying that the same old unworkable anti-spam approaches keep
> >reappearing over and over, reinvented by people who haven't done the most
> >rudimentary investigation of prior work, invariably foundering on the same
> >problems that came up the last six times that similar proposals failed.
>
> They needed to do 581% more research.
>
> >There's plenty of room for innovative thinking, both to try to identify
> >and deter spam, and to pick out the real mail from among the spam and get
> >it to the receipients.  But please, let's stop going in circles, build
> >some prototypes, run some experiments to see how they work, and try to
> >move forward instead.
>
> Yes.  At some point you have to say, these are the ideas; they're the
> best we have; true, they all have flaws; still, let's give them a chance.
>
> So are you proposing that we experimentally implement Gordon Fecyk's
> proposal, or that we do not?  I cannot tell.


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/