Interesting People mailing list archives
more on Stopping spam isn't as easy as you might hope
From: Dave Farber <dave () farber net>
Date: Sat, 31 May 2003 13:07:01 -0400
Date: Sat, 31 May 2003 12:49:42 -0400 From: Meng Weng Wong <mengwong () dumbo pobox com> Subject: Re: [IP] Stopping spam isn't as easy as you might hope To: johnl () iecc com Cc: Dave Farber <dave () farber net> >Date: Sat, 31 May 2003 04:01:08 -0400 >From: John R Levine <johnl () iecc com> > >The social problem with designated sender is that there are plenty of >perfectly legitimate reasons for mail from a domain to originate someplace >other than its home network. Lots of people maintain accounts at Yahoo or >other free mail providers, but send mail with their Yahoo address from >their home ISP using the ISP's mail server. MUAs should add a configuration field to distinguish header "From:" vs. envelope from. That solves this problem. If they choose not to do this, they should send mail through Yahoo's web interface. That's a fair constraint. Yahoo gives them free email; in return, they're supposed to give Yahoo their eyeballs. >Many others use forwarding services such as pobox.com, which would >all be unable to function with designated sender, since mail >forwarded by such services correctly retains the original sender's >address, not the forwarding service's. If MUAs add the above configuration field, customers can use their local ISP address as their SMTP envelope, while preserving their pobox address in the "From" header. If customers really want to use their pobox.com address in their envelope "from", they are welcome to send mail through our sasl.smtp.pobox.com server. >And finally, this won't really block any significant amount of spam, >since there will always be some domains who out of political >principle, malice, or incompetence designate the entire Internet as >their valid sender ranges, and spammers can just use those. I disagree. I think it'll block a tremendous amount of spam, just as closing open relays did initially. When the technical internet community decided that open relays were a bad idea, it took very little time for everyone to update their MTA policies. RMX or DS/DM can be adopted just as quickly. When the ten biggest ISPs adopt the Designated Mailer protocol, the debate is over. Yes, some domains will cry first amendment; others will sing "Tradition!"; but those domains, like the domains that intentionally run open relays, are ultimately a small, curmudgeonly, and insignificant fraction that can easily be blacklisted. Nowadays these blacklists can be defined with per-user granularity so email recipients can choose just which blacklists to observe in accordance with their individual philosophies. Most recipients don't care about the principle of the thing. Let's not get tripped up by the exceptions to the rule. No society can accommodate all the crazies. >Or spammers can register throwaway domains of their own, since >burning an $8 domain for a 10 million message spam run isn't much of >a deterrent. True. But ask any blacklist operator why he doesn't run his blacklist on the basis of sender domains, and he'll say it's because sender address fraud makes IP blacklists the next best thing. Once we have sender domain accountability, blacklist operators can pounce on domains using automated methods, and I predict an eventual shift away from IP blacklists. Let's say you get a spam. You use the Designated Mailers Protocol to verify the sender domain against the client IP. If the match fails, you may choose to reject it. If the match succeeds, there are two possibilities. If the domain is generally respected, the onus is on the domain owner to rate-limit outgoing traffic from senders --- which is something many ISPs already do. And because the spam is coming from inside their network, they presumably have an audit trail strong enough to identify and cut off the spammer, and pursue legal action. They have an incentive to do this: if they do not, the domain will be blacklisted and other usernames at that domain will complain and terminate. With accountability, the domain distribution becomes more strongly bimodal over time: spam-friendly and spam-unfriendly. If the domain is a throwaway or a known spam-friendly ISP, you'll find it on a blacklist. It doesn't matter if the spammer has simply set "allow all", or if the spammer has painstakingly approved his spam-source machines into DNS. There are lots of blacklists out there; you get to pick one, as an end-user, not as an ISP sysadmin, that best matches your personal sense of whether a domain is respected or not. >I'm not arguing that nothing can work so we should throw up our hands, but >it's dismaying that the same old unworkable anti-spam approaches keep >reappearing over and over, reinvented by people who haven't done the most >rudimentary investigation of prior work, invariably foundering on the same >problems that came up the last six times that similar proposals failed. They needed to do 581% more research. >There's plenty of room for innovative thinking, both to try to identify >and deter spam, and to pick out the real mail from among the spam and get >it to the receipients. But please, let's stop going in circles, build >some prototypes, run some experiments to see how they work, and try to >move forward instead. Yes. At some point you have to say, these are the ideas; they're the best we have; true, they all have flaws; still, let's give them a chance. So are you proposing that we experimentally implement Gordon Fecyk's proposal, or that we do not? I cannot tell.
------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- more on Stopping spam isn't as easy as you might hope Dave Farber (May 31)
- <Possible follow-ups>
- more on Stopping spam isn't as easy as you might hope Dave Farber (May 31)