Politech mailing list archives

FC: Christopher Arnold: Comments on anti-spam CR proposals


From: Declan McCullagh <declan () well com>
Date: Tue, 03 Jun 2003 23:15:45 -0400


---

Date: Tue, 3 Jun 2003 10:22:52 -0400 (EDT)
From: "Christopher M. Arnold" cmarnold at applied-knowledge.net
To: Declan McCullagh <declan () well com>
Subject: comments on C-R email proposals
In-Reply-To: <5.2.1.1.0.20030603010707.0422b108 () mail well com>

Declan--

I have enjoyed the debate on C-R systems these past weeks on the Politech
list.  I personally feel that the use of C-R methods for general email use
completely lacks foresight but not only for the reasons you have been
reporting.  Two concerns of mine will be difficult, if not impossible, to
resolve, however.

1.  There is a small group of users in the world who prefer a non-GUI mail
client.  Pine, elm, mutt...what have you.  The use of an embedded image as
an authorization token will clearly not work here.

Requiring the receiver to "click" on a link is only slightly less annoying
with a non-GUI client.  In many cases a mailing list was joined through
email as opposed to filling out a web-based form but for some reason it
becomes acceptable to attempt to force the recipients to use a
non-mail-related protocol to leave the list, opt out of whatever list
they find themselves on or other like situations.

Mind you, these are annoyances mainly.  My primary concern is with
security...

2.  Firms often, and most certainly should, maintain IT-related security
policies and guidelines.  These are usually coupled with HR acceptable use
policies, so on and so forth.  The introduction of ad hoc C-R systems
would more often than not either force a firm to modify its policies to
accommodate them or risk dropping loads of legitimate mail.  The use of
RBLs at the MTA level could assist to some extent but I feel would quickly
become an administrative nightmare.

Additionally, many trojans, worms and viruses propagate through holes in
certain popular mail clients.  Individuals and enterprises alike can
mitigate the risks associated with this vector of attack to some degree
now but who's to say that C-R systems wouldn't create an entirely new set
of problems to deal with as users randomly click more and more without
thinking and vendors rush to add new features while adding new bugs?

Whatever the case, thanks for the Politech list!  If you happen to post
this to the list would you please be kind enough to sanitize my email
address in some way?

Christopher Arnold, CISSP
Founder
Applied Knowledge Solutions Group




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

