[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Several Observations and a solution that addressesthem all

To: Jason Hihn <jhihn@paytimepayroll.com>
Subject: Re: [Asrg] Several Observations and a solution that addressesthem all
From: Kee Hinckley <nazgul@somewhere.com>
Date: Mon, 10 Mar 2003 16:39:26 -0500
Cc: asrg@ietf.org
In-reply-to: <NGBBLHANMLKMHPDGJGAPEEABCEAA.jhihn@paytimepayroll.com>
List-archive: <https://www1.ietf.org/pipermail/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <NGBBLHANMLKMHPDGJGAPEEABCEAA.jhihn@paytimepayroll.com>
Sender: asrg-admin@ietf.org

At 12:23 PM -0500 3/10/03, Jason Hihn wrote:

The outgoing mail server will have to see what addresses account@yahoo.com
did send to that haven't been verified ("authenticated") yet. If it gets a
request from an account that was not sent to, then it sends an 'account does
not exist' message. This will cause the spoofed message to be rejected,
while not allowing the existence of an account to be determined by a
malicious entity.

This assumes a pretty complex infrastructure mapping between all possible sending servers and receiving servers for the same domain. And until everyone has updated their mail servers, the false positive rate is going to be huge, so you don't dare block on it.

So once again you have a system which nobody has an incentive to move to until it's been deployed by the majority of users.

Let me propose a rule for proposals.

No proposal without an explanation of the incentives for the senders and receivers to adopt the system at three stages: 10%, 50% and 90% deployed. And at each stage, explain what actions the spammers are being forced to take.

I would argue that a system that offers no benefits until you've passed the 50% point is never going to be adopted.

On the other hand. A system which is virtually guaranteed to fail at the 90% point (challenge/response, possibly content filters) can demonstrably shown to have early adopters because, while it may fail when scaled, it works now.

Let's try and leverage those social forces. (My anthro advisor would be proud :-)
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- RE: [Asrg] Several Observations and a solution that addresses them all
  - From: Jason Hihn
- Re: [Asrg] Several Observations and a solution that addresses them all
  - From: Vernon Schryver

References:
- [Asrg] Several Observations and a solution that addresses them all
  - From: Jason Hihn

Prev by Date: Re: [Asrg] Lets Fix Mailing Lists
Next by Date: Re: [Asrg] Lets Fix Mailing Lists
Previous by thread: RE: [Asrg] Several Observations and a solution that addresses them all
Next by thread: Re: [Asrg] Several Observations and a solution that addresses them all
Index(es):
- Date
- Thread