[Asrg] Re: Anti-spam work, a writeup
---------------
Hi,

First, thanks for looking at my writeup.

As far as the legal side, all I can say is that in my experience, the
current state of intellectual property law in the USA is that for almost any
work one can create, there is probably a patent which arguably covers your
work. I would hope that ASRG will therefore focus on identifying the best
techniques and technologies, with the understanding that later due diligence
will be required to identify and resolve collisions with existing IP. I,
personally, will not respond further on this aspect of anti-spam research.
Like many people, I have strong feelings on this side of the technology
world, but I know that communicating them here would not contribute to the
success of ASRG.

For mailing lists, I do indeed use a single unique address for subscription
to the list. Spam harvesting from list archives has become much less of a
problem in the last couple of years, as most archivers obscure or remove
E-mail addresses. But when I do start getting spammed, I unsubscribe one
address and subscribe another.

As a corollary, I have found that when I start communicating with someone
who I "met" by way of the list, our initial interactions are using my list
subscription address. When I need to delete that address, I can look at my
database for that address; it has recorded all the accounts who have used
that address (it had to, so that replies work). Usually there's a person or
two with whom I have established a longer-term correspondence. I mint a new
address for each of them, and send a note "please update my address to X".
Now that they're on their own unique address, they never need to be
perturbed again.

As Mr. Lick notes, my approach is not a whitelist, because its operation is
not affected by the sender's address. The fact that the sender can jump
from address to address without being hassled is convenient for people, and
possibly a deal buster when it's E-mail 'bots as a part of E-commerce
(things get ugly quickly when E-mail responders start talking to E-mail
responders).

The central comment I've gotten from a number of very clueful people is that
Traveller seems quite reasonable and powerful, but that the potential
hassles of using it (especially getting *started* using it) can seem larger
than the problem it solves. It's true; I had forgotten all about the
scripts I wrote to cull correspondents from my mail archives, generate
a private address from my pool for each of them, and send off "hi, I'm now
reachable at X" messages. I guess that if one of the larger E-mail services
started offering these techniques as an option, they could provide a button
which could do this automagically on behalf of John Q. User. As I admitted
to one recent reviewer, being a very technical guy makes it hard for me to
tell when what I've thought up is reasonable to ask of a "normal" user.

My vacation(1) auto-responder does bounce back messages at a fair rate.
Sendmail isn't bad at filtering out a lot of the cruft before it gets to the
point of invoking vacation(1), but there's still definitely a workload
there. Although I haven't found it to be a big deal, I *have* tuned my
sendmail down so it doesn't hold onto undeliverable messages for anywhere
near as long (in fact, it's currently down to 4 hours).

Let me amplify on one aspect of Traveller; it doesn't inflict
Challenge/Response on anyone unless they send a message to my "cold contact"
address. So Traveller stays the hell out of the way when it comes to things
like mailing lists.

I have to admit I haven't found the last time this kind of system was
discussed on the CSRG list; I've only worked my way back through 3-4 months of
the mail archives. If somebody wants to send a URL, I will certainly jump
over and do my homework ASAP.

Sincerely,
Andy Valencia
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
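
The address-rotation workflow described in the message above, as an added sketch that is not part of the original post and not Traveller's own code. The `AliasBook` class, its method names, the `example.org` addresses and the choice to reject mail sent to a retired address are all assumptions made for illustration.

```python
import secrets
from collections import defaultdict


class AliasBook:
    """Hypothetical per-correspondent address pool with a cold-contact address."""

    def __init__(self, domain, cold_contact):
        self.domain = domain
        self.cold_contact = cold_contact   # only address that triggers challenge/response
        self.active = {}                   # alias -> label (list name or "pvt")
        self.senders = defaultdict(set)    # alias -> sender addresses seen on it

    def mint(self, label):
        """Create a fresh, unguessable alias for one list or one correspondent."""
        alias = f"{label}-{secrets.token_hex(4)}@{self.domain}"
        self.active[alias] = label
        return alias

    def route(self, rcpt, sender):
        """Decide the fate of one inbound message from its recipient address only."""
        if rcpt == self.cold_contact:
            return "challenge"
        if rcpt in self.active:
            # The sender is recorded (for replies and later migration) but does
            # not influence delivery, which is why this is not a whitelist.
            self.senders[rcpt].add(sender.lower())
            return "deliver"
        return "reject"                    # assumption: retired aliases are refused

    def retire(self, alias, keep):
        """Retire a harvested alias and mint a private alias for each sender in
        `keep`. Returns {sender: new_alias} for the "please update" notes."""
        seen = self.senders.pop(alias, set())
        del self.active[alias]
        return {s: self.mint("pvt") for s in sorted(seen) if s in keep}


if __name__ == "__main__":
    # Constructed sample traffic, not taken from any real mailbox.
    book = AliasBook("example.org", "hello@example.org")
    list_alias = book.mint("asrg")
    for sender in ("friend@example.net", "spammer@bulk.example"):
        print(sender, "->", book.route(list_alias, sender))
    moves = book.retire(list_alias, keep={"friend@example.net"})
    for sender, new_alias in moves.items():
        print(f"note to {sender}: please update my address to {new_alias}")
    print("old alias now:", book.route(list_alias, "spammer@bulk.example"))
```
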