Re: Authentication and email



> >IMHO, spam reduction has more to do with economics. As long as sending
> >millions of unsolicited emails is cheap, the arms race between spam
> >filters and spammers will continue.
>
> Following this logic, the only way to use S/MIME or PGP to reduce
> spam is for IETF mailing lists to reject all mail from unknown
> senders, and to reject all unsigned mail from known senders. This
> would certainly reduce spam; it would also reduce valid mail from new
> participants and from current participants who are sending from
> machines that are not set up the way their other machines are.
>

I guess I don't follow you.

In fact, the IESG and IAB lists do put holds on mail from unknown senders. Three
people on IAB act as spam filterers; volunteers are selected on a half-year
basis. This is a very labor-intensive way of solving the problem, but it works
fairly well. Since IAB has put this system in place, there has been no spam on
the list. The lists do not require signed mail, and, as I believe you have
pointed out, requiring signed email is probably not a practical solution to the
spam problem in any event.

I don't know how other organizations do spam filtering, but I've heard of some
sophisticated, almost AI-like solutions, and others that require participants to
specifically indicate that a particular email is spam, then distribute this
information to other participants. All of these solutions suffer from problems,
such as the potential for false positives or spammers being able to quickly
change identifying information.

The point that I was trying to make is that nontechnical solutions may have a
greater probability of success solving the general problem of spam than IETF
trying to solve the problem with security mechanisms that may be difficult and
complex to deploy, put in place specifically for IETF lists. As stated, my own
opinion is that the problem is economic, so an economic solution would be the
preferable one. I'd be happy to debate this opinion, but probably not on this
list.

                jak