Soundness of silence

I've only been subscribed to this list for 18 months, so you will forgive me if I haven't yet grasped how it works. I've been receiving spam for much longer than that, and lazily waited for someone to reel off the rules to kill that plague. It never happened. Why? When I subscribed, I thought I'd at least understand that...

Understanding this list's dynamics is not easier. As in many lists, messages that start a new thread are relatively rare. I don't have message-per-thread statistics, but usually there are many responses. Some messages get no response; for example, Frank sent a message on Spam Statistics on April 28, and nobody answered, AFAIK.

In particular, I'm puzzled as to why I got no answer to my yesterday's message. A previous message by Amir, DNS-based Email Sender Authentication Mechanisms: a Critical Review, had several responses. The subject of my I-D is almost the same, an SMTP extension to manage those authentication mechanisms. However, I had exactly zero response. The same happened for a similar message I sent on May 25. I cannot believe it is by chance. Since it happened twice in a row, there has to be a sound reason.

Possible guesses:

* Because nobody is interested in the subject.
Already ruled out: it is the same subject as Amir's paper (rDNS, SPF, DKIM, and the like.) How come nobody is interested?

* Because nobody has the time to retrieve the I-D from the web.
Doesn't work, by the same argument nobody would have read Amir's paper.

* Because it is poorly written.
Well, my English is not that good, but used to be readable. Also, at first I thought an I-D's introduction should only give a hint at interpreting the behavior described in the rest of the text, in order to let readers draw the consequences more freely. Now I've changed it to describe the use model. I admit that's confusing, but not to the point of not discussing it: in fact, I've discussed it with a handful of people already, but never on a list. Hm... _that_'s puzzling.

* Because it is written by me.
Naah... paranoid.

* Because nobody is interested in yet another anti-spam tool.
I could understand that. But this does not explain why everyone resisted the temptation of telling me why I'm an asshole.

* Because someone wrote privately to everyone banning public answers.
Unbelievable, paranoid, I don't think it would ever have worked as intended.

* Because vhlo is not endorsed by John.
Not really. John himself told me to write to the list. Possibly, he did not answer because he wanted to see if anybody _else_ was interested.

* Because it is not endorsed by the IESG.
Uh? What is the IESG?

* Because the referred paper is an I-D.
Hmm... this list has been discussing I-Ds before. However, it may be that a public message about an I-D would have been classified as rough dissension and thereby commit the IETF to do something with it, such as assigning it a "dead" state. I'm not much into the standardization process, but such a rule would seem too bureaucratically silly to be operative.

Yet, it happens every time. I bet I can reproduce that behavior consistently, look at this: "Hey, I've written take 3". See any response? No. So, why?

FWIW, and for your convenience, I paste below the original text that inspired the title of this rant.

[Song lyrics omitted.]

_______________________________________________
Asrg mailing list
Asrg@...
http://www.irtf.org/mailman/listinfo/asrg

Re: Soundness of silence

My guess is "need more patience grasshopper".

I didn't respond to your post because I haven't read your draft yet (light reading for the weekend?) although it is on my to-do list. I've read your posts on other lists and you seem a reasonable person so I do plan on taking the time to read the draft.

Some of us have day jobs that have to take a priority to reading and responding.

Lastly, the level of discussion on ASRG hasn't gotten me overly excited overall in quite some time so I don't always pay as close attention to the flow of posts as I might on some other lists.

Re: Soundness of silence

On 6/12/2009 14:28, Alessandro Vesely wrote:
>
> Yet, it happens every time. I bet I can reproduce that behavior
> consistently, look at this: "Hey, I've written take 3". See any
> response? No. So, why?
>

Priorities; the summary you posted piqued my interest, but I have not yet had time to read the full document.

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame

Re: Soundness of silence

--On 12 June 2009 20:28:08 +0200 Alessandro Vesely <vesely@...> wrote:

> I've only been subscribed to this list for 18 months, so you will forgive
> me if I haven't yet grasped how it works. I've been receiving spam for
> much longer than that, and lazily waited for someone to reel off the
> rules to kill that plague. It never happened. Why? When I subscribed, I
> thought I'd at least understand that...

Can I suggest that a URL for the draft might be useful?

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

Re: [OT] Soundness of silence

Alessandro,

It may have something to do with your messages being filtered into the SPAM folder. I have been lurking in this group for a few years trying to keep abreast of the technology. Of those that post to the list, you (unfortunately) are the only one who gets sent to the SPAM folder, automatically, might I add (this is not by my design). Perhaps others who might be interested in what you have to say are finding your messages mixed in with the trash also?

Michael Schadone

Alessandro Vesely wrote:
> I've only been subscribed to this list for 18 months, so you will
> forgive me if I haven't yet grasped how it works. I've been receiving
> spam for much longer than that, and lazily waited for someone to reel
> off the rules to kill that plague. It never happened. Why? When I
> subscribed, I thought I'd at least understand that...
>
> Understanding this list's dynamics is not easier. As in many lists,
> messages that start a new thread are relatively rare. I don't have
> message-per-thread statistics, but usually there are many responses.
> Some messages get no response; for example, Frank sent a message on Spam
> Statistics on April 28, and nobody answered, AFAIK.
>
> In particular, I'm puzzled as to why I got no answer to my yesterday's
> message. A previous message by Amir, DNS-based Email Sender
> Authentication Mechanisms: a Critical Review, had several responses. The
> subject of my I-D is almost the same, an SMTP extension to manage those
> authentication mechanisms. However, I had exactly zero response. The
> same happened for a similar message I sent on May 25. I cannot believe
> it is by chance. Since it happened twice in a row, there has to be a
> sound reason.
>
> Possible guesses:
>
<SNIP>

Re: Soundness of silence

Alessandro Vesely wrote, On 6/12/09 2:28 PM:
> I've only been subscribed to this list for 18 months, so you will
> forgive me if I haven't yet grasped how it works. I've been receiving
> spam for much longer than that, and lazily waited for someone to reel
> off the rules to kill that plague. It never happened. Why? When I
> subscribed, I thought I'd at least understand that...

Different people (and mail systems) have different spam problems. Many people have come up with "good enough" solutions for their own spam problems, but they are not all the same solutions. The idea that there is or could be one solution that works for everyone has largely fallen into disrepute because all of the attempts at it have fallen far short of the goal. Unfortunately, many of the de facto best current practices are completely unsuited for technical standardization. I don't think anyone wants to see any sort of RFC that recommends using any specific DNSBL, but for many people running mail systems of a wide variety the use of the Spamhaus Zen DNSBL is their most effective single anti-spam tactic. Recommending the shunning of specific whole countries certainly does not belong in anything that anyone might see as a "standard" but as a matter of practicality, many mail systems do so to great benefit and at no tangible cost.

Because spam is fundamentally a social problem rather than a technical problem, the technical approaches to fixing it are all imperfect, many subsets are subject to "arms race" problems, and the only generalizable solution is that everyone running a mail system should apply a mix of tactics suited to their spam and their non-spam (based on the locally relevant definition of "spam") and pay attention to how those tactics work *for them* rather than seek to locally deploy some global solution.

> Understanding this list's dynamics is not easier. As in many lists,
> messages that start a new thread are relatively rare. I don't have
> message-per-thread statistics, but usually there are many responses.
> Some messages get no response; for example, Frank sent a message on Spam
> Statistics on April 28, and nobody answered, AFAIK.

There's not much in that case to answer about. He provided a link to a site that provides interesting stats for one vendor's customers, but a lot of us understand well that such stats are not particularly useful globally.

> In particular, I'm puzzled as to why I got no answer to my yesterday's
> message. A previous message by Amir, DNS-based Email Sender
> Authentication Mechanisms: a Critical Review, had several responses.

You should keep in mind that the short-term level of response here to an idea is going to be somewhat inversely related to how well it is reasoned and presented. I think if you look at the nature of the early responses to that post you will find that the first day was dominated by people complaining about the manner of presentation.

> The
> subject of my I-D is almost the same, an SMTP extension to manage those
> authentication mechanisms. However, I had exactly zero response. The
> same happened for a similar message I sent on May 25. I cannot believe
> it is by chance. Since it happened twice in a row, there has to be a
> sound reason.

I thought Logical Positivism was a dead school of philosophy, but it seems not... :)

> Possible guesses:
>
> * Because nobody is interested in the subject.
> Already ruled out: it is the same subject as Amir's paper (rDNS, SPF,
> DKIM, and the like.) How come nobody is interested?

It's not the same. It's an actual new idea rather than a rehash/critique of existing tools. Many people here have already thought about (and in some cases used) the various MARID tactics. It does not take a lot of new thought to throw the same old rocks at their pet targets, but it does require new careful thought to discuss a new idea.

> * Because nobody has the time to retrieve the I-D from the web.
> Doesn't work, by the same argument nobody would have read Amir's paper.

His takes less effort to form an opinion on.

I also think that the difference in media is important. An I-D is presumably intended as a step towards a RFC, and people here ought to understand that public discussions of I-D's should be done carefully.

Your proposal is complex enough that making a careful analysis takes real effort. A casual scan of the document doesn't yield obvious fatal flaws, nor does it provide any instant 'AHA!' response of how the VHLO mechanism would provide a clear fix for a major problem. That results in it seeming like a low-yield chore to go through 23 pages of details to figure out whether this idea is sound and useful. Maybe improving sections 1.1-1.3 to more directly and concisely define the problem VHLO is meant to address would encourage more attention.

If I understand it correctly, the problem VHLO is trying to address is that sending and receiving sides may not always agree on which name(s) to use in application of which DNS-based authentication and authorization schemes and how strongly the results of those schemes should be interpreted as the name owner vouching for the non-spam quality of the messages involved. This tends to force receivers into complex scoring of their DNS-based and content-based filtering, making deliverability for legitimate senders highly uncertain and opaque.

If I understand it correctly, you are proposing that VHLO be used to address that problem by providing a way for a SMTP sending system to provide the names, schemes, and strengths that should be used for all messages in a particular VHLO session. This allows receivers to layer DNS-based mechanisms as absolute criteria ahead of expensive and fuzzy content filters, instead of using them (as is common in tools like SpamAssassin) as scored criteria in a large collection of other similarly imperfect scored criteria.

Of course, I may just be projecting my own ideas about spam control onto a very quick scan of your draft in full attention-deficit mode, and I don't have any opinion on whether the mechanical details you define will do the job that I think you want done.

More telling: I'm not convinced that any new technical approach to spam control has any chance of widespread adoption or even careful attention. The jungle of existing tactics combined with a drop in user expectations has resulted in a circumstance where the demand for better mail service is not enough to get significant new technical approaches deployed.

Re: Soundness of silenceBill Cole wrote:
> Different people (and mail systems) have different spam problems. I tend to understand that as different classes of spam. For an example, consider a creditor of mines who solicits payment by sending me reminders. Assume I'm not going to pay and I just discard them. If, by chance, they end up in the spam folder, would I be willing to train my Bayesian filter to avoid that? Probably no. And, are those reminders spam? In some acceptation of the term, yes. Thus, a fax or a registered letter is better than email... > Many people have come up with "good enough" solutions for their own > spam problems, but they are no all the same solutions. The idea that > there is or could be one solution that works for everyone has largely > fallen into disrepute because all of the attempts at it have fallen far > short of the goal. Unfortunately, many of the de facto best current > practices are completely unsuited for technical standardization. I don't > think anyone wants to see any sort of RFC that recommends using any > specific DNSBL, but for many people running mail systems of a wide > variety the use of the Spamhaus Zen DNSBL is their most effective single > anti-spam tactic. Recommending the shunning of specific whole countries > certainly does not belong in anything that anyone might see as a > "standard" but as a matter of practicality, many mail systems do so to > great benefit and at no tangible cost. I don't see why such techniques are not amenable to standardization. Actually, there is a couple of DNSBL drafts that are slowly moving forward. It should be possible for my SMTP server to accept mail only from, say, an office opposite with whom I do most business, and shunning all the rest except, say, Gmail, thereby relying on their filtering. There's nothing wrong with that, except for technical problems that make it difficult to set it up properly. 
> Because spam is fundamentally a social problem rather than a technical > problem, the technical approaches to fixing it are all imperfect, many > subsets are subject to "arms race" problems, and the only generalizable > solution is that everyone running a mail system should apply a mix of > tactics suited to their spam and their non-spam (based on the locally > relevant definition of "spam") and pay attention to how those tactics > work *for them* rather than seek to locally deploy some global solution. Yes, that's the conclusion I also reached. Spam is a universal plague and we must live with it. It is indecent to egoistically take oneself away from it. Therefore, solutions to get rid of spam are not wanted, not even discussed. BTW, discussion implies that someone will try to also get rid of direct marketing, in the bargain. So, let's keep all of it, even the inadmissible zombie-generated spam. >> In particular, I'm puzzled as to why I got no answer to my yesterday's >> message. A previous message by Amir, DNS-based Email Sender >> Authentication Mechanisms: a Critical Review, had several responses. > > You should keep in mind that the short-term level of response here to an > idea is going to be somewhat inversely related to how well it is > reasoned and presented. I think if you look at the nature of the early > responses to that post you will find that the first day was dominated by > people complaining about the manner of presentation. Someone suggested I should also have posted an URL. Those are just practical issues. >> * Because nobody is interested in the subject. >> Already ruled out: it is the same subject of Amir's paper (rDNS, SPF, >> DKIM, and the like.) How come nobody is interested? > > It's not the same. It's an actual new idea rather than a rehash/critique > of existing tools. Many people here have already thought about (and in > some cases used) the various MARID tactics. 
It does not take a lot of
> new thought to throw the same old rocks at their pet targets, but it
> does require new careful thought to discuss a new idea.

That's partially correct. OTOH, it is just a mashup of those same existing tools, providing a framework for letting senders know.

> I also think that the difference in media is important. An I-D is
> presumably intended as a step towards a RFC, and people here ought to
> understand that public discussions of I-D's should be done carefully.

Being an I-D _and_ a proposed solution emphasize each other, conflicting with the universal plague requirement above. However, it is also important to reach some form of agreed failure diagnosis. Question 12 in http://asrg.sp.am/about/faq.shtml is just too generic.

> Your proposal is complex enough that making a careful analysis takes
> real effort. A casual scan of the document doesn't yield obvious fatal
> flaws, nor does it provide any instant 'AHA!' response of how the VHLO
> mechanism would provide a clear fix for a major problem. That results in
> it seeming like a low-yield chore to go through 23 pages of details to
> figure out whether this idea is sound and useful. Maybe improving
> sections 1.1-1.3 to more directly and concisely define the problem VHLO
> is meant to address would encourage more attention.

That's what I've been trying to do in the last two rounds. Any explicit hint?

> If I understand it correctly, the problem VHLO is trying to address is
> that sending and receiving sides may not always agree on which name(s)
> to use in application of which DNS-based authentication and
> authorization schemes and how strongly the results of those schemes
> should be interpreted as the name owner vouching for the non-spam
> quality of the messages involved. This tends to force receivers into
> complex scoring of their DNS-based and content-based filtering, making
> deliverability for legitimate senders highly uncertain and opaque.

Yes, the overall idea is simply to allow whitelisted ("first-class"?) delivery for senders who ask for it, and are eligible. Eligibility criteria already exist, based on those DNS techniques. VHLO is mainly meant for those servers who already implement various forms of whitelisting. For example, Spamhaus lookup, when used to reject, usually gives a clear response as to why rejection occurred, both to end user and log files. However, DNSBLs used for scoring, as well as positive listings and vouching, that lead a server to accept messages with suspicion, are highly uncertain and opaque, as you say.

> If I understand it correctly, you are proposing that VHLO be used to
> address that problem by providing a way for a SMTP sending system to
> provide the names, schemes, and strengths that should be used for all
> messages in a particular VHLO session. This allows receivers to layer
> DNS-based mechanisms as absolute criteria ahead of expensive and fuzzy
> content filters, instead of using them (as is common in tools like
> SpamAssassin) as scored criteria in a large collection of other
> similarly imperfect scored criteria.

Correct. And also feedback, without which a sender cannot know which vouching services would provide which benefits.

> Of course, I may just be projecting my own ideas about spam control onto
> a very quick scan of your draft in full attention-deficit mode, and I
> don't have any opinion on whether the mechanical details you define will
> do the job that I think you want done.

Some mechanical details may need to be amended/discussed, in case.

> More telling: I'm not convinced that any new technical approach to spam
> control has any chance of widespread adoption or even careful attention.
> The jungle of existing tactics combined with a drop in user expectations
> has resulted in a circumstance where the demand for better mail service
> is not enough to get significant new technical approaches deployed.

Great! I cannot tell it better than that. It obviously implies that email is going to die out. Newcomers don't perceive it as something new and exciting, but rather as an obsolete communication system used predominantly by elder people, generally left in a state of regrettable neglect.

_______________________________________________
Asrg mailing list
Asrg@...
http://www.irtf.org/mailman/listinfo/asrg
Re: Soundness of silence

>> Because spam is fundamentally a social problem rather than a
>> technical problem, [...]
> Yes, that's the conclusion I also reached. Spam is a universal
> plague and we must live with it.

Not quite. There are walled-garden approaches to email that are basically spam-free, because they have the accountability the open Internet lacks.

> Someone suggested I should also have posted an URL. Those are just
> practical issues.

Perhaps, but they are very relevant when addressing the question of "why did my note generate no traffic?". Every additional barrier that makes it harder - even a little harder - for people will reduce the response. Speaking personally, for example, I have often ignored documents provided as PDFs where I would not have ignored the same content as a text file, because reading PDFs is substantially more complicated and unpleasant for me than reading text files. Other people will have other reasons to respond to _this_ mail rather than _that_ one - practical issues, yes, but still relevant.

>> I'm not convinced that any new technical approach to spam control
>> has any chance of widespread adoption or even careful attention.
>> The jungle of existing tactics combined with [...]
> [That] obviously implies that email is going to die out.

It's not obvious to me. Can you spell it out for me how you get from Bill's lack of conviction - okay, let's make it easy and assume Bill is right: from the lack of widespread adoption or attention to new technical antispam techniques - to email dying out?

> Newcomers don't perceive it as something new and exciting, but rather
> as an obsolete communication system used predominantly by elder
> people, generally left in a state of regrettable neglect.

Honestly, this is one of the few things that could save email. If enough of the net.population deserts it for newer and shinier communications media, spammers will perceive a lack of value in it and start leaving it alone, making it usable again for us (FVO "us" approximating "people who didn't desert it", which I expect would include most/all of the people I for one care about exchanging email with anyway).

Do I expect that to happen? Not really. But neither do I see it dying out.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML mouse@...
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Re: Soundness of silence

On 16 Jun 2009, at 12:28, Alessandro Vesely wrote:

> Someone suggested I should also have posted an URL. Those are just
> practical issues.

Yes a practical issue if you want people to comment on your Draft - make it easy for them to grab it and read it, otherwise it will disappear into the 'waiting for time to search for it, download and then review it' pool of things to do.

f
Re: Soundness of silence

At 04:28 16-06-2009, Alessandro Vesely wrote:

>I tend to understand that as different classes of spam. For an
>example, consider a creditor of mines who solicits payment by
>sending me reminders. Assume I'm not going to pay and I just discard
>them. If, by chance, they end up in the spam folder, would I be
>willing to train my Bayesian filter to avoid that? Probably no. And,
>are those reminders spam? In some acceptation of the term, yes.
>Thus, a fax or a registered letter is better than email...

"different spam problems" does not mean different classes of spam. Look at it in terms of user-base and mail traffic. You also have to understand that the problem is not linear, i.e. the amount of spam is proportional to the user-base.

If you want to consider these reminders as spam, you have the right to do so. It's unlikely that all creditors will resort to sending a registered letter or a fax because of that.

As you were complaining about the soundness of silence, let's see how you would have reacted if nobody answered the message you posted. :-)

>I don't see why such techniques are not amenable to standardization.
>Actually, there is a couple of DNSBL drafts that are slowly moving forward.

Documents from the ASRG (IRTF) and the IETF fall in different streams. Within the IETF, standardization has a different meaning.

>Yes, that's the conclusion I also reached. Spam is a universal
>plague and we must live with it. It is indecent to egoistically take
>oneself away from it. Therefore, solutions to get rid of spam are
>not wanted, not even discussed. BTW, discussion implies that

The different solutions are discussed but it's difficult to reach an agreement on them.

>Being an I-D _and_ a proposed solution emphasize each other,
>conflicting with the universal plague requirement above. However, it
>is also important to reach some form of agreed failure diagnosis.
>Question 12 in http://asrg.sp.am/about/faq.shtml is just too generic.

Maybe there's a cultural problem. The answer to question 12 provides sound advice on what you could do before submitting a proposal.

Regards,
-sm
Re: Soundness of silence

--On 16 June 2009 08:47:51 -0400 der Mouse <mouse@...> wrote:

> Not quite. There are walled-garden approaches to email that are
> basically spam-free, because they have the accountability the open
> Internet lacks.

Agreed. What efforts are being made to introduce that accountability to email?

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: Soundness of silence

>> Not quite. There are walled-garden approaches to email that are
>> basically spam-free, because they have the accountability the open
>> Internet lacks.
> Agreed. What efforts are being made to introduce that accountability
> to email?

Few-to-none, as far as I can tell, outside of the walled gardens.

Part of the problem is that for any-to-any email, the cooperation of the sending site is required to push responsibility back onto the sending user, too many sending sites refuse to, and the failure to impose responsibility along with authority granted goes clear to the top of Internet governance.

This is in large part why I'm getting out of active abuse fighting: as long as the mismatch between authority and responsibility is so close to total at the upper levels of Internet governance, I believe anti-abuse efforts at the lower levels are almost entirely just rearranging the deck chairs on the Titanic - at best they're delaying the inevitable. I can't really put my heart into an endeavour that I believe is futile and doomed and not something I enjoy doing for its own sake. Even if I'm wrong about its being futile and doomed, that's still how it feels to me.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML mouse@...
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Re: Soundness of silence

der Mouse wrote:

>>> I'm not convinced that any new technical approach to spam control
>>> has any chance of widespread adoption or even careful attention.
>>> The jungle of existing tactics combined with [...]
>> [That] obviously implies that email is going to die out.
>
> It's not obvious to me. Can you spell it out for me how you get from
> Bill's lack of conviction - okay, let's make it easy and assume Bill is
> right: from the lack of widespread adoption or attention to new
> technical antispam techniques - to email dying out?

Because it is not reliable. Why would you spend your time and intelligence writing text that will end up in some spam folder without ever being read?

>> Newcomers don't perceive it as something new and exciting, but rather
>> as an obsolete communication system used predominantly by elder
>> people, generally left in a state of regrettable neglect.
>
> Honestly, this is one of the few things that could save email. If
> enough of the net.population deserts it for newer and shinier
> communications media, spammers will perceive a lack of value in it and
> start leaving it alone, making it usable again for us

That's an interesting assertion. I think spammers love their honeypots, some of which possibly even pay a visit to their spamvertized sites. How will spammers perceive a lack of value? Their instigators are not looking for the most effective channel, they are looking for the cheapest. They might very well be the last ones to leave, who knows. At any rate, I'd very much avoid such experiment: It is the worst anti-spam approach I've ever heard.

> (FVO "us"
> approximating "people who didn't desert it", which I expect would
> include most/all of the people I for one care about exchanging email
> with anyway).

You must be at least 47, then. Correct? ;-)

> Do I expect that to happen? Not really. But neither do I see it dying
> out.

Do you perceive migration toward giant ESPs as the premise for newer/shinier media? The global walled-garden is just a step away. Nowadays businesses are too much concerned about costs, but what will happen when they will be wanting to pay a small amount for acceptable reliability? (Microsoft has been looking after that since their first MAPI release...)
Re: Soundness of silence

>> Can you spell it out for me how you get from Bill's lack of
>> conviction - okay, let's make it easy and assume Bill is right: from
>> the lack of widespread adoption or attention to new technical
>> antispam techniques - to email dying out?
> Because it is not reliable. Why would you spend your time and
> intelligence writing text that will end up in some spam folder
> without ever being read?

_Will_ end up there? Without _ever_ being read? I wouldn't, of course.

But that's not what we have. I participate in a lot of mailing lists, and I daresay some fraction of what I write gets ignored by some fraction of its potential readers - some of it because of misfiling by spamfilters, some of it because people have decided I'm not worth listening to, whatever. But as long as those fractions stay small enough, the readership is high enough that I don't consider the time and effort wasted.

Mail does not need perfect - or even very good - reliability in order to be useful. When I first started using email, it could take a week to get mail from Montreal to California, with a chance that sometimes approached even that it would get lost on the way. This didn't deter lots of people, including me, from using it anyway.

>>> Newcomers don't perceive [email] as something new and exciting, but
>>> rather as an obsolete communication system [...]
>> Honestly, this is one of the few things that could save email. If
>> enough of the net.population deserts it for newer and shinier
>> communications media, spammers will perceive a lack of value in it
>> and start leaving it alone, making it usable again for us [...]
> That's an interesting assertion. I think spammers love their
> honeypots, some of which possibly even pay a visit to their
> spamvertized sites. How will spammers perceive a lack of value?

Low ROI. A honeypot can "visit" a malware drive-by installer all day, and if it doesn't result in another bot joining the botnet, it holds no value for the bot herder. Of course, not all spam is about recruiting botnet members, but similar remarks apply to all forms of spam: if it doesn't produce the desired effect, it will stop being used, whether that effect is people falling for phishing scams, people falling for 419 scams, new botnet hosts, customers for knockoff software copies, customers for "cheap meds", whatever.

> Their instigators are not looking for the most effective channel,
> they are looking for the cheapest.

The cheapest - in terms of effect for resources invested. ROI. A spammers-only email system will provide zero-to-negative ROI.

> They might very well be the last ones to leave, who knows.

Could be. I did say "could save email", not "would save email". :)

> At any rate, I'd very much avoid such experiment: It is the worst
> anti-spam approach I've ever heard.

Oh, I'm not proposing it as "let's do this in order to save email". If it happens at all, it will happen because most of the net sees email as not worth saving. (I find amusing irony in the idea that it might prove to be email being seen as not worth saving that saves it.)

>> (FVO "us" approximating "people who didn't desert it", which I
>> expect would include most/all of the people I for one care about
>> exchanging email with anyway).
> You must be at least 47, then. Correct? ;-)

No, actually, I'm not. (Where did you get that figure? I'm curious.)

>> Do I expect that to happen? Not really. But neither do I see
>> [email] dying out.
> Do you perceive migration toward giant ESPs as the premise for
> newer/shinier media?

Not premise for, exactly, but I see it as related, in that it's part of the current flood towards shiny interfaces and never mind whether the content has any value; it's new! and shiny! so it must be good.

> The global walled-garden is just a step away.

Perhaps. I see no sign of it, though, at least not as I sketched it; the few entities that are coming close to being global walled gardens for email (gmail being the first one that comes to my mind) are not, as far as I can tell, bothering to impose the responsibility on senders that was a premise for the walled gardens I described being any more spam-free than today's net.

> Nowadays businesses are too much concerned about costs, but what will
> happen when they will be wanting to pay a small amount for acceptable
> reliability?

I don't know. I don't even have guesses; it depends on too many other factors which you haven't specified (many of which, I suspect, nobody currently has more than guesses for either).

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML mouse@...
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Re: Soundness of silence

Alessandro Vesely wrote, On 6/16/09 7:28 AM:

> Bill Cole wrote:
>> Different people (and mail systems) have different spam problems.
>
> I tend to understand that as different classes of spam. For an example,
> consider a creditor of mines who solicits payment by sending me
> reminders. Assume I'm not going to pay and I just discard them. If, by
> chance, they end up in the spam folder, would I be willing to train my
> Bayesian filter to avoid that? Probably no. And, are those reminders
> spam? In some acceptation of the term, yes. Thus, a fax or a registered
> letter is better than email...

It goes beyond that sort of edge case of defining spam as "mail I don't like". There are envelope characteristics that exist in distinct types of mail that are mostly seen by different sets of receiving systems, such as messages with more than 10 recipients. For microdomains and mass-market mail providers, such mail is almost always archetypal spam: sent without any prior relationship to addresses harvested from the net or bought from a harvester. For many businesses, such mail is almost entirely legitimate mail from existing business partners: service providers, suppliers, etc. On different mail systems, the same low-cost rule may correlate well to the spam/non-spam classification, *but in opposite directions.*

>> Many people have come up with "good enough" solutions for their own
>> spam problems, but they are not all the same solutions. The idea that
>> there is or could be one solution that works for everyone has largely
>> fallen into disrepute because all of the attempts at it have fallen
>> far short of the goal. Unfortunately, many of the de facto best
>> current practices are completely unsuited for technical
>> standardization. I don't think anyone wants to see any sort of RFC
>> that recommends using any specific DNSBL, but for many people running
>> mail systems of a wide variety the use of the Spamhaus Zen DNSBL is
>> their most effective single anti-spam tactic. Recommending the
>> shunning of specific whole countries certainly does not belong in
>> anything that anyone might see as a "standard" but as a matter of
>> practicality, many mail systems do so to great benefit and at no
>> tangible cost.
>
> I don't see why such techniques are not amenable to standardization.
> Actually, there is a couple of DNSBL drafts that are slowly moving forward.

Which are good efforts, but they don't actually tell readers which DNSBL's are highly effective and which are dangerous to their mail. Or which might be both. For the overwhelming majority of mail systems, the most effective, cost-effective, and safe tool to shun spam is the Spamhaus Zen list, but it would be a very bad idea for any RFC to say that. Similarly, there are very safe, cheap, and effective ways to stop spam before DATA based on rDNS and HELO names that could never pass muster for an RFC.

> It should be possible for my SMTP server to accept mail only from, say,
> an office opposite with whom I do most business, and shunning all the
> rest except, say, Gmail, thereby relying on their filtering. There's
> nothing wrong with that, except for technical problems that make it
> difficult to set it up properly.

No RFC will (or should) ever recommend such an approach. That is not because such an approach will never be the best one for any system, but because it is not a widely deployable solution and it relies upon a characteristic of the mail world that may well be transient.

>> Because spam is fundamentally a social problem rather than a technical
>> problem, the technical approaches to fixing it are all imperfect, many
>> subsets are subject to "arms race" problems, and the only
>> generalizable solution is that everyone running a mail system should
>> apply a mix of tactics suited to their spam and their non-spam (based
>> on the locally relevant definition of "spam") and pay attention to how
>> those tactics work *for them* rather than seek to locally deploy some
>> global solution.
>
> Yes, that's the conclusion I also reached. Spam is a universal plague
> and we must live with it. It is indecent to egoistically take oneself
> away from it. Therefore, solutions to get rid of spam are not wanted,
> not even discussed. BTW, discussion implies that someone will try to
> also get rid of direct marketing, in the bargain. So, let's keep all of
> it, even the inadmissible zombie-generated spam.

I disagree. :) I think you are misunderstanding my point. The existing tools are good enough that most mail system operators can put together some set of them to assure that a large majority of their users see spam rarely and have very little legitimate mail blocked, while the non-zero level of errors in both directions have made users more acclimated to and forgiving of such imperfections. This has raised the bar significantly for new technical approaches, which will not even get attention unless they are very good, very low-cost, and very easy to deploy.

[...]

>> Your proposal is complex enough that making a careful analysis takes
>> real effort. A casual scan of the document doesn't yield obvious fatal
>> flaws, nor does it provide any instant 'AHA!' response of how the VHLO
>> mechanism would provide a clear fix for a major problem. That results
>> in it seeming like a low-yield chore to go through 23 pages of details
>> to figure out whether this idea is sound and useful. Maybe improving
>> sections 1.1-1.3 to more directly and concisely define the problem
>> VHLO is meant to address would encourage more attention.
>
> That's what I've been trying to do in the last two rounds. Any explicit
> hint?

Replace the tutorial on mail filtering fundamentals with a concise problem definition and concise explanation of how VHLO provides a solution.

[...]

>> More telling: I'm not convinced that any new technical approach to
>> spam control has any chance of widespread adoption or even careful
>> attention. The jungle of existing tactics combined with a drop in user
>> expectations has resulted in a circumstance where the demand for
>> better mail service is not enough to get significant new technical
>> approaches deployed.
>
> Great! I cannot tell it better than that. It obviously implies that
> email is going to die out.

Not at all. I just don't expect that it will ever be like 1993 again. I think we've reached something like a dynamic equilibrium over the past few years, and it will take a really big push to change that. There are many mail systems out there shunning 97%+ of all messages while delivering less than a spam per week per user and stopping less than one legitimate message per year per user. 5 years ago, that sort of accuracy took an anti-spam craftsman tending a garden of homegrown tools (and customizations of open tools) with users screaming bloody murder over every error. Today you can buy it in a box or as a service, and the users are largely resigned to the fact that sometimes mail goes missing and sometimes they get solicited for dubious drugs and money-making schemes. Perversely, users have also become shockingly dependent on Internet email, and expect it to do things that they never would have asked back before mail administrators evolved into a breed of artful destroyers of most mail.

> Newcomers don't perceive it as something new
> and exciting, but rather as an obsolete communication system used
> predominantly by elder people, generally left in a state of regrettable
> neglect.

That perception is IMHO largely shaped by the fact that the newest of newcomers are people who do not actually operate as autonomous adults.
Re: Soundness of silence

SM wrote:

> At 04:28 16-06-2009, Alessandro Vesely wrote:
>> I tend to understand that as different classes of spam. For an
>> example, consider a creditor of mines who solicits payment by sending
>> me reminders.
>
> "different spam problems" does not mean different classes of spam.

It should, at least in terms of the causal states that originate those problems. By its own nature, a spam message is unlikely to be a singleton.

> If you want to consider these reminders as spam, you have the right to
> do so.

Yes, but everybody else has the right to consider me a fool for that. What unacceptably affects reliability is that I could claim I never received them since they ended up in the spam folder.

> It's unlikely that all creditors will resort to sending a
> registered letter or a fax because of that.

They'll eventually have to, if they get no acknowledge.

>> I don't see why such techniques are not amenable to standardization.
>> Actually, there is a couple of DNSBL drafts that are slowly moving
>> forward.
>
> Documents from the ASRG (IRTF) and the IETF fall in different streams.
> Within the IETF, standardization has a different meaning.

The "net effect" is influencing software development and its default configurations. Not to say that compliance suites bear no interest, but the differences among standardization meanings are not enforced.

>> Yes, that's the conclusion I also reached. Spam is a universal plague
>> and we must live with it. It is indecent to egoistically take oneself
>> away from it. Therefore, solutions to get rid of spam are not wanted,
>> not even discussed.
>
> The different solutions are discussed but it's difficult to reach an
> agreement on them.

Perhaps, reaching an understanding is even more important.

>> [It] is also important to reach some form of agreed failure diagnosis.
>> Question 12 in http://asrg.sp.am/about/faq.shtml is just too generic.
>
> Maybe there's a cultural problem. The answer to question 12 provides
> sound advice on what you could do before submitting a proposal.

Hm... sound? Vernon's list is not really helpful, except for trying and discourage potential submitters. Reviewing all relevant RFCs is a good advice, except that RFCs don't mention why they failed to be effective anti-spam solutions.
Re: Soundness of silence

>>> Question 12 in http://asrg.sp.am/about/faq.shtml
>> The answer to question 12 provides sound advice on what you could do
>> before submitting a proposal.
> Hm... sound?

Yes.

> Vernon's list is not really helpful, except for trying and discourage
> potential submitters.

You're reading it too literally. The "sound advice" is not present overtly; it could perhaps be phrased "make sure you're not falling into any of these traps if you want to be taken seriously rather than eliciting just pointing and laughing".

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML mouse@...
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Re: Soundness of silence

> Yes, but everybody else has the right to consider me a fool for that.
> What unacceptably affects reliability is that I could claim I never
> received them since they ended up in the spam folder.

I am sure the law varies around the world, but in the U.S., aside from a few specific areas like turning off utilities, evictions and court orders, the sender is presumed to have complied with their requirements to notify you if other agreements allow for electronic communications and they made a good faith effort to send to your last known email address. Most such agreements put it on you to ensure your current email is on file and that you obviously agree to accept such email from them. The fact that you missed it, didn't read it, your spouse or child deleted it or it was spam filtered will be irrelevant. The same goes for old fashioned postal mail -- it doesn't affect their legal standing for sending you the notice even if you claim the mailman lost it, your mailbox was hit by thieves, your spouse/kids tossed it, etc.

When absolute reliability is required, most will use services (email/web-based or postal or even hand-delivered) that require a signature, ID check or the like. Web tools often have "return-receipts" that work when you read it after logging in for example, and the old "you've been served" works well for various legal issues.

David
Re: Soundness of silence

Ian Eiloart wrote, On 6/16/09 10:21 AM:

> --On 16 June 2009 08:47:51 -0400 der Mouse <mouse@...>
> wrote:
>
>> Not quite. There are walled-garden approaches to email that are
>> basically spam-free, because they have the accountability the open
>> Internet lacks.
>
> Agreed. What efforts are being made to introduce that accountability to
> email?

I believe that successful (on their own terms) demo projects exist in China, Iran, Cuba, and North Korea.

More seriously: the trend over the past 20 years has been to *reduce* structured accountability on the Internet. Anyone who wants to only accept mail that they can be certain is from identifiable and/or trusted senders can do so now, using mature open standards that have multiple interoperable implementations including free software.

AOL, CompuServe, Prodigy, The Source, Delphi, MCIMail, and just about every entity that ever received a classful allocation of address space enforced accountability on their users. More recently, the PGP user community and PGP Inc., Netscape, Microsoft, Thawte, and Verisign have all made their own valiant attempts to spread the use of tools that would support widespread user-level accountability for email.

All major MTA's implement mandatory TLS encryption for transport and submission, mandatory authentication for transport and submission, and mandatory strict X.509 certificate verification, yet most also warn against using any of those except for encryption and authentication for submission and opportunistic encryption for transport without demanding cert verification. Most users of classical (i.e. POP/IMAP/MAPI/SMTP) MUA's use ones that can support message-level digital signatures and encryption, but the use of those capabilities for general Internet email is rare.

Figuring out a way to get the tools for online accountability into essentially universal use without a pre-existing adjunct authoritarian polity and without creating the tools for rapid creation of a new authoritarian polity would be a very interesting and challenging research goal. I think it is outside of IRTF scope.
Re: Soundness of silence

At 10:34 16-06-2009, Alessandro Vesely wrote:

>Yes, but everybody else has the right to consider me a fool for
>that. What unacceptably affects reliability is that I could claim I
>never received them since they ended up in the spam folder.

You should read the terms of service before making such claims.

>They'll eventually have to, if they get no acknowledge.

It's cheaper to discontinue the service for that user.

>Hm... sound? Vernon's list is not really helpful, except for trying
>and discourage potential submitters. Reviewing all relevant RFCs is
>a good advice, except that RFCs don't mention why they failed to be
>effective anti-spam solutions.

The point is that before submitting a new proposal, you should read previous proposals and figure out why they failed to be effective. You can then avoid making the same mistakes.

Regards,
-sm