> From: Billy Biggs <vektor@dumbterm.net>
> ...
> I see no demand from spammers to standardize on a method of marking
> 'unsolicited commercial email' (vs 'requested/business related
> commercial email' or 'personal correspondence'?), but maybe such a
> header or flag would aid governments to pass laws. ...

Spam already carries a mark that spammers have so far failed to remove.
Spam is bulky. If you have a mechanism that identifies bulk mail as
it arrives, then you need only add another mechanism that decides whether
it is solicited to reject most spam. Sample implementations of that
idea include Vipul's Razor (see http://cloudmark.com), Brightmail's
product, and the DCC. I think the DCC is the best idea, but I may be
biased. The DCC is currently hitting more than 80% of spam.
See http://www.rhyolite.com/anti-spam/dcc/
or http://www.dcc-servers.net/dcc/

] From: Henning Schulzrinne <hgs@cs.columbia.edu>
] And it is likely that standard tools, including return routability and
] white lists, will work less and less. I've now received spam that had a
] valid From address from within my own organization - if you have enough
] email addresses, that's easily accomplished.

I've been watching spam for some time. As far as I can tell, forged
headers and envelope values including From values are less common as
a percentage of the total than they were during Spamford's day. I
speculate that is because header forgery is now a crime or a civil
tort in many jurisdictions.

} From: Ted Gavin <tedgavin@NEWSGUY.COM>
} ...
} Until network operators and Mail Content Providers come to agreement on
} how to properly format commercial e-mail that isn't spam, there's no way
} to differentiate Responsible Commercial E-mail from spam.
} ...

Spam is not necessarily commercial mail and so whether it is "responsible"
is irrelevant, no matter what that might be. Spam is best defined as
unsolicited bulk mail. Its content is irrelevant. All that matters
is whether it is unsolicited and bulk.
Bulk is the critical "scaling" aspect, because if only 1% of the
20,000,000 businesses in only the U.S. decided to send you monthly
reminders of their existence, your mailbox really would be useless.

> Until
> marketers understand and accept that spam is not a question of content,
> rather a question of consent, we'll still have people blasting e-mails
> out, but hiding behind the statement "we're not spammers. The people who
> send pr0n and herbal viagra e-mails are spammers."

It is sad that is also nonsense, because people who are able to make
telephone or in-person "cold calls" are incapable of understanding
that their message might not be welcome. You will never make those
marketers understand; you can only block them and make them fear
your laws. Laws can help, but are not perfect, as the years-long
fights against junk faxes from American BlastFax, 21Century, and
Fax.com have shown. (see http://www.junkfaxes.org/ )

{ From: Caitlin Bestler <caitlinb@rp.asomi.net>
{ My initial minimalist approach is to propose a standard
{ whereby the source of an email can be authenticated,
{ allowing receivers and relayers the option of rejecting or
{ simply segregating email without authenticated sources.

That is a popular but obviously nonsensical idea. If you want
authenticated mail, you already have it in SMIME, PGP, SMTP-AUTH, and
SMTP-TLS, just to name three. The reason you probably don't use those
today is that they cut you off from old friends or relatives with new
addresses. In other words, the key distribution problem is fatal.

The fact that the sender of a message is authenticated implies nothing
about the contents of the message, whether you want it, or how many
other people received substantially identical copies. You can't know
whether a stranger wants to send you spam or really is your long lost
rich uncle telling you about a change in his will.

Authenticated spam is still spam.

| From: Karl Auerbach <karl@cavebear.com>
| ...
| I'm slowly working on an idea (not yet clearly formed) to constipate the
| TCP stacks of those sending spam.

That's an old but wrong-headed idea. Look on the net for "teergrube"
for implementations. It is wrong-headed because it assumes obviously
false things about spamware as well as ordinary email. As anyone who
has run a mailing list knows, you cannot delay spam more than it is
already delayed by zillions of sick SMTP servers. Spamware just blasts
and forgets. If the target is too slow, then maybe it will be hit on
the next spew.


Vernon Schryver    vjs@rhyolite.com
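
The two-stage idea in the message above (identify bulk mail as it arrives, then decide whether it is solicited), as an added example that is not part of the original message and is not the algorithm used by the DCC, Razor or Brightmail. The normalization rules, the threshold, the `BulkFilter` class and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import Counter

def body_checksum(body):
    """Checksum of a normalized body so lightly varied copies collide."""
    text = body.lower()
    text = re.sub(r"https?://\S+", " url ", text)  # per-recipient links
    text = re.sub(r"\d+", " n ", text)             # serial numbers, counters
    text = re.sub(r"[^a-z]+", " ", text).strip()   # punctuation, whitespace
    return hashlib.sha256(text.encode()).hexdigest()

class BulkFilter:
    """Stage 1 counts substantially identical bodies; stage 2 consults a
    whitelist of bulk sources the recipient asked for (hypothetical)."""
    def __init__(self, solicited_senders, threshold=3):
        self.counts = Counter()
        self.solicited = {s.lower() for s in solicited_senders}
        self.threshold = threshold  # constructed value, far too low for real use

    def check(self, sender, body):
        digest = body_checksum(body)
        self.counts[digest] += 1
        count = self.counts[digest]
        if count < self.threshold:
            return "accept", count                 # not (yet) seen as bulk
        if sender.lower() in self.solicited:
            return "accept-solicited-bulk", count  # bulk, but asked for
        return "reject", count                     # unsolicited bulk

# Constructed sample traffic: three variants of one bulk message from
# different senders, one mailing-list digest delivered three times, and
# one personal message.
DIGEST = "Weekly digest: kernel patches and release notes"
SAMPLE = [
    ("a1@bulk.example", "Buy CHEAP pills now! Order 1831 http://x.example/?id=1"),
    ("b2@bulk.example", "buy cheap pills now!! order 99172 http://x.example/?id=2"),
    ("list@news.example", DIGEST),
    ("list@news.example", DIGEST),
    ("c3@bulk.example", "Buy cheap pills NOW - order 7 http://y.example/u/3"),
    ("list@news.example", DIGEST),
    ("friend@home.example", "Lunch on Friday?"),
]

def run(messages, solicited):
    f = BulkFilter(solicited)
    return [f.check(sender, body)[0] for sender, body in messages]

if __name__ == "__main__":
    for (sender, _), verdict in zip(SAMPLE, run(SAMPLE, {"list@news.example"})):
        print(f"{sender:22} {verdict}")
```

A counter kept on a single server only sees bulk after the threshold number of copies has already been accepted locally; the verdict depends on the count and the whitelist, never on what the message says.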