Paul Hoffman wrote: > So far on this thread, we have heard from none of the "large-scale > mail carriers", although we have heard that the spam problem is > costing them millions of dollars a year. That should be a clue to the > IETF list. If there is a problem that is affecting a company to the > tune of millions of dollars a year, and that company thinks that the > problem could be solved, they would spend that much money to solve > it. Please note that they aren't. And that would be because they can't do it in isolation. They need a system wide standard everyone is building to, to make your argument below about cost of untrusted mail moot. > > I have spoken to some of these heavily-affected companies (instead of > just hypothesizing about them). Their answers were all the same: they > don't believe the problem is solvable for the amount of money that > they are losing. They would love to solve the spam problem: not only > would doing so save them money, it would get them new income. Some > estimate this potential income to be hundreds of millions of dollars > a year, much more than they are losing on spam. But they believe that > the overhead of the needed trust system, and the cost of losing mail > that didn't go through the trust system, is simply too high. We agree the trust infrastructure has to provide as much or more value than it costs. The reason they are concerned about the cost of loosing untrusted mail stems from the deployment in isolation scenario. Provide a standard that has appropriate value for cost, define it to run in parallel so nothing is lost, and deployment will happen. Taken another way, how would the IETF react if the large carriers decided to go off and solve this problem amongst themselves with an undocumented protocol? I predict there would be an outcry that the big players were ignoring standards and bullying the market place. If the IETF continues to consider it a research project, their hand will be forced to take some action and the result might not be in the IETF's favor. That was somewhat the point of the thread subject, in that they are already feeling the pressure and taking action which reduces the utility of ranges of IP addresses. > > You might disagree with them, and based on that disagreement you > might write a protocol. But don't do so saying "the big carriers will > want this" without much more concrete evidence as to their desires. The real cost is not in the big carrier equipment or engineering, it is in the millions of person hours per day lost to configuring filters, waiting for the delivery of what gets past the filters, and hitting delete ~100 times. Yes there is cost in the middle, but it is minor in comparison, and will likely be comparable or slightly higher to run the proposed trusted mail system. The question is, will the value of that approach outweigh the cost? Obviously I suspect it will. YMMV ... Tony