Harald Tveit Alvestrand <harald@xxxxxxxxxxxxx> wrote:
>
> the reason you don't see a lot of spam on IETF lists is because it's
> sent to the list administrators, and they filter it by hand.

Clearly, this cannot continue (unless we come up with some way to pay people to perform this service).

> The chief beneficiaries of automatic spam detection and deletion in the
> current IETF setup are the list administrators.

I am really in no position to criticize the use of SpamAssassin. I started using it for my personal account just before I left for IETF-58, and have little hope of turning it off. (It flags as spam roughly 4,000 emails per week.)

But I think we should stop short of endorsing it. It is, frankly, wrong to propagate to the list any email which we consider to be likely spam. We should instead come up with a way to verify/authenticate/intuit/whatever that it is an individually-written message considered to be on-topic by some person we have no reason to distrust.

SpamAssassin is a technical marvel -- and I suspect it could be useful as a sorting tool to distinguish messages which deserve to be distributed immediately vs. messages which need further verification. But that further verification should be done _before_ anything is distributed to the list.

If the SpamAssassin filtering were applied _during_ the SMTP session to ietf.org and a descriptive error (with URL) was returned (rather than "250 - OK"), then we would have done everything we reasonably could to notify an honest sender that we needed further verification. (And, of course, any other content-processing tool could be used instead of SpamAssassin -- indeed I'm not sure any useful purpose is served by publishing which particular content-assessment tool we use.)

If we can't process during the SMTP session, then -- as a short-term stopgap -- it is reasonable to flag messages for some automated processing before distributing to the list.

(None of this is to criticize anyone who runs SpamAssassin at their own site to apply more rigorous rules -- I'm probably doing so myself, even if unintentionally.)

What I do wish to call into question is the wisdom of passing the SpamAssassin headers to the list. I believe it creates the potential for confusion as to what is or is not a legitimate message.

--
John Leslie <john@xxxxxxx>
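
The SMTP-time handling proposed in the message above, sketched as an added example that is not part of the original post: the filter verdict is applied at end of DATA, a descriptive 550 with a URL is returned instead of "250 OK", and accepted mail has `X-Spam-*` verdict headers removed before list distribution. The URL, the threshold and the scoring callable are assumptions made for illustration.

```python
from email import message_from_bytes
from email.policy import SMTP

VERIFY_URL = "https://lists.example.org/verify"  # placeholder URL (assumption)
THRESHOLD = 5.0                                  # assumed score cutoff

def smtp_reply(code, enhanced, lines):
    """Format a single- or multi-line SMTP reply with an enhanced status code."""
    out = [f"{code}-{enhanced} {text}" for text in lines[:-1]]
    out.append(f"{code} {enhanced} {lines[-1]}")
    return "\r\n".join(out) + "\r\n"

def strip_filter_headers(msg):
    """Remove content-filter verdict headers so subscribers never see them."""
    for name in [h for h in msg.keys() if h.lower().startswith("x-spam-")]:
        del msg[name]
    return msg

def end_of_data(raw, score_fn):
    """Decide the reply to the final '.' of DATA while the sender is connected.

    score_fn is a hypothetical callable standing in for whatever
    content-assessment tool the site runs.
    Returns (smtp_reply_text, message_to_distribute_or_None).
    """
    msg = message_from_bytes(raw, policy=SMTP)
    if score_fn(msg) >= THRESHOLD:
        # Reject in-session: an honest sender gets the reason and the URL
        # from their own mail server, and nothing is queued for the list.
        return smtp_reply(550, "5.7.1", [
            "Message needs further verification before list distribution.",
            f"See {VERIFY_URL}",
        ]), None
    return smtp_reply(250, "2.0.0", ["OK"]), strip_filter_headers(msg)

# Constructed sample message; the X-Spam-* headers mimic an upstream filter.
SAMPLE = (b"From: sender@example.net\r\nTo: list@example.org\r\n"
          b"Subject: draft comments\r\nX-Spam-Status: No, score=1.2\r\n"
          b"X-Spam-Level: *\r\n\r\nComments on section 3.\r\n")

if __name__ == "__main__":
    for score in (1.2, 9.0):
        reply, kept = end_of_data(SAMPLE, lambda m, s=score: s)
        print(score, repr(reply), kept.keys() if kept else None)
```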