Yakov Shafranovich wrote:
This discussion got me thinking about the need to state clearly that the
IETF's goal is not to solve the spam problem.
Inadequate design cannot be corrected?
The *possibility* of spam is due to an Internet design based on an honor system for the end points. The model being that the connection was less trusted than the end points. Access to the end points was granted under an honor system and usage rules were enforceable.
Reality showed that the model was upside down for commercial operation. The end points cannot be controlled and are in fact less trusted than the connection. Anyone can connect to the network. There is no honor system. Usage rules are not enforceable -- users can hide and change their end points.
The original design relied on the human assumption that someone would enforce the rules. In a commercial world, for some reason or another, the network operators either cannot or do not want to enforce the rules. If the network operators are able to enforce usage rules, that can make a difference without resorting to any changes in the underlying architechture.
What I read above is denial that the spam problem was made possible by a design developed under the auspices of the IETF.
The design is not what caused the problem, its one of the factors that is contributing to the problem. All I am saying is that the IETF's role is limited to the standards-related solutions.
This is good but can I motion that we now move to the second stage of problem solving?
Go ahead - I am looking for any kind of solutions that the IETF can take on in order to reduce the problem. Many solutions have been revolving around trust - but in the world where a computer can be easily hijacked, trust becomes harder to maintain.
One example of what the ASRG has been looking at is a distributed web of reputation. Each MTAs or domain can publish a list of MTAs that it knows, including basic statistics on how long the MTA has been sending mail, average volume, etc. In addition to that basic information, you can also publish additional information such as "I think this is a spammer because SpamAssasin detects 99% of all email from that MTA as spam", etc. The basic statistical information can be used to detect zombies and the extended information can be used to allow like-thinking domains to make joint decisions. The question of how much difference this would make is up for debate, and there are questions of how a new MTA can be introduced into the system, "rule of the mob", etc.
Yakov