On Tue, 16 Mar 2004, Ed Gerck wrote: > Dean Anderson wrote: > > > > On Tue, 16 Mar 2004, Ed Gerck wrote: > > > What information theory says is that the probability of detecting > > > spam is less than 100%. > > > > No, information theory doesn't say that at all. > > Sure it says, and that's why a spam filter will never be 100% > effective. I guess we agreed on this before ;-) I think you must have missed my message noting our disagreement. http://www.ietf.org/mail-archive/ietf/Current/msg24213.html > Now, you may want to refer to that mythical element, the 'spam-free' > protocol, a protocol that an information theory model says cannot > be built. I guess we also agreed before that a 'spam-free' protocol > is impossible. The IETF should not attempt to develop it. > > Thus, in asking for IETF technical solutions for spam, it is > obvious that I do not mean spam filters or 'spam-free' protocols. > We would all be very happy with a protocol that is almost > spam-free -- in fact, I believe we would be quite happy with 90% > at this time. Me thinks we don't need 100% ;-) > > An IETF technical solution to reduce spam is doable. Your comment > on 'spam-free' is useful-free ;-) The IETF cannot reduce spam either. Protocol changes are simply gratiutious. One might say that there is very little spam on X.400 mail systems. But it is simply because spammers aren't interested, not because X.400 has some special immunity. Spammers will simply adapt to any gratuitous change. At best, only a temporary reduction would be obtained, until the spammers adapt. After they adapt, there is no reduction. However, I think there are things that show some promise that might be harder to adapt to, such as automated text summarization, bayesian filters, mail agents that filter on the user's interest in the message subject, and such. I think these are worth pursuing, but these are not subjects for the IETF. Further, there are still inverse methods for spammers, so even these will simply be temporary. But I think the benefit of intelligent agents and summarization and interest filtering could be very beneficial in filtering even non-spam mail. Ages ago, managers had secretaries filter there postal mail and phone calls. I'd love to have a 'secretary' filter my email, so that I could subscribe to noisy lists and see only the messages that I was interested in. But this is technology that isn't a protocol, nor does it seem to be in need of a protocol, so there is little or no reason for the IETF to be involved. > > No, it is quite useful: The IETF can do nothing to prevent spam. > > ;-) this mantra is becoming a spam. Or perhaps it is the mantra that the IETF can do something to reduce spam. > > > What interests the IETF are technical spam solutions, for example, > > > that would prevent email that comes from unidentifiable or rogue > > > senders/MTAs to be ever received. > > > > The only thing that can acheive this is to turn off the computer. > > No, it's a matter of degree. Even if not all spam is preventable, > preventing email address spoofing (even to a degree) would have > a range of benefits. For example, I would no longer receive > those "undelivered" messages for email that I purportedly sent, > but actually never did. And people receiving email from me could > actually trust to some extent the outcome of their filters. And, > to be clear, I'm not talking about PKI. Actually, I want to receive those bounced messages. Otherwise I don't know if someone is out there trying to abuse me. Often, the perpetrator can be identfied from these bounce messages, since they usually include the original message and its mail headers, which give an IP address and a time of use. But it is easy to delete messages from "Mailer Daemon" if you don't want them. The problem here is to distinguish the real you from the not-real you. Or rather, to distinguish the unauthorized not-real you from both the authorized not-real-you and the real-you. Real users use relays. Real users also use agents, like cron jobs to send email. How do you know the cron job is not a spammer? It might be abuse. It might not be abuse. We don't know until we check on it. There is no way to avoid this check. RMX can't work, because real users need to be able to use a wide range of relays, which depends on their physical location as well as their arrangements for outsourcing, as well as the service offerings of multiple providers. For example, Av8 Internet provides relay services for users of earthlink, because those users have leased line services from Av8, but email services from Earthlink, and earthlink doesn't do relay service outside its IP address space. How is the relay to know if the message is really from you or not really from you? Password (or per-user account) style authentication (such as SMTP AUTH) hasn't had any effect on spam, and it doesn't scale well, and isn't widely supported. Passwords can be stolen by viruses, or by disgruntled users if they are well-known. If you exclude PKI, then spoofing is easy. If you add PKI, then how do we know that the private key has not been stolen by a virus? Much or most of the junk/spam is now sent from viruses. They can certainly start using the infected users identity if necessary. We should be glad that they aren't. Forcing them to use the users identity would be another way to shoot ourselves in the foot. But none of this would reduce spam, because spammers would simply adapt. > > The IETF can specify protocols with certain features, say PKI, but doing > > so will not prevent spam, since the IETF (nor anyone else) cannot specify > > a 'spam-free' protocol. This is a result of information theory. > > Because it can't be perfect, it can't be done? No one needs perfection. > All we need is to have a degree of spam-freeness that is acceptable. No. But what we are left with is a whack-a-mole solution that is no better than what we have now. All we can do is automate that whack-a-mole procedures. And of course, spammers can automate the avoidance procedures. These are constraints that are imposed by information theory, and the fact that spammers want to abuse the mail system. > Sterilized milk is not bacteria-free, it just has a reduced count > of bacteria -- which count is low enough to guarantee its stated > shelf life. Bacteria are not as smart as people trying to abuse the system. Assuming that spammers will be no smarter than bacteria is just another false assumption. Though, perhaps we are getting to the core assumptions that people making these proposals are relying on. --Dean