<<< Date Index >>>     <<< Thread Index >>>

Re: [IP] more on more on anti-Goodmail coalition resorts to misquotes



this is simply not true. Goodmail is completely dependent on an opt-in model, and has its own auditing system to ensure that its sender-customers behave.

On what are you basing your assertions?

Esther Dyson

At 04:31 PM 3/22/2006, David Farber wrote:


Begin forwarded message:

From: Dana Blankenhorn <dana@xxxxxxxxxx>
Date: March 22, 2006 3:48:56 PM EST
To: dave@xxxxxxxxxx
Subject: Re: [IP] anti-Goodmail coalition resorts to misquotes

The big reason for massive mistrust in the e-mail area is that the
U.S. uses a different definition of spam than the rest of the world.

We have legalized "spam that is not spam," unsolicited bulk e-mail
with a legitimate purpose from a legitimate vendor. That's the basis
of the CAN-SPAM Act, that's the basis of this AOL Goodmail system.

Given the failure of the U.S. to meet the global opt-in model, you're
not going to get the level of trust needed to make this or any other
system work.

The rule should be simple -- proven, audited opt-in lists or it's spam.

There are companies that audit lists for permission. Like Whitehat.
They've been around a long time. Yet they have been ignored, because
U.S. companies think they have a "right" to spam.

Goodmail is going to result in paid spam getting through and free opt- in mail being blocked. That is the plain, simple fact of the matter.

Dana Blankenhorn   dana@xxxxxxx
Editor: voic.us   http://www.voic.us


----- Original Message ----- From: "David Farber" <dave@xxxxxxxxxx>
To: <ip@xxxxxxxxxxxxxx>
Sent: Wednesday, March 22, 2006 2:13 PM
Subject: [IP] anti-Goodmail coalition resorts to misquotes




Begin forwarded message:

From: Dave Crocker <dcrocker@xxxxxxxx>
Date: March 22, 2006 10:31:20 AM EST
To: dave@xxxxxxxxxx
Cc: ip@xxxxxxxxxxxxxx
Subject: Re: [IP] anti-Goodmail coalition resorts to misquotes

>    The opposition to Goodmail's
> scheme is not based on the idea that change is wrong, but rather
that
> this particular idea is flawed.

Dave, et al,

Unfortunately, the opposition to the announced scheme is not
sufficiently careful or constructive to permit such a benign
assessment.

By way of example please consider Cindy Cohn's remarkably facile:
There are plenty of ways to do "certified" or "digitally signed"
email
without having ISPs choose winners and charge per message.

Apparently Cindy has not noticed that spam and phishing have been
with us for quite a long time.  To date, nothing has reduced its
occurrence.  If the problem were so easy to fix, does she really
think that we wouold already have fixed it?

Indeed there are likely to be many different techniques that are
useful. Schemes are easy to describe but they are extremely
difficult  to make practical and even more difficult to get
adopted.  If it is  so easy, Cindy, why haven't you promoted one
and gotten it used? It turns out that the world is full of anti- spam proposals that are not practical. This has even prompted a
whimsical-but-useful form to  use, to explain why a proposal won't
work.  Take a look at <http:// craphound.com/spamsolutions.txt>.

The announced scheme applies to a specific sub-set of email:
Legitimate bulk email with a high requirement for assured
delivery.  The opposition effort has arbitrarily chosen to
exaggerate this into  dire predictions for which there is no basis.

What was announced certainly describes an important change in email
service, and email certainly is an important human communication
tool. So it is of course reasonable to question the scheme and
look  for flaws and dangers.  However there is a difference between
asking  serious questions, versus resorting to rabid hyperbole and
misrepresentation.

Turning concerns into hysteria guarantees that serious public
discussion about this important topic is impossible.

More than a few people believe that spam and phishing are bad
things. These nasty uses of email occur in sufficient scale and
with  sufficient impact to affect the viability of email (and are
expected  to have similar effect on other services, like instant
messaging.)   The Bad Actors who send the nasty messages have
proven to be  astonishingly creative and well-organized.  All the
indications are  that these problems are here to stay.  Indeed, if
we look at the  behavior of these Bad Actors and then look for
similarities in the  bricks-and-mortar world, we find that their
behavior exactly mimics  that of criminals.  As the Internet grew
to encompass global scale  and diversity, we should not have been
surprised that the Dark Side  appeared in cyberspace, along with
everyone else.  We also therefore  should not expect to fully
eradicate it from cyberspace, any time  soon. The most we can hope
for is to reduce it to tolerable levels.

How can we do that?

So far, the primary technique has been with filtering at the
receiver's service. (Some larger operators also apply filters on
their outbound mail.) There are two problems with filtering:  One
is  that effective filters require constant vigilance and
adaptation  against new techniques; this is, effectively, an arms
race with the  usual implication of infinitely escalating
consumption of resources.   The second problem is that filters are
heuristics and therefore they  make errors; the worst errors are
false positives that lose  legitimate mail. A problem with
filtering at the receive-side of the  equation is that failing to
stop mail from Bad Actors at its source  burdens the entire
Internet with the considerable overhead of  carrying and detecting
the bad stuff.

What we need are methods of exerting basic traffic quality control
*at the source*. As Rich Kulawiec noted, some operators do do
filtering at the source and some operators are quite effective at
squelching questionable email. More should do so.  However the
task  is currently rather more difficult than Rich implies and it
often is  impossible.  For example, spammers use an army of
compromised  machines and can distribute their traffic to an extent
that permits  them to operate just under the thresholds imposed by
operators, and  they can otherwise tailor their traffic pattern to
stay under  operators' radar.

So it is not enough to look only for Bad Actors.  We need to have
a  means of identifying and differentially handling Good Actors. We
need  to add a Trust Overlay to email, to focus on affirmative
knowledge  about Good Actors.

This will identify authors and distributors of legitimate mail,
through a chain of accountability back to the source. It needs to
be  based on a mechanism that is safe and reliable (e.g., using
digital  signatures) and it needs to support using a variety of
assessment  (reputation) mechanisms.

These Good Actors can announce their accountability for specific
pieces of mail, and the rest of the chain of email operators can
make  handling decisions based on that Actor's reputation. As
solid  accountability becomes possible, it becomes easier to
identify where  problem mail entered the handling chain and to
squelch it at its source.

Note, however, that I said *a variety* of sources of assessment
will  be available. We see that variety in the bricks-and-mortar
world, and  there is no reason to assume that the Internet should
or will be  different. Email is used in many ways.  A scheme that
helps for one  kind of use may well not be appropriate for others.

There already are efforts underway in the standards arena and the
commercial sector, to pursue the development of a trust overlay.
The announced scheme adds to these efforts; it will not replace
them. The announced scheme pertains to third-party assessment of
senders of legitimate bulk mail for which delivery is critical.

Messing with any social system warrants caution.  Email certainly
qualifies as a social system. So concern about the implications of
making changes to email is essential. There are certain to be
appropriate limits for any single scheme that is developed as part
of  this trust overlay. I am confident that one example is that
personal mail will require something different than assured- delivery bulk mail. I am equally confident there are others.

It really would help quite a lot, to have those who are seriously
concerned about the implications of change to put some effort into
serious analysis and dialogue, rather than instantly jumping to
polarizing hyperbole.

Email is too important and too complex to be trivialized.


d/

p.s. I discuss much of this in more detail in a recent article in
The Internet Protocol Journal, at <http://www.cisco.com/web/about/ ac123/ ac147/archived_issues/ipj_8-4/anti-spam_efforts.html>. The
issue also  has a related article by John Klensin.

p.p.s. In the interest of full disclosure I should note that I am
on  the technical advisory board for Habeas, which is also in the
reputation business. However, I do not speak for them.
--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>


-------------------------------------
You are subscribed as dana@xxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting- people/



-------------------------------------
You are subscribed as edyson@xxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/



Esther Dyson              Always make new mistakes!
Editor, Release 1.0

CNET Networks
20th floor - last elevator
104 Fifth Avenue (at 16th Street)
New York, NY 10011    USA

+1 (212) 924-8800


Flight School, Aspen, June 15-16  at http://www.release1-0.com/events
current status (with pictures!) at http://www.flickr.com/photos/edyson/
book: Release 2.0 (Broadway Books)




-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/