As one who has a longstanding interest in the topic of junk mail filtering,
I have a question or two about the suggestions from Jeffrey Goldberg...
In message <[EMAIL PROTECTED]>,
Jeffrey Goldberg <[EMAIL PROTECTED]> wrote:
>As such, it would be useful if AOL and others
>...
> (2) Set up a vetting procedure for either individual lists or
> hosts or subnets for lists with certain characteristics.
I'm curious how this would work, what would be involved, and how effective
it would be in the end anyway.
I have no good basis for making an estimate of the total number of E-mail
mailing lists currently in existence, worldwide, but if pressed, I would
offer a guess that there must be in excess of a million e-mail mailing
lists.
Assuming that guess is correct (or in the right ballpark anyway), you are
talking about AOL (and others) keeping a database of perhaps as many as a
million different ``vetted'' mailing lists, right?
Even assuming that such a list could be constructed (and maintained, on an
ongoing basis) at a reasonable cost, how would it be used? Are you suggesting
that the data base should contain the envelope sender addresses of all of
the vetted mailing lists, and that each mail message that arrives at
AOL (or elsewhere) should have its envelope sender address looked-up in that
data base? Or were you suggesting that the domain name and/or IP address
of the host sites for the vetted mailing lists should be what's stored in
the data base, and that the sending IP or domain name of each incoming mail
message should be looked up in the data base?
In either case, even if it was feasible to construct and maintain such a
data base, and even if the processing involved in constantly doing lookups
against it were modest, I have to wonder (aloud) how effective it would be
in the long run anyway. If a spammer found out that a given envelope
sender address was on AOL's whitelist, don't you think that he would just
forge that envelope sender address onto his outgoing spams? Alternatively,
if the whitelist data base is a list of sender IP addresses, don't you
think that spammers would just poke around and try to find one of those
whitelisted IP addresses that happens to sport an open/unsecured mail
relay, and then just push all of their spam through that (in order to
circumvent any other filtering that might be in place)?
> The vetting procedure should require a fair amount of information
> from the list manager (or the mailing list system manager...
_This_ is the statement that actually motivated me to write this response...
because I *really* wonder about the feasibility of this part of your
proposed solution.
Let's say that I am an ISP (perhaps even AOL), and that you are a mailing
list owner/administrator. Now let's say that I send you a short questionnaire,
and ask you to fill it out and send it back to me if you want to be able
to send mail to my users. What will be your reaction? What will be the
reaction of the typical mailing list administrator? Will you graciously
comply with my simple request? Will you fill out the form and send it back
to me? Or will you instead send me back a terse message in which you tell
me (a) to take a flying leap, and (b) that I need you (and your list) more
than you need me?
These are NOT rhetorical questions. I honestly don't know how mailing list
administrators would react to any sort of procedure or mechanism which, in
effect, asks them to prove that they are NOT spammers, and which will deny
them the ability to send mail to one's local user base if they fail to comply
with the procedure. I'm sure that some percentage of list admins would be
understanding, and that they would just comply (as long as the request
seemed polite and inoffensive enough), but I suspect that there are many
more who would take offense, and who would never comply, no matter how
trivial or easy complying might be, and that there would be an even larger
number who wouldn't take offense, but would just ignore the request because
they feel that they are too busy to be answering silly questions from ISPs.
> The vetting procedure ...
> ... may also include requiring a real address of an individual or
> individuals responsible for the mailing list system...
Couldn't the envelope sender address on the mailing list messages themselves
serve this purpose?
In general, shouldn't mail sent to _that_ address end up being read by the
list owner?
When, if ever, should this not be the case?
P.S. I don't know how many of you realize it, but the need to cater to
(and to allow for) legitimate opt-in mailing lists is *the* central
issue/problem as regards spam fighting/filtering.
If it weren't for the need to allow for legitimate opt-in mailing lists,
we, collectively, (meaning the net as a whole) could have solved the e-mail
spam problem a long time ago. It's downright trivial to distinguish
between personal one-on-one mail and ``bulk'' mail, but as the problems some
of you have had sending your legitimate opt-in mailing list traffic to
AOL have emphasized, not all ``bulk'' mail is bad. And separating the
``good'' bulk from the ``bad'' bulk is in fact the only really difficult
technical problem for anyone trying to do spam filtering.
As one possible solution to this problem, the idea of building and
maintaining a registry of ``legitimate opt-in'' mailing lists does in fact
have some merit, but as noted above, it also has some problems.
I think that the scaling problems could in fact be solved, but that would
take some serious work. As regards the building and maintaining of the
registry, I myself would be happy to build and maintain exactly such a
registry, and to make it available (as a service) to all Internet sites,
but the main reason why neither I nor anyone else has ever tried to create
such a registry is because of the likelihood that list owners simply would
not cooperate in sufficient numbers to make the whole thing work.
(If anyone wants to take issue with that last assertion, please feel free.
I'd like nothing better than to be convinced that list owners would, in fact,
cooperate with such an effort.)