--On Monday, April 30, 2001 10:18 AM -0400 James M Galvin <[EMAIL PROTECTED]>
wrote:
> I've often wondered if it was practical to create a list of "Certified
> Non-Spammers." If you think about it that's what AOL is doing, but in
> their case it's for private use.

You could make such a CNS list, but aside from the Sisyphean task of
keeping it current, the next question is how you use it.

If you use it to allow messages that appear to be FROM somebody on the CNS
list, then it will be exploited by spammers. Keep in mind that the actual
return address is becoming all but irrelevant to spammers, because they
don't want return mail - they want you to click on a URL in the message
body. So they would be happy to mail out spam for preteen goat ravishers
etc, that looks like it's FROM [EMAIL PROTECTED] if that's what
it takes to get waved through the gate.

For what it's worth I think those ad hoc rules of AOL's are baby/bathwater
BS as well.

What we really need (or perhaps already have and I just don't know where to
find it) is an authenticating mechanism between mail gateways - something
that gets you safely across "untrusted hops" and into someone's trusted
domain.

For example, just baby simple, suppose you are BigISPCo and I, the
proprietor of BeeKeeping-L, register with you (I don't think we can skip
that part) as a mailing list. (How do you know I'm not a spammer? By
manual inspection and a hard limit on recipients that I estimate up front,
like 1500 total.) You assign me a password or key of some kind. I use
that key as follows:

    From: beekeeping-admin
    To: [EMAIL PROTECTED]
    X-Auth-Key: 2103482035

    request-new-id

Now your daemon recognizes my key and sends me a new id that's good for one
mailing:

    From: [EMAIL PROTECTED]
    To: beekeeping-admin

    next-id 534953234

Now the above request is RARE, done at the beginning of the world when I
first register, or when I need to "reset" because software was reinstalled
or I suspect some other problem. NORMALLY what happens is that I always
have a most recent 'id' (like 534953234 above) that I keep in a file
somewhere, and I SUPPLY it in ONE list mailing:

    From: beekeeping-admin
    To: Bee Keepers <[EMAIL PROTECTED]>
    Subject: Bee Keepers Digest V4 #178
    X-List-Id: 534953234

    Today's topics:
    ...

and when I do, I expect a NEW id to be sent from the list gate:

    From: [EMAIL PROTECTED]
    To: beekeeping-admin

    old-id 534953234
    next-id 927491323

whereupon I start sending that ID instead. The listgate could update my ID
after every mailing, or it could do it once a day, once a week, after a
spam alert, or whatever.

Obviously this would take some processing on both ends. Biggest problem on
my end is that I don't want to send that ID out to non-BigISPCo
listmembers. In fact if you generalize and assume this idea somehow became
popular, you would tend to have N different "current id's" outstanding for
N different ISPs that you have members in, and any one of them could be
updated, and you don't want to mix them. So segregating by addressee
domain would have to be done before the ID was added to the headers.

There are other wrinkles to be ironed out, that's for sure, but IF you had
something like this, then as an ISP you could legitimately treat anyone
who's NOT registered, but who attempts more than N deliveries a day, as a
spammer, without worrying about killing legit lists.
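
The rotating-id exchange described in the message above, as an added sketch that is not part of the original post or any existing mail software. The class names `ListGate` and `ListSender` are hypothetical, the ids are random hex tokens rather than the numeric ids shown in the message, and the ISP domain used with it is a constructed placeholder.

```python
import hmac
import secrets

class ListGate:
    """ISP-side daemon (hypothetical): one outstanding id per registered list."""
    def __init__(self):
        self.keys = {}      # list name -> long-term key assigned at registration
        self.current = {}   # list name -> the single id valid for the next mailing

    def register(self, name):
        self.keys[name] = secrets.token_hex(16)
        return self.keys[name]

    def request_new_id(self, name, key):
        # Rare path: first registration or a reset, authenticated by the key.
        if not hmac.compare_digest(self.keys.get(name, ""), key or ""):
            return None
        self.current[name] = secrets.token_hex(8)
        return self.current[name]

    def accept_mailing(self, name, list_id):
        # Normal path: the presented X-List-Id must match the outstanding id.
        # It is then retired and replaced, so a copied or replayed id is refused.
        expected = self.current.get(name)
        if expected is None or not hmac.compare_digest(expected, list_id or ""):
            return None
        self.current[name] = secrets.token_hex(8)
        return self.current[name]   # value for the "next-id" reply

class ListSender:
    """List-side state: one current id per ISP domain, never mixed."""
    def __init__(self):
        self.ids = {}       # ISP domain -> current id issued by that ISP

    def stamp(self, recipients):
        # Segregate by addressee domain before adding the header, so an id
        # is only ever sent to the ISP that issued it.
        batches = {}
        for rcpt in recipients:
            domain = rcpt.rsplit("@", 1)[1].lower()
            batches.setdefault(domain, {"rcpts": [], "headers": {}})["rcpts"].append(rcpt)
        for domain, batch in batches.items():
            if domain in self.ids:
                batch["headers"]["X-List-Id"] = self.ids[domain]
        return batches
```

After each accepted mailing the sender stores the returned value as the new entry in `ids` for that ISP's domain, which is the "old-id / next-id" step in the message.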