At 08:51 AM 4/22/2002 -0700, Bart Schaefer wrote:
>On Mon, 22 Apr 2002, Eric S. Johansson wrote:
>
> > in any case, if one is going to be successful in fighting spam, one needs
> > to look at solutions other than filtering, blacklisting network connections
> > and ports, and legislation especially if one wants to preserve end to end
> > connectivity and the ability for any node on Internet to participate
> > fully.  My experimentation with camram is an attempt to provide another
> > part of the solution.
>
>The trouble is that any solution that places a burden on the sender is
>lousy social engineering.

Unfortunately, you just defined life.  Everything we do that involves 
learning or adapting ourselves puts a burden on the human.  Learning to use 
e-mail in the first place places a burden on the sender.  Telling a story, 
writing a letter, buying a stamp, sending a telegram, dialing a telephone 
all put burdens on the sender.  Therefore, you just described most human 
communications as lousy social engineering.  You may not see it as such but 
all human communication is a learned process.  None of it is innate.  Of 
all of them, dealing with Internet and software vagaries are probably the 
least innate.  You've just accumulated enough scar tissue from using bad UI 
software so that you cannot recognize the pain anymore.

>As a user of email for personal correspondence, I exchange a lot of email
>with people who have zero technical ability.  They'd be upset, and in some
>cases offended, that I think I can require them to install extra software
>just to communicate with me.  As a business owner, I *want* to get email
>from potential customers I've never heard from before.  Anything that
>makes it harder for them to send me email is detrimental to my business.
>Unless/until the sender's end of the system is universally deployed, I
>can't afford to use it as a filter.

These are valid points.  However, weren't these people with zero technical 
ability offended and upset that you required them to use e-mail software to 
communicate with you when paper and pencil was more familiar and already 
has a very fast and effective delivery mechanism?  As a business owner, 
don't you have a mailbox or a telephone so that people you've never heard 
from can communicate with you?  After all, why should you expect them to 
do anything new when they have something that already works?

Granted, these counter-examples are probably irritating but I am trying to 
show how your points are objections without foundation if you look at the 
larger world.  They also show me that you haven't understood the system 
or I haven't explained properly.

There's nothing in the camram system to stop a legitimate e-mail user from 
getting e-mail to you even without sending a coin.  There are a variety of 
mechanisms in place to drop the burden after the initial 
communications.  I'm also surprised to hear you say you can't 
afford anything that makes it harder for people to send e-mail.  With the 
level of false positives one gets with any filtering system (not just to pick 
on spamassassin), I'm surprised you would use any form of spam 
protection.  In any case, it may be that you really can't afford to use 
camram as a filter but I'll ask you to withhold judgment until I've got the 
first prototype done and then I would appreciate your feedback on its 
operation.

>Unfortunately, as a sender, I have more disincentives to deploying the
>system than incentives.  It's one more bit of software to install and keep
>updated, it makes my computer work harder and my email go out slower, it
>doesn't reduce the amount of spam I get, and it doesn't significantly
>increase the number of people to whom I can successfully send mail.  Why
>should I bother?

Good points.  First, obviously, I believe it will reduce the amount of 
spam you get, which is the first why you should bother.  The second why you 
should bother is that camram also provides 0 UI opportunistic encryption 
for e-mail which enhances in-transit privacy.  The system has some flaws 
but that's OK.  It would be a small step towards improving e-mail privacy.

Obviously, I will know more as I eat my own dog food and live with the 
filters in place.  When it gets good enough, I'll even turn 
off spamassassin and see how it holds up to the onslaught.  Yes it does 
make your computer work harder, and yes it will make your e-mail go out 
slower but remember that the slowdown only happens in the early phases of 
communicating with someone.  Also, the perception of the slowdown can be 
managed.  The slowdown is comparable to DNS lookup times and the response 
times of many mail servers *from the user's perspective*.  If we push the 
process into background, then the user doesn't need to sit and wait but can 
continue on with other tasks.

The goal is to eventually get vendors to include this technology into the 
e-mail clients.  The only way it will happen is through demonstration of 
effectiveness and demand driven by ISPs and other customers.  I already 
have one medium sized ISP interested and others are sniffing around.


>Historical precedent is that no extension to the email infrastructure can
>really succeed until it's included by the major user-agent manufacturers
>as a default part of the popular clients.  End users simply won't go to
>the effort to install add-ons.  Network Associates is dropping PGP because
>they've found that out the hard way.  What is the incentive for Microsoft
>or AOL to incorporate something like this into their clients?

True.  End users don't go to the effort to install add-ons such as flash, 
RealAudio, Acrobat, etc.  PGP died because its user interface 
sucked.  Heck, I have PGP sitting in my taskbar and I don't use it as I 
have to keep typing the #$&*$)(*&  pass phrase every time.  Then there's 
the royal pain in the ass of importing keys and signing keys and all those 
things that are really easy to screw up because user interfaces are so bad.  If 
you had a way of just sending e-mail to someone without doing anything to 
turn on encryption, it would have succeeded far better.  Unfortunately the 
"crypto security at the cost of everything else" folks would have totally 
panned such an interface even though it would have been a good incremental 
improvement.

>Consider the free email services (hotmail, yahoo, etc.), or even AOL's
>web-based mail interface.  How many users do they have to support?  How
>many non-spam messages a day do their servers generate?  I'll bet the
>total dwarfs the biggest spammers by many orders of magnitude -- and think
>about the number of messages they must *receive*, even discounting spam.
>How much computing power will *they* have to deploy to make this kind of
>system work?  What makes you think it would ever happen?

Let me say it again.  The coin generation happens client side.  All of 
the encryption public key activity happens client side.  This means they 
would not have to deploy any computing power.  They would need to run a 
Java program client side to do the calculations and pass the information 
back to the server.  Yes, it's work.  Doing anything to defeat spam is 
work.  Get over it.

>The fact is that the only people who do have an incentive to support the
>sending end of such a system are those who will profit from having their
>email get through no matter what.  Guess who that is.

Spammers are inherently lazy.  I've done enough of the math to show that 
it will slow them down significantly, which means this reduces their 
revenue.  Reduction in revenue means it's less profitable which will drive 
out some spammers.  Yes, the financial aspects won't take effect until you 
get a significant number of people with the camram style filters.  In the 
meantime, small-scale users of the camram system should see a significant 
drop in spam with minimal false positives.

I suggest if you want to debate this further, that we take it off list 
because it is significantly off the topic for spamassassin and I feel that I 
have already imposed enough on the other members of the list.

---eric

