Thursday, January 18, 2007

Criteria for judging proposed "solutions" to the problem of spam


You will find a document which outlines an idea I've had for a while.

The thrust of the document is that while we don't know what the silver
bullet solution for spam is we do know some of the characteristics
which we expect it to exhibit.

We also know that very many ideas are presented on the list which
fail to meet one or more of those criteria, this draft is intended to
provide a reference which describes those criteria, and could be used
as a partial statement of requirements for a technique to solve the
problem of spam.

Obviously this is just my own 2c at the moment, so let me know, preferably on the asrg list) what
your opinions are and I'll modify, abandon or replace this as

FYI the abstract reads:

"The Internet Research Task Force Anti-Spam Research Group (ASRG) is
frequently presented with proposals for techniques for managing spam
from authors who wish to elicit an expert critique of their
proposals. In many cases proposals fall foul of issues and risks
which are well known and understood by members of the ASRG. This
Internet Draft is intended to enumerate and explain a number of the
more important of the criteria which tend to be applied. This
document will then serve as a normative checklist for anyone wishing
to present a technique to the ASRG."


Anonymous said...

A typo?

"Proposed Technique SHOULD have A net costs which reduce..."

Looks like this "A" does not belong here. Or maybe I'm wrong (not a native English sp.)

Anonymous said...

Another typo (section 2.3.9):

"operators trying to achieve the benefits of the Proposed Technique and not through compulsion or altuism"

should have been "altRuism" I guess.

Danny said...

Oops, thanks.

Dave Brondsema said...

I know it's not appropriate as part of the document itself, but could you give some examples of the trust systems that you mention in the document? I'm aware of many of the identity systems, but I'm not aware of any trust systems that are in use.

Danny said...


I'm thinking about the trust provided by commercial "root CA" organisations like verisign and thawte, and about the peer trust provided by things like pgp, also the notion of non commercial trust relationships such as might be facilitated by organisations like apache by signing keys as a non commercial root for people who they "know". To a lesser extent governments might also choose to take a role in this verification of identity.
You have to remember that we use one certificate, but it has two purposes the obvious one is encryption, the less well understood is (via the signing of the keys) a chain of trust.
These processes of identity verification are already well supported by technology, no anti-spam solution needs to confuse the issue by re-inventing this.

blog comments powered by Disqus

I know nothing, I'm not a fortune teller, and you'd be insane to think that I am. This disclaimer was cribbed from an email footer I once received. It is so ridiculous I had to have it for myself.

Statements in this blog that are not purely historical are forward-looking statements including, without limitation, statements regarding my expectations, objectives, anticipations, plans, hopes, beliefs, intentions or strategies regarding the future. Factors that could cause actual results to differ materially from the forward looking statements include risks and uncertainties such as any unforeseen event or any unforeseen system failures, and other risks. It is important to note that actual outcomes could differ materially from those in such forward-looking statements.

Danny Angus Copyright © 2006-2013 (OMG that's seven years of this nonsense)