I still don't plan on using TMDA, but I respectfully disagree with
Glenn's reasoning against it.
(a) violates the principle of least surprise *on both sides*
The only person who would be surprised would be the first-time
sender. There's no reason the recipient would be surprised, assuming
they know they are using TMDA.
In the Blackberry example given, email would only fail to get
through if you were emailing that person for the very first time. (Your
very first email to someone is, "come pick me up at the airport"?)
And, there are many reasons emails might not get through. If you're in
a hurry and you made a typo in the To: address you'd still be put out.
So the only thing I take away from this example is that addresses
like "[email protected]" should not use TMDA... and that
people should verify airport pick-up times.
(b) Depends on humans to do something that can easily be implemented with
technology
This statement implies that Spam is a solved problem. I use all the
technologies you mentioned, and I still get ~40 spams per day.
(c) Does what you want to try hardest never to do when killing spam: Cause a
false positive. In a world where you scrap for every last cent...
By this definition, every "customer contact" form or "customer
support" forum on the web that uses CAPTCHA is an unreasonable risk to
new business opportunities. CAPTCHA is considerably more inconvenient
than Reply > Send.
(I'm also careful NOT to use not only rfc-ignorant, but *any* blocker who
deliberately or otherwise commits collateral damage. Just. Don't.)
Really? I don't think you mean that.
If somebody sends a faked "unsubscribe" to this list and you get an
unwanted ("collateral") confirmation, will you *really* blacklist this
list's admin address?
If a co-worker turns on a vacation auto-responder, and someone sends
them a faked message so you get an unwanted ("collateral") out-of-office
message, will you *really* blacklist your co-worker?
I think the point that TMDA is no more dangerous than mailing lists,
or "vacation", or a Trac support site (with notifications turned on),
still stands.
--Derek
On 12/18/2009 01:49 PM, Glenn Stone wrote:
On Fri, Dec 18, 2009 at 01:18:30PM -0800, Derek Simkowiak wrote:
I still don't use TMDA, because I'm more on the admin side of the
fence, but in principle I don't see why TMDA couldn't solve the spam
problem
TMDA
(a) violates the principle of least surprise *on both sides*. If I
send you an email from my Blackberry saying "hey, I'm on the Oakland flight
instead of SFO" and then turn off the Blackberry because *I'm on the
flight*, I'll never get the TMDA challenge, and you'll never get the
message.... and we'll both be Put Out...
(b) Depends on humans to do something that can easily be implemented with
technology. Greylisting, bouncing a message on a 450 Try Again message, is
*already part of the RFCs*, is a mature technology, and will kill 90%++ of
the spam out there on its own. Its downfall is when a machine gets zombied
and you're getting spam from an otherwise legit address... but that's why
you have Bayesian analysis software of some sort as a last line of defense.
(c) Does what you want to try hardest never to do when killing spam: Cause a
false positive. In a world where you scrap for every last cent, you never
want an email to get snagged that could be questionable but could be worth
six, seven, eight figures. With TMDA *every email* is a false positive
unless somebody actively does something about it. Not what you want.
(I'm also careful NOT to use not only rfc-ignorant, but *any* blocker who
deliberately or otherwise commits collateral damage. Just. Don't.)
Yes, I'm an intractable BOFH. I have my reasons. Hopefully they're clear.
-- Glenn
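
The greylisting behaviour mentioned in point (b), a 450 deferral on first contact that is accepted when the sending server retries, sketched as an added example that is not part of the original thread. The class name, the 5-minute minimum delay, the 4-hour retry window and the sample addresses are assumptions made for illustration.

```python
import time


class Greylist:
    """Greylisting policy keyed on the (client IP, envelope sender, recipient) triplet."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, clock=time.time):
        self.min_delay = min_delay        # assumed: seconds a sender must wait before retrying
        self.retry_window = retry_window  # assumed: seconds a pending triplet stays valid
        self.clock = clock                # injectable so the demo can control time
        self.first_seen = {}              # pending triplet -> time of first attempt
        self.passed = set()               # triplets that have already retried correctly

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply (code, text) to give at RCPT TO time."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.passed:
            return 250, "OK (known triplet)"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            # First contact, or the earlier attempt expired: start the clock again.
            self.first_seen[key] = now
            return 450, "Greylisted, try again later"
        if now - first < self.min_delay:
            # Retried too quickly; keep the original timestamp and defer again.
            return 450, "Greylisted, retry too soon"
        # A queue-and-retry MTA came back after the delay: accept and remember it.
        self.passed.add(key)
        del self.first_seen[key]
        return 250, "OK (retry accepted)"


def demo():
    """Replay one sender's attempts against a fake clock (constructed sample data)."""
    now = [0.0]
    gl = Greylist(clock=lambda: now[0])
    triplet = ("192.0.2.10", "alice@example.org", "bob@example.net")
    codes = []
    for t in (0, 60, 600, 700):  # first contact, too-early retry, valid retry, later mail
        now[0] = t
        codes.append(gl.check(*triplet)[0])
    return codes


if __name__ == "__main__":
    print(demo())
```

A sender that never retries stays in `first_seen` and is never delivered, and no human on either side has to act for a retrying sender to get through.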