[AUUG-Talk]: ACA says that Anti-spam laws are working...
michael at paddon.org
Mon Jul 26 17:59:34 EST 2004

Ben Elliston writes:
> Won't greylisting be circumvented once the spammers think it's posing a
> big enough problem? Won't they start running their own MTAs and
> pipeline the message delivery, only adding ~15 minutes to the overall
> time it takes to spam a few million recipients?

Welcome to the arms race.

In practice, this means that effective anti-spam techniques mean being
ahead of the curve. Which sort of sucks, because it encourages people who
have good anti-spam ideas to (a) keep them secret, or (b) try to make a
commercial killing before it becomes obsolete.

The only way off the merry-go-round is to change the rules of the game.

An interesting parallel is the anti-virus world. You either get to keep
updating lame virus detection signatures for ever, or you switch to an
operating system with a real security model.

Does this suggest that we can't really fix spam without switching to a
mail transport with a real security model? Probably. Is this likely to
happen? Probably not. Just as the majority of computer users think it is
reasonable to have to suffer BSODs and reinstall every now and then, I predict
a world where email users just put up with spam and periodically change
their email addresses every now and then. I hope I am wrong.

The only anti-spam effort that seems to have long-term viability is SPF,
and it is not clear that it will be adopted, and that it won't be subject
to massive abuse anyway.

The moral: you don't add security, you design it in at the start.