[Asrg] A paper/project worth considering (found it!)

Daniel Feenberg feenberg at nber.org
Sun Dec 14 15:16:40 PST 2008 

On Sun, 14 Dec 2008, Rich Kulawiec wrote:

> On Thu, Dec 04, 2008 at 11:18:47AM -0500, Chris Lewis wrote:
>> We have a TIS button.  I have no reason to believe that the error rate
>> on hitting it is even as bad as 5%.
>
> Interesting.  As I mentioned elsewhere, I recently went through nearly
> 5 years of feedback loop reports from AOL and found that the error
> rate was 100.00% -- every report ever filed was wrong.  (I think I
> also mentioned that I found cases where users reported *their own
> messages* to mailing lists as spam.)

I have to say that this precise sounding figure "100%" comes from using 
an incorrect base. If you sent a million messages and get one incorrect 
spam report, the error rate is .0001%, not 100%. You are getting a 
nonsense number because you are using the wrong base - a common error when 
dealing with percentages.

Dividing by the number of reports rather than the number of messages 
provides no way for AOL to ever have anything other than 100% error rate, 
assuming you do not send spam. Now, if you want to claim AOL spam reports 
are poor evidence, you at least have to tell us the number of good 
messages. Otherwise, the deck is stacked against AOL in a totally unfair 
manner - there is no way for the users to have any error rate other than 
100% (or undefined, if there are no reports).

Daniel Feenberg

>
> I have no reason to think AOL's users are any better or worse at this
> than Comcast's or Yahoo's or any other ISP/mail provider.  (I should
> conjecture that Chris's users are better -- well, they'd have to be in
> order to keep the error rate that much lower!)
>
> I think at the scale of the Internet, users are awful at telling spam
> from not-spam: if they were good at it, phishing would be a non-problem.
>
>
> But let me put all of these conversation about end-user abilities
> aside and look at this a different way.  Anti-spam policy is as much a
> security function as, say, firewall configuration; and there's no way
> I'd even consider giving users the ability to affect that.  It's all
> very populist to give users these controls, but I think it's terribly
> misguided and reflects a lack of realization that spam can be as much
> of a security threat as malicious packets.  Analyzing such threats
> and devising effective counter-measures to them requires trained,
> experienced people -- moreover, it requires people who have the
> responsibility for doing so.
>
> What I'm arguing (and I've argued this elsewhere) is that it's not
> the role of end users to set anti-spam policy (in whole or in part)
> any more than it's their role to set firewall policy.  It's not their
> job, and they're terrible at it.
>
> ---Rsk
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> https://www.irtf.org/mailman/listinfo/asrg
>

More information about the Asrg mailing list