Re: paralysis
On Sun, 7 Mar 2004, Michael Thomas wrote: Paul Hoffman / IMC writes: At 8:19 AM -0800 3/6/04, Michael Thomas wrote: So... instead of pointing out the obvious that there is no silver bullet, wouldn't it be a lot more productive to frame this debate in terms of what incremental steps could be taken to at least try to change the overall climate? Only if such framing includes the costs of the steps. To date, most of the initial proposals we have seen on this (and many other) lists have three attributes in common: - They don't list the obvious problems - They don't even guess at the costs of those problems - They don't have an analysis of how hard or easy it will be for spammers to adapt to the proposal Fine. Truth in advertising is wonderful. Then what? From what I can tell, anything that falls short of perfection then gets summarily executed. What metrics do you suggest when the answer is less than perfect that doesn't result in paralysis? That seems to be the real breakdown here. There is no real breakdown here, and perfection isn't the issue. A proposal doesn't have to be perfect; it has to be realistic and not obviously flawed. It seems fairly obvious that any serious proposal for anything, let alone a complex problem such as spam abatement, should include a feasibility and cost/benefit analysis. This is SOP throughout business, government, academe, engineering -- why should IETF proposals and discussions be exempted from this? Vernon is pointing out that most of the discussion on this topic on this list in the recent past has omitted these components, and propose solutions over and over again that have either been proposed in the past but rejected as infeasible or expensive or that have been TRIED in the past, are implemented now, and that are not provING (now, in real time) to be tremedously effective in preventing spam. In a previous reply his remark about some of the proposals being innumerate was dead on the money -- in most cases a very simple analysis of the actual numbers demonstrates that a proposed measure, after being implemented at great expense and inconvenience, will only affect a tiny fraction of the problem (for example) or will not have any effect at all. There are several things one should accept in any discussion of spam abatement. The first and foremost (one that might well go at the very head of the principles statement we were discussing last week) is that there MAY BE NOTHING THAT THE IETF CAN DO at the protocol level to control spam, at least not directly. If you prefer this phrased in a prettier way, it may be that any measures that WOULD result in an abatement of spam are all cures that are worse than the disease, either because of astronomical costs or because they would necessitate removing some desired/fundamental property from email (such as the ability to receive mail from strangers without a complex dance that would be even more annoying and stultifying to electronic communication than spam is). My memory isn't what it used to be (and it was never very good) but here is a short list of what I have heard proposed recently as ways of abating spam (and in some cases, other forms of network abuse such as viruses as well): a) Add a cost per message. Bill Gates himself came out in public favor of this in the newspaper over the weekend. (A cynical public is invited to wonder why.) Pros: Some people estimate that a cost of as little as $0.01/message would deter spammers. [Who these people are and why their guess is any better than mine remains unsaid. I personally note that costs of anywhere from a dime to a dollar plus the hassle of having to physically handle paper, envelopes, postage do not seem to have the slightest effect on the direct advertising fraction in my real mailbox on a daily basis, with a persistent noise (advertising) to signal (all other forms of communication combined) ratio that easily exceeds 2:1.] It is believed (by these same people) that everyday users won't mind paying the cost in time or money because they don't send much mail. Cons: I don't want to pay any cost per message. I don't want to solve a puzzle to send mail. I don't want to have to solve a puzzle eight thousand times to send mail via a list. I don't want to have to manage a cost-based apparatus. The freedom of the Internet is far more valuable to me than spam abatement and this is a cure worse than any disease. Note that I'm just giving MY response to this proposal. I send twenty or thirty pieces of mail a day and there are other cheaper methods of controlling spam. Finally, I strongly suspect that the people who are estimating that cost will deter spammers are at least in some cases people who stand to make money hand over fist charging it. The fundamental premise here seems to be that we are more able and willing to pay a higher cost for mail than spammers, in spite of the fact
Re: paralysis
Robert G. Brown [EMAIL PROTECTED] wrote: ... here is a short list of what I have heard proposed recently as ways of abating spam (and in some cases, other forms of network abuse such as viruses as well): a) Add a cost per message... The fundamental premise here seems to be that we are more able and willing to pay a higher cost for mail than spammers... Nonetheless, this might be useful for some parts of the 'net. If Bill Gates wants to run MSN.com in such a way that he collects a penny per email accepted there, I'm happy to let him try. ;^) b) Require all mail to be electronically signed... People can already sign their mail digitally if they wish... I'd expect this to have absolutely no impact on spam at all besides making my internal whitelist whiter... Digitally-signed whitelisting would be a very good thing -- rendering forgery of From addresses nearly harmless. But few of us believe it will be implemented widely. c) ... require all mail to come from people you know, or people you consent to receive mail from... I consider the abilty to receive mail from strangers an essential feature of email... Most of us on this list would agree. Others won't -- for example many parents would want this model for their children. d) ... Only accept mail from clean networks. I personally believe that tightening up the regulation of networks might well help abate the spam nuisance... Obviously, not all networks _will_ tighten regulation of spam. For those that don't, a dose of cost-per-message seems appropriate. There is a time lag problem here as well -- blacklists are often trying to catch up with the rapidly changing spammer identities. There is definitely room for improvement there. some superlarge domains (e.g. yahoo, hotmail) are effectively impossible to blacklist... because there are too many friendly strangers mixed in with the evil spammers that abuse their services. A small cost-per-message might change attitudes here... AUPs tend to be actual contracts and have to be dickered out by lawyers. Enforcment is not cheap, which is why many providers throw up their hands and refuse to deal with the problem or blame somebody else. A small cost-per-message might change attitudes here, too. Some SPs may have a vested interest in NOT controlling the problem, as they profit (indirectly) from spammers working through their domains. Very important point here! So long as we insist on subsidizing such SPs, we're going to keep increasing the spam load. Still, this DOES seem to me at least to be a place where the IETF might make some small contribution, perhaps by working out a clean partitioning of the responsibility that everybody seems to want to avoid and getting it written into future AUPs from the top down, possibly by integrating this process with e). I'm not quite sure what you're proposing: if you mean that IETF should define the responsibilities of each SP, I'd advise against it. If you mean defining a machine-readable language for encoding AUP policy, that might be useful. If you mean defining a protocol for third parties to express opinions about the effectiveness of AUP enforcement by various domains, I think that _would_ be useful. e) How about if we write some laws and regulations REQUIRING them to deal with the problem with fines and other penalties for noncompliance... This approach seems to be gradually moving forward of its own accord, driven by considerable public dissatisfaction with spam. But is this anything other than damage to be routed around? f) Filters. This is a very robust and dynamic solution, and is unlikely to go away unless/until things like legal measures and improved AUPs ameliorate the problem (if they ever do). It can be implemented by individuals at the user level. It can be implemented by sysadmins at the domain level. Not an IETF concern... Filters and other intelligent agents COULD be implemented by SPs at the transport level to identify clients that are spamming, Tell you what -- why don't _you_ start the SP that does this? and if it ever WERE implemented at this level and the SPs came down on AUP violators like a ton of bricks with contractual monetary penalties, the spam problem might really significantly abate. ... when the SPs are put out of business by the lawsuits... I'm afraid it's _much_ safer for a SP to publish a policy that certain IP addresses are assigned to poorly-monitored customers than to actually interrupt their traffic. And there _is_ a role for IETF in defining a protocol for publishing such policy. It's safer still for third-parties to publish such policy, just less accurate. Third-parties are _now_ publishing IP ranges that shouldn't be trusted, with the result that SPs that use those third-party blacklists get a lot of grief for blocking too much. It would be a substantial improvement if blacklists
Re: paralysis
On Sun, 7 Mar 2004, Vernon Schryver wrote: (Recent example technical issues: SMTP-TLS does not imply commericial PKI, except in the sense that commercial PKI is the only working(?) model of large scale key distribution. No law, standard, or anything else prohibits an SMTP relay from using the same authenticator on output that it used on input for a message.) Sorry to inject specifics into a meta discussion, but the above is technically wrong. Mathematical reality imposes some prohibitions. All the realy has is the certificate and the public key. It will not be able to reuse that without the private key, and it won't be very likely to compute the private key. So the relay can't use the authenticator given by the client for exactly the same reasons that you can't have a transparent https proxy. If such a proxy were transparent, it would be able to pose a man-in-the middle attack. SMTP-TLS has a role to prevent snooping the message during some transfers. The most significant threat to SMTP snooping comes from the users' shared LAN or shared cable connection. TLS is especially useful during such initial transfers to the relay, which has more controlled access to the internet. However, this has no anti-spam benefit. The authenticator certificates (TLS can be anonymous, but we'll assume for sake of argument that they aren't anonymous) would be given out by the ISPs just like regular user accounts. We already know that spammers/abusers will use stolen or disposable user accounts. PKI isn't an anti-spam solution, except for very small groups who leverage the non-scalability and lack of widespread use of PKI to their benefit. But in those cases, it isn't the PKI that is operative, it is the non-scalability that is operative. Simply by creating a secret header, which only their small group knows, they obtain the same solution, which has the same scaling properties. That is, if the secret is widely known, then spammers may learn it. Similarly, if every residential ISP gives certificates to every user, then spam will come signed by those certificates, either disposable or stolen. A comparable solution is to setup a private network that doesn't connect to the internet. But we don't see online services disconnecting from the internet, or just blocking all email from the internet. While disconnecting from the internet would perhaps block a lot of spam, it isn't what the users want or purchased. Indeed, if the online service is large enough, it will still have a spam/abuse problem. As I've said before, the problem is essentially identical to that of covert or sneaky channels in Information Theory. But I have some hopes that nearly all spam/abuse is sent by a relatively few miscreant script kiddies. I see that the first CAN-SPAM civil case has been filed. This will certainly be interesting. I expect that once these script kiddies have been caught and properly punished, that the spam/abuse problem will be reduced to the norm of other anti-social behaviors, and that things will drop back to less than 1% of mail being abusive. But the question of punishment is partly upto the technical community. If we keep giving script kiddies jobs and promotions in spite of abusive behavior, then we'll keep giving positive reinforcement to the script kiddie behavior pattern. The best thing we can do is make sure that such activity is career limiting. It is no different from the accounting scandals and insider trading scandals. If the participants are hired back into responsible positions with pay raises, then there will be no incentive to have honest executives or auditors. Nearly all of the spam abusers that I've caught have been IT people or administrators who work (or worked) for ISPs. Some have been caught and fired. Others have been caught (or abuse traced to a ISPs non-customer network--where a call to said ISP results in a yell to someone to knock it off), and their activities essentially ignored so long as they stopped. That is really the wrong message, and the abuse will no doubt continue. In most such cases, they just stop temporarilly, and when they think the heat is off, they start doing something else abusive. P.S. I said last week that we get relay abuse whenever I defend the uses of open relays. Well, on schedule, we had two relay abuse attempts this weekend from Tiawanese proxies (haven't had a relay abuse attempt for some time). Something over 20,000 messages from the first one, and I haven't looked at the report for the second, but I'd guess its about the same. All abuse was blocked. It is always interesting to review the recipient list of such abuse. A funny thing about this case is that the very first recipient was a [EMAIL PROTECTED], and nearly all of the rest were to .tw and .cn addresses. So, was [EMAIL PROTECTED] the abuser? or just a known target of the abuser? Perhaps it is just a bogus address that would tell the abuser (if at starnetinc.com) that the relay abuse
Re: paralysis
Paul Hoffman / IMC writes: At 8:19 AM -0800 3/6/04, Michael Thomas wrote: So... instead of pointing out the obvious that there is no silver bullet, wouldn't it be a lot more productive to frame this debate in terms of what incremental steps could be taken to at least try to change the overall climate? Only if such framing includes the costs of the steps. To date, most of the initial proposals we have seen on this (and many other) lists have three attributes in common: - They don't list the obvious problems - They don't even guess at the costs of those problems - They don't have an analysis of how hard or easy it will be for spammers to adapt to the proposal Fine. Truth in advertising is wonderful. Then what? From what I can tell, anything that falls short of perfection then gets summarily executed. What metrics do you suggest when the answer is less than perfect that doesn't result in paralysis? That seems to be the real breakdown here. Mike
Re: paralysis
MT So... instead of pointing out the obvious that MT there is no silver bullet, wouldn't it be a lot MT more productive to frame this debate in terms of MT what incremental steps could be taken to at least MT try to change the overall climate? Serious discussions about spam control acknowledge the fact of limited, incremental benefit, significant deployment costs, potential impact on basic modes of legitimate email, and the like. Unfortunately, serious discussion is rather rare. What is missing from most proposals is any interest in such careful consideration about ramifications. Instead, efforts to explore real costs and real efficacy are met with the usual plea that this is an emergency and we have to do _something_. Emotional responses that block legitimate review, in favor of premature action fall under the category of hysteria. The IETF MARID BOF showed that serious discussion is, in fact, possible. One simply needs to insist on it and encourage it when it happens. d/ -- Dave Crocker dcrocker-at-brandenburg-dot-com Brandenburg InternetWorking www.brandenburg.com Sunnyvale, CA USA tel:+1.408.246.8253
Re: paralysis
At 3:03 PM -0800 3/7/04, Michael Thomas wrote: From what I can tell, anything that falls short of perfection then gets summarily executed. The majority of the anti-spam proposals being actively discussed are variants on the prove the sender is who he says he is. None of these are perfect, yet: - they are being actively discussed in the ASRG - they are being actively discussed on the [EMAIL PROTECTED] mailing list - there was a BOF about them last week in Seoul - some people are creating experimental implementations and looking at the results This seems different than summarily executed. --Paul Hoffman, Director --Internet Mail Consortium
Re: paralysis
From: Dave Crocker Serious discussions about spam control acknowledge the fact of limited, incremental benefit, significant deployment costs, potential impact on basic modes of legitimate email, and the like. Unfortunately, serious discussion is rather rare. What is missing from most proposals is any interest in such careful consideration about ramifications. No, let's be honest no matter how impolitic. What's out of order from most anti-spam discussions is anything that might squelch the urgent, exciting, and positive talk. That certainly includes consideration of inconvenient ramifications and obvious technical issues. The taboos also cover any sentiment like Ok, I'll implement this and report back soon with results. (Recent example technical issues: SMTP-TLS does not imply commericial PKI, except in the sense that commercial PKI is the only working(?) model of large scale key distribution. No law, standard, or anything else prohibits an SMTP relay from using the same authenticator on output that it used on input for a message.) Instead, efforts to explore real costs and real efficacy are met with the usual plea that this is an emergency and we have to do _something_. That's true only in the sense of urgent pleas that _other_ people to do something. Every month or so, I check the ASRG archives. If there has been a change in the last year, I can't see it. It's all urgent, and devoid of anything like reports of actions. Even survey and BCP documents start and then fade into the mist. I just now checked https://www1.ietf.org/mail-archive/working-groups/asrg/current/maillist.html to see if I'm being unfair. Of course this problem is endemic to the Standards Process. It's worse with spam because the problem hard verging on unsolvable and few if any of the participants are trying to ship a product before market window closes, graduate students trying to complete a thesis, others trying to publish papers before the grant runs out, or mail system operators trying to avoid drowning. There are vendors and so forth, but they see that it might make sense to ship, install, or test a white box with Linux and SA but it is silly to spend any salaries or time on proposals that can't have any effects before the spam problem is finished by other effects. ... The IETF MARID BOF showed that serious discussion is, in fact, possible. One simply needs to insist on it and encourage it when it happens. If http://www.imc.org/ietf-mxcomp/mail-archive/msg00067.html is reasonably accurate, then I beg to differ. As far as I can see, it could be a summary of the most useful content of ASRG mailing list from March and April, 2003. = ] From: Paul Hoffman / IMC ] ... ] The majority of the anti-spam proposals being actively discussed ] are variants on the prove the sender is who he says he is. None of ] these are perfect, yet: Given the shift of many major spammers from forging domain names to using their own throw-aways like xxcdfm1.com, pointlesstomovehere.com, and attractiveinternetnews.com, not perfect is an understatement. ] - they are being actively discussed in the ASRG Somehow actively discussed is doesn't quite convey continually discussed round and round without any change. Vernon Schryver[EMAIL PROTECTED]
Re: paralysis
--On 7. mars 2004 15:03 -0800 Michael Thomas [EMAIL PROTECTED] wrote: Fine. Truth in advertising is wonderful. Then what? From what I can tell, anything that falls short of perfection then gets summarily executed. What metrics do you suggest when the answer is less than perfect that doesn't result in paralysis? That seems to be the real breakdown here. acknowledge the non-perfection, say that in your estimation, the benefit is still greater than the cost, and march on. ((we're starting to get there (I think) with the proposals presented at the MARID BOF - while they don't solve anything, IMHO, they have a couple of significant benefits, which seems likely to be larger than their cost.)) the idea that you should stop trying because you've been publicly ridiculed is one that has always struck me as somewhat strange. Either you believe in your ideas even after you've carefully considered the objections raised, or you don't. If you don't, you should give up. If you still believe in them, you're still alive.
paralysis
Vernon Schryver writes: [] You know, it's quite elucidating seeing the banter about the subject of spam, especially between you and Paul but what strikes me more is the overarching dynamic going on: for (;;) { 1) proposal is made 2) proposal is classified into one of several general buckets 3) proposal is deconstructed by those who've seen this many many times 4) no silver bullet is uncovered } In the mean time, the exponential curve of spam keeps on moving along the X axis for ever greater values of X. So... instead of pointing out the obvious that there is no silver bullet, wouldn't it be a lot more productive to frame this debate in terms of what incremental steps could be taken to at least try to change the overall climate? To perhaps move things in a direction that might be in our favor? To perhaps be open to making some mistakes and/or no-ops? We know spammers are smart and adaptable. The problem is that in our paralysis, we are not. Mike
Re: paralysis
From: Michael Thomas [EMAIL PROTECTED] ... So... instead of pointing out the obvious that there is no silver bullet, wouldn't it be a lot more productive to frame this debate in terms of what incremental steps could be taken to at least try to change the overall climate? To perhaps move things in a direction that might be in our favor? To perhaps be open to making some mistakes and/or no-ops? Am I interfering with incremental debate framing, climate changing, or designing, implementing, testing, and deploying possible solutions that might be mistakes and no-ops? I hope not and I don't think so. In about 1997 Paul Vixie mentioned the notion of spam checksum clearinghouses. I pointed out the obvious problems, but 6 or 9 months later hacked a form of the idea into sendmail. The DCC is now resisting about 350,000,000 spam/week. When I heard about greylisting, I pointed out some obvious problems, but worked hard to add it to the DCC client code. That a problem seriously wants a solution does not imply that it has one. That personal immortality, matter transmission, and communicating consent to receive mail sound nice does not imply that they are possible or that they would solve more problems than they would create. Either way, lists of problems from wet bankets like me should not stop anyone from designing, implementing, testing and deploying, unless they need to sell a lot of stock beforehand. We know spammers are smart and adaptable. The problem is that in our paralysis, we are not. Whose paralysis do you mean, Kemo Sabe? Outside the mass media, mailing lists, and usenet, plenty is being done about spam. Some efforts have been more effective than others. Others such as laws have more future hope than past performance. Filter effectiveness above 95% is common. Reasonably spam free mailboxes that are open to mail from perfect strangers are more readily available today then they were 3 years ago. Nothing so far have been or will be a silver bullet. Unless you believe vague handwaving or swallow any of several brands of patent medicine, there is no prospect of a FUSSP (Final Ultimate Solution to the Spam Problem). By itself, framing debates is not productive unless you're only interested in debates. Few of those who do more talking and writing about spam than administrating anti-spam mechanisms, designing, writing or deploying code, enforcing laws, or anything else that directly affects spam in more than their personal mailboxes are contributing to solutions. Vernon Schryver[EMAIL PROTECTED]