Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Mon, Mar 31, 2014 at 12:17:19AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):

> On Mar 30, 2014, at 16:40 , Måns Nilsson wrote:
> > Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat,
> > Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore
> > (patr...@ianai.net):
> >>> On Mar 29, 2014, at 3:15, Måns Nilsson wrote:
> >>> Quoting John R. Levine (jo...@iecc.com):
> >>>>> Ergo, ad hominem. Please quit doing that.
> >>>>> As a side note I happen to run my own mail server without spam filters
> >>>>> -- it works for me. I might not be the norm, but then again, is there
> >>>>> really a norm? (A norm that transcends SMTP RFC reach, that is --
> >>>>
> >>>> I know a lot of people who run a lot of mail systems, and let's just
> >>>> say you're so far out in the long tail we need a telescope to see
> >>>> you.
> >>>
> >>> I will not debate with people who resort to humiliation techniques
> >>> when questioned.
> >>
> >> I will not argue whether you were humiliated as that is something only you
> >> can decide.
> >
> > The puny attempt at "master suppression technique"[0] was identified
> > as such and countermeasures were launched. No damage done.
>
> I was serious. Your reaction .. well, I shouldn't say anything more lest you
> call me puny again. (What were you saying about humiliation techniques? Glad
> to see you would never be hypocritical.)

My apologies. I was not referring to your statement -- if that was not clear I should most certainly have written more clearly.

> >> However, John was still factually correct. No big deal, lots of people are
> >> humiliated by facts. Although I admit I didn't find the quote above
> >> terribly humiliating myself.
> >
> > You have a point. Further, I do not debate the truth in the statement. My
> > personal email system IS small -- I did even state that -- but that does
> > not mean I do not run larger systems for others, nor does it mean that
> > the general public should dismiss my ideas and only listen to people
> > who brag about their acquaintances. There are other much more compelling
> > reasons not to do as I say.
>
> You misunderstand. Or perhaps I did?
>
> I read John's statement to be in reference to your stance, i.e. running
> without spam filters. Not that your server is small.

I read "you handle no big amount of e-mail and I know people who do and therefore you should STFU and not bother us with your silly ideas about following standards" in John's message, and while that might seem like one of many interpretations of what was written, it is an interpretation I hope to be not so far out on the insulted fringe so as to be silly.

> John can clarify if he likes. But either way, running without spam filters is
> beyond unusual these days.

Indeed.

> My personal server is run with very few filters, all of which REJECT or
> accept and send to a box I read. I have no "spam folder". So while I am not
> as far down the tail as you are, I am definitely out of the mainstream. The
> only reason I mention that is so you don't go researching for another reason
> to "identify" my comments as anything except exactly what they say.

Oh, I'm not hoping to pick a fight. Bad move to pick fights with people that function as mediators.

> >> Also, realize that John has already done more to stop spam in his career
> >> than you and your thousand closest friends ever will. (E.g. Look up
> >> abuse.net.) Again not humiliation, just a fact.
> >>
> >> Feel free to plonk me as well. I won't be humiliated. :-)
> >
> > I won't. There is a clear divide between politely pointing out facts
> > and abusing facts to tell people that their opinion does not matter.
> >
> > And, for the record, I do not support spamming in any form. But the
> > mitigation techniques MUST NOT impose undue constraints on the legitimate
> > use of e-mail, even when it is not vetted by passing it through big
> > insecure monitored US webmail providers.
>
> I like your use of MUST.
>
> However, I think you'll find your definition of "undue" and most of the rest
> of the Internet's is vastly different.

I'm fully aware of that. The clear separation between network and application that is at the core of IP is easily compromised by the best intentions.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I selected E5 ... but I didn't hear "Sam the Sham and the Pharaohs"!

Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/30/2014 11:17 PM, Patrick W. Gilmore wrote:

> On Mar 30, 2014, at 16:40 , Måns Nilsson wrote:
>> Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
>>>> On Mar 29, 2014, at 3:15, Måns Nilsson wrote:
>>>> Quoting John R. Levine (jo...@iecc.com):
>>>>>> Ergo, ad hominem. Please quit doing that.
>>>>>> As a side note I happen to run my own mail server without spam filters
>>>>>> -- it works for me. I might not be the norm, but then again, is there

[snip]

> However, I think you'll find your definition of "undue" and most of the rest of the Internet's is vastly different.

Seems like I got chased off of NANOG for less, in years gone by...

--
Requiescas in pace o email           Two identifying characteristics
                                       of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                       learn from their mistakes.
                                         (Adapted from Stephen Pinker)

Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 30, 2014, at 16:40 , Måns Nilsson wrote:

> Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar
> 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
>>> On Mar 29, 2014, at 3:15, Måns Nilsson wrote:
>>> Quoting John R. Levine (jo...@iecc.com):
>>>>> Ergo, ad hominem. Please quit doing that.
>>>>> As a side note I happen to run my own mail server without spam filters
>>>>> -- it works for me. I might not be the norm, but then again, is there
>>>>> really a norm? (A norm that transcends SMTP RFC reach, that is --
>>>>
>>>> I know a lot of people who run a lot of mail systems, and let's just
>>>> say you're so far out in the long tail we need a telescope to see
>>>> you.
>>>
>>> I will not debate with people who resort to humiliation techniques
>>> when questioned.
>>
>> I will not argue whether you were humiliated as that is something only you
>> can decide.
>
> The puny attempt at "master suppression technique"[0] was identified
> as such and countermeasures were launched. No damage done.

I was serious. Your reaction .. well, I shouldn't say anything more lest you call me puny again. (What were you saying about humiliation techniques? Glad to see you would never be hypocritical.)

>> However, John was still factually correct. No big deal, lots of people are
>> humiliated by facts. Although I admit I didn't find the quote above terribly
>> humiliating myself.
>
> You have a point. Further, I do not debate the truth in the statement. My
> personal email system IS small -- I did even state that -- but that does
> not mean I do not run larger systems for others, nor does it mean that
> the general public should dismiss my ideas and only listen to people
> who brag about their acquaintances. There are other much more compelling
> reasons not to do as I say.

You misunderstand. Or perhaps I did?

I read John's statement to be in reference to your stance, i.e. running without spam filters. Not that your server is small.

John can clarify if he likes. But either way, running without spam filters is beyond unusual these days.

My personal server is run with very few filters, all of which REJECT or accept and send to a box I read. I have no "spam folder". So while I am not as far down the tail as you are, I am definitely out of the mainstream. The only reason I mention that is so you don't go researching for another reason to "identify" my comments as anything except exactly what they say.

>> Also, realize that John has already done more to stop spam in his career
>> than you and your thousand closest friends ever will. (E.g. Look up
>> abuse.net.) Again not humiliation, just a fact.
>>
>> Feel free to plonk me as well. I won't be humiliated. :-)
>
> I won't. There is a clear divide between politely pointing out facts
> and abusing facts to tell people that their opinion does not matter.
>
> And, for the record, I do not support spamming in any form. But the
> mitigation techniques MUST NOT impose undue constraints on the legitimate
> use of e-mail, even when it is not vetted by passing it through big
> insecure monitored US webmail providers.

I like your use of MUST.

However, I think you'll find your definition of "undue" and most of the rest of the Internet's is vastly different.

--
TTFN,
patrick

Re: why IPv6 isn't ready for prime time, SMTP edition
On Sat, Mar 29, 2014 at 7:40 PM, John R. Levine wrote:

>> The numbers you list in your argument against a micropayment
>> system being able to function are a fraction of the number of
>> transactions Facebook deals with in updating newsfeeds for
>> the billion+ users on their system.[0]
>>
>
> ... which is completely irrelevant because they don't have a double
> spending problem. Sheesh. It's easy to scale up stuff that is trivially
> parallelizable.*
>

Apparently, in the intervening 10 years since you wrote that, you might have missed some advances in the state of the art in computer science.

http://arxiv.org/abs/0802.0832v1

I quote from the abstract:

"Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention"

I suggest you update your 'commonly held belief' that the double spending problem is intractable. ;)

>
> Also, I wrote that ten years ago. Add an extra zero or two to the numbers
> if you want, but it doesn't make any difference.

Perhaps the number of zeroes doesn't make a difference; but solving the double spending problem would seem to play a much bigger role in making a difference to your conclusion from ten years ago.

Note that one of the concepts around the double spending problem is that of offline spending being able to happen in massively large scale in very short time before the network is rejoined; however, in the case of email, that situation is largely a dead end; if you're not online, you're not going to be making very many mail connections.

What may have been seen as impossible ten years ago may now be completely feasible. ^_^;

> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly
>
> * - a term of art, look it up
>

Thanks!

Matt

Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/30/2014 12:11 AM, Barry Shein wrote:

> I don't know what "WKBI" means and google turns up nothing. I'll guess "Well Known Bad Idea"?
>
> Since I said that I found the idea described above uninteresting I wonder what is a "WKBI" from 1997? The idea I rejected?
>
> Also, I remember ideas being shot down on the ASRG (Anti-Spam Research Group) list primarily because they would take ten years to gain acceptance. Over ten years ago.
>
> Maybe they were bad ideas for other reasons. Some certainly were.
>
> But there's this tone of off-the-cuff dismissal, oh that would take TEN YEARS to gain traction, or that's a WKBI, which I don't find convincing.
>
> I read your paper, for example, and said it's a nice paper. But I don't find it compelling to the degree you seem to want it to be because it mostly makes a bunch of assumptions about how an e-postage system would work and proceeds to argue that the particular model you describe (and some variants) creates impossible or impractical hurdles.
>
> But what if it worked differently?
>
> At some point you're just reacting to the term "e-postage" and whatever it happens to mean to you, right?

Imagine living in a world where this system is implemented. Then imagine ways to break it.

The first thing I can think of is money laundering through hundreds of source and destination email accounts.

The second is stolen identities or credit cards where the money doesn't exist to begin with (Who pays when this happens?)

Third is administrative overhead. Banks/paypal/exchanges/someone is going to want a cut for each transaction, and they deserve one since they're going to end up tracking all of them and need to be able to reverse charges when something goes wrong. But then you have a central point of failure and central monitoring point so you want to involve multiple exchanges, banks, etc.

Then you've got a dictatorship somewhere who says they want an extra $0.03 tacked on to each transaction, only it's not $0.03 it's famously unstable currency here> so any mail that goes to that country has to have custom rules that fluctuate multiple times a day.

Then there is my mom, who knows just enough about computers to send cat pictures and forward me chain letters. She'll not understand that email costs something now, or how to re-up her email account when it runs out. The administrative burden will either fall to me or her ISP, and each phone call to the ISP probably costs them $$ because they must pay a live human to walk someone through email.

> You can't really say you've exhaustively worked out every possibility which might be labelled "e-postage". Only a particular interpretation, a fairly specific model, or a few.
>
> When people talked of "virtual currency" over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc?
>
> Bitcoin might well be a lousy solution. But there it is nonetheless, and despite the pile of papers which argued that this sort of thing was impossible or nearly so.
>
> Note: Yes, I can also argue that Bitcoin is not truly a virtual currency.
>
> Sometimes a problem is like the Gordian Knot of ancient lore which no one could untie. And then Alexander The Great swung his sword and the crowds cried "cheat!" but he then became King of Asia just as prophesized.
>
>>
>> Regards,
>> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
>> Please consider the environment before reading this e-mail. http://jl.ly

The answer is that you can't do this to SMTP. Nobody will ever have the answers to all the questions involved with adding cost transactions to the protocol. The only way to do this is to reboot with a new protocol that people start to adopt, and the only way they'll do that is if it's markedly better than the old way. You have to remember some people when given the choice of paying for email or accepting 10 spams/day will opt for accepting a little spam.

The good news is, with email consolidated into 5 or so large providers and most people using webmail or exchange, you've got an opportunity to change the backend. Not much software has to be modified, but you do need those large providers to buy-in to the idea.

Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):

> Composed on a virtual keyboard, please forgive typos.
>
> > On Mar 29, 2014, at 3:15, Måns Nilsson wrote:
> > Quoting John R. Levine (jo...@iecc.com):
> >>> Ergo, ad hominem. Please quit doing that.
> >>> As a side note I happen to run my own mail server without spam filters
> >>> -- it works for me. I might not be the norm, but then again, is there
> >>> really a norm? (A norm that transcends SMTP RFC reach, that is --
> >>
> >> I know a lot of people who run a lot of mail systems, and let's just
> >> say you're so far out in the long tail we need a telescope to see
> >> you.
> >
> > I will not debate with people who resort to humiliation techniques
> > when questioned.
>
> I will not argue whether you were humiliated as that is something only you
> can decide.

The puny attempt at "master suppression technique"[0] was identified as such and countermeasures were launched. No damage done.

> However, John was still factually correct. No big deal, lots of people are
> humiliated by facts. Although I admit I didn't find the quote above terribly
> humiliating myself.

You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say.

> Also, realize that John has already done more to stop spam in his career than
> you and your thousand closest friends ever will. (E.g. Look up abuse.net.)
> Again not humiliation, just a fact.
>
> Feel free to plonk me as well. I won't be humiliated. :-)

I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter.

And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Vote for ME -- I'm well-tapered, half-cocked, ill-conceived and TAX-DEFERRED!

[0] http://en.wikipedia.org/wiki/Master_suppression_techniques

Re: why IPv6 isn't ready for prime time, SMTP edition
On Sat, 29 Mar 2014 18:05:39 -0700, Matthew Petach said:

> system, which does 100,000,000 transactions/day. Facebook's
> presentation talks about doing billions *per second*, which if I

Fortunately for Facebook, they don't have to worry about double-spending problems, and you don't have to worry that much about authentication and security, because you control both ends of the transaction.

It's easy to scale when you don't have to worry about the hard parts.

Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 23:26 o...@delong.com (Owen DeLong) wrote:

>
> On Mar 29, 2014, at 1:31 PM, Barry Shein wrote:
>
> >
> > On March 29, 2014 at 08:28 o...@delong.com (Owen DeLong) wrote:
> >>> So if a spammer or junk mailer could, say, trick you into accepting
> >>> mail in those schemes then they get free advertising, no postage
> >>> anyhow.
> >>
> >> Sure, but how would they trick you into saying “I wanted this
> >> advertising” once you’ve actually seen that it is advertising.
> >
> > I dunno, but they trick people all the time, isn't that what the
> > entire phishing industry is based on?
> >
> > I guess the real point is that this idea that one would be sorting
> > through their email saying don't charge for this one I want it, charge
> > for this one, I don't, etc is not a good idea.
>
> I was envisioning a system more where you white-listed your known contacts
> up front, then only needed to say “refund this one and add to white-list”
> or “refund this one” when confronted with one that wasn’t already
> white-listed that you didn’t feel was spam.

Introducing a refunding system adds a lot of complexity for not much advantage.

Think through the mechanics of this whitelisting system, i.e., the bookkeeping and msgs back and forth.

(eliding some stuff we mostly agree on)

> >
> > What about the costs of anti-spam technology? And all the other
> > problems spam incurs? I thought that's why we were here.
>
> Reality is those costs are pretty much sunk at this point as well, mostly
> embedded into the price of internet access and mail services as they exist
> today. Sure, there might be some long term reductions in those costs if this
> worked out, but at what relative price?

What about the "attention" costs, when nobody for example looks at an Amazon mail or even a useful msg from their bank because they're too busy deleting everything that isn't absolute top-priority (like from a relative or lover.) They're just swamped.

Anyhow, I guess either spam is a big problem or it isn't. Everything I say is based on the premise that spam is a big problem. If it isn't then we are truly wasting our time here.

>
> >> Please present your definition of SPAM. I don’t see how a shipping
> >> notification, a transaction receipt, etc. could possibly be considered
> >> SPAM.
> >
> > My whole point is I don't WANT to have a definition of spam, except as
> > a bad memory.
> >
> > I'm trying to figure out how to change the ecology/economics so spam
> > is difficult, a minor problem.
>
> I get what you want, but I don’t see it as a solution due to the negative
> consequences described elsewhere in the thread.

Well, if you don't see spam as much of a problem then surely most anti-spam proposals are going to seem too costly, right?

> >
> > That's sort of like saying my car can drive down the road perfectly
> > well with some gasoline etc, why do I need to pay taxes for police?
>
> I often find myself wondering exactly that… Usually after trying to get some
> service or other that the police are supposed to be providing.
>
> Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t
> pay taxes for police. Neither does the city, which owns quite a fleet of
> vehicles. So, what is your equivalent in this regime to the “tax exempt
> organization”?

Maybe I haven't had enough coffee yet but I truly don't understand what you're asking here.

> >
> > Recipients wouldn't pay in my scheme.
>
> OK, turn it around and you aren’t paying a separate fee for the mailman to
> drive by your place each day to see if you have any outgoing mail, either.

You must live in some low-density population area, here in Boston the letter carriers won't take outgoing mail. I tried one day and the guy just sneered "put it in a box, that's all I'd do with it!"

Obviously there are people emptying those mailboxes but it's...where are we going with this?

>
> > If you mean that legitimate senders have to pay and somehow recover
> > that cost, well, we all pay for police and other security. Security is
> > often like that. When you pay for a prison you pay to house prisoners,
> > any benefit to you is at best abstract (they're not on the streets
> > etc.)
>
> I don’t pay the USPS any separate taxes to support the postal inspectors.
> That’s rolled up into the postage.
>
> >> Further, if someone sends me something I don’t want, I can mark it
> >> “refused, return to sender” and the post office is obliged to do so and I
> >> don’t pay anything for it.
> >
> > This is probably getting off-track, but are you sure about that with
> > the USPS?
>
> Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell
> you to throw it away. I don’t pay anything for that, either.

Ok, nothing stops you in this scheme from returning an email to the sender. Maybe it could even be made free, probably just like

Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/30/14, 10:03 AM, Barry Shein wrote:

>
> The problem is the world is a very sloppy place and tends to function
> in spite of proofs that "bumblebees can't fly" etc. when there's a
> need.

which is fortunately, mythology based on catastrophically bad modeling so your analogy is spot on.

> > R's,
> > John
> >
> > PS: Sometimes a WKBI really is a WKBI.
>

Re: why IPv6 isn't ready for prime time, SMTP edition
On March 30, 2014 at 04:47 jo...@iecc.com (John Levine) wrote:

> >When people talked of "virtual currency" over the years, often arguing
> >that it's too hard a problem, how many described bitcoin with its
> >cryptographic mining etc?
>
> None, but it shouldn't be hard to look at the way bitcoin works and
> realize why it'd be phenomenally ill suited for e-postage, just for
> technical reasons. I told Satoshi so in 2009.

I wasn't suggesting bitcoin was a model for e-postage, only that a lot of papers were written saying systems like bitcoin were more or less impossible (usually based on the double-spending problem.)

But bitcoin seems to have gained quite a bit of traction nonetheless though it may well still be a bad idea.

The problem is the world is a very sloppy place and tends to function in spite of proofs that "bumblebees can't fly" etc. when there's a need.

> R's,
> John
>
> PS: Sometimes a WKBI really is a WKBI.

--
-Barry Shein

The World | b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

Re: why IPv6 isn't ready for prime time, SMTP edition
Sent from my BlackBerry 10 smartphone on the Rogers network.

Original Message
From: John Levine
Sent: Saturday, March 29, 2014 11:35 PM
To: nanog@nanog.org
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition

>IF the overriding problem is due to an inability to identify and
>authenticate the identification of the sender, then let us work on
>establishing a protocol for identifying the sender and authenticating
>the identification of the sender and permitting the receiver to accept
>or deny acceptance of traffic by reference to that identification.

We've got DKIM, SPF, S/MIME, and PGP. What more do you want?

R's,
John

Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 29, 2014, at 1:31 PM, Barry Shein wrote:

>
> On March 29, 2014 at 08:28 o...@delong.com (Owen DeLong) wrote:
>>> So if a spammer or junk mailer could, say, trick you into accepting
>>> mail in those schemes then they get free advertising, no postage
>>> anyhow.
>>
>> Sure, but how would they trick you into saying “I wanted this advertising”
>> once you’ve actually seen that it is advertising.
>
> I dunno, but they trick people all the time, isn't that what the
> entire phishing industry is based on?
>
> I guess the real point is that this idea that one would be sorting
> through their email saying don't charge for this one I want it, charge
> for this one, I don't, etc is not a good idea.

I was envisioning a system more where you white-listed your known contacts up front, then only needed to say “refund this one and add to white-list” or “refund this one” when confronted with one that wasn’t already white-listed that you didn’t feel was spam.

>>> We're getting lost in the metaphors methinks.
>>
>> I don’t think so, I think we’re having differing visions of how it would
>> work in detail.
>
> Well, that's always the problem at some point. Lacking a specific,
> detailed proposal one tries to work out how it might work, look for
> inherent flaws in the idea, show stoppers.
>
> This is basically brainstorming.

Yep… Wasn’t a criticism, merely an effort to home in on a more accurate problem description for the communications failures so we weren’t trying to solve the incorrect cause.

>>>>> So offering to not charge you because you wanted that mail makes no
>>>>> sense, right?
>>>>
>>>> But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
>>>
>>> FIRST: There's a typo/thinko in my sentence!
>>>
>>> Should be:
>>>
>>> So offering to not charge THE SENDER because THE RECIPIENT wanted
>>> that mail makes no sense, right?
>>>
>>> SECOND:
>>>
>>> In response, someone has to scale resources to match volume.
>>>
>>> But maybe my typo/thinko confused this because you know that, sorry.
>>
>> Yes, but those costs are essentially already sunk in existing internet
>> access. The cost of transmission is already paid by all parties involved.
>> This wouldn’t be intended to subsidize that. The reason for splitting the
>> postage between the recipient and the recipient ISP was to aid in recovery
>> of the costs of administering the postage process.
>
> What about the costs of anti-spam technology? And all the other
> problems spam incurs? I thought that's why we were here.

Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?

>> Please present your definition of SPAM. I don’t see how a shipping
>> notification, a transaction receipt, etc. could possibly be considered SPAM.
>
> My whole point is I don't WANT to have a definition of spam, except as
> a bad memory.
>
> I'm trying to figure out how to change the ecology/economics so spam
> is difficult, a minor problem.

I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread.

>>> Just like my analogy with the post office, they wouldn't deliver mail
>>> for free just because the recipient wanted it.
>>
>> That postage is already being paid for email… You pay for internet access
>> and so do the spammers, so the idea that your proposed e-postage is a
>> payment related to the delivery of the mail is absurd from the beginning.
>
> Again, we're talking about spam and the harm it does, the costs it
> incurs. And phishing etc.
>
> That's sort of like saying my car can drive down the road perfectly
> well with some gasoline etc, why do I need to pay taxes for police?

I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing.

Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”?

>>>> The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
>>>
>>> The vast majority of paper mail I get from my bank accounts is useful
>>> and informative and often legally important.
>>>
>>> But every one of them has postage attached.
>>
>>

Re: why IPv6 isn't ready for prime time, SMTP edition
>When people talked of "virtual currency" over the years, often arguing
>that it's too hard a problem, how many described bitcoin with its
>cryptographic mining etc?

None, but it shouldn't be hard to look at the way bitcoin works and realize why it'd be phenomenally ill suited for e-postage, just for technical reasons. I told Satoshi so in 2009.

R's,
John

PS: Sometimes a WKBI really is a WKBI.

Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 22:34 jo...@iecc.com (John R. Levine) wrote:

> > > Don't forget "Vanquish was a complete failure, so why would this be
> > > any different?" and "do I want Phil Raymond to sue me for violating
> > > the patent on this exact scheme?"
> >
> > That was a specific reply by me to a specific suggestion of a
> > mechanism refunding e-postage to the sender if one wanted an e-mail or
> > leaving the charge if not.
> >
> > As I said I think it's overly complex in implementation and not of
> > much benefit.
> >
> > I don't see where Vanquish does any of this from the product site tho
> > I could look at the patents, they might cover more than they used in
> > products of course.
>
> Really, this is a WKBI from 1997. Look at the patent if you don't believe
> me.

I don't know what "WKBI" means and google turns up nothing. I'll guess "Well Known Bad Idea"?

Since I said that I found the idea described above uninteresting I wonder what is a "WKBI" from 1997? The idea I rejected?

Also, I remember ideas being shot down on the ASRG (Anti-Spam Research Group) list primarily because they would take ten years to gain acceptance. Over ten years ago.

Maybe they were bad ideas for other reasons. Some certainly were.

But there's this tone of off-the-cuff dismissal, oh that would take TEN YEARS to gain traction, or that's a WKBI, which I don't find convincing.

I read your paper, for example, and said it's a nice paper. But I don't find it compelling to the degree you seem to want it to be because it mostly makes a bunch of assumptions about how an e-postage system would work and proceeds to argue that the particular model you describe (and some variants) creates impossible or impractical hurdles.

But what if it worked differently?

At some point you're just reacting to the term "e-postage" and whatever it happens to mean to you, right?

You can't really say you've exhaustively worked out every possibility which might be labelled "e-postage". Only a particular interpretation, a fairly specific model, or a few.

When people talked of "virtual currency" over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc?

Bitcoin might well be a lousy solution. But there it is nonetheless, and despite the pile of papers which argued that this sort of thing was impossible or nearly so.

Note: Yes, I can also argue that Bitcoin is not truly a virtual currency.

Sometimes a problem is like the Gordian Knot of ancient lore which no one could untie. And then Alexander The Great swung his sword and the crowds cried "cheat!" but he then became King of Asia just as prophesized.

>
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly

--
-Barry Shein

The World | b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

Re: why IPv6 isn't ready for prime time, SMTP edition
>IF the overriding problem is due to an inability to identify and >authenticate the identification of the sender, then let us work on >establishing a protocol for identifying the sender and authenticating >the identification of the sender and permitting the receiver to accept >or deny acceptance of traffic by reference to that identification. We've got DKIM, SPF, S/MIME, and PGP. What more do you want? R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
Although that's useful for some situations it's not at the heart of the spam problem, or is just one small facet at best. People you don't know, like perhaps me right now, will send you email which isn't spam, and which presumably you're ok with receiving. So, it's not the overriding problem with spam. On March 29, 2014 at 18:58 larryshel...@cox.net (Larry Sheldon) wrote: > On 3/29/2014 12:59 PM, Jimmy Hess wrote: > > > *Postage schemes as proposed with end users email clients 'attaching > > postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng > > Not in any conceivable future version of IP. > > And I insist that we are all wasting our time trying to make SMTP and > its supporting protocols (and their kin under IPX/SPC, Sperrylink, UUCP, > et alia) are not at the transport layer and nothing at the transport > layer is responsible for nor rich with solutions for their problems. > > IF the overriding problem is due to an inability to identify and > authenticate the identification of the sender, then let us work on > establishing a protocol for identifying the sender and authenticating > the identification of the sender and permitting the receiver to accept > or deny acceptance of traffic by reference to that identification. > > > -- > Requiescas in pace o email Two identifying characteristics > of System Administrators: > Ex turpi causa non oritur actio Infallibility, and the ability to > learn from their mistakes. >(Adapted from Stephen Pinker) -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] ... which is completely irrelevant because they don't have a double spending problem. Sheesh. It's easy to scale up stuff that is trivially parallelizable.* Also, I wrote that ten years ago. Add an extra zero or two to the numbers if you want, but it doesn't make any difference. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly * - a term of art, look it up
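The double-spending point in the reply above, as an added example that is not part of any message in the thread: a toy e-postage stamp whose authenticity check is stateless, while the "already spent?" check needs one shared record. The stamp format, the HMAC tagging and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed demo key for a hypothetical stamp issuer.
ISSUER_KEY = secrets.token_bytes(32)


def issue_stamp(key: bytes) -> str:
    """Return 'serial.tag': a random serial plus an HMAC-SHA256 tag over it."""
    serial = secrets.token_hex(16)
    tag = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()
    return f"{serial}.{tag}"


def stamp_is_authentic(key: bytes, stamp: str) -> bool:
    """Stateless check: any node holding the key can run it independently."""
    serial, sep, tag = stamp.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


class LocalReplica:
    """A receiving node that only remembers the stamps it has seen itself."""

    def __init__(self, key: bytes):
        self.key = key
        self.spent = set()

    def redeem(self, stamp: str) -> bool:
        if not stamp_is_authentic(self.key, stamp):
            return False
        serial = stamp.partition(".")[0]
        if serial in self.spent:
            return False
        self.spent.add(serial)
        return True


class SharedLedger:
    """One authoritative spent set; check-and-mark is atomic under a lock."""

    def __init__(self, key: bytes):
        self.key = key
        self._spent = set()
        self._lock = threading.Lock()

    def redeem(self, stamp: str) -> bool:
        # The signature check needs no shared state and stays outside the lock.
        if not stamp_is_authentic(self.key, stamp):
            return False
        serial = stamp.partition(".")[0]
        # The spent check must be serialized per stamp: test and mark together.
        with self._lock:
            if serial in self._spent:
                return False
            self._spent.add(serial)
            return True


def replay_across_replicas(stamp: str, n_nodes: int, key: bytes = ISSUER_KEY) -> int:
    """Present one stamp once to each of n uncoordinated nodes; count accepts."""
    nodes = [LocalReplica(key) for _ in range(n_nodes)]
    return sum(node.redeem(stamp) for node in nodes)


def replay_against_ledger(stamp: str, n_attempts: int, key: bytes = ISSUER_KEY) -> int:
    """Present one stamp n times concurrently to a shared ledger; count accepts."""
    ledger = SharedLedger(key)
    with ThreadPoolExecutor(max_workers=n_attempts) as pool:
        results = list(pool.map(lambda _: ledger.redeem(stamp), range(n_attempts)))
    return sum(results)


if __name__ == "__main__":
    demo = issue_stamp(ISSUER_KEY)
    print("accepted by 8 uncoordinated replicas:", replay_across_replicas(demo, 8))
    print("accepted by one shared ledger, 8 tries:", replay_against_ledger(demo, 8))
```

The replicas each accept the replayed stamp because none of them can see the others' spent sets; only the ledger, where every redemption of a given serial meets the same record, holds the count to one.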
Re: why IPv6 isn't ready for prime time, SMTP edition
> Don't forget "Vanquish was a complete failure, so why would this be > any different?" and "do I want Phil Raymond to sue me for violating > the patent on this exact scheme?" That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not. As I said I think it's overly complex in implementation and not of much benefit. I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course. Really, this is a WKBI from 1997. Look at the patent if you don't believe me. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, Mar 26, 2014 at 9:59 AM, John Levine wrote: > >That way? Make e-mail cost; have e-postage. > > Gee, I wondered how long it would take for this famous bad idea to > reappear. > > I wrote a white paper ten years ago explaining why e-postage is a > bad idea, and there is no way to make it work. Nothing of any > importance has changed since then. > > http://www.taugh.com/epostage.pdf > > R's, > John > > PS: Yes, I've heard of Bitcoins. > > Good lord. I love your page about how a micropayment handling system would have to be so immense it couldn't possibly be built, because otherwise someone would have built one by now. The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] You're postulating needing something 100x the size of the credit card processing system, which does 100,000,000 transactions/day. Facebook's presentation talks about doing billions *per second*, which if I do the math right, puts it conservatively at almost 900,000x the scale of the credit card processing system; certainly well beyond the threshold of what you considered necessary to handle email micropayment transactions. I suspect your notion of "Creating a transaction system large enough for e-postage would be prohibitively expensive." is no longer true. Matt [0] https://www.usenix.org/conference/nsdi13/technical-sessions/presentation/nishtala
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 22:37 jo...@iecc.com (John Levine) wrote: > >But I think it introduces all sorts of complexities for not much > >gain. Needs more thinking, including "is this really a problem that > >needs to be solved?" > > Don't forget "Vanquish was a complete failure, so why would this be > any different?" and "do I want Phil Raymond to sue me for violating > the patent on this exact scheme?" That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not. As I said I think it's overly complex in implementation and not of much benefit. I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course. HOWEVER: a) If you really were referring to the context of that remark, refunding postage to desired senders, not much problem since I don't see that as useful anyhow. b) If there's some broader context, well, patents can get licensed and otherwise negotiated so I don't know why anyone would be suing anyone. This reminds me of when I was working on a Rock & Roll 50th Anniversary site and we'd put up materials licensed for use by the site. And I'd get this non-stop stream of YOU WILL GET SUED! emails from people who merely visited the site, many DEMANDING we immediately produce proof to them that the material was properly licensed or take it down IMMEDIATELY! And they would be CHECKING! etc. Some would even phone the office and scream at me. None were owners or had any interest in the materials which, as I said, were all properly licensed. There was never any actual problem, not a hint. Gratuitous anecdote: The only (very tiny, funny) problem we ever had was when Elvis Presley Enterprises (which is, yes, that Elvis Presley) printed up T-shirts using some of our slogans which we clearly marked as TM. 
I sent them a letter offering a $0 license to print as many T-shirts as they like if they just mentioned us in their ads in some friendly way once in a while...LET'S TALK! I mean, hey, this is Elvis Presley Enterprises! Respect to The King. I got back this amazing letter from what must have been a strip mall lawyer, the stationery was truly cheesy (it had logs on it, some sort of good ol' boy western theme I guess), asserting that we had no rights in those slogans because we were NOT in the T-shirt/Apparel business (i.e., USPTO category.) I dropped the matter because it was just too silly to even respond to and figured if it ever seemed to make a difference I'd worry about it. They didn't seem to be selling too many of those T-shirts anyhow, and now they'd been informed and had acknowledged notice which is half the game. Nothing came of it. Not much came of the site either, unfortunately tho I did get to meet a lot of interesting people. Bo Diddley called me once to tell me how great he thought it all was and could he help! > R's, > John > > PS: You must have met him at one of the spam conferences. I met him a > few times. Maybe, I'm looking at his picture and his face doesn't ring a bell but he seems to be here in the Boston area so if there were a mutual interest I suppose a meeting would be easy enough. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/29/2014 12:59 PM, Jimmy Hess wrote: *Postage schemes as proposed with end users email clients 'attaching postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng Not in any conceivable future version of IP. And I insist that we are all wasting our time trying to make SMTP and its supporting protocols (and their kin under IPX/SPC, Sperrylink, UUCP, et alia) are not at the transport layer and nothing at the transport layer is responsible for nor rich with solutions for their problems. IF the overriding problem is due to an inability to identify and authenticate the identification of the sender, then let us work on establishing a protocol for identifying the sender and authenticating the identification of the sender and permitting the receiver to accept or deny acceptance of traffic by reference to that identification. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: why IPv6 isn't ready for prime time, SMTP edition
>But I think it introduces all sorts of complexities for not much >gain. Needs more thinking, including "is this really a problem that >needs to be solved?" Don't forget "Vanquish was a complete failure, so why would this be any different?" and "do I want Phil Raymond to sue me for violating the patent on this exact scheme?" R's, John PS: You must have met him at one of the spam conferences. I met him a few times.
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 08:28 o...@delong.com (Owen DeLong) wrote: > > So if a spammer or junk mailer could, say, trick you into accepting > > mail in those schemes then they get free advertising, no postage > > anyhow. > > Sure, but how would they trick you into saying “I wanted this advertising” > once you’ve actually seen that it is advertising. I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on? I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea. As I said earlier what might work is when you sign up for some email (list, advertising, customer account) you can also enter some sort of cookie which the sender can use to charge against your epostage quota. But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including "is this really a problem that needs to be solved?" > > > We're getting lost in the metaphors methinks. > > I don’t think so, I think we’re having differing visions of how it would > work in detail. Well, that's always the problem at some point. Lacking a specific, detailed proposal one tries to work out how it might work, look for inherent flaws in the idea, show stoppers. This is basically brainstorming. > > >>> So offering to not charge you because you wanted that mail makes no > >>> sense, right? > >> > >> But this isn’t a charge for the post office and by the time you’re > >> connected to the internet, the cost of receiving the mail and > >> transporting it and the sender sending it is pretty much sunk by some > >> arguments. > > > > FIRST: There's a typo/thinko in my sentence! > > > > Should be: > > > > So offering to not charge THE SENDER because THE RECIPIENT wanted > > that mail makes no sense, right? > > > > SECOND: > > > > In response, someone has to scale resources to match volume. 
> > > > But maybe my typo/thinko confused this because you know that, sorry. > > Yes, but those costs are essentially already sunk in existing internet > access. The cost of transmission is already paid by all parties involved. > This wouldn’t be intended to subsidize that. The reason for splitting the > postage between the recipient and the recipient ISP was to aid in recovery > of the costs of administering the postage process. What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here. (trying to elide a lot...) > > Please present your definition of SPAM. I don’t see how a shipping > notification, a transaction receipt, etc. could possibly be considered SPAM. My whole point is I don't WANT to have a definition of spam, except as a bad memory. I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem. > > > Just like my analogy with the post office, they wouldn't deliver mail > > for free just because the recipient wanted it. > > That postage is already being paid for email… You pay for internet access > and so do the spammers, so the idea that your proposed e-postage is a > payment related to the delivery of the mail is absurd from the beginning. Again, we're talking about spam and the harm it does, the costs it incurs. And phishing etc. That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police? > > >> The vast majority of messages I get from Amazon are order confirmations, > >> shipping status reports, etc. Messages related to transactions I have > >> conducted with them. Yes, I get a little bit of SPAM from them and I > >> wouldn’t mind seeing them forced to pay me for those messages, but I > >> certainly don’t want to see them paying for every message they send. 
> > > > The vast majority of paper mail I get from my bank accounts is useful > > and informative and often legally important. > > > > But every one of them has postage attached. > > Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the > mailman drives by whether you receive mail or not and neither is your bank. > I certainly don’t want to start double-paying for spam (or legitimate email > for that matter). Recipients wouldn't pay in my scheme. If you mean that legitimate senders have to pay and somehow recover that cost, well, we all pay for police and other security. Security is often like that. When you pay for a prison you pay to house prisoners, any benefit to you is at best abstract (they're not on the streets etc.) > > Further, if someone sends me something I don’t want, I can mark it “refused, > return to sender” and the post office is obliged to do so and I don’t pay > anything for it. This is probably getting off-track, but are you sure about that with the USPS? You can mark it NSA
Re: why IPv6 isn't ready for prime time, SMTP edition
On Fri, Mar 28, 2014 at 4:15 PM, Barry Shein wrote: > On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote: > [snip] > I thought the suggestion was that a recipient (email, or by analogy > postal) could indicate they wanted an email which would cancel the > postage attached, that is, no charge to sender if they wanted it. > > So if a spammer or junk mailer could, say, trick you into accepting > mail in those schemes then they get free advertising, no postage > anyhow. > *Postage schemes as proposed with end users email clients 'attaching postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng Not in any conceivable future version of IP. *Believe end users being served by mail servers WON'T tolerate postage, or the extra difficulty in configuring their email client, even from a free service. Spam is a serious problem, and different mail users don't agree on exactly what messages are spam, BUT from end users' perspective: they all tend to agree that it is their provider's job to have made all the spam go away, but delivered all good mail with 100% accuracy. Moreover, mail users expect, this should be 100% transparent, requiring no extra work from the mail user. Confirming that a message was OKAY, or that it was spam is definitely outside the compass of your average mail user. Therefore it would almost definitely be e-mail mailbox providers footing the bill on behalf of their subscribers in any 'charge postage' scheme that ever had a reasonable chance of working. Must be completely transparent to end users. Any treatment for spam ultimately needs to have some conceivable way of being implemented to be less harmful and annoying than the disease. Therefore: Must not have any significant burdens for at least 95% of legitimate users, and the burden of the 5% of legitimate users must be low and worth it. 
Email hosting providers still just have to use the flat rate monthly service fee to recover their costs, AND costs have to be low enough that free mail providers can still work -- supported by advertising : users will revolt against SP, if there are extra charges. Therefore "Postage must be optional". Perhaps, by separating mail into multiple classes, and requiring postage only for certain classes. Such as "Unpostaged Email" --- Extreme spam filtering, likely deliverability issues (what we have today) "Bulk Class Email" --- subject to reduced spam filtering, reduced postage, Only available to authorized SMTP senders. "First class Email" --- Intended for private correspondence, greater postage, reduced spam filtering "Priority Email" --- Intended for extremely urgent messages, high postage, for time sensitive matters very little or no spam filtering. And the process by which SMTP operators could reach agreement to charge each other for traffic, and on what rate should be standard, is difficult to conceive. Postage would incentivize SMTP operators: to scrutinize users' traffic and limit abuse or excessive mail outflow from any one user. But who could say... that a particularly lucrative spam campaign won't come from the spammer attached with the proper postage? > In theory SMTP providers could do this... exchange postage between SMTP operators and completely hide it from end users, but the problem is it requires agreement... and consistent rules, otherwise e-mail perhaps becomes too expensive: or not sufficiently predictably inexpensive. Now if SMTP providers charge each other postage... postage SPENT should be offset by postage RECEIVED. When e-mail conversations are mostly symmetrical --- for example: two users e-mailing each other, then the ratio of messages OUT to messages IN should be pretty close to 1.0, or at least not 1000 to 1; Which means the two SMTP servers could charge each other postage, but the postage spent is offset by postage received. 
This would be different for commercial bulk mailers ("legitimate" or otherwise), AND as a result --- they would pay. Shifting some costs back from sender to receiver of the message. And... perhaps the commercial mailers _should_ bear costs. As commercial mailings create support costs (when false positive'd by spam filters), And... additional storage cost (before the user downloads their message from their POP3 mailbox). Also large-scale bulk mail consumes bandwidth, memory, and processing power. So... how could it work technically... One possibility: a SMTP server proves postage deposited, by each presenting a cryptocurrency wallet address in the HELO banner and the 250 reply; for the smtp transaction to proceed, the sending server needs to be challenged to prove it has the balance to pay --- and challenged then to p
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 28, 2014, at 2:15 PM, Barry Shein wrote: > > On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote: >>> Advertising is a valuable commodity. Free advertising is particularly >>> valuable, ROI with I close to zero. >> >> But it’s only free if you send it to yourself and then approve it. Any >> message you send to someone else who doesn’t want it isn’t free. > > I thought the suggestion was that a recipient (email, or by analogy > postal) could indicate they wanted an email which would cancel the > postage attached, that is, no charge to sender if they wanted it. Yes, but you’d have to say “I wanted this” effectively after receiving and opening the mail, knowing what was inside, not before. > So if a spammer or junk mailer could, say, trick you into accepting > mail in those schemes then they get free advertising, no postage > anyhow. Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising. > We're getting lost in the metaphors methinks. I don’t think so, I think we’re having differing visions of how it would work in detail. >>> So offering to not charge you because you wanted that mail makes no >>> sense, right? >> >> But this isn’t a charge for the post office and by the time you’re connected >> to the internet, the cost of receiving the mail and transporting it and the >> sender sending it is pretty much sunk by some arguments. > > FIRST: There's a typo/thinko in my sentence! > > Should be: > > So offering to not charge THE SENDER because THE RECIPIENT wanted > that mail makes no sense, right? > > SECOND: > > In response, someone has to scale resources to match volume. > > But maybe my typo/thinko confused this because you know that, sorry. Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. 
The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process. >> This is an effort to provide a financial disincentive for spamming. > > Did I say that or you? I agree! > > Possibly with myself. Which judging by my just previous comments is > not always a given. I said it, but I’m glad we are in agreement. >>> If you want to attach e-postage you have to go get some and that can >>> be a contract which says you don't do that, if you have multiple >>> accounts you split it among your accounts or buy more. And if you do >>> what you describe you understand that it is criminal fraud. Click >>> Agree [ ] before proceeding, or similar. >> >> Because spammers are all on the up and up and never commit fraud in order to >> send their SPAM, right? > > I'm trying to create an economics around enforcement. > > But it's helpful to convince the relatively honest public that what > you describe is a serious crime tantamount to counterfeiting. Yes, that would be very helpful. > And we don't want to be in a situation like we were in 1996 where we > were debating whether Spam is even a crime. Sadly, we seem to be in a situation where we have no good legal definition of the crime and where the criminal definition of SPAM has been so badly watered down by regulators as to neuter any attempts to regulate it out of existence or prosecute it criminally. Worse, even if it is a crime in jurisdiction A, it becomes very difficult to prosecute a spammer in jurisdiction B for sending SPAM to a recipient in jurisdiction A. > Enforcement is your usual avoidance, detection, recovery, sort of > affair. But there has to be an economics pushing it or it gets mostly > ignored (except for people complaining about spam.) Yep. > Compare and contrast for example spamming vs RIAA style enforcement of > copyright violations. 
I would not say that RIAA is the shining example to emulate, but, yes for this particular concept, I think you have the right idea. >> No, it assumes that most of the messages I get from Amazon are NOT SPAM. > > And I'm arguing we need to change our attitudes on this. > > This whole idea that because the recipient wants it it isn't "spam" is > wearing thin. Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM. > Just like my analogy with the post office, they wouldn't deliver mail > for free just because the recipient wanted it. That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning. >> The vast majority of messages I get from Amazon are order confirmations, >> shipping status reports, etc. Messages related to transactions I have >> conducted with them. Yes, I get a little bit of SPAM from them and I >> wouldn’t mind se
Re: why IPv6 isn't ready for prime time, SMTP edition
Composed on a virtual keyboard, please forgive typos. > On Mar 29, 2014, at 3:15, Måns Nilsson wrote: > Quoting John R. Levine (jo...@iecc.com): >>> Ergo, ad hominem. Please quit doing that. >>> As a side note I happen to run my own mail server without spam filters >>> -- it works for me. I might not be the norm, but then again, is there >>> really a norm? (A norm that transcends SMTP RFC reach, that is -- >> >> I know a lot of people who run a lot of mail systems, and let's just >> say you're so far out in the long tail we need a telescope to see >> you. > > I will not debate with people who resort to humiliation techniques > when questioned. I will not argue whether you were humiliated as that is something only you can decide. However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself. Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-) -- TTFN, patrick
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Thu, Mar 27, 2014 at 10:32:42AM -0400 Quoting John R. Levine (jo...@iecc.com): > >Ergo, ad hominem. Please quit doing that. > >As a side note I happen to run my own mail server without spam filters > >-- it works for me. I might not be the norm, but then again, is there > >really a norm? (A norm that transcends SMTP RFC reach, that is -- > > I know a lot of people who run a lot of mail systems, and let's just > say you're so far out in the long tail we need a telescope to see > you. I will not debate with people who resort to humiliation techniques when questioned. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 I feel like a wet parking meter on Darvon!
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote: > > Advertising is a valuable commodity. Free advertising is particularly > > valuable, ROI with I close to zero. > > But it’s only free if you send it to yourself and then approve it. Any > message you send to someone else who doesn’t want it isn’t free. I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it. So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. We're getting lost in the metaphors methinks. > > > So offering to not charge you because you wanted that mail makes no > > sense, right? > > But this isn’t a charge for the post office and by the time you’re connected > to the internet, the cost of receiving the mail and transporting it and the > sender sending it is pretty much sunk by some arguments. FIRST: There's a typo/thinko in my sentence! Should be: So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right? SECOND: In response, someone has to scale resources to match volume. But maybe my typo/thinko confused this because you know that, sorry. > > This is an effort to provide a financial disincentive for spamming. Did I say that or you? I agree! Possibly with myself. Which judging by my just previous comments is not always a given. > > If you want to attach e-postage you have to go get some and that can > > be a contract which says you don't do that, if you have multiple > > accounts you split it among your accounts or buy more. And if you do > > what you describe you understand that it is criminal fraud. Click > > Agree [ ] before proceeding, or similar. > > Because spammers are all on the up and up and never commit fraud in order to > send their SPAM, right? I'm trying to create an economics around enforcement. 
But it's helpful to convince the relatively honest public that what you describe is a serious crime tantamount to counterfeiting. And we don't want to be in a situation like we were in 1996 where we were debating whether Spam is even a crime. Enforcement is your usual avoidance, detection, recovery, sort of affair. But there has to be an economics pushing it or it gets mostly ignored (except for people complaining about spam.) Compare and contrast for example spamming vs RIAA style enforcement of copyright violations. Spamming? The occasional shutdown of a botnet tho those may be more motivated by DDoS and phishing. Copyright? Megaupload, wham, Bit torrents, wham, site takedowns, RIAA lawsuits, wham wham wham. Lawyers, guns, and money. What's the difference? Clear monied interests in the latter. > > >>> Who can't operate with 1M msgs/day? > >>> > >>> Well, maybe Amazon or similar. > >>> > >>> But as I said earlier MAYBE THEY SHOULD PAY ALSO! > >> > >> I, for one, don?t want my Amazon prices increased by a pseudo-tax on the > >> fact that they do a large volume of email communications with their > >> customers. They have enough problems trying to get IPv6 deployed without > >> adding this to their list of problems. > > > > That assumes that spam is free for them, and you. Including "free" as > > in "stealing your time?. > > No, it assumes that most of the messages I get from Amazon are NOT SPAM. And I'm arguing we need to change our attitudes on this. This whole idea that because the recipient wants it it isn't "spam" is wearing thin. Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it. It's a fundamentally broken idea and spam is its bastard offspring. > The vast majority of messages I get from Amazon are order confirmations, > shipping status reports, etc. Messages related to transactions I have > conducted with them. 
Yes, I get a little bit of SPAM from them and I > wouldn?t mind seeing them forced to pay me for those messages, but I > certainly don?t want to see them paying for every message they send. The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important. But every one of them has postage attached. But maybe there could be some way to reverse charges like you can with fedex and similar. When you sign up with Amazon et al you also enter your (free) e-postage cert (whatever, some cookie) giving them permission to charge against it for some list of mutually agreeable emailings like order confirms and maybe even marketing materials. There are some implementation details involved but it doesn't strike me as a crazy idea. > > >>> We really need to get over the moral component of spam content (and > >>> senders' intentions) and see it for what it is: A free ride anyone > >>> would take if available. > >> > >> I disagree.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 28, 2014, at 6:30 AM, Brandon Ross wrote: > On Fri, 28 Mar 2014, Owen DeLong wrote: > >> This assumes a different economic model of SPAM that I have been lead to >> believe exists. >> >> My understanding is that the people sending the SPAM get paid immediately >> and that the people paying them to send it are the ones hoping that the >> advertising/phishing/etc. are acted on. > > Fine, then the people paying the people who do the spamming have more of an > incentive to pay higher rates and more spammers. It doesn't really matter > how may layers of abstraction there are, the point is that the main motivator > has become more attractive. Perhaps… But I’m not convinced. Today we have more than sufficient motivation to continue to game the system and virtually no incentive to make the system less open to gaming. While I agree this would increase economic incentives to game the system slightly, it would also add some rather strong incentives to improve security and make the process of gaming much harder. Perhaps this isn’t a good solution, but it certainly cannot be argued that what we are doing so far is working. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On Fri, 28 Mar 2014 06:22:32 -0700, Owen DeLong said:
> This assumes a different economic model of SPAM that I have been led to
> believe exists.

> My understanding is that the people sending the SPAM get paid immediately and
> that the people paying them to send it are the ones hoping that the
> advertising/phishing/etc. are acted on.

Only because we haven't given them a way to monetize it immediately.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Fri, 28 Mar 2014, Owen DeLong wrote:

> This assumes a different economic model of SPAM that I have been led to
> believe exists.
>
> My understanding is that the people sending the SPAM get paid immediately
> and that the people paying them to send it are the ones hoping that the
> advertising/phishing/etc. are acted on.

Fine, then the people paying the people who do the spamming have more of an incentive to pay higher rates and more spammers. It doesn't really matter how many layers of abstraction there are, the point is that the main motivator has become more attractive.

--
Brandon Ross    Yahoo & AIM: BrandonNRoss
+1-404-635-6667    ICQ: 2269442
Skype: brandonross
Schedule a meeting: http://www.doodle.com/bross
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 28, 2014, at 5:27 AM, Brandon Ross wrote: > On Thu, 27 Mar 2014, Owen DeLong wrote: > >> On Mar 27, 2014, at 1:38 PM, Brandon Ross wrote: >> >>> On Thu, 27 Mar 2014, Owen DeLong wrote: >>> On Mar 27, 2014, at 11:15 AM, Barry Shein wrote: Please explain in detail where the fraud potential comes in. >>> >>> Spammer uses his botnet of zombie machines to send email from each of them >>> to his own domain using the user's legitimate email address as From:. >>> Spammer says it was unsolicited and keeps the full $.10/email that victim >>> users have deposited into this escrow thing. >>> >>> Sounds a lot more profitable than regular spam. >> >> You say this like having a tax on running a botted computer on the internet >> would be a bad thing. > > Heh, perhaps not... > >> I agree that it would provide a bit of profit to the spammers for a very >> short period of time, but I bet it would get a lot of bots fixed pretty >> quick. > > I don't think so. The motivations to continue to game the system are much > stronger under this scheme because the profits are immediate and direct. A > spammer no longer has to just hope that the advertising, phishing or whatever > they are up to is acted upon by the user, instead they get a somewhat > immediate cash payout that's not dependent on the user. This assumes a different economic model of SPAM that I have been lead to believe exists. My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thu, 27 Mar 2014, Owen DeLong wrote:

> On Mar 27, 2014, at 1:38 PM, Brandon Ross wrote:
>
>> On Thu, 27 Mar 2014, Owen DeLong wrote:
>>
>>> On Mar 27, 2014, at 11:15 AM, Barry Shein wrote:
>>>
>>> Please explain in detail where the fraud potential comes in.
>>
>> Spammer uses his botnet of zombie machines to send email from each of
>> them to his own domain using the user's legitimate email address as
>> From:. Spammer says it was unsolicited and keeps the full $.10/email
>> that victim users have deposited into this escrow thing.
>>
>> Sounds a lot more profitable than regular spam.
>
> You say this like having a tax on running a botted computer on the internet
> would be a bad thing.

Heh, perhaps not...

> I agree that it would provide a bit of profit to the spammers for a very
> short period of time, but I bet it would get a lot of bots fixed pretty
> quick.

I don't think so. The motivations to continue to game the system are much stronger under this scheme because the profits are immediate and direct. A spammer no longer has to just hope that the advertising, phishing or whatever they are up to is acted upon by the user, instead they get a somewhat immediate cash payout that's not dependent on the user.

--
Brandon Ross    Yahoo & AIM: BrandonNRoss
+1-404-635-6667    ICQ: 2269442
Skype: brandonross
Schedule a meeting: http://www.doodle.com/bross
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 27, 2014, at 10:31 PM, Barry Shein wrote: > > On March 27, 2014 at 12:14 o...@delong.com (Owen DeLong) wrote: >> >> On Mar 27, 2014, at 11:15 AM, Barry Shein wrote: >> >>> >>> On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote: Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? >>> >>> It's a fine idea but too complicated. >>> >>> Look, the (paper) post office doesn't say "oh, you WANTED that mail, >>> ok, then we'll return the cost of postage to the sender!" >>> >>> Why? Because if they did that people would game the system, THEY'D >>> SPAM! >> >> How would they benefit from that? > >> From what, being able to send free paper mail? I think that would be > considered a benefit by most junk mail advertisers. But see next... > >> SPAM — Pay, say $0.10/message. >> Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM >> you sent to yourself. >> Or, claim you didn’t want the SPAM and get $0.05/message for each message >> you received while the >> original provider keeps the other $0.05. >> >>> And it would take way too much bookkeeping and fraud identification etc. >> >> Please explain in detail where the fraud potential comes in. >> >> By my interpretation, you’d have to somehow get more back than you deposited >> (not really possible) in order to profit from sending SPAM this way. > > Well, it's advertising, so they do. > > Advertising is a valuable commodity. Free advertising is particularly > valuable, ROI with I close to zero. But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free. > So offering to not charge you because you wanted that mail makes no > sense, right? 
But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. This is an effort to provide a financial disincentive for spamming. > >>> Let's take a deep breath and re-examine the assumptions: >>> >>> Full scale spammers send on the order of one billion msgs per day. >>> >>> Which means if I gave your account 1M free msgs/day and could >>> reasonably assure that you can't set up 1,000 such accts then you >>> could not operate as a spammer. >> >> Not sure how you enforce these user account requirements or how you avoid >> duplicative accounts. > > If you want to attach e-postage you have to go get some and that can > be a contract which says you don't do that, if you have multiple > accounts you split it among your accounts or buy more. And if you do > what you describe you understand that it is criminal fraud. Click > Agree [ ] before proceeding, or similar. Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right? >>> Who can't operate with 1M msgs/day? >>> >>> Well, maybe Amazon or similar. >>> >>> But as I said earlier MAYBE THEY SHOULD PAY ALSO! >> >> I, for one, don’t want my Amazon prices increased by a pseudo-tax on the >> fact that they do a large volume of email communications with their >> customers. They have enough problems trying to get IPv6 deployed without >> adding this to their list of problems. > > That assumes that spam is free for them, and you. Including "free" as > in "stealing your time”. No, it assumes that most of the messages I get from Amazon are NOT SPAM. The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. 
Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send. >>> We really need to get over the moral component of spam content (and >>> senders' intentions) and see it for what it is: A free ride anyone >>> would take if available. >> >> I disagree. I see it as a form of theft of service that only immoral thieves >> would take if available. > > How can it be a theft of service if we're not charging anything? I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so. > Well, if they use others' resources it's a theft of those resources, > such as botnets, is that what you mean? Botnets, my mail server, my disk storage, my network, etc. where my mail is processed… All of the above. > But by morality I me
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 27, 2014, at 1:38 PM, Brandon Ross wrote: > On Thu, 27 Mar 2014, Owen DeLong wrote: > >> On Mar 27, 2014, at 11:15 AM, Barry Shein wrote: >> >> Please explain in detail where the fraud potential comes in. > > Spammer uses his botnet of zombie machines to send email from each of them to > his own domain using the user's legitimate email address as From:. Spammer > says it was unsolicited and keeps the full $.10/email that victim users have > deposited into this escrow thing. > > Sounds a lot more profitable than regular spam. You say this like having a tax on running a botted computer on the internet would be a bad thing. I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 27, 2014 at 12:14 o...@delong.com (Owen DeLong) wrote:
>
> On Mar 27, 2014, at 11:15 AM, Barry Shein wrote:
>
> >
> > On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote:
> >>
> >> Actually, a variant on that that might be acceptable… Make e-postage a
> >> deposit-based thing. If the recipient has previously white-listed you or
> >> marks your particular message as "desired", then you get your postage
> >> back. If not, then your postage is put into the recipients e-postage
> >> account to offset the cost of their emails.
> >>
> >> Thoughts?
> >
> > It's a fine idea but too complicated.
> >
> > Look, the (paper) post office doesn't say "oh, you WANTED that mail,
> > ok, then we'll return the cost of postage to the sender!"
> >
> > Why? Because if they did that people would game the system, THEY'D
> > SPAM!
>
> How would they benefit from that?

From what, being able to send free paper mail? I think that would be considered a benefit by most junk mail advertisers. But see next...

> SPAM — Pay, say $0.10/message.
> Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM
> you sent to yourself.
> Or, claim you didn't want the SPAM and get $0.05/message for each message
> you received while the
> original provider keeps the other $0.05.
>
> > And it would take way too much bookkeeping and fraud identification etc.
>
> Please explain in detail where the fraud potential comes in.
>
> By my interpretation, you'd have to somehow get more back than you deposited
> (not really possible) in order to profit from sending SPAM this way.

Well, it's advertising, so they do.

Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero.

Look, we can get lost in metaphors, but the point is that by the time the post office gets your mail to your doorstep virtually all the cost is sunk.

So offering to not charge you because you wanted that mail makes no sense, right?

> > Let's take a deep breath and re-examine the assumptions:
> >
> > Full scale spammers send on the order of one billion msgs per day.
> >
> > Which means if I gave your account 1M free msgs/day and could
> > reasonably assure that you can't set up 1,000 such accts then you
> > could not operate as a spammer.
>
> Not sure how you enforce these user account requirements or how you avoid
> duplicative accounts.

If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar.

>
> > Who can't operate with 1M msgs/day?
> >
> > Well, maybe Amazon or similar.
> >
> > But as I said earlier MAYBE THEY SHOULD PAY ALSO!
>
> I, for one, don't want my Amazon prices increased by a pseudo-tax on the
> fact that they do a large volume of email communications with their
> customers. They have enough problems trying to get IPv6 deployed without
> adding this to their list of problems.

That assumes that spam is free for them, and you. Including "free" as in "stealing your time".

Also, companies like Amazon probably wouldn't mind being able to out-capitalize spammers and others in competing for your eyeballs. They could probably put a price on that.

They're well aware that when they send you an email that says that some new book related to one you bought is available that the ad is surrounded by dozens if not hundreds of spam messages and likely you'll delete them all without reading.

So that's already a cost to them in terms of wasted advertising effort and lost sales.

I'd say we need to ask Amazon et al whether they'd see it as an economic plus if by paying a small amount of e-postage they could wipe out or seriously reduce all the chaff? Would that be a net positive or net negative to their bottom line?

Although I can certainly understand skepticism about whether this approach would deliver effectively I don't think the business case, the dollar value of reducing spam significantly, is disputable.

You'd always rather be the only billboard on the highway rather than just one in a hundred. Even if it costs you more (obviously up to a point.)

>
> > We really need to get over the moral component of spam content (and
> > senders' intentions) and see it for what it is: A free ride anyone
> > would take if available.
>
> I disagree. I see it as a form of theft of service that only immoral thieves
> would take if available.

How can it be a theft of service if we're not charging anything?

Well, if they use others' resources it's a theft of those resources, such as botnets, is that what you mean?

But by morality I mean that we tend to define spam in terms of generally agreed to be undesirable email content such as questionable herbal cures or other
Re: why IPv6 isn't ready for prime time, SMTP edition
>What if Google, Apple, Sony or some other household brand, sold a TV with >local mail capabilities, instead of pushing >everyone to use their hosted services? It would suck, because real users check their mail from their desktops, their laptops, and their phones. Your TV would not have the sophisticated mail sorting, archiving, and searching of the large mail systems. And, of course, when its cheap SSD flaked, you'd lose all your saved mail. I swear, this whole conversation feels like I've fallen through a wormhole into 1998.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thu, 27 Mar 2014, Owen DeLong wrote:

> On Mar 27, 2014, at 11:15 AM, Barry Shein wrote:
>
> Please explain in detail where the fraud potential comes in.

Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing.

Sounds a lot more profitable than regular spam.

--
Brandon Ross    Yahoo & AIM: BrandonNRoss
+1-404-635-6667    ICQ: 2269442
Skype: brandonross
Schedule a meeting: http://www.doodle.com/bross
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 27, 2014, at 11:15 AM, Barry Shein wrote: > > On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote: >> >> Actually, a variant on that that might be acceptable… Make e-postage a >> deposit-based thing. If the recipient has previously white-listed you or >> marks your particular message as “desired”, then you get your postage back. >> If not, then your postage is put into the recipients e-postage account to >> offset the cost of their emails. >> >> Thoughts? > > It's a fine idea but too complicated. > > Look, the (paper) post office doesn't say "oh, you WANTED that mail, > ok, then we'll return the cost of postage to the sender!" > > Why? Because if they did that people would game the system, THEY'D > SPAM! How would they benefit from that? SPAM — Pay, say $0.10/message. Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05. > And it would take way too much bookkeeping and fraud identification etc. Please explain in detail where the fraud potential comes in. By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way. > Let's take a deep breath and re-examine the assumptions: > > Full scale spammers send on the order of one billion msgs per day. > > Which means if I gave your account 1M free msgs/day and could > reasonably assure that you can't set up 1,000 such accts then you > could not operate as a spammer. Not sure how you enforce these user account requirements or how you avoid duplicative accounts. > Who can't operate with 1M msgs/day? > > Well, maybe Amazon or similar. > > But as I said earlier MAYBE THEY SHOULD PAY ALSO! I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. 
They have enough problems trying to get IPv6 deployed without adding this to their list of problems. > We really need to get over the moral component of spam content (and > senders' intentions) and see it for what it is: A free ride anyone > would take if available. I disagree. I see it as a form of theft of service that only immoral thieves would take if available. > Ok, a million free per acct might be too high but whatever, we can all > go into committee and do studies and determine what the right number > should be. > > I'd tend towards some sort of sliding scale myself, 100K/day free, > 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like > that. > > Why would it work? > > Because that's how human society works. > > People who are willing to pay their $10K/mo will demand something be > done about freeloaders, enforcement has to be part of the cost > overhead. But who charges these fees and how do they enforce those charges against miscreants that are sending from stolen hosts, bots, fraudulent IP addresses, etc.? > And it'd create an economy for hunting down miscreants. So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well). My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object. > P.S. And in my vision accepting only email with valid e-postage would > be voluntary though I suppose that might be "voluntary" at the > provider level. For example someone like gmail at some point (of > successful implementation of this scheme) might decide to just block > invalid e-postage because hey your gmail acct is free! Let someone > else sell you rules you prefer like controlling acceptance of invalid > e-postage yourself. 
Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them. Owen
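The deposit-based e-postage variant described in the message above, and the objection Brandon Ross raises to it earlier on this page, worked through as a small ledger model. This is an added example, not code from any poster in the thread or from an existing system: the account names, starting balances, the `Ledger` class and the `simulate()` helper are constructed, and amounts are in cents. It shows that settlement never creates money and no payer gets back more than it deposited, yet whoever controls the receiving account gains whenever the payer is a different party.

```python
from collections import defaultdict

POSTAGE = 10  # cents; the "$0.10/message" figure used in the thread


class Ledger:
    """Deposit-based e-postage: the payer's postage is refunded if the
    recipient marks the message wanted, otherwise it is forfeited."""

    def __init__(self, recipient_share=POSTAGE):
        # recipient_share=10: the whole postage goes to the recipient.
        # recipient_share=5:  the "$0.05 to the recipient, provider keeps
        #                     the other $0.05" split also mentioned above.
        if not 0 <= recipient_share <= POSTAGE:
            raise ValueError("recipient_share must be between 0 and POSTAGE")
        self.recipient_share = recipient_share
        self.balance = defaultdict(int)

    def fund(self, account, cents):
        self.balance[account] += cents

    def deliver(self, payer, recipient, wanted):
        """Charge the payer, then settle on the recipient's verdict."""
        if self.balance[payer] < POSTAGE:
            raise ValueError(f"{payer} has no postage left")
        self.balance[payer] -= POSTAGE
        if wanted:
            self.balance[payer] += POSTAGE  # deposit returned
        else:
            self.balance[recipient] += self.recipient_share
            self.balance["provider"] += POSTAGE - self.recipient_share

    def total(self):
        return sum(self.balance.values())


def simulate(funding, deliveries, owners, recipient_share=POSTAGE):
    """Return the net gain in cents of each party once every delivery settles.

    funding:    {account: starting balance}
    deliveries: [(payer_account, recipient_account, wanted), ...]
    owners:     {party: [accounts that party controls]}
    """
    ledger = Ledger(recipient_share)
    for account, cents in funding.items():
        ledger.fund(account, cents)
    before = ledger.total()
    for payer, recipient, wanted in deliveries:
        ledger.deliver(payer, recipient, wanted)
    if ledger.total() != before:
        raise AssertionError("settlement created or destroyed money")
    return {
        party: sum(ledger.balance[a] - funding.get(a, 0) for a in accounts)
        for party, accounts in owners.items()
    }


# Constructed sample data.
FUNDING = {"spammer": 1000, "alice": 500, "bob": 500}
OWNERS = {
    "spammer": ["spammer", "spammer-inbox"],
    "alice": ["alice"],
    "bob": ["bob"],
    "carol": ["carol"],
    "provider": ["provider"],
}
# 1. Sender mails its own inbox and marks everything wanted.
SELF_APPROVED = [("spammer", "spammer-inbox", True)] * 50
# 2. Sender mails a recipient who marks everything unwanted.
UNWANTED = [("spammer", "carol", False)] * 50
# 3. The objection: mail is charged to alice's and bob's deposits, arrives
#    in an inbox the spammer controls, and is marked unwanted there.
CHARGED_TO_VICTIMS = ([("alice", "spammer-inbox", False)] * 50
                      + [("bob", "spammer-inbox", False)] * 50)

if __name__ == "__main__":
    for name, log in [("self-approved", SELF_APPROVED),
                      ("unwanted", UNWANTED),
                      ("charged to victims", CHARGED_TO_VICTIMS)]:
        print(name, simulate(FUNDING, log, OWNERS))
    print("charged to victims, 5/5 split",
          simulate(FUNDING, CHARGED_TO_VICTIMS, OWNERS, recipient_share=5))
```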
Re: why IPv6 isn't ready for prime time, SMTP edition
Scott, You are exactly right, in the current environment the things I'm suggesting seem unrealistic. My point is that it doesn't have to work the way it does today, with the webmail providers, the mail originators and the spam warriors all scratching each others' backs. There has been a LOT of work done to make webmail easy and everything else practically impossible, even if you do know how it works. What if Google, Apple, Sony or some other household brand, sold a TV with local mail capabilities, instead of pushing everyone to use their hosted services? If it doesn't work because we are blocking it on purpose, customers would demand that we make it work. Since this isn't a well known option today, casual (non tech) users don't know that they should be demanding it. As far as why someone would want an MTA, it doesn't take long to explain the benefits of having control over your own email instead of having a third party reading it all. The problem is that instead users are told they can't have it. MTAs are built into every user operating system and they would work just fine if the email community wasn't going out of their way to exclude them. The lack of rDNS is just one of the many ways to identify and discriminate against end users who haven't bought their way into the club. Spam is not a big problem for everyone. It's at a different scale for individuals and for large sites with many users. -Laszlo On Mar 26, 2014, at 2:58 PM, Scott Buettner wrote: > This is totally ignoring a few facts. > > A: That the overwhelming majority of users don't have the slightest idea what > an MTA is, why they would want one, or how to install/configure one. ISP/ESP > hosted email is prevalent only partially to do with technical reasons and a > lot to do with technical apathy on the part of the user base at large. Web > hosting is the same way. A dedicated mailbox appliance would be another cost > to the user that they would not understand why they need, and thus would not > want. 
In a hypothetical tech-utopia, where everyone was fluent in bash (or > powershell, take your pick), and read RFCs over breakfast instead of the > newspaper, this would be an excellent solution. Meanwhile, in reality, > technology frightens most people, and they are more than happy to pay someone > else to deal with it for them. > > B: The relevant technical reason can be summarized as "good luck getting a > residential internet connection with a static IP" > > (If your response includes the words "dynamic DNS" then please see point A) > > (Also I'm just going to briefly touch the fact that this doesn't address spam > as a problem at all, and in fact would make that problem overwhelmingly > worse, as MTAs would be expected to accept mail from everywhere, and we > obviously can't trust end user devices or ISP CPE to be secure against > intrusion) > > Scott Buettner > Front Range Internet Inc > NOC Engineer > > On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote: >> Maybe you should focus on delivering email instead of refusing it. Or just >> keep refusing it and trying to bill people for it, until you make yourself >> irrelevant. The ISP based email made more sense when most end users - the >> people that we serve - didn't have persistent internet connections. Today, >> most users are always connected, and can receive email directly to our own >> computers, without a middle man. With IPv6 it's totally feasible since >> unique addressing is no longer a problem - there's no reason why every user >> can't have their own MTA. The problem is that there are many people who are >> making money off of email - whether it's the sending of mail or the blocking >> of it - and so they're very interested in breaking direct email to get 'the >> users' to rely on them. It should be entirely possible to build 'webmail' >> into home user CPEs or dedicated mailbox appliances, and let everyone deal >> with their own email delivery. 
The idea of having to pay other people to >> host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP >> thread is basically covering the same ground. It boils down to: we have an >> old crappy system that works, and we don't want to change, because we've >> come to rely on the flaws of it and don't want them fixed. In the email >> case, people have figured out how to make money doing it, so they certainly >> want to keep their control over it. >> >> -Laszlo >> >> >> On Mar 26, 2014, at 2:07 PM, Lamar Owen wrote: >> >>> On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member. >>> ... >>> >>> As has been mentioned, this is old hat. >>> >>> There is only one surefire way of doing away with
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote:
>
> Actually, a variant on that that might be acceptable… Make e-postage a
> deposit-based thing. If the recipient has previously white-listed you or
> marks your particular message as "desired", then you get your postage back.
> If not, then your postage is put into the recipients e-postage account to
> offset the cost of their emails.
>
> Thoughts?

It's a fine idea but too complicated.

Look, the (paper) post office doesn't say "oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender!"

Why? Because if they did that people would game the system, THEY'D SPAM!

And it would take way too much bookkeeping and fraud identification etc.

Let's take a deep breath and re-examine the assumptions:

Full scale spammers send on the order of one billion msgs per day.

Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer.

Who can't operate with 1M msgs/day?

Well, maybe Amazon or similar.

But as I said earlier MAYBE THEY SHOULD PAY ALSO!

We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available.

Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be.

I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that.

Why would it work?

Because that's how human society works.

People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead.

And it'd create an economy for hunting down miscreants.

There really is none now, outside of the higher profile DDoS or phishing sort of activities.

I claim it wouldn't take much of this to shut down spammers.

P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself.

--
        -Barry Shein

The World              | b...@theworld.com      | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD    | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet | SINCE 1989     *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
> Ergo, ad hominem. Please quit doing that.
> As a side note I happen to run my own mail server without spam filters
> -- it works for me. I might not be the norm, but then again, is there
> really a norm? (A norm that transcends SMTP RFC reach, that is --

I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Re: why IPv6 isn't ready for prime time, SMTP edition
This is totally ignoring a few facts. A: That the overwhelming majority of users don't have the slightest idea what an MTA is, why they would want one, or how to install/configure one. ISP/ESP hosted email is prevalent only partially to do with technical reasons and a lot to do with technical apathy on the part of the user base at large. Web hosting is the same way. A dedicated mailbox appliance would be another cost to the user that they would not understand why they need, and thus would not want. In a hypothetical tech-utopia, where everyone was fluent in bash (or powershell, take your pick), and read RFCs over breakfast instead of the newspaper, this would be an excellent solution. Meanwhile, in reality, technology frightens most people, and they are more than happy to pay someone else to deal with it for them. B: The relevant technical reason can be summarized as "good luck getting a residential internet connection with a static IP" (If your response includes the words "dynamic DNS" then please see point A) (Also I'm just going to briefly touch the fact that this doesn't address spam as a problem at all, and in fact would make that problem overwhelmingly worse, as MTAs would be expected to accept mail from everywhere, and we obviously can't trust end user devices or ISP CPE to be secure against intrusion) Scott Buettner Front Range Internet Inc NOC Engineer On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote: Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. 
The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it. -Laszlo On Mar 26, 2014, at 2:07 PM, Lamar Owen wrote: On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. 
That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.)
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Wed, Mar 26, 2014 at 03:35:48PM -0400 Quoting John R. Levine (jo...@iecc.com):
> >>It must be nice to live in world where there is so little spam and
> >>other mail abuse that you don't have to do any of the anti-abuse
> >>things that real providers in the real world have to do.
> >
> >What is a real provider? And what in the email specifications tells us
> >that the email needs and solutions of any one individual, as long as they
> >are following protocol (which I'm quite convinced Mark is) are "unreal"?
>
> A real provider is one that provides mail for real users, as opposed
> to someone who plays RFC language lawyer games. I only have a few
> dozen users, but I can assure you I use a whole lot of different
> filtering approaches including DNSBLs to keep my users' mailboxes
> usable.

Ergo, ad hominem. Please quit doing that.

As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- the necessity to stick to protocol is not under debate)

> I must say it's pretty amusing that someone who works for the
> organization that published the original DNSBL seems to be ranting
> against them.

The ability to change one's mind when circumstances change is usually seen as advantageous. Why not here?

-- 
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thursday, March 27, 2014 09:48:09 AM Jim Popovitch wrote:
> But a significant portion of it routes through London :-)
>
> *cough *cough co.tz to co.za, etc., etc.

Perhaps, but that does not mean it's all served by South African ISPs.

The London trombone is a separate issue.

Mark.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thu, Mar 27, 2014 at 3:38 AM, Mark Tinka wrote: > > Not all of 41/8 is served by South Africa :-). > But a significant portion of it routes through London :-) *cough *cough co.tz to co.za, etc., etc. -Jim P.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wednesday, March 26, 2014 08:26:14 PM Lamar Owen wrote:
> You don't. Their upstream(s) in South Africa would bill
> them for outgoing e-mail.

Not all of 41/8 is served by South Africa :-).

Mark.
Re: why IPv6 isn't ready for prime time, SMTP edition
LoL Spellcheck… Helping you correctly spell the incorrect word every time. Owen On Mar 26, 2014, at 1:03 PM, Lamar Owen wrote: > On 03/26/2014 03:56 PM, Lamar Owen wrote: >> >> Most of the phishing e-mails I've sent don't have a valid reply-to, from, or >> return-path; replying to them is effectively impossible, and the >> linked/attached/inlined payload is the attack vector. >> >> >> > Blasted spellcheck Now that everybody has had a good laugh; I've not > 'sent' *any* phishing e-mails, but I have *seen* plenty. Argh. >
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 26, 2014, at 7:07 AM, Lamar Owen wrote: > On 03/25/2014 10:51 PM, Jimmy Hess wrote: >> >> [snip] >> >> I would suggest the formation of an "IPv6 SMTP Server operator's club," >> with a system for enrolling certain IP address source ranges as "Active >> mail servers", active IP addresses and SMTP domain names under the >> authority of a member. >> > ... > > As has been mentioned, this is old hat. > > There is only one surefire way of doing away with spam for good, IMO. No one > is currently willing to do it, though. > > That way? Make e-mail cost; have e-postage. No, I don't want it either. > But where is the pain point for spam where this becomes less painful? If an > enduser gets a bill for sending several thousand e-mails because they got > owned by a botnet they're going to do something about it; get enough endusers > with this problem and you'll get a class-action suit against OS vendors that > allow the problem to remain a problem; you can get rid of the bots. This > will trim out a large part of spam, and those hosts that insist on sending > unsolicited bulk e-mail will get billed for it. That would also eliminate a > lot of traffic on e-mail lists, too, if the subscribers had to pay the costs > for each message sent to a list; I wonder what the cost would be for each > post to a list the size of this one. If spam ceases to be profitable, it > will stop. > > Of course, I reserve the right to be wrong, and this might all just be a pipe > dream. (and yes, I've thought about what sort of billing infrastructure > nightmare this could be.) Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
>How about something much simpler? We already are aware of bandwidth caps at >service providers, there could just as >well be email caps. How hard would it be to ask your customer how many emails >we should expect them to send in a day? Once again, I encourage my competitors to follow your advice. R's, John PS: There are plenty of giant botnets that only send a trickle of mail from each infected host, but the aggregate amount is enormous.
RE: why IPv6 isn't ready for prime time, SMTP edition
>>>Would it make it more unique; if I suggested creation of a new distributed >>>Cryptocurrency something like 'MAILCoin' to track the memberships in the >>>club and handle voting out of abusive mail servers: in a distributed >>>manner, to ensure that no court could ever mandate that a certain IP >>>address be accepted into the club? >>>Not necessarily. But I haven't yet heard of any meaningful attempt to >>>implement something like that. Obviously with IPv4; way too many >>>"legacy" mail servers exist that will never bother to implement new >>>protocols and practice improvements even basic things, such as SMTP >>>rejecting invalid recipients instead of sending unsolicited bounce replies >>>to senders (forged by spammers). How about something much simpler? We already are aware of bandwidth caps at service providers, there could just as well be email caps. How hard would it be to ask your customer how many emails we should expect them to send in a day? We don't need to be precise about it, just within an order of magnitude. For example, I could say that a residential user should not be over 750 a day and for a commercial user you could find out their projection and add to it to allow a reasonable headroom. Now, the service provider is protecting us from pwned systems within their network. If I get a residential customer asking for 100,000 emails per day I just might have some questions for them. It also seems that it would be easy for the service provider to send an alert to the customer telling them that they have hit their cap and make it easy for them to lift the cap if the traffic is actually legitimate. If they are lifting their cap too often you could investigate or run their outbound email through some type of filtering solution to see how it scores. Now, the providers that implement that system could be allowed to send me email and the ones that don't can't send me email. 
If this was adopted widely, it would put a lot of pressure on the service provider to get on-board. In that case your filters do not need to be that granular. This is not a spam proof solution but would cut down on the very high volume abusers. It also helps deal with the service providers that condone that sort of stuff and will punish them because you are going to lose customers fast if email from that provider is generally not accepted. Maybe if we start scoring against the originating service provider, instead of address blocks and stop accepting email from them, they might do something about the high volume offenders. Steven Naslund Chicago IL
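The per-customer cap described in the post above, as an added sketch (not code from the thread or from any provider), replayed against the objection raised in the reply that botnets send only a trickle from each host. The customer ids, the 50% headroom default, the lift-review threshold and every traffic figure other than 750 and 100,000 are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

RESIDENTIAL_CAP = 750  # daily figure suggested in the post


def commercial_cap(projected_per_day, headroom=0.5):
    """Customer's own projection plus headroom (the 50% default is an assumption)."""
    return int(projected_per_day * (1 + headroom))


@dataclass
class Account:
    cap: int
    sent: Counter = field(default_factory=Counter)  # date -> messages accepted
    lifts: list = field(default_factory=list)       # dates the cap was raised


class OutboundCaps:
    """Daily outbound message caps enforced at the provider's relay."""

    def __init__(self, max_lifts=2, window=timedelta(days=30)):
        self.accounts = {}
        self.max_lifts = max_lifts
        self.window = window

    def enroll(self, cid, cap=RESIDENTIAL_CAP):
        self.accounts[cid] = Account(cap)

    def submit(self, cid, day):
        """Verdict for one message: 'accept', 'alert' (accepted, cap now hit) or 'defer'."""
        acct = self.accounts[cid]
        if acct.sent[day] >= acct.cap:
            return "defer"
        acct.sent[day] += 1
        return "alert" if acct.sent[day] == acct.cap else "accept"

    def lift(self, cid, day, new_cap):
        """Raise a cap; returns True when lifts are frequent enough to investigate."""
        acct = self.accounts[cid]
        acct.cap = new_cap
        acct.lifts.append(day)
        recent = [d for d in acct.lifts if day - d < self.window]
        return len(recent) > self.max_lifts


def replay(caps, attempts, day):
    """attempts maps customer id -> messages tried that day; returns verdict tallies."""
    return {cid: Counter(caps.submit(cid, day) for _ in range(n))
            for cid, n in attempts.items()}


def demo():
    """Constructed traffic: one normal user, one blasting host, 2,000 trickle bots."""
    caps = OutboundCaps()
    day = date(2014, 3, 26)
    caps.enroll("res-normal")
    caps.enroll("res-pwned")
    caps.enroll("biz", commercial_cap(4000))
    bots = [f"bot-{i}" for i in range(2000)]
    for b in bots:
        caps.enroll(b)
    attempts = {"res-normal": 40, "res-pwned": 100_000, "biz": 5000}
    attempts.update({b: 50 for b in bots})
    results = replay(caps, attempts, day)
    # The bots never reach the cap, so nothing is alerted on or deferred.
    trickle_total = sum(results[b]["accept"] for b in bots)
    # Three lifts in three days trips the review threshold on the third.
    lifts = [caps.lift("biz", day + timedelta(days=i), 8000 + 1000 * i)
             for i in range(3)]
    return results, trickle_total, lifts


if __name__ == "__main__":
    results, trickle_total, lifts = demo()
    print("res-pwned:", dict(results["res-pwned"]))
    print("trickle botnet accepted in aggregate:", trickle_total)
    print("lift needs review:", lifts)
```

The single blasting host is stopped at its cap, while the 2,000 low-volume hosts deliver the same 100,000 messages without one alert.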
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 26, 2014 at 16:59 jo...@iecc.com (John Levine) wrote:
>
> I wrote a white paper ten years ago explaining why e-postage is a
> bad idea, and there is no way to make it work. Nothing of any
> importance has changed since then.
>
> http://www.taugh.com/epostage.pdf

It's a fine white paper, I just read it again.

But it does tend to make the best the enemy of the good.

I remember during the metered bandwidth arguments many years ago people asserting similarly that it was (practically) impossible to implement, would just anger people, was full of holes (hey I can't completely control my bandwidth usage, some outsider could run it up!), etc.

Yet, here we are in a world of (mobile) bandwidth caps etc.

Big money has a way of focusing efforts.

I actually think we're just not quite there yet as horrid as spam is. This is what I alluded to in my previous message.

The next leg will be when the line between "spam" as in questionable content and commercial "ham" grows fuzzier and fuzzier.

There are for example about 1,000 Fortune 1,000 companies, many of which can name any of us legitimate business contacts. And many of them have dozens if not hundreds of sub-divisions (e.g., insurance brokers) who also would qualify as not spam under commonly accepted definitions (and CAN-SPAM.)

And they will be motivated by the same things which motivated spammers: (nearly) Free access to our eyeballs, push technology.

My guess is the next generation solution won't be motivated by end-users being overwhelmed though that will be cited.

It will be motivated by the opportunity to outcapitalize access to our eyeballs as they realize no one is reading the thousands of pieces of ham per day, let alone the spam.

This is independent of reputation and similar identity services as a filter: They're all legitimate! Every one of the 5,000 messages you got that day were perfectly legitimate, anyone you ever gave your credit card to for example.
Anyhow, obviously I can go on and on, it's a complex subject. But I think the solutions will be driven by the creation of economics around the problem, just as they often are in real life. And a lot of the leakage can be mitigated merely by big men with big sticks once money is a factor, rather than magic algorithms (though they will help of course.) -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 03:56 PM, Lamar Owen wrote: Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector. Blasted spellcheck Now that everybody has had a good laugh; I've not 'sent' *any* phishing e-mails, but I have *seen* plenty. Argh.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 02:59 PM, valdis.kletni...@vt.edu wrote: You *do* realize that the OS vendor can't really do much about users who click on stuff they shouldn't, or reply to phishing emails, or most of the other ways people *actually* get pwned these days? Hint: Microsoft *tried* to fix this with UAC. The users rioted. Yep, I do realize that and I do remember the UAC 'riots.' But the OS vendor can make links that are clicked run in a sandbox and make said sandbox robust. A user clicking on an e-mail link should not be able to pwn the system. Period. Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/26/2014 2:16 PM, Paul Ferguson wrote: to a paid service (e.g. "If you are not paying for a service, you are the product."). That needs to be engraved in the glass screens of every device, like the "G.O.A.L" at the bottom of the rear-view mirror of some semi-truck tractors. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: why IPv6 isn't ready for prime time, SMTP edition
It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are "unreal"? A real provider is one that provides mail for real users, as opposed to someone who plays RFC language lawyer games. I only have a few dozen users, but I can assure you I use a whole lot of different filtering approaches including DNSBLs to keep my users' mailboxes usable. I must say it's pretty amusing that someone who works for the organization that published the original DNSBL seems to be ranting against them. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/26/2014 11:45 AM, Lamar Owen wrote:
> So, what other ways are there to make unsolicited commercial
> e-mail unprofitable?

Well, perhaps not by punishing legitimate SMTP senders who have done nothing wrong.

Don't get me wrong -- I already *pay* to send mail. I migrated all of my personal e-mail off of free webmail platforms some time ago to a paid service (e.g. "If you are not paying for a service, you are the product.").

- ferg

-- 
Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, 26 Mar 2014 10:07:22 -0400, Lamar Owen said:
> it; get enough endusers with this problem and you'll get a class-action
> suit against OS vendors that allow the problem to remain a problem; you
> can get rid of the bots.

You *do* realize that the OS vendor can't really do much about users who click on stuff they shouldn't, or reply to phishing emails, or most of the other ways people *actually* get pwned these days?

Hint: Microsoft *tried* to fix this with UAC. The users rioted.
Re: why IPv6 isn't ready for prime time, SMTP edition
Lamar Owen wrote:
> On 03/26/2014 01:38 PM, Tony Finch wrote:
> > Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony.
>
> You don't. Their upstream(s) in South Africa would bill them for outgoing
> e-mail.

You mean Nigeria. So how do I get compensated for dealing with the junk they send me?

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Thames, Dover, Wight, Portland, Plymouth: North 4 or 5, becoming variable 3 or 4, then east 4 or 5 later. Slight or moderate, but rough in southwest Plymouth. Rain or showers. Good, occasionally moderate.
Re: why IPv6 isn't ready for prime time, SMTP edition
Lamar Owen wrote:
> The entity with whom they already have a business relationship. Basically, if
> I'm an ISP I would bill each of my customers, with whom I already have a
> business relationship, for e-mail traffic. Do this as close to the edge as
> possible.

Ooh, excellent, so I can deliver loads of spam to them and charge them for it!

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Biscay: Northwest 4 or 5, becoming variable 4. Moderate or rough. Rain or showers. Good, occasionally moderate.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 01:42 PM, John Levine wrote: And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? Where do you expect them to send the bill? The entity with whom they already have a business relationship. Basically, if I'm an ISP I would bill each of my customers, with whom I already have a business relationship, for e-mail traffic. Do this as close to the edge as possible. And yes, I know, it will happen just about as soon as all edge networks start applying BCP38. I'm well aware of the limitations and challenges, but I'm also well aware of how ungainly and broken current anti-spam measures are. One of the things I pointed out in that white paper is that as soon as you have real money involved, you're going to have a whole new set of frauds and scams that are likely to be worse than the ones you thought you were solving. Yes, and this is the most challenging aspect. Again, I'm not saying e-postage is a good idea (because I don't think it is), but the fact of the matter is, like any other crime, as long as unsolicited commercial e-mail is profitable it will be done. So, what other ways are there to make unsolicited commercial e-mail unprofitable?
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Tue, Mar 25, 2014 at 10:45:00PM -0400 Quoting John R. Levine (jo...@iecc.com):
> >None of this is REQUIRED. It is forced on people by a cartel of
> >email providers.
>
> It must be nice to live in world where there is so little spam and
> other mail abuse that you don't have to do any of the anti-abuse
> things that real providers in the real world have to do.

What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are "unreal"?

There are scalability issues that single out the mega-class providers as something special. But those are no reason to go around debating the realness of other email handling organisations.

Also, the accept/reject policies of email recipients are subject to individual evaluation and implementation at each MX host. Attempts at describing the state of email as other than that are false and should be discarded[0].

-- 
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Content: 80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds TARTAR SAUCE like an 8" by 10" GLOSSY ...

[0] I'm sorry for the wording here, I just had to recall a paraphrased instruction from when Sweden had a psyops defence organisation. "Every message that the resistance is to be given up is false."
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 01:38 PM, Tony Finch wrote: Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail. Postage, at least for physical mail, is paid by the sender at the point of ingress to the postal network. Yes, there are ways of gaming physical mail, but they are rarely actually used; the challenge of an e-mail version of such a system would be making it dirt simple and relatively resistant to gaming; or at least making gaming the system more expensive than using the system. And let me reiterate: I don't like the idea, and I don't even think it is a good idea. But how else do we make spamming unprofitable? I'd love to see a real solution, but it just isn't here yet.
Re: why IPv6 isn't ready for prime time, SMTP edition
>And I also remember thinking at the time that you missed one very >important angle, and that is that the typical ISP has the technical >capability to bill based on volume of traffic already, and could easily >bill per-byte for any traffic with 'e-mail properties' like being on >certain ports or having certain characteristics. Yeah, I'm well aware >of the technical issues with that; I never said it was a good idea, but >what is the alternative? Where do you expect them to send the bill? R's, John PS: The alternative is to deal directly with spam issues, rather than replacing them with even worse e-postage issues. One of the things I pointed out in that white paper is that as soon as you have real money involved, you're going to have a whole new set of frauds and scams that are likely to be worse than the ones you thought you were solving.
Re: why IPv6 isn't ready for prime time, SMTP edition
Lamar Owen wrote:
> the typical ISP has the technical capability to bill based on volume of
> traffic already, and could easily bill per-byte for any traffic with
> 'e-mail properties' like being on certain ports or having certain
> characteristics.

Who do I send the bill to for mail traffic from 41.0.0.0/8 ?

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Lundy, Fastnet, Irish Sea: Northwest veering east 4 or 5, occasionally 6 later in Irish Sea. Moderate or rough. Showers. Good, occasionally moderate.
Re: why IPv6 isn't ready for prime time, SMTP edition
In article <911cec5c-2011-4c8d-9cc1-89df2b4cb...@heliacal.net> you write: >Maybe you should focus on delivering email instead of refusing it Since there is at least an order of magnitude more spam than real mail, I'll just channel Randy Bush and encourage my competitors to take your advice. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 12:59 PM, John Levine wrote: That way? Make e-mail cost; have e-postage. Gee, I wondered how long it would take for this famous bad idea to reappear. I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf And I remember reading this ten years ago. And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? I agree (and agreed ten years ago) with your assessment that the technical hurdles are large, but I disagree that they're completely insurmountable. At some point somebody is going to have to make an outgoing connection on port 25, and that would be the point of billing for the originating host. I don't like it, and I don't think it's a good idea, but the fact of the matter is that as long as spam is profitable there is going to be spam. Every technical anti-spam technique yet developed has a corresponding anti-anti-spam technique (bayesian filters? easy-peasy, just load Hamlet or the Z80 programmer's manual or somesuch as invisible text inside your e-mail, something I've seen in the past week (yes, I got a copy of the text for Zilog's Z80 manual inside spam this past week!). DNS BL's got you stopped? easy peasy, do a bit of address hopping.) The only way to finally and fully stop spam is financial motivation, there is no 'final' technical solution to spam; I and all my users wish there were.
Re: why IPv6 isn't ready for prime time, SMTP edition
>That way? Make e-mail cost; have e-postage. Gee, I wondered how long it would take for this famous bad idea to reappear. I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf R's, John PS: Yes, I've heard of Bitcoins.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, Mar 26, 2014 at 10:07:22AM -0400, Lamar Owen wrote: > That way? Make e-mail cost; have e-postage. This is a FUSSP. It has been quite thoroughly debunked and may be dismissed instantly, with prejudice. ---rsk
Re: why IPv6 isn't ready for prime time, SMTP edition
Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it. -Laszlo On Mar 26, 2014, at 2:07 PM, Lamar Owen wrote: > On 03/25/2014 10:51 PM, Jimmy Hess wrote: >> >> [snip] >> >> I would suggest the formation of an "IPv6 SMTP Server operator's club," >> with a system for enrolling certain IP address source ranges as "Active >> mail servers", active IP addresses and SMTP domain names under the >> authority of a member. >> > ... > > As has been mentioned, this is old hat. > > There is only one surefire way of doing away with spam for good, IMO. No one > is currently willing to do it, though. > > That way? Make e-mail cost; have e-postage. No, I don't want it either. 
> But where is the pain point for spam where this becomes less painful? If an > enduser gets a bill for sending several thousand e-mails because they got > owned by a botnet they're going to do something about it; get enough endusers > with this problem and you'll get a class-action suit against OS vendors that > allow the problem to remain a problem; you can get rid of the bots. This > will trim out a large part of spam, and those hosts that insist on sending > unsolicited bulk e-mail will get billed for it. That would also eliminate a > lot of traffic on e-mail lists, too, if the subscribers had to pay the costs > for each message sent to a list; I wonder what the cost would be for each > post to a list the size of this one. If spam ceases to be profitable, it > will stop. > > Of course, I reserve the right to be wrong, and this might all just be a pipe > dream. (and yes, I've thought about what sort of billing infrastructure > nightmare this could be.) >
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.)
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 10:16:37PM -0500, Jimmy Hess wrote:
> Would it make it more unique; if I suggested creation of a new distributed
> Cryptocurrency something like 'MAILCoin' [...]

This is an attempt to splash a few drops of water on the people who own the oceans. It won't work, for the same reasons that the last 1,723 very similar proposals won't work.

---rsk
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 11:35:57PM -, John Levine wrote: > It has nothing to do with looking down on "subscribers" and everything > to do with practicality. When 99,9% of mail sent directly from > consumer IP ranges is botnet spam, and I think that's a reasonable > estimate, [...] Data point: it's an extremely reasonable estimate. If anything, though, it's an underestimate: the actual rate has several more 9's in it. And if the sending host (a) has generic rDNS and/or (b) fingerprints as Windows, then it approaches 100% so closely as to not be worth arguing about. There is no point in performing any checks other than these on SMTP connections from such hosts. There is no reason to permit the conversation to continue to the DATA stage and to scrutinize the message contents. These actions are both wasteful and superfluous. The only correct action to take at this point is to issue an SMTP reject and end the conversation. It's a pity that this is true. But a decade-plus after the botnet problem became well-known, I can't name an ISP which has developed and deployed an effective mitigation strategy against them. So far it's been band-aids (blocking port 25) and PR (press conferences and initiatives and task forces etc.). ("botnet takedowns" are meaningless fluff and merely fodder for self-congratulatory press conferences. All those systems in the botnet are still compromised. All those systems are still vulnerable to the same attack vectors that resulted in their initial compromise. And quite likely before the ink is dry on the accompanying press release, other botnet operations will harvest them for use in their own operations. Meet the new boss, same as the old boss.) ---rsk
Re: why IPv6 isn't ready for prime time, SMTP edition
Laszlo Hanyecz wrote:
> The usefulness of reverse DNS in IPv6 is dubious.

For most systems yes, but you might as well have it if you are manually allocating server addresses.

Tony.
--
f.anthony.n.finch http://dotat.at/
Faeroes: Variable 4, becoming southeast 5 or 6. Moderate or rough. Fair. Good.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, Mar 26, 2014 at 4:16 AM, Jimmy Hess wrote: > Would it make it more unique; if I suggested creation of a new distributed > Cryptocurrency something like 'MAILCoin' to track the memberships in the > club and handle voting out of abusive mail servers: in a distributed > manner, to ensure that no court could ever mandate that a certain IP > address be accepted into the club? > "voting out" - in today's world we need to assume that spammers and other criminals have vastly more resources than what may be considered (sort of) good guys. For the same mechanism a CPU-bound cryptocurrency is not likely to succeed. -- Matthias
RE: why IPv6 isn't ready for prime time, SMTP edition
You only need Hotmail, Gmail, Yahoo on board and everyone will follow... They might even be able to dictate new SMTP RFCs.

David Hofstee
Deliverability Management
MailPlus B.V. Netherlands (ESP)

-Original message-
From: Jimmy Hess [mailto:mysi...@gmail.com]
Sent: Wednesday, March 26, 2014 4:17 AM
To: John R. Levine
CC: NANOG list
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition

On Tue, Mar 25, 2014 at 9:55 PM, John R. Levine wrote:
> I would suggest the formation of an "IPv6 SMTP Server operator's club,"
>> with a system for enrolling certain IP address source ranges as
>> "Active
>
> Surely you don't think this is a new idea.
>

Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club?

Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many "legacy" mail servers exist that will never bother to implement new protocols and practice improvements even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers).

> R's,
> John

--
-JH
RE: why IPv6 isn't ready for prime time, SMTP edition
>Lacking reverse should be one of many things to consider with rejecting
>e-mails, but should not be the only condition.

And your opinion is just another one. Someone else has a different one. Resulting in the mess email is now. You won't believe the crap I read in bounces (it also gives a funny insight into the email chain/setup of a company).

Email security (against spam) should be fixed. Properly. Fine grained complaining should be possible (to the sender and all intermittent parties, as well as external parties). Make some RFCs that work please.

David Hofstee
Deliverability Management
MailPlus B.V. Netherlands (ESP)

-Original message-
From: Brielle Bruns [mailto:br...@2mbit.com]
Sent: Tuesday, March 25, 2014 9:57 PM
To: nanog@nanog.org
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition

On 3/25/14, 11:56 AM, John Levine wrote:
> I think this would be a good time to fix your mail server setup.
> You're never going to get much v6 mail delivered without rDNS, because
> receivers won't even look at your mail to see if it's authenticated.
>
> CenturyLink is reasonably technically clued so it shouldn't be
> impossible to get them to fix it.

Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.

That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources.

Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd.

And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers.

It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 10:08 PM, Rob McEwen wrote:
> On 3/25/2014 10:51 PM, Jimmy Hess wrote:
> > I would suggest the formation of an "IPv6 SMTP Server operator's club,"
>
> That comes across too much like the failed FUSSP ideas. What happens
> when spammers try to get onboard? Who is the arbitrator? How fast could
>

This is when you fall to other mechanisms, BUT you still raised the bar -- even if the spammers could get onboard -- your first choice of deny-by-default did have to fail first for that specific spammer.

> they react? And then you have legit senders who get infections or
> compromised accounts? Or what about a hoster who gets one bad-apple
>

Again. Perfection not claimed. There is no one cure.

> reputation systems and established blacklists which have spent YEARS
> fine tuning these things... can be best prepared to sort these things
> about based on the reputation of the domain at the end of a sender's
>

So-called fine-tuned reputation systems and established blacklists seriously need help. They spent years fine-tuning those things, BUT none of them work that well, either, well; they mostly work --- except on occasion when they do not.

>
> 'should we whitelist this sender'... the spammers are ORDER OF
> MAGNITUDES faster than that! And then you'd have too many legit orgs
> that happen to be small.. that would be effectively blacklisted by not
> being able to get "into the club". it would be a nightmare!
>

Organization size not a criteria. Only agreeing to follow whatever basic rules would be agreed upon, inclusive of mutual support and cooperation to address spam issues... Small legit orgs need the support more than anyone!

Remember why FcRDNS works so well in the first place? Many spamming IPs are not intended to be mail servers in the first place. If the spammer was not running malicious code; there would be no SMTP client on that server.

On the other hand... FcRDNS includes additional IPs that are also not intended to be mail servers.

Requiring a Declarative assertion "This server IP address is definitely intended to originate messages to remote sites" Effectively limits spammers from just setting up a mail server on any random IP, by adding another pre-requisite on top of rDNS settings.

--
-JH
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 9:55 PM, John R. Levine wrote: > I would suggest the formation of an "IPv6 SMTP Server operator's club," >> with a system for enrolling certain IP address source ranges as "Active > > Surely you don't think this is a new idea. > Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club? Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many "legacy" mail servers exist that will never bother to implement new protocols and practice improvements even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers). > R's, > John -- -JH
Re: why IPv6 isn't ready for prime time, SMTP edition
Maybe we could give everyone globally unique numbers and end to end connectivity. Then maybe the users themselves can send email directly to each other without going through this ESP cartel.

-Laszlo

On Mar 26, 2014, at 2:51 AM, Rob McEwen wrote:
> On 3/25/2014 10:25 PM, Brielle Bruns wrote:
>>
>> Like I said in a previous response, if you are going to make rdns a
>> requirement, why not make SPF and DKIM mandatory as well?
>
> many ISPs ALREADY require rDNS. So making that standard official for
> IPv6 isn't asking for much! It is a NATURAL progression. As I
> mentioned in a previous message, I think IPv6 should go farther and
> require FCrDNS, with the host name ending with the sender's actual real
> domain so that proper identity is conveyed. (then when a spammer uses a
> "throwaway domain" or known spammy domain... as the domain at the end of
> the rDNS, they have only themselves to blame when the message is rejected!)
>
> SPF is somewhat "dead"... because it breaks e-mail forwarding
> situations. Anyone who blocks on a bad SPF is going to have significant
> FPs. And by the time you've dialed down the importance of SPF to prevent
> FPs (either by the receiver not making too big of a deal about it, or
> the sender using a NOT strict SPF), it then becomes impotent. About the
> only good usage of SPF is to change a domain's record to "strict" in
> situations where some e-mail on that domain is being "picked on" by a
> "joe job" where their address is forged into MANY spams over a period of
> time. (not just the occasional hit that everyone gets). otherwise, SPF
> is worthless.
>
> Maybe we should require DKIM for IPv6, too? But what I suggested about
> FCrDNS seems like a 1st step to me.
>
> --
> Rob McEwen
> +1 (478) 475-9032
>
>
Re: why IPv6 isn't ready for prime time, SMTP edition
On 25 Mar 2014 22:55:19 -0400, "John R. Levine" said:
> > I would suggest the formation of an "IPv6 SMTP Server operator's club,"
> > with a system for enrolling certain IP address source ranges as "Active
> > mail servers", active IP addresses and SMTP domain names under the
> > authority of a member.
>
> Surely you don't think this is a new idea.

It can't be - it's listed on this very old page:

http://www.rhyolite.com/anti-spam/you-might-be.html
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, 25 Mar 2014 22:51:11 -0400, Rob McEwen said:
> On 3/25/2014 10:25 PM, Brielle Bruns wrote:
> >
> > Like I said in a previous response, if you are going to make rdns a
> > requirement, why not make SPF and DKIM mandatory as well?
>
> many ISPs ALREADY require rDNS. So making that standard official for
> IPv6 isn't asking for much! It is a NATURAL progression.

There's still a lot of ancient mail servers out there in v4 land, that were set up before PTRs were pseudo-required by most places, so we end up cutting them some slack under a grandfather clause.

There's probably less than a dozen ASNs that have mailservers that speak IPv6 that were deployed before requiring PTRs became common, so they have much less of an excuse not to do so
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/2014 10:51 PM, Jimmy Hess wrote:
> I would suggest the formation of an "IPv6 SMTP Server operator's club,"

That comes across too much like the failed FUSSP ideas. What happens when spammers try to get onboard? Who is the arbitrator? How fast could they react? And then you have legit senders who get infections or compromised accounts? Or what about a hoster who gets one bad-apple customer. This isn't so simple! Not so black & white.

Yet if we instead focus on "truthful labeling of identity", then established e-mail reputation systems and established blacklists which have spent YEARS fine tuning these things... can be best prepared to sort these things about based on the reputation of the domain at the end of a sender's FCrDNS. Then the free market will properly choose the best blacklists that block the most spam with the least FPs... and the "politics" of some club won't be a negative factor.

NOTE: antispam blacklists don't effectively work like men with their feet on a desk smoking cigars asking, 'should we block this sender'... 'should we whitelist this sender'... the spammers are ORDER OF MAGNITUDES faster than that! And then you'd have too many legit orgs that happen to be small.. that would be effectively blacklisted by not being able to get "into the club". it would be a nightmare!

--
Rob McEwen
+1 (478) 475-9032
Re: why IPv6 isn't ready for prime time, SMTP edition
>I'm sure you are as vocal about outright rejecting messages for lack of >SPF (even if softfail) and lack of DKIM as you are about requiring rDNS? Interesting guess, but completely wrong. >Or perhaps making TLS mandatory, outright rejecting cleartext. Not until we have SMTP DANE. >Seems like the logical next step...Maybe too much overkill though, >right? Hard to define when you cross over that line. It's up to you. If you want people to accept your mail, you can send it the way they tell you to send it, since they are doing you a favor by accepting it all. If you just want to complain, I guess you post to nanog instead. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member. Surely you don't think this is a new idea. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 12:51 PM, Mikael Abrahamsson wrote:
> On Tue, 25 Mar 2014, John Levine wrote:
>
>> It says a lot about the state of the art that people are still making
>> uninformed guesses like this, non ironically.
>
> I have repeatedly tried to get people interested in methods of making it
> possible for ISPs to publish their "per-customer" allocation size, so far
> without any success. Most of the time I seem to get "we did it a certain
> way for IPv4, it works, we don't want to change it" from people.
>
[snip]

I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.

And certain internet domain names as "Active SMTP domains" authorized to originate mail for specific SMTP servers.

And some agreed upon operational policies, such as implementation of TLS using a certificate signed by the CA or a recognized SMTP club appropriate processing of abuse requests, and prompt administrator attention in the event of an abuse complaint or other mail issue.

With replacement of de-facto default accept with de-facto default deny.

E.g. If you didn't bother joining one of the whitelisting clubs we subscribe to and enrolling your mail server. The expectation should become "Nobody on the internet is going to accept mail from you"

Spam was a major problem with IPv4. With IPv6 we have an opportunity to set expectations that allow us to eliminate ad-hoc dedicated SMTP servers friendly to spammers, as an internet phenomenon.

> IPv6 changes things. Lots of things. There will be a lot of work to catch
> up. It's too bad that the part of the ecosystem that fights spam have woken
> up so late.
> --
> Mikael Abrahamsson email: swm...@swm.pp.se
>

--
-JH
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/2014 10:25 PM, Brielle Bruns wrote:
>
> Like I said in a previous response, if you are going to make rdns a
> requirement, why not make SPF and DKIM mandatory as well?

many ISPs ALREADY require rDNS. So making that standard official for IPv6 isn't asking for much! It is a NATURAL progression. As I mentioned in a previous message, I think IPv6 should go farther and require FCrDNS, with the host name ending with the sender's actual real domain so that proper identity is conveyed. (then when a spammer uses a "throwaway domain" or known spammy domain... as the domain at the end of the rDNS, they have only themselves to blame when the message is rejected!)

SPF is somewhat "dead"... because it breaks e-mail forwarding situations. Anyone who blocks on a bad SPF is going to have significant FPs. And by the time you've dialed down the importance of SPF to prevent FPs (either by the receiver not making too big of a deal about it, or the sender using a NOT strict SPF), it then becomes impotent. About the only good usage of SPF is to change a domain's record to "strict" in situations where some e-mail on that domain is being "picked on" by a "joe job" where their address is forged into MANY spams over a period of time. (not just the occasional hit that everyone gets). otherwise, SPF is worthless.

Maybe we should require DKIM for IPv6, too? But what I suggested about FCrDNS seems like a 1st step to me.

--
Rob McEwen
+1 (478) 475-9032
Re: why IPv6 isn't ready for prime time, SMTP edition
None of this is REQUIRED. It is forced on people by a cartel of email providers. It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 8:08 PM, Paul Ferguson wrote:

Also, please do *not* expect folks to toss anti-spam measures out the window just because they might move to v6. That would be naive.

Of course not, been spending the last few months trying to adapt my own anti-spam measures to work properly for IPv6, as well as trying to figure out how to handle IPv6 listings in the AHBL's DNSbl.

It's frustrating, but a necessity.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 8:03 PM, Robert L Mathews wrote:

I don't quite see how this is anything to do with IPv6.

It does when you've got the job of trying to convince people who know nothing about how the internet works why they should invest time in something new.

Unless, I'm wrong in that we're trying to encourage people to go dual stacked and not be solely dependent on IPv4...

If you set up an IPv4 mail server with no reverse DNS, your mail would be rejected by many servers, too. And there are certainly plenty of providers who won't let you configure the reverse DNS of an IPv4 address.

Yup, there are, and I've been on those providers in the past that did not consider IPv4 rdns important either.

Google does not outright reject mail from hosts with no IPv4 rdns, from what my quick test a moment ago showed.

Your provider assigned you an IP address with no reverse DNS, and you set up a mail server on that IP address. Most people would say that was unreliable even before knowing you're talking about IPv6 instead of IPv4.

Considering at the time of the deployment, I had no inclination that Google had enacted this policy, you can imagine my surprise, esp. after having said customer on an IPv4 addr previously that had no rdns either, and was sending mail to gmail fine.

Call it unreliable all you want, there's more than a few mail servers out there with no rdns on both IPv4 and IPv6.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 7:58 PM, TJ wrote: In an attempt to get this thread back on topic: * Does Google require rDNS for IPv4 mail sources? After a quick test here, Google did not reject the mail from an IPv4 address that did not have rDNS. If so, doing so for IPv6 shouldn't be a surprise. Your current provider's inability to support rDNS for IPv6 is not a protocol failure, it is a provider failure. If not, is there an additional operational reason for them to do so in IPv6? ... and in that case, I'd come to the same end result, provider-failure. ... ? Google willing to accept collateral damage for IPv6 mailing hosts, but too severe of collateral damage for IPv4 ones that would affect too many customers? Like I said in a previous response, if you are going to make rdns a requirement, why not make SPF and DKIM mandatory as well? -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/2014 9:24 PM, Brielle Bruns wrote:
> Last time I checked, there is no RFC that states that using SMTP
> transport is mandatory with the originator having rDNS (ipv4/ipv6).
> It may be SUGGESTED or RECOMMENDED, but not MANDATORY or REQUIRED. It
> is an arbitrary decision made by each mail provider.

For IPv6, FCrDNS... using NOT "dynamic formatted" host names... and with the host name ending in the sender's main domain... *should* be mandatory.

And +1 THOUSAND for everything that John Levine said in his last few messages!

Additionally... [addressing this topic in general from here on, not talking specifically to Brielle...]

I have a unique perspective on this... as I manage an anti-spam blacklist which blacklists many of the snowshoe spammers and "can-spam compliant" spammers whose practices are 100% legal, and who are not sending to a single caught-you-red-handed honeypot trap. Many of them abuse blackhat and grayhat ESPs. Unfortunately, in some instances, that "abuse" is symbiotic ("wink wink"), where the blackhat ESP will know that a sender's practices are extremely suspect (or worse), but will look the other way in exchange for much needed revenue. In fact, with the worldwide economy still in somewhat of a drag for about the 6th year in a row, I'm seeing evidences that *some* ESPs are lowering their standards a little to even more accommodate this crap. Some once-proud ESP who claimed they never do this, are in fact doing it. Still, a HUGE deterrent is getting their IP reputation "soiled" up on senderbase.org and getting on many blacklists. That becomes a "safety net" that keeps some of these ESPs from going off the deep end. And, again, I'm on the front lines dealing with this every day.

Therefore, SCARCITY of IPv4 IPs... is a FEATURE.. NOT a bug when it comes to keeping ESPs under control. And it also gives hosters/datacenters motivation to likewise "police" potential customers because the hoster or datacenter is left with the damage long after they've kicked a spammer off of their network.

ALL of that would "unravel"... ALL OF IT! ... if we all started using IPv6 for sending authenticated mail. (workstations sending mail to their own mail server could send via IPv6 all they wanted to.. that wouldn't be a problem at all)

But if all or most MTAs switched to IPv6, it would be a nightmare and what is sad is that MANY people reading this message are STILL going to GREATLY underestimate my warning after reading this. There are, unfortunately, many people who won't listen to reason and logic and require a real world nightmare before they "believe"... much like a 2-year-old who doesn't believe his parents' warning to not touch a hot stove... until AFTER he touches it. But we don't all have that luxury, do we?

IPv6 is a spammer's dream!

But REQUIRING FCrDNS for IPv6 ... using a NOT "dynamic formatted" host name... and with the host name ending in the sender's main domain... would go a long way towards mitigating these problems as then there would be more "truth in sending" as the rDNS would then properly convey both reputation and identity to the sender. I wish that could become a universal IPv6 SMTP standard... yesterday!

PS - but even then, I'm told that there may be issues with overrunning DNS caches should spammers send each spam from a unique IP and slowing down of processing of mail when rDNS lookups happen on each individual IP. To go back over the "root problem" that I never mentioned, a spammer would send out a million spams, each from a unique IP address, without even having that large of an IPv6 allocation.

IPv6 MTAs is NOT something to be "rushed into". Anyone promoting rushing into that... is not very well informed. (to put it nicely).. or they are a spammer who can't wait for all the fun to commence.

--
Rob McEwen
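The checks argued for in this thread (rsk's reject before DATA on missing or generic rDNS, and the IPv6 rule proposed in the message above: forward-confirmed rDNS, not dynamically formatted, ending in the sender's domain), as an added example that is not code from any poster. The resolver tables, the generic-name heuristic and every function name are assumptions, and the DNS data is constructed; a real MTA would plug live PTR/AAAA lookups into the same two hooks.

```python
"""FCrDNS policy check for inbound SMTP (added example, constructed data)."""
import ipaddress
import re
from typing import NamedTuple

# Constructed DNS data: documentation prefix 2001:db8::/32, reserved example names.
PTR = {
    "2001:db8:10::25": ["mail.example.org."],
    "2001:db8:20::1a2b": ["2001-db8-20--1a2b.dyn.isp.example."],
    "2001:db8:30::25": ["mx1.example.net."],  # forward record points elsewhere
    # 2001:db8:40::25 deliberately has no PTR record
}
AAAA = {
    "mail.example.org": ["2001:db8:10::25"],
    "2001-db8-20--1a2b.dyn.isp.example": ["2001:db8:20::1a2b"],
    "mx1.example.net": ["2001:db8:99::25"],
}

def lookup_ptr(ip):
    """Hypothetical resolver hook: address -> PTR names."""
    return PTR.get(str(ipaddress.ip_address(ip)), [])

def lookup_addr(name):
    """Hypothetical resolver hook: host name -> A/AAAA addresses."""
    return AAAA.get(name.rstrip(".").lower(), [])

# Labels that access providers commonly use for customer pools (assumed list).
GENERIC_LABEL = re.compile(r"^(dyn|dynamic|dhcp|a?dsl|pool|ppp|cable|dialup|customer)[-\d]*$")

def looks_generic(name, ip):
    """True if the name looks machine-generated from the address or a pool label."""
    host = name.rstrip(".").lower()
    if any(GENERIC_LABEL.match(label) for label in host.split(".")):
        return True
    if ip.version == 4:
        octets = str(ip).split(".")
        forms = ["-".join(octets), ".".join(octets),
                 "-".join(octets[::-1]), ".".join(octets[::-1])]
        return any(form in host for form in forms)
    # IPv6: compare with separators removed, in compressed and exploded spelling.
    squeezed = re.sub(r"[^0-9a-z]", "", host)
    tokens = {ip.compressed.replace(":", ""), ip.exploded.replace(":", "")}
    return any(len(tok) >= 8 and tok in squeezed for tok in tokens)

class Verdict(NamedTuple):
    accept: bool
    reason: str

def evaluate(client_ip, sender_domain, ptr=lookup_ptr, fwd=lookup_addr):
    """Decide at MAIL FROM time, before DATA, whether to continue the session."""
    ip = ipaddress.ip_address(client_ip)
    names = [n.rstrip(".").lower() for n in ptr(str(ip))]
    if not names:
        return Verdict(False, "no rDNS")
    # Forward-confirm: the PTR name must resolve back to the connecting address.
    confirmed = [n for n in names
                 if ip in {ipaddress.ip_address(a) for a in fwd(n)}]
    if not confirmed:
        return Verdict(False, "rDNS not forward-confirmed")
    named = [n for n in confirmed if not looks_generic(n, ip)]
    if not named:
        return Verdict(False, "generic rDNS")
    # Match on a label boundary so "badexample.org" never passes for "example.org".
    domain = sender_domain.rstrip(".").lower()
    matched = [n for n in named if n == domain or n.endswith("." + domain)]
    if not matched:
        return Verdict(False, "rDNS outside sender domain")
    return Verdict(True, "FCrDNS ok: " + matched[0])

if __name__ == "__main__":
    for addr, dom in [("2001:db8:10::25", "example.org"),
                      ("2001:db8:20::1a2b", "isp.example"),
                      ("2001:db8:30::25", "example.net"),
                      ("2001:db8:40::25", "example.com")]:
        print(addr, dom, evaluate(addr, dom))
```

The order of the checks matters: a generic name that does forward-confirm is still refused, which is the case a plain "has a PTR record" test lets through.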
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/2014 7:03 PM, Robert L Mathews wrote:
> On 3/25/14, 6:24 PM, Brielle Bruns wrote:
>> The problem is, it blows my cred and rep with my end users when
>> on day one of getting them set up and fully running on IPv6, they
>> can't e-mail the local school district, or their business
>> partners, because the other end uses Google mail. It makes me
>> look like an idiot, and they start questioning why should they
>> waste time/money on getting to be IPv6 ready.
>
> I don't quite see how this is anything to do with IPv6.
>
> If you set up an IPv4 mail server with no reverse DNS, your mail
> would be rejected by many servers, too. And there are certainly
> plenty of providers who won't let you configure the reverse DNS of
> an IPv4 address.
>
> Your provider assigned you an IP address with no reverse DNS, and
> you set up a mail server on that IP address. Most people would say
> that was unreliable even before knowing you're talking about IPv6
> instead of IPv4.
>

Also, please do *not* expect folks to toss anti-spam measures out the window just because they might move to v6. That would be naive.

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 6:24 PM, Brielle Bruns wrote: > The problem is, it blows my cred and rep with my end users when on day > one of getting them set up and fully running on IPv6, they can't e-mail > the local school district, or their business partners, because the other > end uses Google mail. It makes me look like an idiot, and they start > questioning why should they waste time/money on getting to be IPv6 ready. I don't quite see how this is anything to do with IPv6. If you set up an IPv4 mail server with no reverse DNS, your mail would be rejected by many servers, too. And there are certainly plenty of providers who won't let you configure the reverse DNS of an IPv4 address. Your provider assigned you an IP address with no reverse DNS, and you set up a mail server on that IP address. Most people would say that was unreliable even before knowing you're talking about IPv6 instead of IPv4. -- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
Re: why IPv6 isn't ready for prime time, SMTP edition
In an attempt to get this thread back on topic: * Does Google require rDNS for IPv4 mail sources? If so, doing so for IPv6 shouldn't be a surprise. Your current provider's inability to support rDNS for IPv6 is not a protocol failure, it is a provider failure. If not, is there an additional operational reason for them to do so in IPv6? ... and in that case, I'd come to the same end result, provider-failure. ... ? /TJ
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 5:35 PM, John Levine wrote: In article<3d7d0845-cb25-4c05-8fab-f5728c860...@heliacal.net> you write: >The OP doesn't have control over the reverse DNS on the AT&T 6rd. Ah, OK, you're saying that their IPv6 isn't ready for prime time. >One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around >forever. It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, we have better things to do than to spend a lot of our money expensively filtering that spam for the benefit of the GWL who is too cool to relay through a mail server with a real name. I'm sure you are as vocal about outright rejecting messages for lack of SPF (even if softfail) and lack of DKIM as you are about requiring rDNS? Or perhaps making TLS mandatory, outright rejecting cleartext. Seems like the logical next step...Maybe too much overkill though, right? Hard to define when you cross over that line. Last time I checked, there is no RFC that states that using SMTP transport is mandatory with the originator having rDNS (ipv4/ipv6). It may be SUGGESTED or RECOMMENDED, but not MANDATORY or REQUIRED. It is an arbitrary decision made by each mail provider. Obviously, Google will do whatever they want, which is within their right. Doesn't mean though, that I can't express my disgust/annoyance in them doing it and for the added hassle it causes me. --- I hope you understand where I'm coming from, John. I'm a huge supporter of IPv6 deployment - and have been using every opportunity I have had at my disposal to bring it to my end users, and make them excited about it too. 
The problem is, it blows my cred and rep with my end users when on day one of getting them set up and fully running on IPv6, they can't e-mail the local school district, or their business partners, because the other end uses Google mail. It makes me look like an idiot, and they start questioning why should they waste time/money on getting to be IPv6 ready. These kind of issues are things we are trying to avoid, but seem to be shooting ourselves in the foot on, even if unintentionally. Everything is a tradeoff, and in this case, I don't believe the tradeoff is worth the hassle it can cause. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
In message , "John R. Levine" writes:
> > Or he could just not like NSL and the fact the ISPs are required to abide by them. If people want their email going through where it can be snooped upon that is their prerogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!!
>
> Who said anything about being required to use your ISP's mail server? I don't think I have, ever. You need to use one with a static IP and reasonable rDNS, which could be anywhere.

There you go forcing people to jump through unnecessary hoops to send email. No you do not need a static address to send email. No you do not need a PTR record to send email. None of this is REQUIRED. It is forced on people by a cartel of email providers.

> Also, if the snoops are interested enough in you to drop an NSL on your ISP, you have worse problems than running your own mail server will solve.
>
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: why IPv6 isn't ready for prime time, SMTP edition
> Or he could just not like NSL and the fact the ISPs are required to abide by them. If people want their email going through where it can be snooped upon that is their prerogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!!

Who said anything about being required to use your ISP's mail server? I don't think I have, ever. You need to use one with a static IP and reasonable rDNS, which could be anywhere.

Also, if the snoops are interested enough in you to drop an NSL on your ISP, you have worse problems than running your own mail server will solve.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
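The "static IP and reasonable rDNS" requirement debated in this thread, sketched as a receiver-side forward-confirmed reverse DNS check for IPv6 clients. This is an added example, not code from any poster or mail provider; the addresses, hostnames, in-memory record tables, verdict names and the `require_rdns` switch are all constructed for illustration.

```python
import ipaddress

def reverse_name(addr):
    """PTR owner name for an address (nibble format under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(addr).reverse_pointer

# Constructed records standing in for live DNS (2001:db8::/32 is the documentation prefix).
PTR = {
    reverse_name("2001:db8::25"): ["mail.example.net"],
    reverse_name("2001:db8:bad::1"): ["host.example.org"],
    # 2001:db8:6::1 has no PTR at all, like a subscriber who cannot edit the reverse zone.
}
AAAA = {
    "mail.example.net": ["2001:db8::25"],
    "host.example.org": ["2001:db8:ffff::1"],  # forward record points elsewhere
}

def fcrdns(addr, ptr=PTR, aaaa=AAAA):
    """Return (verdict, name); verdict is 'pass', 'no-ptr' or 'mismatch' (hypothetical names)."""
    ip = ipaddress.ip_address(addr)
    names = ptr.get(ip.reverse_pointer, [])
    if not names:
        return ("no-ptr", None)
    for name in names:
        # Compare parsed addresses, not strings: one IPv6 address has many spellings.
        if any(ipaddress.ip_address(a) == ip for a in aaaa.get(name, [])):
            return ("pass", name)
    return ("mismatch", names[0])

def policy(addr, require_rdns):
    """The thread's disagreement as one switch: reject on failure, or only record it."""
    verdict, _name = fcrdns(addr)
    if verdict == "pass" or not require_rdns:
        return ("accept", verdict)
    return ("reject", verdict)

if __name__ == "__main__":
    for client in ("2001:db8::25", "2001:0db8:0:0:0:0:0:25",
                   "2001:db8:6::1", "2001:db8:bad::1"):
        print(client, fcrdns(client), policy(client, True), policy(client, False))
```

With `require_rdns=False` the verdict is still returned, so a receiver can feed it to scoring or logging instead of rejecting outright.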
Re: why IPv6 isn't ready for prime time, SMTP edition
In message <20140325233557.6311.qm...@joyce.lan>, "John Levine" writes:
> In article <3d7d0845-cb25-4c05-8fab-f5728c860...@heliacal.net> you write:
> >The OP doesn't have control over the reverse DNS on the AT&T 6rd.
>
> Ah, OK, you're saying that their IPv6 isn't ready for prime time.
>
> >One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever.
>
> It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, we have better things to do than to spend a lot of our money expensively filtering that spam for the benefit of the GWL who is too cool to relay through a mail server with a real name.

Or he could just not like NSL and the fact the ISPs are required to abide by them. If people want their email going through where it can be snooped upon that is their prerogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!!

>
> R's,
> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: why IPv6 isn't ready for prime time, SMTP edition
In article <3d7d0845-cb25-4c05-8fab-f5728c860...@heliacal.net> you write:
>The OP doesn't have control over the reverse DNS on the AT&T 6rd.

Ah, OK, you're saying that their IPv6 isn't ready for prime time.

>One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever.

It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, we have better things to do than to spend a lot of our money expensively filtering that spam for the benefit of the GWL who is too cool to relay through a mail server with a real name.

R's,
John