Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Mon, Mar 31, 2014 at 12:17:19AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net): On Mar 30, 2014, at 16:40 , Måns Nilsson mansa...@besserwisser.org wrote: Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net): On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote: Quoting John R. Levine (jo...@iecc.com): Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. I will not debate with people who resort to humiliation techniques when questioned. I will not argue whether you were humiliated as that is something only you can decide. The puny attempt at master suppression technique[0] was identified as such and countermeasures were launched. No damage done. I was serious. Your reaction .. well, I shouldn't say anything more lest you call me puny again. (What were you saying about humiliation techniques? Glad to see you would never be hypocritical.) My apologies. I was not referring to your statement -- if that was not clear I should most certainly have written more clearly. However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself. You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances.
There are other much more compelling reasons not to do as I say. You misunderstand. Or perhaps I did? I read John's statement to be in reference to your stance, i.e. running without spam filters. Not that your server is small. I read you handle no big amount of e-mail and I know people who do and therefore you should STFU and not bother us with your silly ideas about following standards in John's message, and while that might seem like one of many interpretations of what was written, it is an interpretation I hope to be not so far out on the insulted fringe so as to be silly. John can clarify if he likes. But either way, running without spam filters is beyond unusual these days. Indeed. My personal server is run with very few filters, all of which REJECT or accept and send to a box I read. I have no spam folder. So while I am not as far down the tail as you are, I am definitely out of the mainstream. The only reason I mention that is so you don't go researching for another reason to identify my comments as anything except exactly what they say. Oh, I'm not hoping to pick a fight. Bad move to pick fights with people that function as mediators. Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-) I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter. And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers. I like your use of MUST. However, I think you'll find your definition of undue and most of the rest of the Internet's is vastly different. I'm fully aware of that.
The clear separation between network and application that is at the core of IP is easily compromised by the best intentions. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 I selected E5 ... but I didn't hear Sam the Sham and the Pharoahs!
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 29, 2014, at 1:31 PM, Barry Shein b...@world.std.com wrote: On March 29, 2014 at 08:28 o...@delong.com (Owen DeLong) wrote: So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising. I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on? I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea. I was envisioning a system more where you white-listed your known contacts up front, then only needed to say “refund this one and add to white-list” or “refund this one” when confronted with one that wasn’t already white-listed that you didn’t feel was spam. We're getting lost in the metaphors methinks. I don’t think so, I think we’re having differing visions of how it would work in detail. Well, that's always the problem at some point. Lacking a specific, detailed proposal one tries to work out how it might work, look for inherent flaws in the idea, show stoppers. This is basically brainstorming. Yep… Wasn’t a criticism, merely an effort to home in on a more accurate problem description for the communications failures so we weren’t trying to solve the incorrect cause. So offering to not charge you because you wanted that mail makes no sense, right? But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. FIRST: There's a typo/thinko in my sentence! Should be: So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right? SECOND: In response, someone has to scale resources to match volume. 
But maybe my typo/thinko confused this because you know that, sorry. Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process. What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here. Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price? Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM. My whole point is I don't WANT to have a definition of spam, except as a bad memory. I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem. I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread. Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it. That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning. Again, we're talking about spam and the harm it does, the costs it incurs. And phishing etc. That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police? I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing. Nonetheless, I get your point. 
OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”? The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send. The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important. But every one of them has postage attached. Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly
Re: why IPv6 isn't ready for prime time, SMTP edition
Sent from my BlackBerry 10 smartphone on the Rogers network. Original Message From: John Levine Sent: Saturday, March 29, 2014 11:35 PM To: nanog@nanog.org Subject: Re: why IPv6 isn't ready for prime time, SMTP edition IF the overriding problem is due to an inability to identify and authenticate the identification of the sender, then let us work on establishing a protocol for identifying the sender and authenticating the identification of the sender and permitting the receiver to accept or deny acceptance of traffic by reference to that identification. We've got DKIM, SPF, S/MIME, and PGP. What more do you want? R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 30, 2014 at 04:47 jo...@iecc.com (John Levine) wrote: When people talked of virtual currency over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc? None, but it shouldn't be hard to look at the way bitcoin works and realize why it'd be phenomenally ill suited for e-postage, just for technical reasons. I told Satoshi so in 2009. I wasn't suggesting bitcoin was a model for e-postage, only that a lot of papers were written saying systems like bitcoin were more or less impossible (usually based on the double-spending problem.) But bitcoin seems to have gained quite a bit of traction nonetheless though it may well still be a bad idea. The problem is the world is a very sloppy place and tends to function in spite of proofs that bumblebees can't fly etc. when there's a need. R's, John PS: Sometimes a WKBI really is a WKBI. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 23:26 o...@delong.com (Owen DeLong) wrote: On Mar 29, 2014, at 1:31 PM, Barry Shein b...@world.std.com wrote: On March 29, 2014 at 08:28 o...@delong.com (Owen DeLong) wrote: So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising. I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on? I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea. I was envisioning a system more where you white-listed your known contacts up front, then only needed to say “refund this one and add to white-list” or “refund this one” when confronted with one that wasn’t already white-listed that you didn’t feel was spam. Introducing a refunding system adds a lot of complexity for not much advantage. Think through the mechanics of this whitelisting system, i.e., the bookkeeping and msgs back and forth. (eliding some stuff we mostly agree on) What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here. Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price? What about the attention costs, when nobody for example looks at an Amazon mail or even a useful msg from their bank because they're too busy deleting everything that isn't absolute top-priority (like from a relative or lover.) They're just swamped. Anyhow, I guess either spam is a big problem or it isn't. Everything I say is based on the premise that spam is a big problem.
If it isn't then we are truly wasting our time here. Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM. My whole point is I don't WANT to have a definition of spam, except as a bad memory. I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem. I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread. Well, if you don't see spam as much of a problem then surely most anti-spam proposals are going to seem too costly, right? That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police? I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing. Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”? Maybe I haven't had enough coffee yet but I truly don't understand what you're asking here. Recipients wouldn't pay in my scheme. OK, turn it around and you aren’t paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either. You must live in some low-density population area, here in Boston the letter carriers won't take outgoing mail. I tried one day and the guy just sneered put it in a box, that's all I'd do with it! Obviously there are people emptying those mailboxes but it's...where are we going with this? If you mean that legitimate senders have to pay and somehow recover that cost, well, we all pay for police and other security. Security is often like that. When you pay for a prison you pay to house prisoners, any benefit to you is at best abstract (they're not on the streets etc.)
I don’t pay the USPS any separate taxes to support the postal inspectors. That’s rolled up into the postage. Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it. This is probably getting off-track, but are you sure about that with the USPS? Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell you to throw it away. I don’t pay anything for that, either. Ok, nothing stops you in this scheme from returning an email to the sender. Maybe it could even be made free, probably just like any Mailer-Daemon bounce. What I don't think is a good idea is the sender getting their postage back. That's a lot of
Re: why IPv6 isn't ready for prime time, SMTP edition
On Sat, 29 Mar 2014 18:05:39 -0700, Matthew Petach said: system, which does 100,000,000 transactions/day. Facebook's presentation talks about doing billions *per second*, which if I Fortunately for Facebook, they don't have to worry about double-spending problems, and you don't have to worry that much about authentication and security, because you control both ends of the transaction. It's easy to scale when you don't have to worry about the hard parts.
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net): Composed on a virtual keyboard, please forgive typos. On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote: Quoting John R. Levine (jo...@iecc.com): Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. I will not debate with people who resort to humiliation techniques when questioned. I will not argue whether you were humiliated as that is something only you can decide. The puny attempt at master suppression technique[0] was identified as such and countermeasures were launched. No damage done. However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself. You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say. Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-) I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter.
And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Vote for ME -- I'm well-tapered, half-cocked, ill-conceived and TAX-DEFERRED! [0] http://en.wikipedia.org/wiki/Master_suppression_techniques
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/30/2014 12:11 AM, Barry Shein wrote: I don't know what WKBI means and google turns up nothing. I'll guess Well Known Bad Idea? Since I said that I found the idea described above uninteresting I wonder what is a WKBI from 1997? The idea I rejected? Also, I remember ideas being shot down on the ASRG (Anti-Spam Research Group) list primarily because they would take ten years to gain acceptance. Over ten years ago. Maybe they were bad ideas for other reasons. Some certainly were. But there's this tone of off-the-cuff dismissal, oh that would take TEN YEARS to gain traction, or that's a WKBI, which I don't find convincing. I read your paper, for example, and said it's a nice paper. But I don't find it compelling to the degree you seem to want it to be because it mostly makes a bunch of assumptions about how an e-postage system would work and proceeds to argue that the particular model you describe (and some variants) creates impossible or impractical hurdles. But what if it worked differently? At some point you're just reacting to the term e-postage and whatever it happens to mean to you, right? Imagine living in a world where this system is implemented. Then imagine ways to break it. The first thing I can think of is money laundering through hundreds of source and destination email accounts. The second is stolen identities or credit cards where the money doesn't exist to begin with (Who pays when this happens?) Third is administrative overhead. Banks/paypal/exchanges/someone is going to want a cut for each transaction, and they deserve one since they're going to end up tracking all of them and need to be able to reverse charges when something goes wrong. But then you have a central point of failure and central monitoring point so you want to involve multiple exchanges, banks, etc. 
Then you've got a dictatorship somewhere who says they want an extra $0.03 tacked on to each transaction, only it's not $0.03 it's insert famously unstable currency here so any mail that goes to that country has to have custom rules that fluctuate multiple times a day. Then there is my mom, who knows just enough about computers to send cat pictures and forward me chain letters. She'll not understand that email costs something now, or how to re-up her email account when it runs out. The administrative burden will either fall to me or her ISP, and each phone call to the ISP probably costs them $$ because they must pay a live human to walk someone through email. You can't really say you've exhaustively worked out every possibility which might be labelled e-postage. Only a particular interpretation, a fairly specific model, or a few. When people talked of virtual currency over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc? Bitcoin might well be a lousy solution. But there it is nonetheless, and despite the pile of papers which argued that this sort of thing was impossible or nearly so. Note: Yes, I can also argue that Bitcoin is not truly a virtual currency. Sometimes a problem is like the Gordian Knot of ancient lore which no one could untie. And then Alexander The Great swung his sword and the crowds cried cheat! but he then became King of Asia just as prophesized. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly The answer is that you can't do this to SMTP. Nobody will ever have the answers to all the questions involved with adding cost transactions to the protocol. The only way to do this is to reboot with a new protocol that people start to adopt, and the only way they'll do that is if it's markedly better than the old way. 
You have to remember some people when given the choice of paying for email or accepting 10 spams/day will opt for accepting a little spam. The good news is, with email consolidated into 5 or so large providers and most people using webmail or exchange, you've got an opportunity to change the backend. Not much software has to be modified, but you do need those large providers to buy-in to the idea.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Sat, Mar 29, 2014 at 7:40 PM, John R. Levine jo...@iecc.com wrote: The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] ... which is completely irrelevant because they don't have a double spending problem. Sheesh. It's easy to scale up stuff that is trivially parallelizable.* Apparently, in the intervening 10 years since you wrote that, you might have missed some advances in the state of the art in computer science. http://arxiv.org/abs/0802.0832v1 I quote from the abstract: Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention I suggest you update your 'commonly held belief' that the double spending problem is intractable. ;) Also, I wrote that ten years ago. Add an extra zero or two to the numbers if you want, but it doesn't make any difference. Perhaps the number of zeroes doesn't make a difference; but solving the double spending problem would seem to play a much bigger role in making a difference to your conclusion from ten years ago. Note that one of the concepts around the double spending problem is that of offline spending being able to happen in massively large scale in very short time before the network is rejoined; however, in the case of email, that situation is largely a dead end; if you're not online, you're not going to be making very many mail connections. What may have been seen as impossible ten years ago may now be completely feasible. ^_^; Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly * - a term of art, look it up Thanks! Matt
Re: e-postage still doesn't work, why IPv6 isn't ready for prime time, SMTP edition
Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention Yes, that's Bitcoin's claim to fame. Perhaps the number of zeroes doesn't make a difference; but solving the double spending problem would seem to play a much bigger role in making a difference to your conclusion from ten years ago. Note that one of the concepts around the double spending problem is that of offline spending being able to happen in massively large scale in very short time before the network is rejoined; however, in the case of email, that situation is largely a dead end; if you're not online, you're not going to be making very many mail connections. If you actually care about this, you might consider what would happen to the Bitcoin blockchain if it were attacked with millions of double spending transactions. This paper claims it can't prevent double spending, only prevent overspending by a factor of 100, which may be of theoretical interest but isn't of much practical use. We already know how to do approximate bulk counting. Oh, and on the last page, they think that hashcash works, to limit transaction rates. Anyway, if you reread my paper from a decade ago, the bank problem is only one of many problems with e-postage, each of which is fatal. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 30, 2014, at 16:40 , Måns Nilsson mansa...@besserwisser.org wrote: Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net): On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote: Quoting John R. Levine (jo...@iecc.com): Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. I will not debate with people who resort to humiliation techniques when questioned. I will not argue whether you were humiliated as that is something only you can decide. The puny attempt at master suppression technique[0] was identified as such and countermeasures were launched. No damage done. I was serious. Your reaction .. well, I shouldn't say anything more lest you call me puny again. (What were you saying about humiliation techniques? Glad to see you would never be hypocritical.) However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself. You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say. You misunderstand. Or perhaps I did? I read John's statement to be in reference to your stance, i.e. running without spam filters. Not that your server is small. John can clarify if he likes. 
But either way, running without spam filters is beyond unusual these days. My personal server is run with very few filters, all of which REJECT or accept and send to a box I read. I have no spam folder. So while I am not as far down the tail as you are, I am definitely out of the mainstream. The only reason I mention that is so you don't go researching for another reason to identify my comments as anything except exactly what they say. Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-) I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter. And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers. I like your use of MUST. However, I think you'll find your definition of undue and most of the rest of the Internet's is vastly different. -- TTFN, patrick
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/30/2014 11:17 PM, Patrick W. Gilmore wrote: On Mar 30, 2014, at 16:40 , Måns Nilsson mansa...@besserwisser.org wrote: Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net): On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote: Quoting John R. Levine (jo...@iecc.com): Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there [snip] However, I think you'll find your definition of undue and most of the rest of the Internet's is vastly different. Seems like I got chased off of NANOG for less, in years gone by... -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Thu, Mar 27, 2014 at 10:32:42AM -0400 Quoting John R. Levine (jo...@iecc.com): Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. I will not debate with people who resort to humiliation techniques when questioned. PLONK -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 I feel like a wet parking meter on Darvon!
Re: why IPv6 isn't ready for prime time, SMTP edition
Composed on a virtual keyboard, please forgive typos. On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote: Quoting John R. Levine (jo...@iecc.com): Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. I will not debate with people who resort to humiliation techniques when questioned. I will not argue whether you were humiliated as that is something only you can decide. However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself. Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-) -- TTFN, patrick
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 28, 2014, at 2:15 PM, Barry Shein b...@world.std.com wrote: On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote: Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero. But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free. I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it. Yes, but you’d have to say “I wanted this” effectively after receiving and opening the mail, knowing what was inside, not before. So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising. We're getting lost in the metaphors methinks. I don’t think so, I think we’re having differing visions of how it would work in detail. So offering to not charge you because you wanted that mail makes no sense, right? But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. FIRST: There's a typo/thinko in my sentence! Should be: So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right? SECOND: In response, someone has to scale resources to match volume. But maybe my typo/thinko confused this because you know that, sorry. Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. 
The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process. This is an effort to provide a financial disincentive for spamming. Did I say that or you? I agree! Possibly with myself. Which judging by my just previous comments is not always a given. I said it, but I’m glad we are in agreement. If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar. Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right? I'm trying to create an economics around enforcement. But it's helpful to convince the relatively honest public that what you describe is a serious crime tantamount to counterfeiting. Yes, that would be very helpful. And we don't want to be in a situation like we were in 1996 where we were debating whether Spam is even a crime. Sadly, we seem to be in a situation where we have no good legal definition of the crime and where the criminal definition of SPAM has been so badly watered down by regulators as to neuter any attempts to regulate it out of existence or prosecute it criminally. Worse, even if it is a crime in jurisdiction A, it becomes very difficult to prosecute a spammer in jurisdiction B for sending SPAM to a recipient in jurisdiction A. Enforcement is your usual avoidance, detection, recovery, sort of affair. But there has to be an economics pushing it or it gets mostly ignored (except for people complaining about spam.) Yep. Compare and contrast for example spamming vs RIAA style enforcement of copyright violations. I would not say that RIAA is the shining example to emulate, but, yes for this particular concept, I think you have the right idea. 
No, it assumes that most of the messages I get from Amazon are NOT SPAM. And I'm arguing we need to change our attitudes on this. This whole idea that because the recipient wants it it isn't spam is wearing thin. Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM. Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it. That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning. The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them
Re: why IPv6 isn't ready for prime time, SMTP edition
On Fri, Mar 28, 2014 at 4:15 PM, Barry Shein b...@world.std.com wrote: On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote: [snip] I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it. So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. *Postage schemes as proposed with end users email clients 'attaching postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng Not in any conceivable future version of IP. *Believe end users being served by mail servers WON'T tolerate postage, or the extra difficulty in configuring their email client, even from a free service. Spam is a serious problem, and different mail users don't agree on exactly what messages are spam, BUT from end users' perspective: they all tend to agree that it is their provider's job to have made all the spam go away, but delivered all goodmail with 100% accuracy. Moreover, mail users expect, this should be 100% transparent, requiring no extra work from the mail user. Confirming that a message was OKAY, or that it was spam is definitely outside the compass of your average mail user. Therefore it would almost definitely be e-mail mailbox providers footing the bill on behalf of their subscribers in any 'charge postage' scheme that ever had a reasonable chance of working. Must be completely transparent to end users. Any treatment for spam ultimately needs to have some conceivable way of being implemented to be less harmful and annoying than the disease. Therefore: Must not have any significant burdens for at least 95% of legitimate users, and the burden of the 5% of legitimate users must be low and worth it. 
Email hosting providers still just have to use the flat rate monthly service fee to recover their costs, AND costs have to be low enough that free mail providers can still work -- supported by advertising: users will revolt against SP, if there are extra charges. Therefore Postage must be optional. Perhaps, by separating mail into multiple classes, and requiring postage only for certain classes. Such as
Unpostaged Email --- Extreme spam filtering, likely deliverability issues (what we have today)
Bulk Class Email --- subject to reduced spam filtering, reduced postage, Only available to authorized SMTP senders.
First class Email --- Intended for private correspondence, greater postage, reduced spam filtering
Priority Email --- Intended for extremely urgent messages, high postage, for time sensitive matters very little or no spam filtering.
And the process by which SMTP operators could reach agreement to charge each other for traffic, and on what rate should be standard, is difficult to conceive. Postage would incentivize SMTP operators: to scrutinize users' traffic and limit abuse or excessive mail outflow from any one user. But who could say... that a particularly lucrative spam campaign won't come from the spammer attached with the proper postage? In theory SMTP providers could do this... exchange postage between SMTP operators and completely hide it from end users, but the problem is it requires agreement... and consistent rules, otherwise e-mail perhaps becomes too expensive: or not sufficiently predictably inexpensive. Now if SMTP providers charge each other postage... postage SPENT should be offset by postage RECEIVED. When e-mail conversations are mostly symmetrical --- for example: two users e-mailing each other, then the ratio of messages OUT to messages IN should be pretty close to 1.0, or at least not 1000 to 1; Which means the two SMTP servers could charge each other postage, but the postage spent is offset by postage received. 
This would be different for commercial bulk mailers (legitimate or otherwise), AND as a result --- they would pay. Shifting some costs back from sender to receiver of the message. And... perhaps the commercial mailers _should_ bear costs. As commercial mailings create support costs (when false positive'd by spam filters), And... additional storage cost (before the user downloads their message from their POP3 mailbox). Also large-scale bulk mail consumes bandwidth, memory, and processing power. So... how could it work technically... One possibility: a SMTP server proves postage deposited, by each presenting a cryptocurrency wallet address in the HELO banner and the 250 reply; for the smtp transaction to proceed, the sending server needs to be challenged to prove it has the balance to pay --- and challenged then to
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 08:28 o...@delong.com (Owen DeLong) wrote: So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising. I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on? I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea. As I said earlier what might work is when you sign up for some email (list, advertising, customer account) you can also enter some sort of cookie which the sender can use to charge against your epostage quota. But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including is this really a problem that needs to be solved? We're getting lost in the metaphors methinks. I don’t think so, I think we’re having differing visions of how it would work in detail. Well, that's always the problem at some point. Lacking a specific, detailed proposal one tries to work out how it might work, look for inherent flaws in the idea, show stoppers. This is basically brainstorming. So offering to not charge you because you wanted that mail makes no sense, right? But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. FIRST: There's a typo/thinko in my sentence! Should be: So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right? SECOND: In response, someone has to scale resources to match volume. But maybe my typo/thinko confused this because you know that, sorry. Yes, but those costs are essentially already sunk in existing internet access. 
The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process. What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here. (trying to elide a lot...) Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM. My whole point is I don't WANT to have a definition of spam, except as a bad memory. I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem. Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it. That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning. Again, we're talking about spam and the harm it does, the costs it incurs. And phishing etc. That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police? The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send. The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important. But every one of them has postage attached. Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. 
I certainly don’t want to start double-paying for spam (or legitimate email for that matter). Recipients wouldn't pay in my scheme. If you mean that legitimate senders have to pay and somehow recover that cost, well, we all pay for police and other security. Security is often like that. When you pay for a prison you pay to house prisoners, any benefit to you is at best abstract (they're not on the streets etc.) Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it. This is probably getting off-track, but are you sure about that with the USPS? You can mark it NSA (no such addressee) or NFA (no forwarding address) or NSA/NFA or even put a forwarding address which may or may not do
Re: why IPv6 isn't ready for prime time, SMTP edition
But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including is this really a problem that needs to be solved? Don't forget Vanquish was a complete failure, so why would this be any different? and do I want Phil Raymond to sue me for violating the patent on this exact scheme? R's, John PS: You must have met him at one of the spam conferences. I met him a few times.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/29/2014 12:59 PM, Jimmy Hess wrote: *Postage schemes as proposed with end users email clients 'attaching postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng Not in any conceivable future version of IP. And I insist that we are all wasting our time trying to make SMTP and its supporting protocols (and their kin under IPX/SPC, Sperrylink, UUCP, et alia) are not at the transport layer and nothing at the transport layer is responsible for nor rich with solutions for their problems. IF the overriding problem is due to an inability to identify and authenticate the identification of the sender, then let us work on establishing a protocol for identifying the sender and authenticating the identification of the sender and permitting the receiver to accept or deny acceptance of traffic by reference to that identification. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 22:37 jo...@iecc.com (John Levine) wrote: But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including is this really a problem that needs to be solved? Don't forget Vanquish was a complete failure, so why would this be any different? and do I want Phil Raymond to sue me for violating the patent on this exact scheme? That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not. As I said I think it's overly complex in implementation and not of much benefit. I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course. HOWEVER: a) If you really were referring to the context of that remark, refunding postage to desired senders, not much problem since I don't see that as useful anyhow. b) If there's some broader context, well, patents can get licensed and otherwise negotiated so I don't know why anyone would be suing anyone. This reminds me of when I was working on a Rock & Roll 50th Anniversary site and we'd put up materials licensed for use by the site. And I'd get this non-stop stream of YOU WILL GET SUED! emails from people who merely visited the site, many DEMANDING we immediately produce proof to them that the material was properly licensed or take it down IMMEDIATELY! And they would be CHECKING! etc. Some would even phone the office and scream at me. None were owners or had any interest in the materials which, as I said, were all properly licensed. There was never any actual problem, not a hint. Gratuitous anecdote: The only (very tiny, funny) problem we ever had was when Elvis Presley Enterprises (which is, yes, that Elvis Presley) printed up T-shirts using some of our slogans which we clearly marked as TM. 
I sent them a letter offering a $0 license to print as many T-shirts as they like if they just mentioned us in their ads in some friendly way once in a while...LET'S TALK! I mean, hey, this is Elvis Presley Enterprises! Respect to The King. I got back this amazing letter from what must have been a strip mall lawyer, the stationery was truly cheesy (it had logs on it, some sort of good ol' boy western theme I guess), asserting that we had no rights in those slogans because we were NOT in the T-shirt/Apparel business (i.e., USPTO category.) I dropped the matter because it was just too silly to even respond to and figured if it ever seemed to make a difference I'd worry about it. They didn't seem to be selling too many of those T-shirts anyhow, and now they'd been informed and had acknowledged notice which is half the game. Nothing came of it. Not much came of the site either, unfortunately tho I did get to meet a lot of interesting people. Bo Diddley called me once to tell me how great he thought it all was and could he help! R's, John PS: You must have met him at one of the spam conferences. I met him a few times. Maybe, I'm looking at his picture and his face doesn't ring a bell but he seems to be here in the Boston area so if there were a mutual interest I suppose a meeting would be easy enough. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, Mar 26, 2014 at 9:59 AM, John Levine jo...@iecc.com wrote: That way? Make e-mail cost; have e-postage. Gee, I wondered how long it would take for this famous bad idea to reappear. I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf R's, John PS: Yes, I've heard of Bitcoins. Good lord. I love your page about how a micropayment handling system would have to be so immense it couldn't possibly be built, because otherwise someone would have built one by now. The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] You're postulating needing something 100x the size of the credit card processing system, which does 100,000,000 transactions/day. Facebook's presentation talks about doing billions *per second*, which if I do the math right, puts it conservatively at almost 900,000x the scale of the credit card processing system; certainly well beyond the threshold of what you considered necessary to handle email micropayment transactions. I suspect your notion of Creating a transaction system large enough for e-postage would be prohibitively expensive. is no longer true. Matt [0] https://www.usenix.org/conference/nsdi13/technical-sessions/presentation/nishtala
Re: why IPv6 isn't ready for prime time, SMTP edition
Don't forget Vanquish was a complete failure, so why would this be any different? and do I want Phil Raymond to sue me for violating the patent on this exact scheme? That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not. As I said I think it's overly complex in implementation and not of much benefit. I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course. Really, this is a WKBI from 1997. Look at the patent if you don't believe me. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly
Re: why IPv6 isn't ready for prime time, SMTP edition
The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] ... which is completely irrelevant because they don't have a double spending problem. Sheesh. It's easy to scale up stuff that is trivially parallelizable.* Also, I wrote that ten years ago. Add an extra zero or two to the numbers if you want, but it doesn't make any difference. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly * - a term of art, look it up
Re: why IPv6 isn't ready for prime time, SMTP edition
Although that's useful for some situations it's a not at the heart of the spam problem, or is just one small facet at best. People you don't know, like perhaps me right now, will send you email which isn't spam, and which presumably you're ok with receiving. So, it's not the overriding problem with spam. On March 29, 2014 at 18:58 larryshel...@cox.net (Larry Sheldon) wrote: On 3/29/2014 12:59 PM, Jimmy Hess wrote: *Postage schemes as proposed with end users email clients 'attaching postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng Not in any conceivable future version of IP. And I insist that we are all wasting our time trying to make SMTP and its supporting protocols (and their kin under IPX/SPC, Sperrylink, UUCP, et alia) are not at the transport layer and nothing at the transport layer is responsible for nor rich with solutions for their problems. IF the overriding problem is due to an inability to identify and authenticate the identification of the sender, then let us work on establishing a protocol for identifying the sender and authenticating the identification of the sender and permitting the receiver to accept or deny acceptance of traffic by reference to that identification. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker) -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
IF the overriding problem is due to an inability to identify and authenticate the identification of the sender, then let us work on establishing a protocol for identifying the sender and authenticating the identification of the sender and permitting the receiver to accept or deny acceptance of traffic by reference to that identification. We've got DKIM, SPF, S/MIME, and PGP. What more do you want? R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 29, 2014 at 22:34 jo...@iecc.com (John R. Levine) wrote: Don't forget Vanquish was a complete failure, so why would this be any different? and do I want Phil Raymond to sue me for violating the patent on this exact scheme? That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not. As I said I think it's overly complex in implementation and not of much benefit. I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course. Really, this is a WKBI from 1997. Look at the patent if you don't believe me. I don't know what WKBI means and google turns up nothing. I'll guess Well Known Bad Idea? Since I said that I found the idea described above uninteresting I wonder what is a WKBI from 1997? The idea I rejected? Also, I remember ideas being shot down on the ASRG (Anti-Spam Research Group) list primarily because they would take ten years to gain acceptance. Over ten years ago. Maybe they were bad ideas for other reasons. Some certainly were. But there's this tone of off-the-cuff dismissal, oh that would take TEN YEARS to gain traction, or that's a WKBI, which I don't find convincing. I read your paper, for example, and said it's a nice paper. But I don't find it compelling to the degree you seem to want it to be because it mostly makes a bunch of assumptions about how an e-postage system would work and proceeds to argue that the particular model you describe (and some variants) creates impossible or impractical hurdles. But what if it worked differently? At some point you're just reacting to the term e-postage and whatever it happens to mean to you, right? You can't really say you've exhaustively worked out every possibility which might be labelled e-postage. Only a particular interpretation, a fairly specific model, or a few. 
When people talked of virtual currency over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc? Bitcoin might well be a lousy solution. But there it is nonetheless, and despite the pile of papers which argued that this sort of thing was impossible or nearly so. Note: Yes, I can also argue that Bitcoin is not truly a virtual currency. Sometimes a problem is like the Gordian Knot of ancient lore which no one could untie. And then Alexander The Great swung his sword and the crowds cried cheat! but he then became King of Asia just as prophesized. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
When people talked of virtual currency over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc? None, but it shouldn't be hard to look at the way bitcoin works and realize why it'd be phenomenally ill suited for e-postage, just for technical reasons. I told Satoshi so in 2009. R's, John PS: Sometimes a WKBI really is a WKBI.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 27, 2014, at 1:38 PM, Brandon Ross br...@pobox.com wrote: On Thu, 27 Mar 2014, Owen DeLong wrote: On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote: Please explain in detail where the fraud potential comes in. Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing. Sounds a lot more profitable than regular spam. You say this like having a tax on running a botted computer on the internet would be a bad thing. I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 27, 2014, at 10:31 PM, Barry Shein b...@world.std.com wrote: On March 27, 2014 at 12:14 o...@delong.com (Owen DeLong) wrote: On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote: On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote: Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? It's a fine idea but too complicated. Look, the (paper) post office doesn't say oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender! Why? Because if they did that people would game the system, THEY'D SPAM! How would they benefit from that? From what, being able to send free paper mail? I think that would be considered a benefit by most junk mail advertisers. But see next... SPAM — Pay, say $0.10/message. Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05. And it would take way too much bookkeeping and fraud identification etc. Please explain in detail where the fraud potential comes in. By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way. Well, it's advertising, so they do. Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero. But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free. So offering to not charge you because you wanted that mail makes no sense, right? 
But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. This is an effort to provide a financial disincentive for spamming. Let's take a deep breath and re-examine the assumptions: Full scale spammers send on the order of one billion msgs per day. Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer. Not sure how you enforce these user account requirements or how you avoid duplicative accounts. If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar. Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right? Who can't operate with 1M msgs/day? Well, maybe Amazon or similar. But as I said earlier MAYBE THEY SHOULD PAY ALSO! I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems. That assumes that spam is free for them, and you. Including free as in stealing your time”. No, it assumes that most of the messages I get from Amazon are NOT SPAM. The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send. 
We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available. I disagree. I see it as a form of theft of service that only immoral thieves would take if available. How can it be a theft of service if we're not charging anything? I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so. Well, if they use others' resources it's a theft of those resources, such as botnets, is that what you mean? Botnets, my mail server, my disk storage, my network, etc. where my mail is processed… All of the above. But by morality I mean that we tend to define spam in terms of generally agreed to be undesirable email content such as questionable herbal cures or other apparent fraud or
Re: Why IPv6 isn't ready for prime time :-)
On Mar 27, 2014 8:01 PM, Tim Durack tdur...@gmail.com wrote: NANOG arguments on IPv6 SMTP spam filtering. Deutsche Telecom discusses IPv4-IPv6 migration: https://ripe67.ripe.net/presentations/131-ripe2-2.pdf Facebook goes public with their IPv4-IPv6 migration: http://www.internetsociety.org/deploy360/blog/2014/03/facebooks-extremely-impressive-internal-use-of-ipv6/ If you haven't started, you've got some work to do. Indeed. Having been deeply involved leading the technical side of our transition at my organiati
Re: Why IPv6 isn't ready for prime time :-)
Hmmm. Phone accidentally sent email before it was finished. Indeed. Having been deeply involved leading the technical side of our transition at my organization for the past three years, I think those who wait until the IPv6/IPv4 divide is roughly 50/50 or later are going to be in for a world of hurt.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 28, 2014, at 5:27 AM, Brandon Ross br...@pobox.com wrote: On Thu, 27 Mar 2014, Owen DeLong wrote: On Mar 27, 2014, at 1:38 PM, Brandon Ross br...@pobox.com wrote: On Thu, 27 Mar 2014, Owen DeLong wrote: On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote: Please explain in detail where the fraud potential comes in. Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing. Sounds a lot more profitable than regular spam. You say this like having a tax on running a botted computer on the internet would be a bad thing. Heh, perhaps not... I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick. I don't think so. The motivations to continue to game the system are much stronger under this scheme because the profits are immediate and direct. A spammer no longer has to just hope that the advertising, phishing or whatever they are up to is acted upon by the user, instead they get a somewhat immediate cash payout that's not dependent on the user. This assumes a different economic model of SPAM that I have been led to believe exists. My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On Fri, 28 Mar 2014, Owen DeLong wrote: This assumes a different economic model of SPAM that I have been led to believe exists. My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on. Fine, then the people paying the people who do the spamming have more of an incentive to pay higher rates and more spammers. It doesn't really matter how many layers of abstraction there are, the point is that the main motivator has become more attractive. -- Brandon Ross Yahoo AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Skype: brandonross Schedule a meeting: http://www.doodle.com/bross
Re: why IPv6 isn't ready for prime time, SMTP edition
On Fri, 28 Mar 2014 06:22:32 -0700, Owen DeLong said: This assumes a different economic model of SPAM that I have been led to believe exists. My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on. Only because we haven't given them a way to monetize it immediately.
Re: Why IPv6 isn't ready for prime time :-)
Indeed. Having been deeply involved leading the technical side of our transition at my organiati Yeah, IPv6 can be like that. Helpfully, John
Re: anti-spam WKBIs, was why IPv6 isn't ready for prime time, SMTP edition
You say this like having a tax on running a botted computer on the internet would be a bad thing. I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick. What would actually happen is that the users would refuse to pay their ISPs for their bot mail, the ISPs would refuse to pay the recipients, and the whole thing would collapse. Like I said in my decade-old white paper, the problems when real money is involved will be worse than the ones they purport to solve. On the other hand, if you plan to go ahead with this WKBI, I'll let Phil Raymond know. He'd love to do something with that patent. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 28, 2014, at 6:30 AM, Brandon Ross br...@pobox.com wrote: On Fri, 28 Mar 2014, Owen DeLong wrote: This assumes a different economic model of SPAM that I have been led to believe exists. My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on. Fine, then the people paying the people who do the spamming have more of an incentive to pay higher rates and more spammers. It doesn't really matter how many layers of abstraction there are, the point is that the main motivator has become more attractive. Perhaps… But I’m not convinced. Today we have more than sufficient motivation to continue to game the system and virtually no incentive to make the system less open to gaming. While I agree this would increase economic incentives to game the system slightly, it would also add some rather strong incentives to improve security and make the process of gaming much harder. Perhaps this isn’t a good solution, but it certainly cannot be argued that what we are doing so far is working. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote: Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero. But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free. I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it. So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. We're getting lost in the metaphors methinks. So offering to not charge you because you wanted that mail makes no sense, right? But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. FIRST: There's a typo/thinko in my sentence! Should be: So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right? SECOND: In response, someone has to scale resources to match volume. But maybe my typo/thinko confused this because you know that, sorry. This is an effort to provide a financial disincentive for spamming. Did I say that or you? I agree! Possibly with myself. Which judging by my just previous comments is not always a given. If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar. Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right? I'm trying to create an economics around enforcement. 
But it's helpful to convince the relatively honest public that what you describe is a serious crime tantamount to counterfeiting. And we don't want to be in a situation like we were in 1996 where we were debating whether Spam is even a crime. Enforcement is your usual avoidance, detection, recovery, sort of affair. But there has to be an economics pushing it or it gets mostly ignored (except for people complaining about spam.) Compare and contrast for example spamming vs RIAA style enforcement of copyright violations. Spamming? The occasional shutdown of a botnet tho those may be more motivated by DDoS and phishing. Copyright? Megaupload, wham, Bit torrents, wham, site takedowns, RIAA lawsuits, wham wham wham. Lawyers, guns, and money. What's the difference? Clear monied interests in the latter. Who can't operate with 1M msgs/day? Well, maybe Amazon or similar. But as I said earlier MAYBE THEY SHOULD PAY ALSO! I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems. That assumes that spam is free for them, and you. Including free as in “stealing your time”. No, it assumes that most of the messages I get from Amazon are NOT SPAM. And I'm arguing we need to change our attitudes on this. This whole idea that because the recipient wants it it isn't spam is wearing thin. Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it. It's a fundamentally broken idea and spam is its bastard offspring. The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. 
Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send. The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important. But every one of them has postage attached. But maybe there could be some way to reverse charges like you can with fedex and similar. When you sign up with Amazon et al you also enter your (free) e-postage cert (whatever, some cookie) giving them permission to charge against it for some list of mutually agreeable emailings like order confirms and maybe even marketing materials. There are some implementation details involved but it doesn't strike me as a crazy idea. We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available. I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
Re: why IPv6 isn't ready for prime time
Apropos nothing, I tried to bring up IPv6 with another service provider today (this being the fourth I've attempted with only one success) but all I'm getting is: %BGP-3-NOTIFICATION: sent to neighbor ::1000:A000::6 2/7 (unsupported/disjoint capability) 0 bytes :( -Bill -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: why IPv6 isn't ready for prime time, SMTP edition
LoL Spellcheck… Helping you correctly spell the incorrect word every time. Owen On Mar 26, 2014, at 1:03 PM, Lamar Owen lo...@pari.edu wrote: On 03/26/2014 03:56 PM, Lamar Owen wrote: Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector. Blasted spellcheck Now that everybody has had a good laugh; I've not 'sent' *any* phishing e-mails, but I have *seen* plenty. Argh.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wednesday, March 26, 2014 08:26:14 PM Lamar Owen wrote: You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail. nit Not all of 41/8 is served by South Africa :-). /nit Mark.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thu, Mar 27, 2014 at 3:38 AM, Mark Tinka mark.ti...@seacom.mu wrote: nit Not all of 41/8 is served by South Africa :-). /nit nit But a significant portion of it routes through London :-) /nit *cough *cough co.tz to co.za, etc., etc. -Jim P.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thursday, March 27, 2014 09:48:09 AM Jim Popovitch wrote: nit But a significant portion of it routes through London :-) /nit *cough *cough co.tz to co.za, etc., etc. Perhaps, but that does not mean it's all served by South African ISP's. The London trombone is a separate issue. Mark.
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Wed, Mar 26, 2014 at 03:35:48PM -0400 Quoting John R. Levine (jo...@iecc.com): It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are unreal? A real provider is one that provides mail for real users, as opposed to someone who plays RFC language lawyer games. I only have a few dozen users, but I can assure you I use a whole lot of different filtering approaches including DNSBLs to keep my users' mailboxes usable. Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- the necessity to stick to protocol is not under debate) I must say it's pretty amusing that someone who works for the organization that published the original DNSBL seems to be ranting against them. The ability to change one's mind when circumstances change is usually seen as advantageous. Why not here? -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!
Re: why IPv6 isn't ready for prime time, SMTP edition
This is totally ignoring a few facts. A: That the overwhelming majority of users don't have the slightest idea what an MTA is, why they would want one, or how to install/configure one. ISP/ESP hosted email is prevalent only partially to do with technical reasons and a lot to do with technical apathy on the part of the user base at large. Web hosting is the same way. A dedicated mailbox appliance would be another cost to the user that they would not understand why they need, and thus would not want. In a hypothetical tech-utopia, where everyone was fluent in bash (or powershell, take your pick), and read RFCs over breakfast instead of the newspaper, this would be an excellent solution. Meanwhile, in reality, technology frightens most people, and they are more than happy to pay someone else to deal with it for them. B: The relevant technical reason can be summarized as good luck getting a residential internet connection with a static IP (If your response includes the words dynamic DNS then please see point A) (Also I'm just going to briefly touch the fact that this doesn't address spam as a problem at all, and in fact would make that problem overwhelmingly worse, as MTAs would be expected to accept mail from everywhere, and we obviously can't trust end user devices or ISP CPE to be secure against intrusion) Scott Buettner Front Range Internet Inc NOC Engineer On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote: Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. 
The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it. -Laszlo On Mar 26, 2014, at 2:07 PM, Lamar Owen lo...@pari.edu wrote: On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active mail servers, active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. 
That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.)
Re: why IPv6 isn't ready for prime time, SMTP edition
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly
Re: WKBIs, was why IPv6 isn't ready for prime time, SMTP edition
Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? You could have bought the patent on this WKBI on eBay last year: http://www.ebay.com/itm/251279133681 When I was running the ASRG, I set up a wiki where we could keep a taxonomy of anti-spam techniques, so we could save time and just point people at it when they reinvent them. It's still there, contributions of anything we've missed are still welcome: http://wiki.asrg.sp.am/wiki/Attention_bonds R's, John PS: Well Known Bad Idea
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote: Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? It's a fine idea but too complicated. Look, the (paper) post office doesn't say oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender! Why? Because if they did that people would game the system, THEY'D SPAM! And it would take way too much bookkeeping and fraud identification etc. Let's take a deep breath and re-examine the assumptions: Full scale spammers send on the order of one billion msgs per day. Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer. Who can't operate with 1M msgs/day? Well, maybe Amazon or similar. But as I said earlier MAYBE THEY SHOULD PAY ALSO! We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available. Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be. I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that. Why would it work? Because that's how human society works. People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead. And it'd create an economy for hunting down miscreants. There really is none now, outside of the higher profile DDoS or phishing sort of activities. I claim it wouldn't take much of this to shut down spammers. P.S. 
And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be voluntary at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: why IPv6 isn't ready for prime time, SMTP edition
Scott, You are exactly right, in the current environment the things I'm suggesting seem unrealistic. My point is that it doesn't have to work the way it does today, with the webmail providers, the mail originators and the spam warriors all scratching each others' backs. There has been a LOT of work done to make webmail easy and everything else practically impossible, even if you do know how it works. What if Google, Apple, Sony or some other household brand, sold a TV with local mail capabilities, instead of pushing everyone to use their hosted services? If it doesn't work because we are blocking it on purpose, customers would demand that we make it work. Since this isn't a well known option today, casual (non tech) users don't know that they should be demanding it. As far as why someone would want an MTA, it doesn't take long to explain the benefits of having control over your own email instead of having a third party reading it all. The problem is that instead users are told they can't have it. MTAs are built into every user operating system and they would work just fine if the email community wasn't going out of their way to exclude them. The lack of rDNS is just one of the many ways to identify and discriminate against end users who haven't bought their way into the club. Spam is not a big problem for everyone. It's at a different scale for individuals and for large sites with many users. -Laszlo On Mar 26, 2014, at 2:58 PM, Scott Buettner sbuett...@frii.net wrote: This is totally ignoring a few facts. A: That the overwhelming majority of users don't have the slightest idea what an MTA is, why they would want one, or how to install/configure one. ISP/ESP hosted email is prevalent only partially to do with technical reasons and a lot to do with technical apathy on the part of the user base at large. Web hosting is the same way. A dedicated mailbox appliance would be another cost to the user that they would not understand why they need, and thus would not want. 
In a hypothetical tech-utopia, where everyone was fluent in bash (or powershell, take your pick), and read RFCs over breakfast instead of the newspaper, this would be an excellent solution. Meanwhile, in reality, technology frightens most people, and they are more than happy to pay someone else to deal with it for them. B: The relevant technical reason can be summarized as good luck getting a residential internet connection with a static IP (If your response includes the words dynamic DNS then please see point A) (Also I'm just going to briefly touch the fact that this doesn't address spam as a problem at all, and in fact would make that problem overwhelmingly worse, as MTAs would be expected to accept mail from everywhere, and we obviously can't trust end user devices or ISP CPE to be secure against intrusion) Scott Buettner Front Range Internet Inc NOC Engineer On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote: Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. 
The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it. -Laszlo On Mar 26, 2014, at 2:07 PM, Lamar Owen lo...@pari.edu wrote: On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active mail servers, active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost;
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote: On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote: Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? It's a fine idea but too complicated. Look, the (paper) post office doesn't say oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender! Why? Because if they did that people would game the system, THEY'D SPAM! How would they benefit from that? SPAM — Pay, say $0.10/message. Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05. And it would take way too much bookkeeping and fraud identification etc. Please explain in detail where the fraud potential comes in. By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way. Let's take a deep breath and re-examine the assumptions: Full scale spammers send on the order of one billion msgs per day. Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer. Not sure how you enforce these user account requirements or how you avoid duplicative accounts. Who can't operate with 1M msgs/day? Well, maybe Amazon or similar. But as I said earlier MAYBE THEY SHOULD PAY ALSO! I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. 
They have enough problems trying to get IPv6 deployed without adding this to their list of problems. We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available. I disagree. I see it as a form of theft of service that only immoral thieves would take if available. Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be. I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that. Why would it work? Because that's how human society works. People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead. But who charges these fees and how do they enforce those charges against miscreants that are sending from stolen hosts, bots, fraudulent IP addresses, etc.? And it'd create an economy for hunting down miscreants. So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well). My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object. P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be voluntary at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself. Well, here we get a hint at how you envision this working. 
There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them. Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
On Thu, 27 Mar 2014, Owen DeLong wrote: On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote: Please explain in detail where the fraud potential comes in. Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing. Sounds a lot more profitable than regular spam. -- Brandon Ross Yahoo AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Skype: brandonross Schedule a meeting: http://www.doodle.com/bross
Why IPv6 isn't ready for prime time :-)
NANOG arguments on IPv6 SMTP spam filtering. Deutsche Telekom discusses IPv4-IPv6 migration: https://ripe67.ripe.net/presentations/131-ripe2-2.pdf Facebook goes public with their IPv4-IPv6 migration: http://www.internetsociety.org/deploy360/blog/2014/03/facebooks-extremely-impressive-internal-use-of-ipv6/ If you haven't started, you've got some work to do. Y2K/IPv6 consulting gigs? Nice little earner! -- Tim:
Re: why IPv6 isn't ready for prime time, SMTP edition
What if Google, Apple, Sony or some other household brand, sold a TV with local mail capabilities, instead of pushing everyone to use their hosted services? It would suck, because real users check their mail from their desktops, their laptops, and their phones. Your TV would not have the sophisticated mail sorting, archiving, and searching of the large mail systems. And, of course, when its cheap SSD flaked, you'd lose all your saved mail. I swear, this whole conversation feels like I've fallen through a wormhole into 1998.
RE: why IPv6 isn't ready for prime time, SMTP edition
Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. And your opinion is just another one. Someone else has a different one. Resulting in the mess email is now. You won't believe the crap I read in bounces (it also gives a funny insight into the email chain/setup of a company). Email security (against spam) should be fixed. Properly. Fine grained complaining should be possible (to the sender and all intermittent parties, as well as external parties). Make some RFCs that work please. David Hofstee Deliverability Management MailPlus B.V. Netherlands (ESP) -Original message- From: Brielle Bruns [mailto:br...@2mbit.com] Sent: Tuesday, March 25, 2014 9:57 PM To: nanog@nanog.org Subject: Re: why IPv6 isn't ready for prime time, SMTP edition On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. 
It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
RE: why IPv6 isn't ready for prime time, SMTP edition
You only need Hotmail, Gmail, Yahoo on board and everyone will follow... They might even be able to dictate new SMTP RFCs. David Hofstee Deliverability Management MailPlus B.V. Netherlands (ESP) -Original message- From: Jimmy Hess [mailto:mysi...@gmail.com] Sent: Wednesday, March 26, 2014 4:17 AM To: John R. Levine CC: NANOG list Subject: Re: why IPv6 isn't ready for prime time, SMTP edition On Tue, Mar 25, 2014 at 9:55 PM, John R. Levine jo...@iecc.com wrote: I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active Surely you don't think this is a new idea. Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club? Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many legacy mail servers exist that will never bother to implement new protocols and practice improvements even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers). R's, John -- -JH
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, Mar 26, 2014 at 4:16 AM, Jimmy Hess mysi...@gmail.com wrote: Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club? voting out - in today's world we need to assume that spammers and other criminals have vastly more resources than what may be considered (sort of) good guys. For the same mechanism a CPU-bound cryptocurrency is not likely to succeed. -- Matthias
Re: why IPv6 isn't ready for prime time, SMTP edition
Laszlo Hanyecz las...@heliacal.net wrote: The usefulness of reverse DNS in IPv6 is dubious. For most systems yes, but you might as well have it if you are manually allocating server addresses. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Faeroes: Variable 4, becoming southeast 5 or 6. Moderate or rough. Fair. Good.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 11:35:57PM -, John Levine wrote: It has nothing to do with looking down on subscribers and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, [...] Data point: it's an extremely reasonable estimate. If anything, though, it's an underestimate: the actual rate has several more 9's in it. And if the sending host (a) has generic rDNS and/or (b) fingerprints as Windows, then it approaches 100% so closely as to not be worth arguing about. There is no point in performing any checks other than these on SMTP connections from such hosts. There is no reason to permit the conversation to continue to the DATA stage and to scrutinize the message contents. These actions are both wasteful and superfluous. The only correct action to take at this point is to issue an SMTP reject and end the conversation. It's a pity that this is true. But a decade-plus after the botnet problem became well-known, I can't name an ISP which has developed and deployed an effective mitigation strategy against them. So far it's been band-aids (blocking port 25) and PR (press conferences and initiatives and task forces etc.). (botnet takedowns are meaningless fluff and merely fodder for self-congratulatory press conferences. All those systems in the botnet are still compromised. All those systems are still vulnerable to the same attack vectors that resulted in their initial compromise. And quite likely before the ink is dry on the accompanying press release, other botnet operations will harvest them for use in their own operations. Meet the new boss, same as the old boss.) ---rsk
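The connect-time test on generic rDNS described in the message above, as an added example that is not part of any post in the thread. The heuristic (a PTR name counts as generic when it embeds the connecting address), the verdict strings and the sample hosts are assumptions made for illustration; all addresses come from documentation ranges.

```python
"""Connect-time rDNS triage: flag PTR names that merely encode the client IP."""
import ipaddress


def address_tokens(addr):
    """Strings an auto-generated PTR name typically embeds for this address."""
    tokens = set()
    if addr.version == 4:
        octets = str(addr).split(".")
        for order in (octets, octets[::-1]):          # forward and reversed
            for sep in ("-", ".", "_"):
                tokens.add(sep.join(order))
            tokens.add("".join(o.zfill(3) for o in order))  # 192000002010
        tokens.add("%08x" % int(addr))                # hex form, c000020a
    else:
        groups = addr.exploded.split(":")
        hex32 = "".join(groups)
        tokens.add(hex32)                             # all 128 bits as hex
        tokens.add(hex32[16:])                        # interface identifier
        tokens.add("-".join(groups))                  # dashed groups
        tokens.add(".".join(reversed(hex32)))         # ip6.arpa nibble order
    return tokens


def is_generic_rdns(ip, ptr_name):
    """True when the PTR name contains an encoding of the address itself."""
    name = ptr_name.rstrip(".").lower()
    addr = ipaddress.ip_address(ip)
    return any(token in name for token in address_tokens(addr))


def connect_verdict(ip, ptr_name):
    """Decide before DATA. 'no-rdns' is returned separately because the
    thread disagrees on whether a missing PTR alone justifies rejection."""
    if not ptr_name:
        return "no-rdns"
    if is_generic_rdns(ip, ptr_name):
        return "reject"
    return "continue"


# Constructed sample: (client address, PTR name or None)
SAMPLE = [
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.10", "192-0-2-10.dyn.example.net"),
    ("192.0.2.10", "host10.2.0.192.pool.example.net"),
    ("198.51.100.77", "c-198-51-100-77.hsd1.example.net."),
    ("2001:db8::25", "mx1.example.org"),
    ("2001:db8:1234:5678:a1b2:c3d4:e5f6:789", "a1b2c3d4e5f60789.v6.example.net"),
    ("2001:db8::beef", None),
]


def classify_sample():
    return [connect_verdict(ip, ptr) for ip, ptr in SAMPLE]


if __name__ == "__main__":
    for (ip, ptr), verdict in zip(SAMPLE, classify_sample()):
        print("%-40s %-36s %s" % (ip, ptr, verdict))
```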
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 10:16:37PM -0500, Jimmy Hess wrote: Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' [...] This is an attempt to splash a few drops of water on the people who own the oceans. It won't work, for the same reasons that the last 1,723 very similar proposals won't work. ---rsk
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active mail servers, active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.)
Re: why IPv6 isn't ready for prime time, SMTP edition
Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it. -Laszlo On Mar 26, 2014, at 2:07 PM, Lamar Owen lo...@pari.edu wrote: On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active mail servers, active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. 
But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.)
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, Mar 26, 2014 at 10:07:22AM -0400, Lamar Owen wrote: That way? Make e-mail cost; have e-postage. This is a FUSSP. It has been quite thoroughly debunked and may be dismissed instantly, with prejudice. ---rsk
Re: why IPv6 isn't ready for prime time, SMTP edition
That way? Make e-mail cost; have e-postage. Gee, I wondered how long it would take for this famous bad idea to reappear. I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf R's, John PS: Yes, I've heard of Bitcoins.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 12:59 PM, John Levine wrote: That way? Make e-mail cost; have e-postage. Gee, I wondered how long it would take for this famous bad idea to reappear. I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf And I remember reading this ten years ago. And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? I agree (and agreed ten years ago) with your assessment that the technical hurdles are large, but I disagree that they're completely insurmountable. At some point somebody is going to have to make an outgoing connection on port 25, and that would be the point of billing for the originating host. I don't like it, and I don't think it's a good idea, but the fact of the matter is that as long as spam is profitable there is going to be spam. Every technical anti-spam technique yet developed has a corresponding anti-anti-spam technique (bayesian filters? easy-peasy, just load Hamlet or the Z80 programmer's manual or somesuch as invisible text inside your e-mail, something I've seen in the past week (yes, I got a copy of the text for Zilog's Z80 manual inside spam this past week!). DNS BL's got you stopped? easy peasy, do a bit of address hopping.) The only way to finally and fully stop spam is financial motivation, there is no 'final' technical solution to spam; I and all my users wish there were.
Re: why IPv6 isn't ready for prime time, SMTP edition
In article 911cec5c-2011-4c8d-9cc1-89df2b4cb...@heliacal.net you write: Maybe you should focus on delivering email instead of refusing it Since there is at least an order of magnitude more spam than real mail, I'll just channel Randy Bush and encourage my competitors to take your advice. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
Lamar Owen lo...@pari.edu wrote: the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Lundy, Fastnet, Irish Sea: Northwest veering east 4 or 5, occasionally 6 later in Irish Sea. Moderate or rough. Showers. Good, occasionally moderate.
Re: why IPv6 isn't ready for prime time, SMTP edition
And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? Where do you expect them to send the bill? R's, John PS: The alternative is to deal directly with spam issues, rather than replacing them with even worse e-postage issues. One of the things I pointed out in that white paper is that as soon as you have real money involved, you're going to have a whole new set of frauds and scams that are likely to be worse than the ones you thought you were solving.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 01:38 PM, Tony Finch wrote: Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail. Postage, at least for physical mail, is paid by the sender at the point of ingress to the postal network. Yes, there are ways of gaming physical mail, but they are rarely actually used; the challenge of an e-mail version of such a system would be making it dirt simple and relatively resistant to gaming; or at least making gaming the system more expensive than using the system. And let me reiterate: I don't like the idea, and I don't even think it is a good idea. But how else do we make spamming unprofitable? I'd love to see a real solution, but it just isn't here yet.
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Tue, Mar 25, 2014 at 10:45:00PM -0400 Quoting John R. Levine (jo...@iecc.com): None of this is REQUIRED. It is forced on people by a cartel of email providers. It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are unreal? There are scalability issues that single out the mega-class providers as something special. But those are no reason to go around debating the realness of other email handling organisations. Also, the accept/reject policies of email recipients are subject to individual evaluation and implementation at each MX host. Attempts at describing the state of email as other than that are false and should be discarded[0]. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Content: 80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds TARTAR SAUCE like an 8 by 10 GLOSSY ... [0] I'm sorry for the wording here, I just had to recall a paraphrased instruction from when Sweden had a psyops defence organisation. Every message saying that resistance is to be given up is false.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 01:42 PM, John Levine wrote: And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? Where do you expect them to send the bill? The entity with whom they already have a business relationship. Basically, if I'm an ISP I would bill each of my customers, with whom I already have a business relationship, for e-mail traffic. Do this as close to the edge as possible. And yes, I know, it will happen just about as soon as all edge networks start applying BCP38. I'm well aware of the limitations and challenges, but I'm also well aware of how ungainly and broken current anti-spam measures are. One of the things I pointed out in that white paper is that as soon as you have real money involved, you're going to have a whole new set of frauds and scams that are likely to be worse than the ones you thought you were solving. Yes, and this is the most challenging aspect. Again, I'm not saying e-postage is a good idea (because I don't think it is), but the fact of the matter is, like any other crime, as long as unsolicited commercial e-mail is profitable it will be done. So, what other ways are there to make unsolicited commercial e-mail unprofitable?
Re: why IPv6 isn't ready for prime time, SMTP edition
Lamar Owen lo...@pari.edu wrote: The entity with whom they already have a business relationship. Basically, if I'm an ISP I would bill each of my customers, with whom I already have a business relationship, for e-mail traffic. Do this as close to the edge as possible. Ooh, excellent, so I can deliver loads of spam to them and charge them for it! Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Biscay: Northwest 4 or 5, becoming variable 4. Moderate or rough. Rain or showers. Good, occasionally moderate.
Re: why IPv6 isn't ready for prime time, SMTP edition
Lamar Owen lo...@pari.edu wrote: On 03/26/2014 01:38 PM, Tony Finch wrote: Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail. You mean Nigeria. So how do I get compensated for dealing with the junk they send me? Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Thames, Dover, Wight, Portland, Plymouth: North 4 or 5, becoming variable 3 or 4, then east 4 or 5 later. Slight or moderate, but rough in southwest Plymouth. Rain or showers. Good, occasionally moderate.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Wed, 26 Mar 2014 10:07:22 -0400, Lamar Owen said: it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. You *do* realize that the OS vendor can't really do much about users who click on stuff they shouldn't, or reply to phishing emails, or most of the other ways people *actually* get pwned these days? Hint: Microsoft *tried* to fix this with UAC. The users rioted.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/26/2014 11:45 AM, Lamar Owen wrote: So, what other ways are there to make unsolicited commercial e-mail unprofitable? Well, perhaps not by punishing legitimate SMTP senders who have done nothing wrong. Don't get me wrong -- I already *pay* to send mail. I migrated all of my personal e-mail off of free webmail platforms some time ago to a paid service (e.g. If you are not paying for a service, you are the product.). - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: why IPv6 isn't ready for prime time, SMTP edition
It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are unreal? A real provider is one that provides mail for real users, as opposed to someone who plays RFC language lawyer games. I only have a few dozen users, but I can assure you I use a whole lot of different filtering approaches including DNSBLs to keep my users' mailboxes usable. I must say it's pretty amusing that someone who works for the organization that published the original DNSBL seems to be ranting against them. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/26/2014 2:16 PM, Paul Ferguson wrote: to a paid service (e.g. If you are not paying for a service, you are the product.). That needs to be engraved in the glass screens of every device, like the G.O.A.L at the bottom of the rear-view mirror of some semi-truck tractors. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 02:59 PM, valdis.kletni...@vt.edu wrote: You *do* realize that the OS vendor can't really do much about users who click on stuff they shouldn't, or reply to phishing emails, or most of the other ways people *actually* get pwned these days? Hint: Microsoft *tried* to fix this with UAC. The users rioted. Yep, I do realize that and I do remember the UAC 'riots.' But the OS vendor can make links that are clicked run in a sandbox and make said sandbox robust. A user clicking on an e-mail link should not be able to pwn the system. Period. Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 03/26/2014 03:56 PM, Lamar Owen wrote: Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector. Blasted spellcheck. Now that everybody has had a good laugh; I've not 'sent' *any* phishing e-mails, but I have *seen* plenty. Argh.
Re: why IPv6 isn't ready for prime time, SMTP edition
On March 26, 2014 at 16:59 jo...@iecc.com (John Levine) wrote: I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf It's a fine white paper, I just read it again. But it does tend to make the best the enemy of the good. I remember during the metered bandwidth arguments many years ago people asserting similarly that it was (practically) impossible to implement, would just anger people, was full of holes (hey I can't completely control my bandwidth usage, some outsider could run it up!), etc. Yet, here we are in a world of (mobile) bandwidth caps etc. Big money has a way of focusing efforts. I actually think we're just not quite there yet as horrid as spam is. This is what I alluded to in my previous message. The next leg will be when the line between spam as in questionable content and commercial ham grows fuzzier and fuzzier. There are for example about 1,000 Fortune 1,000 companies, many of which can name any of us legitimate business contacts. And many of them have dozens if not hundreds of sub-divisions (e.g., insurance brokers) who also would qualify as not spam under commonly accepted definitions (and CAN-SPAM.) And they will be motivated by the same things which motivated spammers: (nearly) Free access to our eyeballs, push technology. My guess is the next generation solution won't be motivated by end-users being overwhelmed though that will be cited. It will be motivated by the opportunity to outcapitalize access to our eyeballs as they realize no one is reading the thousands of pieces of ham per day, let alone the spam. This is independent of reputation and similar identity services as a filter: They're all legitimate! Every one of the 5,000 messages you got that day were perfectly legitimate, anyone you ever gave your credit card to for example. Anyhow, obviously I can go on and on, it's a complex subject. 
But I think the solutions will be driven by the creation of economics around the problem, just as they often are in real life. And a lot of the leakage can be mitigated merely by big men with big sticks once money is a factor, rather than magic algorithms (though they will help of course.) -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
RE: why IPv6 isn't ready for prime time, SMTP edition
Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club? Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many legacy mail servers exist that will never bother to implement new protocols and practice improvements even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers). How about something much simpler? We already are aware of bandwidth caps at service providers, there could just as well be email caps. How hard would it be to ask your customer how many emails we should expect them to send in a day? We don't need to be precise about it, just within an order of magnitude. For example, I could say that a residential user should not be over 750 a day and for a commercial user you could find out their projection and add to it to allow a reasonable headroom. Now, the service provider is protecting us from pwned systems within their network. If I get a residential customer asking for 100,000 emails per day I just might have some questions for them. It also seems that it would be easy for the service provider to send an alert to the customer telling them that they have hit their cap and make it easy for them to lift the cap if the traffic is actually legitimate. If they are lifting their cap too often you could investigate or run their outbound email through some type of filtering solution to see how it scores. Now, the providers that implement that system could be allowed to send me email and the ones that don't can't send me email. If this was adopted widely, it would put a lot of pressure on the service provider to get on-board. 
In that case your filters do not need to be that granular. This is not a spam proof solution but would cut down on the very high volume abusers. It also helps deal with the service providers that condone that sort of stuff and will punish them because you are going to lose customers fast if email from that provider is generally not accepted. Maybe if we start scoring against the originating service provider, instead of address blocks and stop accepting email from them, they might do something about the high volume offenders. Steven Naslund Chicago IL
Re: why IPv6 isn't ready for prime time, SMTP edition
How about something much simpler? We already are aware of bandwidth caps at service providers, there could just as well be email caps. How hard would it be to ask your customer how many emails we should expect them to send in a day? Once again, I encourage my competitors to follow your advice. R's, John PS: There are plenty of giant botnets that only send a trickle of mail from each infected host, but the aggregate amount is enormous.
Re: why IPv6 isn't ready for prime time, SMTP edition
On Mar 26, 2014, at 7:07 AM, Lamar Owen lo...@pari.edu wrote: On 03/25/2014 10:51 PM, Jimmy Hess wrote: [snip] I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active mail servers, active IP addresses and SMTP domain names under the authority of a member. ... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.) Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipient's e-postage account to offset the cost of their emails. Thoughts? Owen
Re: why IPv6 isn't ready for prime time, SMTP edition
If you want to do address-based reputations for v6 similar to v4, my guess is that it will start to aggregate to at least the /64 boundary ... It says a lot about the state of the art that people are still making uninformed guesses like this, non ironically. On the one hand /64 is too coarse, because there are hosting providers that put multiple customers in a single /64. If you filter at that granularity, you'll get a lot of false positives and collateral damage. (When asked why they did something that dumb, they've tended to blame equipment vendors.) On the other hand, /64 is much too fine. Roadrunner assigns my cable connection a /50*, so even if you're aggregating at /64, there are now 16K different incarnations of me to block, instead of the one in IPv4. Businesses typically get a /48 so they have 64K incarnations. It would be nice if there were an efficient and reliable way to ask networks what their customer suballocation size is, but there isn't, so you have to hope rwhois will work and be fast enough, or guess, often guessing wrong. There also isn't any agreed way to publish DNSBLs with variable size ranges other than rsync'ing the whole file. IANA has handed out /12s to the RIRs, so each of those is 2^52 /64s, a number that's way out in the absurd-o-sphere. Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out. For anyone who points out that v6 mail works now, you're right, it does, but that's only because botnets don't use it yet other than occasionally by accident on dual stacked hosts so the amount of spam is much lower than on ipv4 and there isn't much address hopping. 
With any luck they never will, since bot mail still works OK for them on v4, but if they do, and they start doing address hopping, it'll be really ugly. R's, John * - yes, it's a /50, their rwhois says so. And I know because whenever my modem reboots, it assigns me a /64 more or less at random from that /50 even though they tell me it's supposed to keep giving me the same one. See prior comments about mostly working.
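The granularity problem described in the message above, worked through as an added example (not part of the original post): it compares a fixed /64 reputation key with a key taken from a per-provider allocation table. The table, the function names and every address (all from the 2001:db8::/32 documentation range) are assumptions for illustration; the post itself points out that no reliable source for such a table exists.

```python
import ipaddress

# Hypothetical per-provider customer allocation sizes (an assumption: the post
# notes there is no reliable way to obtain this today). All prefixes are
# constructed from the 2001:db8::/32 documentation range.
ALLOC_TABLE = {
    ipaddress.ip_network("2001:db8:1000::/36"): 50,   # cable ISP: one /50 per customer
    ipaddress.ip_network("2001:db8:2000::/48"): 128,  # hosting: many customers in one /64
}

# Constructed sample: one cable customer whose modem picks a new /64 from the
# same /50 after each reboot, as in the post's footnote.
HOPPING_CUSTOMER = [
    "2001:db8:1000:1::25",
    "2001:db8:1000:2a7f::25",
    "2001:db8:1000:3fff::25",
]

# Constructed sample: two unrelated hosting customers placed in a single /64.
SHARED_64 = [
    "2001:db8:2000:1::a",
    "2001:db8:2000:1::b",
]


def subnets_64_in(prefix_len):
    """Number of distinct /64s inside one allocation of the given length."""
    return 2 ** (64 - prefix_len)


def fixed_key(addr, prefix_len=64):
    """Reputation key when every sender is aggregated at one fixed length."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def allocation_key(addr, table=ALLOC_TABLE, default_len=64):
    """Reputation key sized to the provider's customer allocation.

    Uses the longest matching provider prefix in the table and falls back
    to default_len when the provider is unknown.
    """
    ip = ipaddress.ip_address(addr)
    matches = [(net, length) for net, length in table.items() if ip in net]
    if not matches:
        return fixed_key(addr, default_len)
    _, length = max(matches, key=lambda m: m[0].prefixlen)
    return fixed_key(addr, length)


def distinct_keys(addresses, key_fn):
    """Set of reputation entries a list of sender addresses would create."""
    return {key_fn(a) for a in addresses}


if __name__ == "__main__":
    for plen in (50, 48, 12):
        print(f"/{plen} holds {subnets_64_in(plen)} /64s")
    print("hopping customer, fixed /64 :", len(distinct_keys(HOPPING_CUSTOMER, fixed_key)))
    print("hopping customer, table     :", len(distinct_keys(HOPPING_CUSTOMER, allocation_key)))
    print("shared /64, fixed /64       :", len(distinct_keys(SHARED_64, fixed_key)))
    print("shared /64, table           :", len(distinct_keys(SHARED_64, allocation_key)))
```

With a fixed /64 key the hopping customer shows up as three separate senders and the two hosting customers share one reputation; sizing the key from the table reverses both outcomes.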
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 11:23 AM, John Levine wrote: Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out. So, what's everyone's feelings about a rather large provider who blocks IPv6 e-mail that has no RDNS, even though the sending domain has SPF records allowing the block, and proper DKIM set up? *looks directly at Google* Nothing like poorly thought out policy to break a rather successful IPv6 roll-out for multiple customers. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, 25 Mar 2014, John Levine wrote: It says a lot about the state of the art that people are still making uninformed guesses like this, non ironically. Yep, SMTP and the whole spam fighting part of the Internet, isn't ready for IPv6. This is not IPv6's fault. I have repeatedly tried to get people interested in methods of making it possible for ISPs to publish their per-customer allocation size, so far without any success. Most of the time I seem to get "we did it a certain way for IPv4, it works, we don't want to change it" from people. IPv6 changes things. Lots of things. There will be a lot of work to catch up. It's too bad that the part of the ecosystem that fights spam has woken up so late. -- Mikael Abrahamsson email: swm...@swm.pp.se
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 1:43 PM, Brielle Bruns br...@2mbit.com wrote: On 3/25/14, 11:23 AM, John Levine wrote: Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out. So, what's everyone's feelings about a rather large provider who blocks IPv6 e-mail that has no RDNS, even though the sending domain has SPF records allowing the block, and proper DKIM set up? *looks directly at Google* Nothing like poorly thought out policy to break a rather successful IPv6 roll-out for multiple customers. Just an anecdotal observation what G appears to be doing is flagging emails, received over IPv6, that are below a certain size threshold. I have zero problems sending bulk emails (discussions lists), over IPv6, to G end users, but I do see consistent problems sending small mgmt alerts (i.e. monit/munin) over IPv6 to G. -Jim P.
Re: why IPv6 isn't ready for prime time, SMTP edition
In article 5331c054.8040...@2mbit.com you write: On 3/25/14, 11:23 AM, John Levine wrote: Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out. So, what's everyone's feelings about a rather large provider who blocks IPv6 e-mail that has no RDNS, even though the sending domain has SPF records allowing the block, and proper DKIM set up? *looks directly at Google* I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On 2014-03-25, Mikael Abrahamsson swm...@swm.pp.se sent: I have repeatedly tried to get people interested in methods of making it possible for ISPs to publish their per-customer allocation size, so far without any success. Most of the time I seem to get "we did it a certain way for IPv4, it works, we don't want to change it" from people. So it's yet another chicken-and-egg problem to add to the pile for IPv6. Mail ops don't care because IPv6 isn't here, net ops delay IPv6 because mail isn't ready for it? This seems like the sort of problem that Mailops or MAAWG should be hammering out. There's a great opportunity to get some good BCP documents out there on "Here's how to do email in IPv6" before deployment goes past the point of no return. Spamhaus has had a fair amount of success with getting ISPs to participate in things like the PBL. Why not establish something similar for allocation sizes in IPv6? -- Chip Marshall c...@2bithacker.net http://2bithacker.net/
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
Isn't this just a local policy issue with handling DMARC? I know for sure at least one other (very large) organization that (also) rejects messages which do not have an rDNS entry, and it is a local DMARC policy. - ferg On 3/25/2014 1:57 PM, Brielle Bruns wrote: On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. 
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: why IPv6 isn't ready for prime time, SMTP edition
The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too. -Laszlo On Mar 25, 2014, at 8:57 PM, Brielle Bruns br...@2mbit.com wrote: On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
DMARC says nothing about rDNS, and given how late in the game DMARC comes, it seems like an odd place to enforce rDNS. Local policy, sure; local DMARC policy, wait what? Elizabeth On 3/25/14, 2:12 PM, Paul Ferguson fergdawgs...@mykolab.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Isn't this just a local policy issue with handling DMARC? I know for sure at least one other (very large) organization that (also) rejects messages which do not have an rDNS entry, and it is a local DMARC policy. - - ferg On 3/25/2014 1:57 PM, Brielle Bruns wrote: On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. 
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 5:33 PM, Laszlo Hanyecz las...@heliacal.net wrote: The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too. Heh, I say the same things about DMARC where a lot of the major proponents offer alternative messaging capabilities. -Jim P.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/14, 3:33 PM, Laszlo Hanyecz wrote: The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too. Well, like I said, there is nothing wrong with using rdns as part of a score in how legit a message is. Knock off a point or two in Spamassassin, add a few points back because there are SPF records, and another one or two for DKIM... Google is obviously doing some intelligent filtering on their end to handle incoming spam - why take such a drastic move against rdns when you already do heuristics that can factor it in without risking losing legit mail? I just finished moving two customers from Google hosted mail to Office 365 hosted Exchange. Even with all the odd quirks and issues that 365 has from time to time, I'm still getting better feedback from my customers. So... no, I'd sooner shut down my mail services than go with Google mail hosting for my primary e-mail address. But, that's just my opinion. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: why IPv6 isn't ready for prime time, SMTP edition
This seems like the sort of problem that Mailops or MAAWG should be hammering out. Of course MAAWG is working on it. But don't hold your breath. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
In article 5331edab.8000...@2mbit.com you write: On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. It would be inconvenient for me to make this change, therefore everyone else should change instead. Don't hold your breath. R's, John
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, Mar 25, 2014 at 02:57:15PM -0600, Brielle Bruns wrote: Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. Lack of rDNS means either (a) there is something temporarily wrong with rDNS/DNS or (b) it's a spam source or (c) someone doesn't know how to set up rDNS/DNS for a mail server. Over the past decade, (b) has been the answer to about five or six 9's (depending on how I crunch the numbers), so deferring on that alone is not only sensible, but quite clearly a best practice. If it turns out that it looks like (b) but is actually (a), then as long as the DNS issue clears up before SMTP retries stop, mail is merely delayed, not rejected. And although *sometimes* it's (c), why would I want to accept mail from a server run by people who don't grasp basic email server operation best practices? (Doubly so since long experience strongly suggests people that botch this will very likely botch other things as well, some of which can result in negative outcomes *for me* if I accommodate them.) Of all the things that we need to do in order to make our mail servers play nice with the rest of the world, DNS/rDNS (and HELO) are among the simplest and easiest. ---rsk p.s. I also reject on mismatched and generic rDNS. Real mail servers have real names, so if [generic] you insist on making yours look like a bot, I'll believe you and treat it like one.
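The receiver-side policy described in the message above (defer when rDNS is missing, reject when it is mismatched or generic), sketched as an added example that is not part of the original post. The DNS data is constructed and held in dictionaries so the block runs offline; the function names and the pattern used to spot "generic" names are assumptions, since the post does not define one.

```python
import ipaddress
import re

# Constructed DNS data (2001:db8::/32 documentation range); stands in for
# real PTR and AAAA lookups so the example runs offline.
PTR = {
    "2001:db8:a::25": "mail.example.org.",
    "2001:db8:b::25": "mx.example.net.",
    "2001:db8:c::1f3a": "2001-db8-c--1f3a.dyn.example.com.",
}
AAAA = {
    "mail.example.org": ["2001:db8:a::25"],
    "mx.example.net": ["2001:db8:ffff::1"],  # forward record points elsewhere
    "2001-db8-c--1f3a.dyn.example.com": ["2001:db8:c::1f3a"],
}

# Assumed heuristic for "generic" names: an access-network keyword as a label,
# or a label built from the address itself (three or more hex groups).
GENERIC_KEYWORD = re.compile(r"(?:^|[.-])(?:dyn|dhcp|pool|ppp|dsl|cable)(?:[.-]|\d|$)", re.I)
GENERIC_ADDRESS = re.compile(r"(?:[0-9a-f]{1,4}-+){3,}", re.I)


def looks_generic(hostname):
    """True when the name looks auto-generated rather than assigned to a server."""
    return bool(GENERIC_KEYWORD.search(hostname) or GENERIC_ADDRESS.search(hostname))


def classify_rdns(client_ip, ptr_lookup, aaaa_lookup):
    """Return (action, reason) for a connecting SMTP client.

    defer  -> temporary (4xx) failure: the sender retries, so a transient
              DNS fault only delays mail.
    reject -> permanent (5xx) failure.
    """
    ip = ipaddress.ip_address(client_ip)  # normalises expanded IPv6 forms
    name = ptr_lookup(str(ip))
    if not name:
        return ("defer", "no reverse DNS")
    name = name.rstrip(".").lower()
    # Forward-confirm: the PTR name must resolve back to the client address.
    forward = {ipaddress.ip_address(a) for a in aaaa_lookup(name)}
    if ip not in forward:
        return ("reject", "reverse DNS does not match forward DNS")
    if looks_generic(name):
        return ("reject", "generic reverse DNS name")
    return ("accept", name)


def check(client_ip):
    """Run the policy against the constructed zone data above."""
    return classify_rdns(client_ip, PTR.get, lambda n: AAAA.get(n, []))


if __name__ == "__main__":
    for addr in ("2001:db8:a::25", "2001:db8:b::25",
                 "2001:db8:c::1f3a", "2001:db8:d::25"):
        print(addr, "->", check(addr))
```

To apply the weighting approach argued for elsewhere in the thread, the same classification can feed a spam score instead of a hard SMTP response.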
Re: why IPv6 isn't ready for prime time, SMTP edition
The OP doesn't have control over the reverse DNS on the ATT 6rd. Spam crusades aside, it can be seen as just another case of 'putting people in their place', reinforcing that your end user connection is lesser and doesn't entitle you to participate in the internet with the big boys. How does one dare run a 'server' without being a member of a RIR? One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever. As seen in the other thread being discussed here, people are already looking for ways to block end users from participating. -Laszlo On Mar 25, 2014, at 10:38 PM, Rich Kulawiec r...@gsp.org wrote: On Tue, Mar 25, 2014 at 02:57:15PM -0600, Brielle Bruns wrote: Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. Lack of rDNS means either (a) there is something temporarily wrong with rDNS/DNS or (b) it's a spam source or (c) someone doesn't know how to set up rDNS/DNS for a mail server. Over the past decade, (b) has been the answer to about five or six 9's (depending on how I crunch the numbers), so deferring on that alone is not only sensible, but quite clearly a best practice. If it turns out that it looks like (b) but is actually (a), then as long as the DNS issue clears up before SMTP retries stop, mail is merely delayed, not rejected. And although *sometimes* it's (c), why would I want to accept mail from a server run by people who don't grasp basic email server operation best practices? (Doubly so since long experience strongly suggests people that botch this will very likely botch other things as well, some of which can result in negative outcomes *for me* if I accommodate them.) Of all the things that we need to do in order to make our mail servers play nice with the rest of the world, DNS/rDNS (and HELO) are among the simplest and easiest. ---rsk p.s. 
I also reject on mismatched and generic rDNS. Real mail servers have real names, so if [generic] you insist on making yours look like a bot, I'll believe you and treat it like one.
Re: why IPv6 isn't ready for prime time, SMTP edition
On 3/25/2014 2:38 PM, Elizabeth Zwicky wrote: Local policy, sure; local DMARC policy, wait what? My goof. Apparently just local policy sans DMARC. - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: why IPv6 isn't ready for prime time, SMTP edition
On Tue, 25 Mar 2014 19:07:16 -0400, Laszlo Hanyecz las...@heliacal.net wrote: One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever. And for damn good reasons (read: foolish and easy to trick into becoming a spam source.) Granted, enterprise players are only slightly less foolish and easy to hack. My inbox being proof hosting providers cannot police their idiot users. ISPs will need to continue the evil practice of blocking outbound port 25. --Ricky