Re: An overview of cryptographic protocols to prevent spam
One more comment note on spam...

"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
> I'm afraid that I use blacklists. My servers get about 30,000 spams
> and virii directed at me (that is me, Perry Metzger, personally) every
> night that are blocked by blacklists. I would be unable to write you
> this email if I didn't use blacklists, because I'd have no working
> email at all. (To be fair, the onslaught has diminished recently --
> I'm now down to perhaps 20k a night. There is no functional
> difference.)

My mother in law recently got rid of the email address she had been using for many years. Why? She was getting so much spam that the address was effectively useless. To find the one real message she had to wade through a metric ton of porn, medical fraud, bank fraud and ads for fake rolexes. Her anti-spam facilities in her mail reader were pretty good but kept putting real messages into the spam folder, so after a while it became obvious that they weren't helping since she had to parse all the spam by hand anyway. In short, she was forced to surrender. She abandoned the account.

She's not the only person I know who's done things like this. Spam is not a "harmless annoyance" any more than insect bites are once you start getting enough. It threatens the ability to actually use email for communication.

In a normal society, by now people would have email directories online where you could look up the email addresses of friends and loved ones. Why don't we have those? Spammers. People actually go through a whole lot of trouble NOT to have their email online. They do things like turning their email addresses into images on their web sites so automated harvesters can't read them. They post from "throwaway accounts" assuring that no one who wants to reply will ever be able to do so. They bend over backwards trying to avoid the spammers.

ISPs have to spend vast amounts of money on extra bandwidth to carry this garbage -- it costs real money. Companies have large staffs of people who work full time to ameliorate (not eliminate) their spam problems. It costs them real money.

People like my mother in law abandon email addresses (and make it impossible for old friends to find them) because they're scared that if too many people know their email address it will become flooded with garbage. By the way, the criminals now do stuff like using spyware to steal people's addresses so it is literally the case that you have to worry that too many people know your address.

This is not a normal situation any longer. Spam has distorted people's behavior beyond all recognition. You can pretend that hasn't happened and that really all that is needed is heavier use of the "d" key or perhaps slightly better Bayesian filters, but in fact that's not the situation any more. We're beyond that.

You can argue that we're wrecking the internet to save it, but what is, realistically, the alternative? If you say "just ignore the spam" then I'll have to politely ignore *you* -- I cannot try to find the 50 real messages inside of the 30,000 garbage ones addressed to me without the evil blacklists, and you wouldn't be able to either. We either make the internet somewhat less of what it was so that we can continue using it at all, or we keep it "pure" and cease to use it altogether. Given the choice, I'll compromise on purity.

Perry

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: An overview of cryptographic protocols to prevent spam
John Gilmore <[EMAIL PROTECTED]> writes:
> It was hard to get from paragraph to paragraph without finding
> approving mentions of blacklists. I am a victim of many such
> blacklists. May Amir never appear on one, or his unthinking
> acceptance of blacklisting might change.

I'm afraid that I use blacklists. My servers get about 30,000 spams and virii directed at me (that is me, Perry Metzger, personally) every night that are blocked by blacklists. I would be unable to write you this email if I didn't use blacklists, because I'd have no working email at all. (To be fair, the onslaught has diminished recently -- I'm now down to perhaps 20k a night. There is no functional difference.)

I've also been blacklisted myself, and I've had to deal with it. I understand your position, but you should understand that for many of us spam, virus spew, etc. is not merely an annoyance but has the ability to literally make it impossible to use email. Using a combination of blacklists and other mechanisms, I get the spam levels down to the point where they are merely an annoyance, but without them I'd be incapable of receiving email any longer.

An analogy I like to use here is that while your neighbor using a flashlight in the night might be an "annoyance", and turning on floodlights in the night might be a "substantial annoyance", bathing your house in hundreds of megawatts of light day and night goes beyond mere "annoyance" and eliminates your ability to enjoy the use of your property. A few unwanted emails are a mere annoyance, but at the levels I've reached, they go beyond annoyance.

As much as I dislike blacklists etc., I couldn't operate without them so I use them.

I wish I lived in a world where you couldn't just go out and lease the use of 8000 zombie machines on the internet pre-broken into by Ukrainian gangsters for your spamming pleasure, where people couldn't send me phishing emails without being caught and punished for fraud, etc. -- in short where folks who do things that even libertarians dislike were punished. However, we don't live in an ideal world -- we live in a world where a government monopoly runs law enforcement and that law enforcement is nigh well worthless. I can't just buy the other government's law enforcement since there is none, so I do what I can on my own to make my machines livable.

In a better world maybe we won't need firewalls, policies where cable modem users have port 25 blocked unless they ask for it to be unblocked, spam blacklists, vast amounts of personnel time and money spent at large organizations worrying about spam, security, etc., but that better world isn't coming any time soon.

> His analysis made me think of clinical reviews of experiments done
> on human subjects in prison camps -- careful to focus on the facts
> while ignoring the obvious moral problems.
>
> Interspersed were discussions of various kinds of port blocking. The
> Internet is too good for people who'd censor other peoples'
> communications, whether by port number (application) or by IP address
> (person). It saddens me to see many of my friends among that lot.

John, I admire you for living a life without compromises. However, I cannot afford such a life.

As it stands, I wouldn't blame the people who block ports. Most of them, like me, are just trying to keep using the internet as best as they can.

I would blame the criminals. I don't mean the people who merely send out unsolicited email from machines they themselves own that doesn't pretend to come from other people. I mean the people who systematically break in to thousands of computers (surely you don't believe breaking in to someone's computer to gain its use against the will of the owner is okay) so they can send out their notes to a few million people claiming to be their bank and directing them to yet another machine they've broken in to where they collect the passwords of the victims.

I would also blame the law enforcement agencies who essentially do nothing to these people.

Perry
Re: An overview of cryptographic protocols to prevent spam
On Mon, Sep 26, 2005 at 09:28:19AM +0200, Amir Herzberg wrote:
| John Gilmore wrote:
| >>I wrote an overview of Cryptographic Protocols to Prevent Spam,
| >
| >I stopped reading on page V -- it was too painfully obvious that Amir
| >has bought into the whole censorship-list based "anti-spam" mentality.
| John, I'm disappointed; I expected you to be more tolerant. You got mad
| at me at page V which is still just reviewing the basic e-mail
| architecture related to spam. In this part, I explained what open-relays
| are and why people may try to disconnect from them, and described
| port-25 blocking which is common practice and necessary to protect
| domains from being blacklisted.

"necessary to protect domains from being blacklisted."? How about the more factual: "Is used as a decision factor by many of the programmers who create blacklist-creation tools?"

Blacklists are not like blackholes, a natural result of laws of nature. They are the product of human action, and the people who made decisions around them ought to own up to the fact that they are making decisions.

Adam
Re: An overview of cryptographic protocols to prevent spam
John Gilmore wrote:
>> I wrote an overview of Cryptographic Protocols to Prevent Spam,
>
> I stopped reading on page V -- it was too painfully obvious that Amir
> has bought into the whole censorship-list based "anti-spam" mentality.

John, I'm disappointed; I expected you to be more tolerant. You got mad at me at page V which is still just reviewing the basic e-mail architecture related to spam. In this part, I explained what open-relays are and why people may try to disconnect from them, and described port-25 blocking which is common practice and necessary to protect domains from being blacklisted.

I discuss blacklisting techniques and their problems much later, in section 5.5 (page XXV). I discuss there, albeit briefly, false positives, abuse, and collateral damage. I agree about the importance of clarifying these concerns, and will try to improve this.

Frankly, however, I think you were a bit trigger-happy to conclude that I `bought-into` the censorship, black list approach. May I recommend that you ask first, shoot later? We had some discussions on this and while we may have differences, I thought you know I care a lot about freedom of speech.

And btw, yes, as users of some (legitimate!) mail services, both me and several family members (e.g. children) were blocked by domain blacklists... When this happened to my 7 year old child, I had to forward his answers to a magazine for him. I once almost lost a consulting engagement to blocked email. And Ross Anderson once had to resort to asking Adi to call me on the phone to deliver a message, since a crazy mail filter here (Bar Ilan Univ.) blocked his messages for weeks... And more incidents. So believe me I'm well aware of this problem.

--
Best regards,

Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
Re: An overview of cryptographic protocols to prevent spam
> I wrote an overview of Cryptographic Protocols to Prevent Spam,

I stopped reading on page V -- it was too painfully obvious that Amir has bought into the whole censorship-list based "anti-spam" mentality.

It was hard to get from paragraph to paragraph without finding approving mentions of blacklists. I am a victim of many such blacklists. May Amir never appear on one, or his unthinking acceptance of blacklisting might change.

His analysis made me think of clinical reviews of experiments done on human subjects in prison camps -- careful to focus on the facts while ignoring the obvious moral problems.

Interspersed were discussions of various kinds of port blocking. The Internet is too good for people who'd censor other peoples' communications, whether by port number (application) or by IP address (person). It saddens me to see many of my friends among that lot.

John Gilmore
An overview of cryptographic protocols to prevent spam
I wrote an overview of Cryptographic Protocols to Prevent Spam, available at http://eprint.iacr.org/2005/329. This includes a brief discussion of some non crypto mechanisms as well.

I have tried to maintain reasonable balance between accuracy and conciseness, and to be fair while not hiding disagreements, criticism and controversial issues. However, I am sure there is a lot that can be improved, and will appreciate comments and suggestions for improvements, and try to incorporate in the final version of this document.

I apologize for cross posting this message, please excuse this - I hope you won't consider me a spammer...

--
Best regards,

Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame