Re[2]: spam
On Thu, 29 May 2003 10:32:35 + John Loughney [EMAIL PROTECTED] wrote:
> What is a 'radical anti-spammer'?

it's a rhetorical device used when one wants to paint with an overly broad brush.

cheers,
richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
Re: fighting spam, the protocol route
On Wednesday, May 28, 2003, at 19:56 Europe/Amsterdam, Christian Huitema wrote:
> It surprises me that so many people are so eager to declare defeat before even trying the protocol route. (With current protocols defeat is pretty much inevitable.)
>
> There is an obvious issue with the protocol route: from a protocol point of view, it is quite hard to distinguish unsolicited commercial e-mail, which we would label spam, and unsolicited acceptable e-mail, which could be more than welcome.

Detecting spam is hard, as spamminess is in the eye/mailbox of the beholder. However, I see no reason why we can't detect unsolicited bulk email for reasonable definitions of solicited and bulk.

To see whether a message would be welcome (solicited) we can simply see if we know the source. This can be done end-to-end cryptographically or by trusting that a known MTA has checked the previous MTA and so on until we reach the MTA that verified the source.

In order to detect bulk email we simply count the number of messages received from each MTA we're in contact with. Then it's simply a question of rate limiting the number of messages accepted from unknown MTAs and/or redirecting unknown MTAs to a trusted MTA or an MTA that's in the position to do better anti-spam filtering.

So if I'm an AOL user with my own dial-up MTA and I want to send you a message, the Microsoft MTA doesn't know me so it either takes a chance and accepts messages at a low rate, it tells me "why don't you deliver this message to your ISP's MTA and have them forward it", "deliver this message to mx13.spamwashers.com" or "we can't accept your message, submit your remarks using our web form or submit a public key signed by at least two organizations listed on trustedmailers.microsoft.com".

So will this be enough? It won't get rid of all unsolicited email, commercial or otherwise. But the improved accountability should make life much harder for every type of spammer.
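The counting-and-rate-limiting step sketched in the post above, as an added example written for this page; it is not code from the thread or from any MTA mentioned in it. A known peer MTA is accepted freely, an unknown peer is allowed only a trickle of messages per sliding window and the rest are deferred with a pointer to the alternative routes the post lists. The trusted-MTA names, the limit of three messages, the one-hour window and the message stream are all constructed for illustration; a real deployment would key on whatever identity the verifying MTA chain establishes rather than on the bare peer hostname.

```python
"""Per-peer-MTA rate limiting of mail from unknown senders (added example)."""
from collections import defaultdict, deque

TRUSTED_MTAS = {"mx1.example.net", "relay.isp.example"}  # constructed trust list
UNKNOWN_LIMIT = 3          # messages per window accepted from an unknown peer (assumed)
WINDOW_SECONDS = 3600      # sliding window length in seconds (assumed)


class MtaRateLimiter:
    """Accept freely from known peers; trickle-accept, then defer, unknown ones."""

    def __init__(self, trusted, limit, window):
        self.trusted = set(trusted)
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)   # peer -> timestamps of accepted messages

    def _prune(self, peer, now):
        """Drop accepted-message timestamps that have aged out of the window."""
        q = self.seen[peer]
        while q and now - q[0] >= self.window:
            q.popleft()

    def decide(self, peer, now):
        """Return (verdict, reason) for one message offered by `peer` at `now`."""
        if peer in self.trusted:
            self.seen[peer].append(now)
            return ("accept", "known MTA")
        self._prune(peer, now)
        if len(self.seen[peer]) < self.limit:
            self.seen[peer].append(now)
            return ("accept", "unknown MTA, within trickle limit")
        return ("defer", "unknown MTA over limit; resubmit via your ISP's MTA "
                         "or a trusted relay")


# Constructed stream of (timestamp in seconds, sending MTA) pairs.
SAMPLE_STREAM = [
    (0, "mx1.example.net"),
    (10, "dialup-42.example"),
    (20, "dialup-42.example"),
    (30, "dialup-42.example"),
    (40, "dialup-42.example"),      # fourth in the window -> deferred
    (50, "dialup-42.example"),      # fifth in the window  -> deferred
    (60, "mx1.example.net"),
    (3700, "dialup-42.example"),    # window has slid past the earlier ones
]


def simulate(stream=SAMPLE_STREAM):
    """Run the limiter over a stream; return [(timestamp, peer, verdict), ...]."""
    limiter = MtaRateLimiter(TRUSTED_MTAS, UNKNOWN_LIMIT, WINDOW_SECONDS)
    results = []
    for ts, peer in stream:
        verdict, _reason = limiter.decide(peer, ts)
        results.append((ts, peer, verdict))
    return results


def tally(results):
    """Count accept/defer verdicts per peer."""
    counts = defaultdict(lambda: {"accept": 0, "defer": 0})
    for _ts, peer, verdict in results:
        counts[peer][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, peer, verdict in simulate():
        print(f"{ts:5d}  {peer:20s}  {verdict}")
    print(tally(simulate()))
```

Deferring (a 4xx-style "try later") rather than rejecting outright is what lets the sender's own MTA fall back to the ISP relay the post mentions; an outright reject would bounce legitimate first-contact mail from small senders.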
Re: spam
From: Anthony Atkielski [EMAIL PROTECTED]
> In the world of postal mail, the same problem of spam exists, and there is no solution to it. .. the one and only way to separate the truly useless mail from legitimate mail is to hire human beings to sort through it. There isn't any other way.

Unfortunately, this option isn't available to us. We can't *all* hire N other humans to sort our email.

> It may be that spam is an insoluble problem.

It *better* be solvable, otherwise when email becomes 99% spam, everyone will stop reading email.

> No billing scheme can slow the flow of spam without equally affecting the flow of legitimate e-mail, because there isn't really any fundamental difference between the two, except in the eye of the recipient.

I'm willing to spend $.25 to communicate with someone I've never sent email to before. I doubt very much the spammers who boast of sending millions of messages a day are willing to spend $.25 each message for the privilege.

Noel
Re: The utility of IP is at stake here
At 6:30 AM +0200 5/29/03, Anthony Atkielski wrote:
> Tony writes:
> > Not if it simultaneously wants protection from liability for any content that the customer might be sending.
>
> Now that I can fully agree with, although it's not an engineering issue. ISPs that simultaneously want common-carrier protection from liability AND the ability to finely dictate what types of traffic they will accept need to choose one or the other. Either you screen and restrict the traffic on your network, but you take full responsibility for whatever is passing over it, or you just provide raw bandwidth and you are shielded from any claims of impropriety in the use thereof. You can't have it both ways, as companies like Prodigy have discovered.

FWIW, and not to drag us too far into a legal discussion, but the above is not correct for the United States. In the US, ISPs are not, and never have been viewed, as common carriers. And, as one can see in the on-going arguments made about the possibility that cable ISPs might interfere with content, ISPs in general have strongly resisted being treated as common carriers. They do not want to take on the obligations that common carrier status would bring.

Having said that, ISPs in the US do have common carrier-like protection from liability for content of their customers and others -- but this protection from liability is by statute, not as a result of any common carrier status. Section 230(c)(1) of chapter 47 of the U.S. Code states:

    (1) Treatment of publisher or speaker
    No provider or user of an interactive computer service [read, an ISP] shall be treated as the publisher or speaker of any information provided by another information content provider.

This protection from liability is in no way dependent on what restrictions an ISP places on its traffic. Thus, for purposes of this thread, if an ISP wants to finely dictate what types of traffic they will accept they can do so without loss of liability protection.

John
Re: spam
On Wednesday, May 28, 2003, at 21:39 Europe/Amsterdam, Dean Anderson wrote:
> > It surprises me that so many people are so eager to declare defeat before even trying the protocol route.
>
> We tried protocols 5 years ago. They haven't worked. I've explained why specifically, and why in theory they can't work. I'm not interested in a discussion about semantics so we can define the problem as solvable or unsolvable.

I found the following to be an interesting read: http://www.cdt.org/spam/

It shows that even five years ago or so most legitimate businesses advertising legitimate services through spam employed header forgery. If we can't stop spammers from spamming we should at least be able to stop them from doing so in ways that add insult to injury by derailing the entire email service.

So let's have that BOF.
Re: spam
From: Iljitsch van Beijnum [EMAIL PROTECTED]
> ...
> I found the following to be an interesting read: http://www.cdt.org/spam/ It shows that even five years ago or so most legitimate businesses advertising legitimate services through spam employed header forgery.
> ...

It is an article of faith for many people that most spam involves header forgery, but no one seems to have better support than intuition for that faith. Where in the report at http://www.cdt.org/spam/ does it say that most legitimate businesses advertising legitimate services through spam employed header forgery? I found "forged addresses and domain names as the source of innumerable problems" and similar statements, but they differ significantly from the familiar claims that most spam involves header forgery. Moreover, since that report there have been the Flowers.com case and many state laws against header forgery that I think have discouraged a lot of header forgery.

A lot of spam does involve header forgery, but a lot clearly does not. The problem with concluding that most spam uses header forgery is that it encourages looking for solutions to header forgery instead of stopping unsolicited bulk mail.

That leads to a major problem in dealing with spam. Most people who say they want to stop spam in fact have other goals that they value more. Those other goals include:

- stopping header forgery,
- making all mail authenticated, for various notions of that word,
- stopping commercial email, and never mind that an order confirmation is commercial,
- stopping unsolicited commercial email (never mind that many of us depend on unsolicited non-bulk commercial email for our daily bread),
- selling anti-spam services or software,
- counting coup on spammers by LARTing them, signing them up for junk postal mail, etc,
- becoming famous for having stopped spam, or at least getting into the RFC index.

Vernon Schryver [EMAIL PROTECTED]
Re: spam
On Thursday, May 29, 2003, at 17:44 Europe/Amsterdam, Vernon Schryver wrote:
> > I found the following to be an interesting read: http://www.cdt.org/spam/ It shows that even five years ago or so most legitimate businesses advertising legitimate services through spam employed header forgery.
> > ...
>
> It is an article of faith for many people that most spam involves header forgery, but no one seems to have better support than intuition for that faith. Where in the report at http://www.cdt.org/spam/ does it say that most legitimate businesses advertising legitimate services through spam employed header forgery?

OK, I can't find it right now, and the thing is too big to completely reread.

> A lot of spam does involve header forgery, but a lot clearly does not. The problem with concluding that most spam uses header forgery is that it encourages looking for solutions to header forgery instead of stopping unsolicited bulk mail.

Stopping header forgery would be useful in and of itself, but regardless of that it will also help against unsolicited bulk email.

I downloaded the list with known spam address blocks from spews.org. It lists around 1600 spammers and 14000 addresses or address blocks. Obviously spammers are trying hard to cover their tracks. Filtering out 1600 spammers is easier than filtering out many more thousands of individual addresses. I'm assuming we can come up with some identifier that's harder to change than an IP address.

A quick look at a week's worth of email for an account I've used to post to Usenet for nearly 10 years (370, 98% spam or mailing lists I can't unsubscribe) tells me around 75% of the spam I received either has obvious header problems or employs some kind of anti-anti-spam measure. Also around 75% is of a pharmaceutical, sexual or financial nature (often at least two of those at the same time). There is no obvious correlation.

> That leads to a major problem in dealing with spam. Most people who say they want to stop spam in fact have other goals that they value more.

Yes, it seems like many of them are more interested in perpetuating the status quo.
Re: spam
From: Iljitsch van Beijnum [EMAIL PROTECTED]
> ...
> Stopping header forgery would be useful in and of itself,

Many people who say that have strange notions of header forgery. They consider using your home mail address as a sender or return email address when sending mail while away from home to be forgery but they don't have any problems using their home postal addresses on postcards while on vacation.

> but regardless of that it will also help against unsolicited bulk email.

That is not logical, unless you assume that spammers have no alternative to using header forgery.

> I downloaded the list with known spam address blocks from spews.org. It lists around 1600 spammers and 14000 addresses or address blocks. Obviously spammers are trying hard to cover their tracks. Filtering out 1600 spammers is easier than filtering out many more thousands of individual addresses. I'm assuming we can come up with some identifier that's harder to change than an IP address.

That is a tall assumption. Unless you involve national governments, I've never heard of an identifier that is harder to change than an IP address, except when you get your IP addresses from ISPs that look away from the spam of their customers and the customers of their resellers. Such ISPs would be as happy to sell new identifiers of whatever sort you like to spammers as they have been happy to rent IP addresses.

> A quick look at a week's worth of email for an account I've used to post to Usenet for nearly 10 years (370, 98% spam or mailing lists I can't unsubscribe) tells me around 75% of the spam I received either has obvious header problems or employs some kind of anti-anti-spam measure. Also around 75% is of a pharmaceutical, sexual or financial nature (often at least two of those at the same time). There is no obvious correlation.

I notice that you wrote "header problems" instead of "forgery".

> > That leads to a major problem in dealing with spam. Most people who say they want to stop spam in fact have other goals that they value more.
>
> Yes, it seems like many of them are more interested in perpetuating the status quo.

I do not agree with that. Some people do have usually unconscious interests in the status quo, but most people are doing illogical things like attacking header forgery as if spammers could not create zillions of valid user names at free or cheap providers or domain names and avoid header forgery.

Vernon Schryver [EMAIL PROTECTED]
spam
Personally I think the best idea I've seen yet is the idea of a prefix, such as ADV in the subject line. The real problem I agree is with sorting through unsolicited mail for what you really want. It may be possible to put something like ADV in a protocol header. Or maybe that is too extreme.

Bill
Re: spam
On Thu, 29 May 2003, Iljitsch van Beijnum wrote:
> It shows that even five years ago or so most legitimate businesses advertising legitimate services through spam employed header forgery. If we can't stop spammers from spamming we should at least be able to stop them from doing so in ways that add insult to injury by derailing the entire email service. So let's have that BOF.

Agreed. But I think the current legislation will make header forgery illegal, and already is in some states. I expect that Type 1 spammers will comply. Some already are.

--Dean
Re: Re: spam
Radical anti-spammers, like other kinds of radicals, make unreasonable demands, employ illegal methods such as extortion and terrorism (or techno-terrorism, in this case), feel there is no other point of view other than their own, and that other points of view can be suppressed. They feel that because the law won't give them what they want, that they can employ whatever methods they feel like to achieve their goals. Frequently, they do more harm to their goals as a result.

For example, Palestinian radicals blow themselves up. Radical Jewish settlers create illegal settlements, and terrorize the local population. When the leadership of a group doesn't repudiate and root out the radicals, significant harm is done to their goals. For example, the Israeli government repudiates and cracks down on illegal settlements. While the Palestinian government doesn't repudiate the Palestinian radicals. The result is a loss of credibility for the Palestinians. By contrast, the actions of the radical settlers inflaming the Palestinians is clearly harmful to Israel, but has little effect on the credibility of the Israeli government.

Some might think it is inappropriate to compare violent terrorism to techno-terrorism. The difference is primarily that techno-terrorism doesn't result in loss of life. Just crashed computers. But the mentality is essentially the same. Radical Anti-spammers are willing to give their jobs and livelihood for their beliefs. And like the Palestinians, the lies, abuse, and misdeeds of the radical anti-spammers discredit the entire group, because the leadership refuses to root them out. The leadership is itself radical.

--Dean

On Thu, 29 May 2003, John Loughney wrote:
> Hi,
>
> What is a 'radical anti-spammer'?
>
> > This is the _false_ assertion of radical anti-spammers, who seem to me to be the abusers.
> >
> > Chris Neill (antispammer open relay abuser eventually fired from Verio--he was ironically, an abuse admin) was shocked to learn he wasn't anonymous, like he thought. The claims made by antispammers about open relays are false. Type 1 spammers seem to get that, judging by their behavior. But radical antispammers don't.
> >
> > --Dean
> >
> > On Wed, 28 May 2003, John Stracke wrote:
> > > Dean Anderson wrote:
> > > > We are lucky that spammers don't get a discount
> > >
> > > Open relays give them a five-finger discount.
> > >
> > > --
> > > John Stracke [EMAIL PROTECTED]
> > > Principal Engineer | http://www.centive.com
> > > Centive | My opinions are my own.
> > > "Power corrupts; Powerpoint corrupts absolutely." -- Vint Cerf
Re: spam
I can only echo Bill's comment on that regards, and I don't find that too extreme.

Cheers,
Fritz.

- Original Message -
From: Bill Cunningham [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 11:18 AM
Subject: spam

> Personally I think the best idea I've seen yet is the idea of a prefix, such as ADV in the subject line. The real problem I agree is with sorting through unsolicited mail for what you really want. It may be possible to put something like ADV in a protocol header. Or maybe that is too extreme.
>
> Bill
Re: The utility of IP is at stake here
I tend to agree with Dave Crocker, getting 100+ million users to upgrade to SMTPng is not going to be any easier than getting them to move to IPv6... It will also suffer from the second design syndrome. I will not fool myself and believe it can happen overnight ... although, due to the volume of spam, there is little choice but doing it.

For this effort to be effective, I think it will have to be done in a way that is at odds with the traditional IETF thinking:

1) Compatibility with SMTP is not desirable == if not, spam will be forward compatible!

2) Some form of privacy is not desirable == You cannot define Spam but you know this is spam when you see one. As you cannot put any reliable filters in place, your only solution is the legal route. For this to work, you want to be able to trace exactly who was sending the mail.

3) Too much scalability is not desirable == There is (almost) no direct cost per mail, but a lot of indirect costs. This may actually very well be the root cause of the problem. There is relatively little spam in regular snail mail or telephone, not only because of legislative regulations, but also because it costs money per message. This regulates the flow. One cannot send millions of mails/phone calls for just $20...

Another way of saying this is that SMTP is a victim of the IETF credo, the protocol scales too well.

- Alain.

Dave Crocker wrote:
> Tony and Steve, et al,
>
> TH In context, it is clearly the right of a mail server operator to refuse
> TH mail. My concern is more about the precedent where a large ISP decides
> TH that address ranges have particular application semantics.
> ...
> TH The IETF needs to recognize that the ISPs don't really have a good
> TH alternative, and work on providing one.
>
> and
>
> SMB Yes. Normally, I'd worry a lot about backwards compatibility. In this
> SMB case, I think the problems for ISPs -- and users -- are so severe that
> SMB people will switch *rapidly* to a new protocol if it solved most of the
> SMB spam problem.
>
> Most of this thread is really about legal and customer service issues. I do not see how it is an IETF topic, no matter how much each of us might (and do) feel strongly about it.
>
> However I'll join the ranks of those heartily supporting your conclusion about the absence of good alternatives...
>
> However there is a catch: With respect to spam, and many other content-related activities, what does it mean to provide a good alternative?
>
> To answer this means we need to understand the problem very well and understand the technical underpinnings of the problem very well. It is easy to note features that are lacking from email, but dangerous to assume that adding those features will result in their being adopted or that their adoption will magically fix the problem at hand.
>
> Worse is that, by and large, spam is a topic for which reasoned discussion -- and especially careful analysis -- is so far proving impossible in an open forum. Between the formal fuzziness of the topic, the strong emotion it engenders, and the compulsive self-interest of many constituencies, the reality is fragmented, heated exchanges, rather than anything really productive.
>
> Here are some realities that I think we must juggle:
>
> 1. We do not understand the full range of email (ie, electronic mediated human exchanges) very well at all;
>
> 2. An installed base of 100 million users should be expected to adopt changes very, very slowly
>
> 3. Each change will have large, unintended consequences, most of which will be undesirable. (This statement is an absolute cliché in serious discussions about organizational and social change.)
>
> Note that the definition of spam largely depends upon the person making the definition; unless and until we can develop a reasonably simple definition that has a) broad acceptance, and b) a largely technical basis, then it is pure folly for the IETF to think it can do anything major in this arena.
>
> It might be useful for us to standardize some relatively straight tools, like a client/filter-server exchange protocol, but we are not going to achieve really strategic improvements.
>
> I should also note that the last two years have seen at least two efforts to consider a replacement email service -- or at least an alternative one -- but that neither seems to have achieved a critical mass of interest.
>
> And before anyone claims that spam will be the flag around which Email(ng) troops will rally, I'll ask what changes anyone thinks are required. As soon as anyone tries to answer that, everyone else should watch the style of responses they get... (if you want to save time, just look at the discussion of spam on the ietf over the last few days. has it been analytic? has it been systemic? has it been productive? -- except for the thread that Tony just started, of course.)
>
> d/
> --
> Dave Crocker mailto:[EMAIL PROTECTED]
> Brandenburg
Re: The utility of IP is at stake here
Folks,

JM FWIW, and not to drag us too far into a legal discussion, but the
JM above is not correct for the United States. In the US, ISPs are
JM not, and never have been viewed, as common carriers. And, as one can

I can see that my point was entirely missed: Yes, this is an important topic. But no, it does not belong in the IETF. We have no *** IETF *** work to do.

d/
--
Dave Crocker mailto:[EMAIL PROTECTED]
Brandenburg InternetWorking http://www.brandenburg.com
Sunnyvale, CA USA tel:+1.408.246.8253, fax:+1.866.358.5301
Re: spam
on 5/29/2003 12:18 PM Bill Cunningham wrote:
> Personally I think the best idea I've seen yet is the idea of a prefix, such as ADV in the subject line.

Using the current transfer and message-format models, that requires post-transfer processing. At a minimum, you would be legitimizing artificially increased bandwidth and processing demands (assuming that everybody complied with the law).

> It may be possible to put something like ADV in a protocol header. Or maybe that is too extreme.

A special header would be feasible if the transfer headers and message headers were separate, since you could reject the message before the transfer. The same results would also be possible with ESMTP using something like an ;ADV extension to the MAIL FROM command. Both of those require wholesale upgrades to have any impact, so in the meantime you'd still have to rely on post-transfer processing.

There is another significant problem with using an ADV tag with all commercial mail, which is that it doesn't adequately distinguish between spam and legitimate commercial mail. Would upgrade notification messages for stuff like software need to be marked? Would domain renewal notices from your registrar need to be marked? Would you need to explicitly opt-in to get those messages without them being marked?

Seems to me we should be defining laws that put the onus on the spammers rather than on the recipients and legitimate business communications.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
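The contrast drawn above between rejecting at the envelope and rejecting after the transfer, as an added example written for this page; it is not code from the post, from Bill's proposal or from any mail server. It models the ";ADV extension to the MAIL FROM command" as a hypothetical ESMTP parameter named ADV (no such standard parameter exists) next to the Subject-line check that current software can do only after DATA, and counts how many bytes the receiving side has to take in before it can say no. The session scripts, addresses and message text are constructed.

```python
"""Envelope-time versus post-transfer rejection of tagged advertising (added example)."""
import re


def parse_mail_from(line):
    """Split 'MAIL FROM:<addr> KEY[=value] ...' into (addr, {KEY: value}).
    Returns None if the line is not a MAIL FROM command."""
    m = re.match(r"MAIL FROM:\s*<([^>]*)>\s*(.*)$", line, re.IGNORECASE)
    if m is None:
        return None
    params = {}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return m.group(1), params


def subject_is_tagged(message_lines, tag):
    """True if the Subject header (headers end at the first blank line)
    starts with `tag`, compared case-insensitively."""
    for line in message_lines:
        if line == "":
            break
        if line.lower().startswith("subject:"):
            return line.split(":", 1)[1].strip().upper().startswith(tag.upper())
    return False


def run_session(client_lines, advert_param="ADV", subject_tag="ADV:"):
    """Play the client side of a scripted ESMTP session against a receiver that
    refuses advertising. Returns (server reply, bytes received before deciding).
    `advert_param` is the hypothetical envelope parameter; `subject_tag` is the
    post-transfer fallback that works with today's message format."""
    received = 0
    in_data = False
    message = []
    for line in client_lines:
        received += len(line) + 2                    # count the CRLF too
        if in_data:
            if line == ".":                          # end of DATA: decide post-transfer
                if subject_is_tagged(message, subject_tag):
                    return ("550 5.7.1 advertising rejected after transfer", received)
                return ("250 2.0.0 message accepted", received)
            message.append(line)
        elif line.upper().startswith("MAIL FROM:"):
            parsed = parse_mail_from(line)
            if parsed is not None and advert_param.upper() in parsed[1]:
                return ("550 5.7.1 advertising rejected at envelope", received)
        elif line.upper() == "DATA":
            in_data = True
    return ("250 2.0.0 session ended without DATA", received)


def _message(subject):
    """Constructed message: three headers, a blank line, a long body, end marker."""
    return ["From: sender@example.com", "To: user@example.org",
            "Subject: " + subject, "", "Lorem ipsum " * 200, "."]


_ENVELOPE = ["EHLO mail.example.com", "RCPT TO:<user@example.org>", "DATA"]

# The same advertisement tagged in the envelope, tagged only in the Subject,
# and an untagged notice of the kind the post says should not need a tag.
SESSION_ENVELOPE_TAG = (_ENVELOPE[:1] + ["MAIL FROM:<sender@example.com> ADV"]
                        + _ENVELOPE[1:] + _message("ADV: big sale"))
SESSION_SUBJECT_TAG = (_ENVELOPE[:1] + ["MAIL FROM:<sender@example.com>"]
                       + _ENVELOPE[1:] + _message("ADV: big sale"))
SESSION_CLEAN = (_ENVELOPE[:1] + ["MAIL FROM:<sender@example.com>"]
                 + _ENVELOPE[1:] + _message("Your domain renewal"))


if __name__ == "__main__":
    for name, session in [("envelope tag", SESSION_ENVELOPE_TAG),
                          ("subject tag", SESSION_SUBJECT_TAG),
                          ("clean", SESSION_CLEAN)]:
        reply, nbytes = run_session(session)
        print(f"{name:13s} {nbytes:6d} bytes received -> {reply}")
```

The byte counts make the post's point concrete: with the envelope parameter the receiver refuses after two short commands, while the Subject-only tag forces it to accept the entire body before it can act, which is exactly the "artificially increased bandwidth and processing" the post objects to.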
RE: The utility of IP is at stake here
Alain Durand wrote:
> I tend to agree with Dave Crocker, getting 100+ million users to upgrade to SMTPng is not going to be any easier than getting them to move to IPv6... It will also suffer from the second design syndrome. I will not fool myself and believe it can happen overnight

In this case, I disagree. Yes SMTP will have to exist for some time to come, but it wouldn't take much to convince people that moving to a new mail system would either reduce spam, or had adequate mechanisms for financial recourse. If the courts routinely granted judgments to individuals of 100 $/euro for every received unsolicited message, people would jump at the chance to run the new mail tool, and spam as we know it would lose its economic viability. Making that work means absolute traceability of the message origin.

> For this effort to be effective, I think it will have to be done in a way that is at odds with the traditional IETF thinking:
> 1) Compatibility with SMTP is not desirable
> 2) Some form of privacy is not desirable
> 3) Too much scalability is not desirable

I agree, with the condition that scalability should be a factor everywhere except the originator.

Tony
RE: The utility of IP is at stake here
John Morris wrote:
> FWIW, and not to drag us too far into a legal discussion, but the above is not correct for the United States. In the US, ISPs are not, and never have been viewed, as common carriers.

I agree on the legal point, but note that as we move further down the path of VOIP that is likely to change. My point was more about the inconsistency of wanting absolute control, but zero responsibility. For starters, they don't have absolute control, and even if they try to establish it, the endpoints will simply push them down a layer and tunnel over whatever is allowed. More importantly they want to maintain their zero responsibility position, and that will take precedence over control as soon as they are taken to court because they didn't prevent an action which they had the means to control through ever deeper packet inspection.

The fundamental legal issue we need to deal with is the ability to absolutely identify the originator of the mail. Is that precluded by any existing privacy laws? If not, identity would provide the means to pursue financial recourse for wasted time and resources. If so, we have a non-technical issue that may prevent any solution.

Tony
Re: spam
Noel writes:
> It *better* be solvable, otherwise when email becomes 99% spam, everyone will stop reading email.

I wouldn't worry about that. When everyone stops reading e-mail, spam will disappear again. Remember, spammers only send out spam because people reply to it. If nobody replies, they'll stop.

Actually nearly 99% of my e-mail _already is_ spam, but I still read the non-spam messages.

As for the problem being solvable, I'm not at all confident about that. It's interesting to note that almost all spam references a handful of products or services. Clearly, there are quite a few people out there who want larger penises, or are in tremendous debt, or are being crushed by large mortgages, or are in search of pictures of teenage girls, otherwise these advertisements would not dominate spam. And somebody is still trying to cut deals with mysterious executives of Nigerian Oil Development Central Bank, judging by the number of letters I receive on that.

Maybe the real problem is that there are too many dolts on the Net who actually reply to this spam. Eliminate them, and the spam will go away. Maybe an IQ test for each new Internet subscriber; anyone with a single-digit score isn't allowed to sign up without adult supervision.

> I'm willing to spend $.25 to communicate with someone I've never sent email to before.

I'm not. The e-mail only costs $0.7 to send, so why should I give anyone $0.25 for it?

> I doubt very much the spammers who boast of sending millions of messages a day are willing to spend $.25 each message for the privilege.

I don't blame them, nor do I think they should be required to pay that. I won't even spend that on one message. If I want to throw money out the window, there are already lots of other scams that will deprive me of my wealth just as quickly.
Re: spam
Dean writes:
> I expect that Type 1 spammers will comply. Some already are.

Of course they will. The whole idea of Type 1 spammers is to provide a way for you to contact them, anyway, so they have little incentive to hide.
Re: The utility of IP is at stake here
John writes:
> In the US, ISPs are not, and never have been viewed, as common carriers.

I recall a case involving CompuServe in which it was treated at least partially as a common carrier, not responsible for the content of its network.

> (1) Treatment of publisher or speaker
> No provider or user of an interactive computer service [read, an ISP] shall be treated as the publisher or speaker of any information provided by another information content provider.

How is this reconciled with the DMCA?
Re: spam
On Mon, May 26, 2003 at 04:58:41PM -0400, [EMAIL PROTECTED] said:
[snip]
> Most of the examples of harmful spam are of the Type 2 and Type 3 variety, which is why Congress and the states have moved to address Type 2. Type 3 is already illegal.

there's a non-harmful kind of spam? Do tell ...

--
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui
Re: The utility of IP is at stake here
g'day,

Tony Hain wrote:
> Alain Durand wrote:
> > I tend to agree with Dave Crocker, getting 100+ million users to upgrade to SMTPng is not going to be any easier than getting them to move to IPv6... It will also suffer from the second design syndrome. I will not fool myself and believe it can happen overnight
>
> In this case, I disagree. Yes SMTP will have to exist for some time to come, but it wouldn't take much to convince people that moving to a new mail system would either reduce spam, or had adequate mechanisms for financial recourse. If the courts routinely granted judgments to individuals of 100 $/euro for every received unsolicited message, people would jump at the chance to run the new mail tool, and spam as we know it would lose its economic viability. Making that work means absolute traceability of the message origin.
>
> > For this effort to be effective, I think it will have to be done in a way that is at odds with the traditional IETF thinking:
> > 1) Compatibility with SMTP is not desirable
> > 2) Some form of privacy is not desirable
> > 3) Too much scalability is not desirable

Sorry, guys, I don't see this one taking wing. I'd agree that many of us would jump at the chance to receive the occasional $100 gratuity, but far fewer would want to sign up for the corollary, a system in which you willingly and consciously abandon all hopes for privacy and anonymity. I think the issue of preserving privacy will be a major one for us all in the coming years, so starting the design of a new system with the axiom that privacy is not desirable seems, well, I find it hard to describe without being either flip or rude. I personally want a next generation system that would *increase* my privacy, not attempt to make a virtue out of *removing* the few shreds of anonymity I have left. I would specifically refuse to use such a system. And yes, I also want it to make unsolicited, bulk email harder to send to me, but not at the cost of my privacy.

As I've already pointed out, I think we need to have another look at the problem definition before we get too far down the design path. For example, virtually every posting on this topic over the past few days seems to be labouring under the assumption that the spammer wants to trigger a commercial exchange of some sort with the recipient (with the corollaries that the commercial entities can be traced, they will allow you to impose costs upon them as a cost of doing business, etc). From looking at a lot of the crap I'm getting, I'd say that a certain percentage of it has no reasonable expectation that I'll react to it at all (e.g. the Portuguese language spam, the spam containing viruses, the spam containing random strings of junk which I assume might help it get past spam filters, but which guarantee that I won't take the sender seriously as someone I'd be willing to share my credit card with, etc).

Here's a radical thought, what if some percentage of this problem is simply economic terrorism and random script kiddies doing the equivalent of scribbling on the walls and tagging the billboards? No amount of legislated Subject lines, protocol design and/or education will solve that problem. In case you missed it, graffiti is already illegal, but it hasn't been eliminated by legislation.

Maybe somebody should get some foundation to fund a study to trace a pile of this stuff to its roots and do some statistically valid analysis on its origins, goals, etc. Otherwise, we seem to be in grave danger of designing a system (spam control) without ever talking to its users (the spam generators). Sounds like a recipe for disaster to me...

- peterd
--
- Peter Deutsch [EMAIL PROTECTED] Gydig Software
Bungle... That's an 'i', you idiot... Oh, right. 'Bingle... - Red versus Blue... -
Re: spam
On Mon, May 26, 2003 at 06:17:23PM -0400, [EMAIL PROTECTED] said: [snip] Spam on my measured-rate cellular-data PDA is real cost. Spam on my measured-rate ISDN line (California) is real cost. Extra staffing to counteract spam at my [isp|university|business] is real cost (setting aside other costs that you seem willing to ignore). There are plenty of examples to pick from. Don't get email on measured rate services, then. Or don't publish the email to measured rate services. Put your measured rate services on the do-not-send list. There are many options besides banning commercial email. Want to lay odds on how many of the hardcore spammers (spamsites hosted on Chinanet, etc.) will respect a do-not-send list? They already ignore various state legislations against spam (I'm a California resident, for instance, and get any number of spams to various accounts daily that ignore existing legislation on this topic); why would they pay any attention to a do-not-send list? (I'm also fairly sure such a list will not allow wildcards, and for those of us running a domain where one address receives [EMAIL PROTECTED], listing every unique address we've created over the years would be tiresome, to say the least. I'm sure if this is not the case, someone will correct me.) These are abnormal expenses which go directly into maintaining the usefulness of my property and which do not increase its value. The right to commercial speech would not warrant these costs for any other venue, and there is nothing sufficiently different and unique about this venue to warrant it here. These are not abnormal expenses. You have to deal with abuse no matter what so, because I have an abuse person to deal with legitimate abuse problems (both ingress and egress), I should consider it part of the cost of doing business to put up with whatever the spammers want to do to me? I wonder if AOL considers the cost of dealing with 2 billion spams _daily_ an abnormal expense. 
Especially when comparing their costs for dealing with spam from 2 years ago. Or 6 months ago. the form. You have to have an abuse person. Persons intent on performing abuse will abuse whatever is handy. Only too true, but it doesn't mean we have to 1) make it easy for them, or 2) ignore it when they do. There are no costs to warrant. Spam cannot cost you more than $1 or $2 per month per user. It doesn't matter how many abuse administrators you have, or how big and expensive your servers are. Email (including spam) is too cheap to meter. It is practically free, per person. Sites that have 10 million users are going to have larger expenses than sites that have 10 users. That isn't a surprise, nor a compelling reason to ban spam. Tell that to AOL. Or Hotmail. Or any other large provider for whom the vast majority of their network traffic is unsolicited commercial email. Your assertions simply do not hold water. I bet they consider the costs of dealing with that illegitimate traffic a fairly compelling reason to ban spam. Anyway, I think commercial speech including spam _could_ be regulated, but there so far is no justification for doing so. I don't think there is any If you can make that statement after considering the cost (personnel, bandwidth, and intangibles like degradation of the quality of Internet experience the average consumer has) of spam traffic now, compared with the cost just 18 months ago, I guess there is no chance you will ever see the flaws in your reasoning. chance whatsoever that spam will ever be banned completely, and if it were, it would suffer the same fate as the Junk Fax law, which had much more significant costs (consumption of paper at 10 cents per page) and 10 cents per page, but there was also no single organization handling 2 billion incoming junk faxes a day. Apples and oranges, Dean.
-- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui
Re: spam
Anthony Atkielski writes: Noel writes: It *better* be solvable, otherwise when email becomes 99% spam, everyone will stop reading email. I wouldn't worry about that. When everyone stops reading e-mail, spam will disappear again. Remember, spammers only send out spam because people reply to it. If nobody replies, they'll stop. You mean I might yet achieve salvation without my procmail rosary beads? Will it be preceded by the RFC 822 apocalypse? Mike
Re: spam
I simply mean that when the returns are low enough, spammers will stop. If spam produces so much noise that people stop using e-mail, that will stop the spammers. However, I think that for the vast majority of Internet users, spam is only a minor nuisance, and they will probably continue to use e-mail with or without spam.
- Original Message - From: Michael Thomas [EMAIL PROTECTED] To: Anthony Atkielski [EMAIL PROTECTED] Cc: IETF Discussion [EMAIL PROTECTED] Sent: Thursday, May 29, 2003 22:56 Subject: Re: spam Anthony Atkielski writes: Noel writes: It *better* be solvable, otherwise when email becomes 99% spam, everyone will stop reading email. I wouldn't worry about that. When everyone stops reading e-mail, spam will disappear again. Remember, spammers only send out spam because people reply to it. If nobody replies, they'll stop. You mean I might yet achieve salvation without my procmail rosary beads? Will it be preceded by the RFC 822 apocalypse? Mike
Re: spam
On Thursday 29 May 2003 01:13, [EMAIL PROTECTED] wrote: Va On Thu, 29 May 2003 06:20:47 +0200, Anthony Atkielski Va [EMAIL PROTECTED] said: ... Va Hash it and sign it with the public key of the recipient. Va That would work, because spammers would not have the Va public key, whereas legitimate senders would. Va Va Only if it's an *UNPUBLISHED* public key - at which point Va it just degenerates into your secret number protocol, Va with the same bootstrapping issues. Correct, but still methinks Anthony is onto something. Yes, a spammer could get hold of your public key. However, this tailoring means that he's going to have to send the spam to each recipient individually, instead of using a huge Bcc list. This won't get rid of spam entirely, but it could put somewhat of a damper on the flow. The big question is, how many recipients are there (To + Cc + Bcc), for the average piece of outbound spam? That is roughly the ratio by which such a scheme will make it costlier to spam. (I'm purposely ignoring the extra cost of the hashing and encryption. These will probably make a small contribution, by comparison.) Anybody got a large corpus of spam, COMPLETE WITH BCC LISTS, to analyze? Then comes the followup question of whether that ratio is enough to be worth the trouble of further investigation along this path. Keep in mind, they could always simply apply the usual Microsoft solution: throw more and faster hardware at it. Note also that a lot of spam is already sent to single recipients per piece. In those cases, the extra costs of hashing and encryption MIGHT make a SMALL dent, but I doubt it would be enough to be worth the hassle.
-- David J. Aronson, Unemployed Software Engineer near Washington DC See http://destined.to/program/ for online resume, and other info
Re: spam
Vernon Schryver wrote: - becoming famous for having stopped spam, or at least getting into the RFC index. And on that subject, would Doug be willing to write up his subaddresses proposal as a draft? Or would that be counterproductive to its eventual acceptance? At least three of us have proposed variants on this theme, and while it will not put an end to spam overnight, it will be a useful beginning. I realise there may be patent issues... ^^ Andrew. -- Andrew Shore.
Re: The utility of IP is at stake here
Dave, Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason. History is replete with examples. From the Internet Worm to Code Red, consumers do install software when they perceive either a threat or a benefit. Getting rid of spam is a HUGE benefit. Heck. What I've found so amusing is that people seem to upgrade their Microsoft systems just 'cause, with no perceived benefit, but merely protecting from Bit Rot. Eliot
Re: The utility of IP is at stake here
At 10:19 PM +0200 5/29/03, Anthony Atkielski wrote: John writes: In the US, ISPs are not, and never have been viewed, as common carriers. I recall a case involving CompuServe in which it was treated at least partially as a common carrier, not responsible for the content of its network. The Compuserve case went the general way you suggest, and the Prodigy case went the other way. Both cases predate the passage of 47 U.S.C. Section 230, which was a part of the Communications Decency Act, which in turn was a part of the Telecommunications Act of 1996. Section 230 was enacted specifically to reverse the holding of the Stratton Oakmont v. Prodigy decision, which did impose liability on Prodigy. (1) Treatment of publisher or speaker No provider or user of an interactive computer service [read, an ISP] shall be treated as the publisher or speaker of any information provided by another information content provider. How is this reconciled with the DMCA? The DMCA does not in general make ISPs liable for copyright infringement by their customers, but instead puts certain takedown obligations on ISPs. So there is no conflict. John
Re: The utility of IP is at stake here
On donderdag, mei 29, 2003, at 21:34 Europe/Amsterdam, Tony Hain wrote: The fundamental legal issue we need to deal with is the ability to absolutely identify the originator of the mail. Is that precluded by any existing privacy laws? If not, identity would provide the means to pursue financial recourse for wasted time and resources. If so, we have a non-technical issue that may prevent any solution. Too bad the bad ideas get much more air time than the good ones. Yesterday some really good points were brought up, today we're mostly rehashing the bad stuff. About the law: current laws are unable to keep spam in check. Is this a problem with the law? I don't think so. A good percentage of all spam (but certainly not all of it) breaks existing laws. It seems unlikely that additional laws will make people who already operate outside the law change their behavior. Another preposterous idea: charging money for sending email. Economics dictates that this will increase the overall cost of emailing by many orders of magnitude and there is no reasonable upgrade path from the current situation to the new one. Both points are moot anyway as they fall outside the scope of the IETF's activities. The real question is whether the current protocols exhibit flaws that make the spam problem worse than it would be without those flaws; and whether improved protocols can be implemented and deployed at reasonable levels of effectiveness and efficiency. It seems the answer to this was no five or six years ago. In the meantime, many things have changed. We now have more advanced techniques and more processing power at our disposal. Also, spamming in general has become much worse and many more children are online now, who are subjected to spam that isn't always child friendly to say the least. Maybe the answer is still no but the time is right to at least revisit the question.
Re: The utility of IP is at stake here
on 5/29/2003 3:39 PM Peter Deutsch wrote: I personally want a next generation system that would *increase* my privacy, not attempt to make a virtue out of *removing* the few shreds of anonymity I have left. I would specifically refuse to use such a system. And yes, I also want it to make unsolicited, bulk email harder to send to me, but not at the cost of my privacy. Everybody wants to see caller-ID but nobody wants to send it. Actually, the use of an identification system doesn't necessarily have to go directly against privacy or anonymity. It leaves the door open for some kinds of abuses in that area, but those aren't a whole lot worse. A ~certificate would validate the identity you are using for that piece of email. That identity doesn't have to be your name or anything else that identifies you personally. Hell, use 20 certificates, call yourself Batman in one group and Wonder Woman in the other, nobody will care. As long as they all verify -- and as long as I can track you down with a court order that exposes what I need to know when I have a demonstrable reason to know it -- nobody should care about the identifiers you choose to use. The real risk here is that the delegator will know who you really are and might tell somebody. I don't see much difference between that and the risk we already have from upstreams being able to sniff and delegate, though. Besides, if everybody feels that strongly about it, a mail system like the one I laid out doesn't *require* user identification, only host and domain identification. If folks want the user part to be optional, that's fine with me.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: spam
Last time I refuted you, I got hit by 2400 sites trying to abuse our relays for 10 days. Sorry. Not this time. You're too late for this discussion anyway. Your points were already made by others. There is no point to rehashing them with you. --Dean
On Thu, 29 May 2003, Scott Francis wrote: On Mon, May 26, 2003 at 06:17:23PM -0400, [EMAIL PROTECTED] said: [snip] Spam on my measured-rate cellular-data PDA is real cost. Spam on my measured-rate ISDN line (California) is real cost. Extra staffing to counteract spam at my [isp|university|business] is real cost (setting aside other costs that you seem willing to ignore). There are plenty of examples to pick from. Don't get email on measured rate services, then. Or don't publish the email to measured rate services. Put your measured rate services on the do-not-send list. There are many options besides banning commercial email. Want to lay odds on how many of the hardcore spammers (spamsites hosted on Chinanet, etc.) will respect a do-not-send list? They already ignore various state legislations against spam (I'm a California resident, for instance, and get any number of spams to various accounts daily that ignore existing legislation on this topic); why would they pay any attention to a do-not-send list? (I'm also fairly sure such a list will not allow wildcards, and for those of us running a domain where one address receives [EMAIL PROTECTED], listing every unique address we've created over the years would be tiresome, to say the least. I'm sure if this is not the case, someone will correct me.) These are abnormal expenses which go directly into maintaining the usefulness of my property and which do not increase its value. The right to commercial speech would not warrant these costs for any other venue, and there is nothing sufficiently different and unique about this venue to warrant it here. These are not abnormal expenses. 
You have to deal with abuse no matter what so, because I have an abuse person to deal with legitimate abuse problems (both ingress and egress), I should consider it part of the cost of doing business to put up with whatever the spammers want to do to me? I wonder if AOL considers the cost of dealing with 2 billion spams _daily_ an abnormal expense. Especially when comparing their costs for dealing with spam from 2 years ago. Or 6 months ago. the form. You have to have an abuse person. Persons intent on performing abuse will abuse whatever is handy. Only too true, but it doesn't mean we have to 1) make it easy for them, or 2) ignore it when they do. There are no costs to warrant. Spam cannot cost you more than $1 or $2 per month per user. It doesn't matter how many abuse administrators you have, or how big and expensive your servers are. Email (including spam) is too cheap to meter. It is practically free, per person. Sites that have 10 million users are going to have larger expenses than sites that have 10 users. That isn't a surprise, nor a compelling reason to ban spam. Tell that to AOL. Or Hotmail. Or any other large provider for whom the vast majority of their network traffic is unsolicited commercial email. Your assertions simply do not hold water. I bet they consider the costs of dealing with that illegitimate traffic a fairly compelling reason to ban spam. Anyway, I think commercial speech including spam _could_ be regulated, but there so far is no justification for doing so. I don't think there is any If you can make that statement after considering the cost (personnel, bandwidth, and intangibles like degradation of the quality of Internet experience the average consumer has) of spam traffic now, compared with the cost just 18 months ago, I guess there is no chance you will ever see the flaws in your reasoning. 
chance whatsoever that spam will ever be banned completely, and if it were, it would suffer the same fate as the Junk Fax law, which had much more significant costs (consumption of paper at 10 cents per page) and 10 cents per page, but there was also no single organization handling 2 billion incoming junk faxes a day. Apples and oranges, Dean.
-- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui
Re: spam
On donderdag, mei 29, 2003, at 23:06 Europe/Amsterdam, Dave Aronson wrote: [Having to do crypto for each outgoing spam] Keep in mind, they could always simply apply the usual Microsoft solution: throw more and faster hardware at it. Note also that a lot of spam is already sent to single recipients per piece. In those cases, the extra costs of hashing and encryption MIGHT make a SMALL dent, but I doubt it would be enough to be worth the hassle. I think the people selling crypto accelerators will be very happy about this... However, creating new public/private key pairs is an incredibly expensive operation, and one that a legitimate email wouldn't have to do very often, but a spammer would if we just keep blacklisting their keys.
RE: The utility of IP is at stake here
Dave Crocker wrote: Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason. WWW browser deployment shows that given appropriate motivation, users will aggressively take advantage of a new app. Yes I consider this to be a new app, even though it is replacing an existing capability. Rather than force people to move or upgrade, give them a new tool and explain the value. They will move as soon as they believe it is less painful than staying where they are. Given the growing level of complaint, and the fact that it will be at least 2 years before anything is ready to deploy, just about anything will be an easy sell. TH If the courts routinely granted judgments to TH individuals of 100 $/euro for every received unsolicited message, TH people a transition plan for 100 million users that relies on an if concerning entirely new behaviors for a large number of independent judicial systems around the world is a rather fragile dependency, to say the least. (and, yes, I realize that that was just an example. so, please, go ahead and provide a scenario that is not equally fragile. i can't.) I would argue this is not entirely new behavior, just that one widely publicized instance needs to establish precedent that receiving unsolicited email constitutes an abuse of personal resources and establish the value of that abuse. Since I think we are talking small-claims here ($100/day per spam source), it would be most efficient for the courts to have a procedure where the claimant provided the abusing email with traceability to the origin, then an automatic judgment could be issued (yes that is new, but the newness is about efficiency, not basic process). Defining an alternative mechanism is the IETF's job. As long as we explicitly refuse to allow interoperability, we don't need to worry about a transition. The mail service providers have the means to inform their customers about the opportunity to use a new app. 
The larger providers (AOL, MSN, Yahoo, ...) can drive media attention and might even help with any legal efforts to make the case that the new app will have anti-spam characteristics. In any case, transition is not a problem when we simply let the spam laden legacy die off as people start refusing to use the old apps. TH would jump at the chance to run the new mail tool, and spam as we TH know it would lose its economic viability. Making that work means TH absolute traceability of the message origin. For this effort to be effective, I think it will have to be done in a way that is at odds with the traditional IETF thinking: 1) Compatibility with SMTP is not desirable why? See above about this being a new app. Requiring integration and compatibility will only create unnecessary complexity, and won't show any quantitative value to the end user. Also, as Alain pointed out in the mail I was responding to, interoperability simply creates a forward path for the SMTP based spam. Just make them parallel systems and move on. 2) Some form of privacy is not desirable 3) Too much scalability is not desirable scalability is not desirable? wow. please explain. You cut off my comment that scalability is desirable everywhere except at the originator. The point is to raise the cost at the origin to bias the economics against random spamming. Something like requiring recipient based public key cryptography substantially raises the originator cost for mass mailings. Mail list servers would be a problem if we only use public key, so another part of the new system could be establishing a symmetric key as part of subscribing to a mail list. Clearly we have a number of technologies available, we just need to define the characteristics of the desired system and start applying technologies to build a new app. Tony
RE: The utility of IP is at stake here
Iljitsch van Beijnum wrote: On donderdag, mei 29, 2003, at 21:34 Europe/Amsterdam, Tony Hain wrote: The fundamental legal issue we need to deal with is the ability to absolutely identify the originator of the mail. Is that precluded by any existing privacy laws? If not, identity would provide the means to pursue financial recourse for wasted time and resources. If so, we have a non-technical issue that may prevent any solution. Too bad the bad ideas get much more air time than the good ones. Yesterday some really good points were brought up, today we're mostly rehashing the bad stuff. About the law: current laws are unable to keep spam in check. I was not asking about spam law. I was trying to be specific about any privacy laws that would prevent identification of the originator of a message. As long as there is a legal way to undeniably trace the message origin, there is a chance we can build a technical approach to bulk message handling system that will end random spam. ... The real question is whether the current protocols exhibit flaws that make the spam problem worse than it would be without those flaws; and whether improved protocols can be implemented and deployed at reasonable levels of effectiveness and efficiency. I would argue yes, in that it is impossible to nail down the originator with the current system. It seems the answer to this was no five or six years ago. In the meantime, many things have changed. We now have more advanced techniques and more processing power at our disposal. Also, spamming in general has become much worse and many more children are online now, who are subjected to spam that isn't always child friendly to say the least. Maybe the answer is still no but the time is right to at least revisit the question. I agree. Tony
Re: spam
I've been lurking all this time, and was about to give up completely on this thread, but then I got sucked into the reality distortion field, drank the kool-aid, and, well One problem with attaching the secret string to an email address is how that is done at the sender's side. I can see email clients automating the process, which is fine, until a virus comes along and starts popping off random emails. Plus, how would CC: and vast To: lists hide the secret string? Clint (JOATMON) Chaplin
Anthony Atkielski [EMAIL PROTECTED] 5/28/03 21:20:47 Tony writes: Which is precisely the goal. It is not so extreme as to make routine mail unusable, but extreme enough to make random bulk mail not worth the cost. Point taken, although I think conventional encryption would probably be a better choice for this purpose. I think, though, that a more effective method would be to find something that one can require on each message and that is not trivially easy for a computer to do automatically. For example, the various administrations passing through the White House have long had a policy of establishing a secret number or similar text that must be placed on any incoming letter that is to be forwarded directly to the President or his family with minimal screening. The President and family then give this number to a select few people. Any correspondence without the number goes through all the usual screening. This works because the number is an out-of-band datum that the average sender is not likely to have. It is communicated from human being to human being, and isn't to be found anywhere in public. So it cannot be automatically added by a machine, nor can unauthorized people add it. A simple e-mail implementation of this would be to place a random string in the subject line of a message intended for a specific recipient that serves the same purpose as this secret number. 
The string would be different for each recipient, and the only way to obtain it would be through some out-of-band process (such as contacting the recipient by phone, or something). Since there would be no record of this anywhere that spammers could harvest, it would be impossible for spammers to include these numbers on outgoing mail. Very simple, and very effective. It would, however, be nice to have e-mail clients that automated this, by allowing for a secret number field in address books that would make it possible to insert them automatically on outgoing mail (most clients already provide a way to filter for such numbers on incoming mail). Digital signatures and similar authentication would work but are overkill. All you need is some bit of information that spammers cannot harvest, and the above random string fits that purpose. Spammers might pick up your address on a newsgroup or Web site, but they'd have no way of discovering your secret number. That simply provides message integrity ... Hash it and sign it with the public key of the recipient. That would work, because spammers would not have the public key, whereas legitimate senders would. However, I think the secret-number concept described above would be much simpler and would be just as effective.
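The secret-string scheme Anthony describes, together with the To/CC leakage problem Clint raises, as an added example that is not code from anyone in this thread. The recipient side keeps a per-correspondent token in an address book and routes a message past normal screening only when the Subject carries the token issued to that correspondent; the sender side inserts the token it was given and refuses to do so for a multi-recipient message, since a token in the Subject is readable by everyone on the To/CC list. All names (ADDRESS_BOOK, classify, compose_with_token, token_safe_to_send), the token format, and the sample addresses and tokens are constructed for illustration.

```python
"""Per-correspondent secret token in the Subject line (recipient-side
filter plus sender-side compose guard).  Added illustration, not code from
any message in this thread; every name and sample value here is constructed."""
import hmac
import re
import secrets
from email import message_from_string
from email.message import EmailMessage

# Constructed address book of the recipient: the token we handed to each
# correspondent out of band, keyed by the correspondent's address.
ADDRESS_BOOK = {
    "alice@example.com": "k7Qx4zPv",
    "bob@example.com": "m2Lw9hTc",
}

# Token is carried as "[token]" in the Subject; 8+ URL-safe characters.
TOKEN_RE = re.compile(r"\[([A-Za-z0-9_-]{8,})\]")


def new_token() -> str:
    """A fresh token to hand to a new correspondent (9 random bytes)."""
    return secrets.token_urlsafe(9)


def classify(raw: str, address_book=ADDRESS_BOOK) -> str:
    """Return 'trusted' when the Subject carries the token issued to the
    From address, otherwise 'screen' (message gets normal spam filtering).
    A harvested address without the token, or a token from some other
    correspondent's mailbox, still lands in 'screen'."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").strip().lower()
    expected = address_book.get(sender)
    if expected is None:
        return "screen"
    for candidate in TOKEN_RE.findall(msg.get("Subject", "")):
        # Constant-time compare so the token cannot be probed byte by byte.
        if hmac.compare_digest(candidate.encode(), expected.encode()):
            return "trusted"
    return "screen"


def token_safe_to_send(to: str, cc=()) -> bool:
    """Clint's concern: a Subject token is visible to every To/CC recipient,
    so it is only safe to attach when there is exactly one recipient."""
    return len([to, *cc]) == 1


def compose_with_token(sender: str, to: str, subject: str, body: str,
                       tokens: dict, cc=()) -> str:
    """Sender-side helper: insert the token the recipient gave us into the
    Subject.  `tokens` is the sender's own book, keyed by recipient address.
    Refuses rather than leak the token to other recipients."""
    if not token_safe_to_send(to, cc):
        raise ValueError("secret token would be exposed to other recipients")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = f"{subject} [{tokens[to]}]"
    msg.set_content(body)
    return msg.as_string()


if __name__ == "__main__":
    # Alice holds the token we gave her; a harvested-address sender does not.
    alice_book = {"me@example.org": "k7Qx4zPv"}
    good = compose_with_token("alice@example.com", "me@example.org",
                              "lunch?", "Tuesday?", alice_book)
    print(classify(good))  # trusted
    harvested = "From: mallory@example.net\r\nSubject: buy now\r\n\r\nx\r\n"
    print(classify(harvested))  # screen
```

The virus case Clint mentions is not addressed by this code: a mail worm running inside the sender's client can read the same address book the client uses, which is why the recipient-side filter only decides how much screening a message gets rather than whether it is delivered.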
Re: The utility of IP is at stake here
From: Eliot Lear [EMAIL PROTECTED] Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason. History is replete with examples. From the Internet Worm What? The Morris Worm resulted in a significant marketshare decline for sendmail? That's strange, since my recollections are that sendmail became more instead of less popular, in part because SMTP swamped other protocols. to Code Red, consumers do install software when they perceive either a threat or a benefit. Do you really intend to say what those words mean in context, that Microsoft products were replaced wholesale by other software. Getting rid of spam is a HUGE benefit. Heck. What I've found so amusing is that people seem to upgrade their Microsoft systems just 'cause, with no perceived benefit, but merely protecting from Bit Rot. Installing patches or updates that do not significantly change the form, fit or function of a system is entirely different from pitching SMTP and switching to something else with major differences not only in form, fit, and function but fundamental assumptions. Spam is an implicit problem in any mail protocol that lets you receive mail from strangers. If a message is from a stranger, how do you know the stranger isn't sending copies to 30,000,000 of your intimate friends? Any protocol that keeps a stranger and so possible spammer from sending you a message will be a radical change far larger than the change from IPv4 to IPv6, not to mention turning off the debug switch in sendmail or pasting yet another security bandaid on IIS. For example, Cisco will stop receiving spam as well as inquiries from prospective customers, at least not as freely and with semi-anonymity as today. This mailing list will stop receiving new subscriptions by the old mechanism of sending a subscribe mail message.
Vernon Schryver [EMAIL PROTECTED]
Re: The utility of IP is at stake here
Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason. Times have changed. End users aren't the problem anymore. We have easy, if not automatic, updating for every major user environment. The critical point is the SMTP servers. I believe the great majority of them understand the spam pain, so they would be motivated to change. You throttle SMTP relative to the enhanced protocol to motivate the remaining good guys to convert, and as time goes on and only the bad guys are left, you throttle it even more. .swb
Re: The utility of IP is at stake here
Tony Hain wrote: it wouldn't take much to convince people that moving to a new mail system would either reduce spam, or had adequate mechanisms for financial recourse. I think you mean that, if people believed the new system would reduce spam, it wouldn't take much to convince them. It *would* take a lot to convince them that it would reduce spam; people with a normal, healthy cynicism gland (and without the expertise to analyze the new protocols) would assume that it was just a marketing ploy. -- /=\ |John Stracke |[EMAIL PROTECTED] | |Principal Engineer|http://www.centive.com| |Centive |My opinions are my own. | |=| |*BOOM* Thank you, Beaker. Now we know that is definitely too| |much gunpowder. -- Dr. Bunsen Honeydew | \=/
Re: The utility of IP is at stake here
At 2:22 PM -0700 5/29/03, Eliot Lear wrote: Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason. History is replete with examples. From the Internet Worm to Code Red, consumers do install software when they perceive either a threat or a benefit. Tony's proposal is not for new software: it is for software that *replaces* what they have now. Further, it is not a one-to-one replacement. It requires new administrative actions by the sysadmin and by the user to validate who they want to get mail from. Getting rid of spam is a HUGE benefit. And all the proposals so far have some amount of cost. The trick is to come up with a solution whose benefit to at least half of the 100 million mail users overwhelms the cost. That is, the bother of using the new system has to be less than the bother of getting spam. Heck. What I've found so amusing is that people seem to upgrade their Microsoft systems just 'cause, with no perceived benefit, but merely protecting from Bit Rot. This is because (despite history) people believe that the replacement will be no harder to use than the previous version. --Paul Hoffman, Director --Internet Mail Consortium
RE: The utility of IP is at stake here
On Thu, 29 May 2003, Tony Hain wrote: Dave Crocker wrote: Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason. their customers about the opportunity to use a new app. The larger providers (AOL, MSN, Yahoo, ...) can drive media attention and might The providers you have listed all have what I'd call closed applications. Yahoo is (largely) browser based working from a MUA coded in their server. AOL is client-server, again the MUA is in their server and, I believe but have never observed, MSN is similar to AOL. Other examples as well. Once a new/updated mail protocol is available, then each of the above must implement updates to their servers. Then deploy the changes. The new revised system will just happen to the average user of those services. The slower process will be the millions of smaller mail infrastructures. As long as the new protocols provide a migration plan and support, upgrade over a year or two is a reasonable expectation. A key requirement on the providers of the server and client software is to NOT include dependencies on related system software versions which would force the prospective upgradee to encounter the upgrade domino chain which ends up in substantial costs for unrelated software or hardware. Dave Morris
Re: spam
On Thu, 29 May 2003, Iljitsch van Beijnum wrote:
> However, creating new public/private key pairs is an incredibly expensive operation, and one that a legitimate email wouldn't have to do very often, but a spammer would if we just keep blacklisting their keys.

Of course, this results in another Type 3 attack, where you get messages with lots of bogus keys, and you have to verify the keys.

--Dean
RE: spam
> However, creating new public/private key pairs is an incredibly expensive operation, and one that a legitimate email wouldn't have to do very often, but a spammer would if we just keep blacklisting their keys.

Uh? Creating a Diffie-Hellman public/private key pair is actually quite simple. Even an RSA pair is not all that hard, considering that a set of N prime numbers can generate N.(N-1)/2 key pairs.

The logical consequence of authenticated e-mail is bound to be authenticated spam...

-- Christian Huitema
RE: The utilitiy of IP is at stake here
John Stracke wrote:
> I think you mean that, if people believed the new system would reduce spam, it wouldn't take much to convince them.

Yes.

> It *would* take a lot to convince them that it would reduce spam; people with a normal, healthy cynicism gland (and without the expertise to analyze the new protocols) would assume that it was just a marketing ploy.

But a coordinated marketing ploy by the major service providers would not be taken with the same level of cynicism as the normal hype.

Tony
RE: The utilitiy of IP is at stake here
The ECPA permits ISPs and telcos to reveal the identification of the participants in a communication. Though, the Privacy Protection Act may impose some additional requirements. Usually, ISPs have no interest in providing this information without a warrant or subpoena. Privacy is part of the service customers purchase.

In the current system, it is not hard to nail down the originator, given there is Law Enforcement interest in finding out the identity. An IP address works just as well as a phone number. Even an open proxy has logs, or can be logged.

In some cases, it has been hard to find out the identity via a civil action, as in RIAA v. Verizon. That case is not yet decided. AOL had a somewhat similar case, where it resisted a subpoena for identification. That case has some quirks, though. The plaintiffs also didn't want to be identified, and I think it was considered to be a frivolous or malicious suit. I don't remember all the details.

However, sans Law Enforcement requests, or civil subpoenas, it is difficult. It is unlikely that would change, though. And privacy groups would want to keep it that way, at least so that a court would decide whether the identity is wanted for frivolous or malicious reasons. I support the EFF in this view.

Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they tell you how to contact them in the message. It is only hard with Type 3 abuse, which is generally involved in crimes that Law Enforcement could pursue, but won't, for lack of interest.

--Dean

On Thu, 29 May 2003, Tony Hain wrote:
> Iljitsch van Beijnum wrote:
>> On donderdag, mei 29, 2003, at 21:34 Europe/Amsterdam, Tony Hain wrote:
>>> The fundamental legal issue we need to deal with is the ability to absolutely identify the originator of the mail. Is that precluded by any existing privacy laws? If not, identity would provide the means to pursue financial recourse for wasted time and resources. If so, we have a non-technical issue that may prevent any solution.
>> Too bad the bad ideas get much more air time than the good ones. Yesterday some really good points were brought up, today we're mostly rehashing the bad stuff. About the law: current laws are unable to keep spam in check.
> I was not asking about spam law. I was trying to be specific about any privacy laws that would prevent identification of the originator of a message. As long as there is a legal way to undeniably trace the message origin, there is a chance we can build a technical approach to bulk message handling system that will end random spam.
> ...
>> The real question is whether the current protocols exhibit flaws that make the spam problem worse than it would be without those flaws; and whether improved protocols can be implemented and deployed at reasonable levels of effectiveness and efficiency.
> I would argue yes, in that it is impossible to nail down the originator with the current system.
>> It seems the answer to this was no five or six years ago. In the mean time, many things have changed. We now have more advanced techniques and more processing power at our disposal. Also, spamming in general has become much worse and many more children are online now, who are subjected to spam that isn't always child friendly to say the least. Maybe the answer is still no but the time is right to at least revisit the question.
> I agree.
>
> Tony
Re: The utilitiy of IP is at stake here
on 5/29/2003 3:29 PM Dave Crocker wrote:
> Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason.

Notwithstanding the overly-specific nature of the request, I can think of two off the top of my head, which are FTP/Gopher-HTTP and POP-IMAP.

The features define the benefits, and the benefits are the motivators (I already gave a list of the features I'd like, and which I think would be motivational). Large-scale mail carriers would probably switch quickly if the accountability feature proved useful, even in the absence of laws. The same is probably true for corporates and financial services firms who rely heavily on accountability. That's just one benefit. There are external motivators as well, such as flagdays for the government and all of its contractors.

-- Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
RE: The utilitiy of IP is at stake here
David Morris wrote:
>> their customers about the opportunity to use a new app. The larger providers (AOL, MSN, Yahoo, ...) can drive media attention and might
> The providers you have listed all have what I'd call closed applications. Yahoo is (largely) browser based working from a MUA coded in their server. AOL is client-server, again the MUA is in their server and, I believe but have never observed, MSN is similar to AOL. Other examples as well.

In one incarnation, MSN mail is simple SMTP/POP3, in another it is web based. That is less the point than the fact they collectively cover a very substantial number of clients. Cover those, and provide the enterprise mail administrator with an equivalent tool, and the rest of the world will follow, including the spammers. It will take external action to push back and stop the spam.

> Once a new/updated mail protocol is available, then each of the above must implement updates to their servers. Then deploy the changes. The new revised system will just happen to the average user of those services. The slower process will be the millions of smaller mail infrastructures,

They feel the pain of spam as much (or more on a percentage basis) as anyone else. Why wouldn't they be motivated to deploy a spam reduction tool?

> As long as the new protocols provide a migration plan and support, upgrade over a year or two is a reasonable expectation. A key requirement on the providers of the server and client software is to NOT include dependencies on related system software versions which would force the prospective upgradee to encounter the upgrade domino chain which ends up in substantial costs for unrelated software or hardware.

I agree completely with the point about dependencies, but there should be absolutely no interoperability between the old and new. The migration plan should simply be to let the existing infrastructure and set of apps die for lack of use.

Tony
Re: A peer-to-peer trust system model (was: Re: spam)
On Wed, May 28, 2003 at 11:56:53AM -0700, Peter Deutsch wrote:
> Concepts such as Hashcash or other payment-oriented systems, in which you try to impose a cost on the sender to screen out bulk mailers, are interesting enough, but I think they're addressing the wrong problem. I've personally come to the conclusion that to address this problem (that is, the decision as to whether I want to accept a message from you), I don't actually need to know who you are, or even what you're trying to send me, and I certainly don't need to impose artificial costs on you (since this looks too much like punishing the innocent for the crimes of the guilty).

I'm curious why you think Hashcash doesn't work. Personally, I think a scheme where (a) you provide a crypto signature which proves who you are, that you are someone that I trust to send me something useful, *OR* (b) you have to send me some token which proves that you have spent 120 seconds worth of CPU time calculating it, would work perfectly.

That way, someone can still send me unsolicited mail asking for help with e2fsck, or some other aspect of the Linux kernel, but a spammer simply won't be able to afford the necessary CPU time to send vast numbers of SPAM. And regular correspondents with me could simply send a PKI authenticated token to avoid needing to do the necessary CPU-burning calculations. (And this is an optimization anyway; someone who is sending me a human generated message can generally easily afford the 2 minutes worth of CPU time before their mailers can deliver the message to my mail host.)

- Ted
Re: The utilitiy of IP is at stake here
on 5/29/2003 5:59 PM David Morris wrote:
> The slower process will be the millions of smaller mail infrastructures,

Yes, small businesses are the biggest hurdle in the deployment cycle. Fortunately, I think that most of them probably use their ISP's mail services, so it's not quite like we have to convince every office in every stripmall to upgrade.

> As long as the new protocols provide a migration plan and support, upgrade over a year or two is a reasonable expectation.

Yes. And it's also reasonable that after ~80% switch, sites can start to disable the legacy compatibility mode. Note that many of them will still need it for things like printservers and other devices, but for general Internet communications it should be a little easier since most of the changeover can happen just by getting most of the ISPs to switch.

The really hard question isn't the upgrade, it's how to limit pollution from legacy MTAs during the upgrade. If spam is still running high during the transition, then people will wonder why they bothered.

-- Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
RE: The utilitiy of IP is at stake here
Paul Hoffman wrote:
> Tony's proposal is not for new software: it is for software that *replaces* what they have now. Further, it is not a one-to-one replacement. It requires new administrative actions by the sysadmin and by the user to validate who they want to get mail from.

The sysadmin effort would be setting up an automated way to hand out keys, and the user would have a one-time (or very infrequent) effort to establish a key pair. All the processing would then be automatic. If the message couldn't be decrypted, or the signature verification returned the wrong result, the message would simply be dropped. This keeps everyone except the originator and receiver out of the content inspection business, yet provides the receiver with an undeniable link back to the originator for anything that gets delivered. When the receiver decides that the content wastes resources, they get to decide the appropriate action to take against the identified origin.

This approach does not prevent spam, because the spammer could set up their own public key service. It does keep the IETF out of defining spam and how to identify and filter it, the service provider out of the business of content inspection, and has a fairly straightforward set of technical bounds to build products against. It increases the cost to the spammer by seriously reducing the number of messages per minute they can send, and it creates a traceable record to the spammer (well at least to the key service). Existing legal infrastructure should be sufficient from there, but I can imagine that politicians would want to claim they were doing something about the problem and might dream up new laws, or mandates to deploy such a technology (I am not arguing they should, just predicting their actions).

Tony
RE: spam
Christian Huitema writes:
>> However, creating new public/private key pairs is an incredibly expensive operation, and one that a legitimate email wouldn't have to do very often, but a spammer would if we just keep blacklisting their keys.
> Uh? Creating a Diffie-Hellman public/private key pair is actually quite simple. Even an RSA pair is not all that hard, considering that a set of N prime numbers can generate N.(N-1)/2 key pairs.
> The logical consequence of authenticated e-mail is bound to be authenticated spam...

You don't see that as a step in the right direction?

Mike
RE: spam
Guys,

Dean Anderson obviously supports and defends SPAM. No further conversation with him could lead to anything constructive. Stop feeding the Troll, now.

E.T.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Anderson
Sent: mercredi 28 mai 2003 3:04
To: Eric A. Hall
Cc: John Stracke; [EMAIL PROTECTED]
Subject: Re: spam

(...)
So what? That is no reason to ban spam.
(...)
This isn't an issue. No one said your life would be free from trash. Furthermore, there are do-not-send lists. If anti-spammers abuse those lists, that isn't a justification to ban spam.
(...)
No, I'm saying that spam has insignificantly small cost, and that trying to inflate the cost somehow isn't a valid reason for banning spam.
(...)
3) That's just stupid and unreasonable behavior. Stupidity and willful recklessness aren't either common or justifications for banning spam.
(...)
No, it isn't, despite your continued assertions. You have failed to present a case that spam costs any money, or interferes with any reasonable person's email.
RE: spam
>>> However, creating new public/private key pairs is an incredibly expensive operation, and one that a legitimate email wouldn't have to do very often, but a spammer would if we just keep blacklisting their keys.
>> Uh? Creating a Diffie-Hellman public/private key pair is actually quite simple. Even an RSA pair is not all that hard, considering that a set of N prime numbers can generate N.(N-1)/2 key pairs.
>> The logical consequence of authenticated e-mail is bound to be authenticated spam...
> You don't see that as a step in the right direction?

It depends whether you use something like PGP or something like PKI. If PGP or PGP-like, then the spammers can very easily create throw away identities, and we have not gained much. In fact, spammers seldom fake the email addresses of one of your friends, so a PGP solution would not be a dramatic improvement over simply maintaining a white list of friendly email addresses.

If PKI or PKI-like, then the spammers would need to obtain an actual certificate for each of their throwaway identities. But so would everyone else, which implicitly limits the cost of obtaining a certificate to whatever the public can bear, and the amount of identity checks to whatever the public is willing to accept, which today is an e-mail reachability test. So, the spammers will be slowed down, but not much.

-- Christian Huitema
RE: The utilitiy of IP is at stake here
At 4:58 PM -0700 5/29/03, Tony Hain wrote:
> The sysadmin effort would be setting up an automated way to hand out keys, and the user would have a one-time (or very infrequently) effort to establish a key pair.

And you are saying that is trivial? How would a typical user know which third parties to trust? How would the typical user know what to do when they started getting spam through this filter? How would the typical user know what to do when someone wants to send him/her mail but can't because the sender isn't in the right trust group?

If you have already worked this out and I missed it, my apologies. A pointer to that document would be very helpful.

--Paul Hoffman, Director
--Internet Mail Consortium
Re: The utilitiy of IP is at stake here
on 5/29/2003 6:27 PM Dean Anderson wrote:
> Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they tell you how to contact them in the message.

There is still a reason to have verifiable identities for commercial spam, which is protection against joe-jobs. You want to have proof that the beneficiary is really the spammer and not just a victim, or that the spammer is really the spammer regardless of who he is spamming for. While there are ways of doing this after the fact as you said, having a verifiable sender identity makes it a lot simpler.

-- Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
RE: The utilitiy of IP is at stake here
John,

Since I don't think Dean Troll Anderson will do it, I would like to apologize, in the name of every honest and decent contributor to this list, for the insults made against someone that was so deeply involved in the development of SMTP and MIME, and whose contribution, reputation, and experience earned him the Internet Architecture Board's chair. I feel so sorry to see how dishonest and indecent one can be with those who contributed to design and build the Internet and all related technologies and protocols.

E.T.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Anderson
Sent: mercredi 28 mai 2003 4:40
To: John C Klensin
Cc: shogunx; Tony Hain; 'IETF'
Subject: Re: The utilitiy of IP is at stake here

On Tue, 27 May 2003, John C Klensin wrote:
(...)
> The opinion of others may differ, of course but, as far as I am concerned, you are succeeding in losing all credibility.

I think the same about you. It seems this will go nowhere. I'm just trying to be polite. You've offered absolutely nothing of substance in this -long- message.
(...)
This is just nonsense. Obviously, you have no operational experience.
(...)
RE: The utilitiy of IP is at stake here/spam
Would a solution to manage spam be as simple as to have a central email address registry database where consumers can opt out from receiving any spam email? Very similar proposition to the current direct marketing do-not-call lists. Such an approach coupled with enforcement may be an option. Basically this approach puts the onus on the spammer to comply and check if an email address belongs to a list.

Regards,
Eleas
Talk Straight, Follow Through
Trust, Character, Commitment, Passion

-----Original Message-----
From: Dean Anderson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 6:28 PM
To: Tony Hain
Cc: 'IETF Discussion'
Subject: RE: The utilitiy of IP is at stake here

> The ECPA permits ISPs and telcos to reveal the identification of the participants in a communication. Though, the Privacy Protection Act may impose some additional requirements. Usually, ISPs have no interest in providing this information without a warrant or subpoena. Privacy is part of the service customers purchase.
>
> In the current system, it is not hard to nail down the originator, given there is Law Enforcement interest in finding out the identity. An IP address works just as well as a phone number. Even an open proxy has logs, or can be logged.
>
> In some cases, it has been hard to find out the identity via a civil action, as in RIAA v. Verizon. That case is not yet decided. AOL had a somewhat similar case, where it resisted a subpoena for identification. That case has some quirks, though. The plaintiffs also didn't want to be identified, and I think it was considered to be a frivolous or malicious suit. I don't remember all the details.
>
> However, sans Law Enforcement requests, or civil subpoenas, it is difficult. It is unlikely that would change, though. And privacy groups would want to keep it that way, at least so that a court would decide whether the identity is wanted for frivolous or malicious reasons. I support the EFF in this view.
>
> Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they tell you how to contact them in the message. It is only hard with Type 3 abuse, which is generally involved in crimes that Law Enforcement could pursue, but won't, for lack of interest.
>
> --Dean
>
> On Thu, 29 May 2003, Tony Hain wrote:
>> Iljitsch van Beijnum wrote:
>>> On donderdag, mei 29, 2003, at 21:34 Europe/Amsterdam, Tony Hain wrote:
>>>> The fundamental legal issue we need to deal with is the ability to absolutely identify the originator of the mail. Is that precluded by any existing privacy laws? If not, identity would provide the means to pursue financial recourse for wasted time and resources. If so, we have a non-technical issue that may prevent any solution.
>>> Too bad the bad ideas get much more air time than the good ones. Yesterday some really good points were brought up, today we're mostly rehashing the bad stuff. About the law: current laws are unable to keep spam in check.
>> I was not asking about spam law. I was trying to be specific about any privacy laws that would prevent identification of the originator of a message. As long as there is a legal way to undeniably trace the message origin, there is a chance we can build a technical approach to bulk message handling system that will end random spam.
>> ...
>>> The real question is whether the current protocols exhibit flaws that make the spam problem worse than it would be without those flaws; and whether improved protocols can be implemented and deployed at reasonable levels of effectiveness and efficiency.
>> I would argue yes, in that it is impossible to nail down the originator with the current system.
>>> It seems the answer to this was no five or six years ago. In the mean time, many things have changed. We now have more advanced techniques and more processing power at our disposal. Also, spamming in general has become much worse and many more children are online now, who are subjected to spam that isn't always child friendly to say the least. Maybe the answer is still no but the time is right to at least revisit the question.
>> I agree.
>>
>> Tony
RE: spam
Christian Huitema writes:
> If PKI or PKI-like, then the spammers would need to obtain an actual certificate for each of their throwaway identities. But so would everyone else, which implicitly limits the cost of obtaining a certificate to whatever the public can bear, and the amount of identity checks to whatever the public is willing to accept, which today is an e-mail reachability test. So, the spammers will be slowed down, but not much.

What if it cost some nominal amount, but with that payment came another form of authentication (eg credit card number) which you could then use to _meter_ the rate of issuing new certs, and/or cross referencing issued certs associated with spammers with the credit card number used to obtain the cert? Assumedly spammers would eventually run out of credit cards well before they ran out of money.

As a note, the identity bound to the key can be completely opaque and insignificant (and thus certs could be issued trivially and cheaply).

Mike
RE: spam - The IETF list is spam!
So? Don't stop selling guns, force people to buy bullet-proof jackets? Don't forbid selling cigarettes, build larger hospitals? Pardon me if I do not agree with you...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Atkielski
Sent: mercredi 28 mai 2003 10:34
To: IETF Discussion
Subject: Re: spam - The IETF list is spam!

Tim writes:
> Can the discussion now retire to the IRTF anti-spam list?

Does your computer have a Delete key?
Re: A peer-to-peer trust system model
Theodore Ts'o wrote:
> someone who is sending me a human generated message can generally easily afford the 2 minutes worth of CPU time before their mailers can deliver the message to my mail host.)

But what CPU? The machines with which I routinely send mail range from a 200MHz handheld to a 2GHz*2 desktop. I would be unhappy with a protocol that required me to run my handheld's CPU at full speed for 2 minutes (the battery life isn't so hot); but that level of hashcash would require only 6 seconds from my desktop, which is probably too little to be a deterrent. And, if it were targeted at making my *desktop* take 2 minutes, then the handheld would take about 40, which is totally unacceptable.

The whole hashcash idea has two major flaws. The most obvious is Moore's Law (you'll have to keep doubling the bar every 18 months, which means email will get more and more expensive for people who don't upgrade their CPUs). The other is that all it proves is that *somebody* spent those CPU cycles. Spammers already steal resources to send their messages; what's to stop them from sending out stealth worms that use the victim's machine to do hashcash calculations?

--
John Stracke | [EMAIL PROTECTED]
Principal Engineer | http://www.centive.com
Centive | My opinions are my own.
There are footprints on the moon. No feet, just footprints.
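The proof-of-work token Ted proposes above, and the cost objection John raises against it, in working code. This is an added example, not code from the thread or from the Hashcash project: it assumes a simplified SHA-256 stamp of the form `1:<bits>:<resource>:<nonce>` (real Hashcash uses SHA-1 and a richer stamp layout), a hypothetical recipient address `me@example.org`, and made-up hash rates for a slow and a fast machine. Minting searches nonces until the digest has `bits` leading zero bits, so expected sender work is `2**bits` hashes while the receiver spends one hash to verify; the `accept` function adds the replay cache a receiver needs so the same stamp cannot be presented twice, and `seconds_to_mint` makes John's point that the same difficulty costs very different wall-clock time on different CPUs.

```python
"""Hashcash-style proof-of-work stamp: mint, verify, replay cache, cost model.

Added example (not code from the thread or from the Hashcash project). It
assumes a SHA-256 stamp "1:<bits>:<resource>:<nonce>" whose digest must start
with <bits> zero bits; real Hashcash uses SHA-1 and a richer stamp layout.
"""
import hashlib
import itertools


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count


def stamp_digest(stamp: str) -> bytes:
    return hashlib.sha256(stamp.encode("ascii")).digest()


def mint(resource: str, bits: int) -> str:
    """Sender side: search nonces until the digest meets the difficulty.

    Expected work is 2**bits hash evaluations; each extra bit doubles it.
    `resource` is the recipient address the stamp is bound to (no colons)."""
    for nonce in itertools.count():
        stamp = f"1:{bits}:{resource}:{nonce}"
        if leading_zero_bits(stamp_digest(stamp)) >= bits:
            return stamp


def verify(stamp: str, resource: str, min_bits: int) -> bool:
    """Receiver side: one hash, whatever CPU the sender used.

    Rejects stamps bound to another recipient, stamps claiming fewer bits
    than the receiver demands, and stamps whose digest does not back the
    claim."""
    parts = stamp.split(":", 3)
    if len(parts) != 4 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
    except ValueError:
        return False
    if parts[2] != resource or bits < min_bits:
        return False
    return leading_zero_bits(stamp_digest(stamp)) >= bits


def accept(stamp: str, resource: str, min_bits: int, seen: set) -> bool:
    """Verify and record the stamp so the same work cannot be presented twice.
    Without this cache a sender mints once and replays the stamp freely."""
    if stamp in seen or not verify(stamp, resource, min_bits):
        return False
    seen.add(stamp)
    return True


def expected_hashes(bits: int) -> int:
    return 2 ** bits


def seconds_to_mint(bits: int, hashes_per_second: float) -> float:
    """Cost model behind John Stracke's objection: wall-clock cost is inversely
    proportional to the sender's hash rate, so a difficulty tuned to 120 s on
    a fast desktop is far longer on a slow handheld, and every hardware
    doubling halves it again unless `bits` is raised by one."""
    return expected_hashes(bits) / hashes_per_second


if __name__ == "__main__":
    seen = set()
    stamp = mint("me@example.org", 16)          # hypothetical recipient
    print(stamp, accept(stamp, "me@example.org", 16, seen))
    print("replay accepted:", accept(stamp, "me@example.org", 16, seen))
    for rate in (1e5, 2e6):                     # made-up hash rates, H/s
        print(f"{rate:.0e} H/s: {seconds_to_mint(20, rate):.1f} s for 20 bits")
```

Minting 16 bits takes a fraction of a second on a modern machine; raise `bits` to see the doubling per bit directly, and compare the two printed rates to see why a single global difficulty cannot be both a deterrent on fast hardware and tolerable on slow hardware.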
RE: The utilitiy of IP is at stake here
Paul Hoffman / IMC writes:
> At 4:58 PM -0700 5/29/03, Tony Hain wrote:
>> The sysadmin effort would be setting up an automated way to hand out keys, and the user would have a one-time (or very infrequently) effort to establish a key pair.
> And you are saying that is trivial? How would a typical user know which third parties to trust? How would the typical user know what to do when they started getting spam through this filter? How would the typical user know what to do when someone wants to send him/her mail but can't because the sender isn't in the right trust group?
> If you have already worked this out and I missed it, my apologies. A pointer to that document would be very helpful.

In reality, is this any more onerous than trying to decide which spam or virus filters I should trust? I trust spamassassin pretty explicitly not to be a bad guy. If they distributed me a public key I should trust too, would that really change anything?

Also: why need this be especially different than the trust roots pre-loaded in Mozilla, say? This problem space seems much more web-like than, oh say, peer to peer authentication for computerized financial transactions...

Mike
Re: The utilitiy of IP is at stake here
On Thu, 29 May 2003, Eric A. Hall wrote:
> on 5/29/2003 6:27 PM Dean Anderson wrote:
>> Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they tell you how to contact them in the message.
> There is still a reason to have verifiable identities for commercial spam, which is protection against joe-jobs. You want to have proof that the beneficiary is really the spammer and not just a victim, or that the spammer is really the spammer regardless of who he is spamming for. While there are ways of doing this after the fact as you said, having a verifiable sender identity makes it a lot simpler.

Yes, and for those folks who have asserted that I don't understand the infrastructure cost for my stamp based proposal, may I suggest they are ignoring the very high cost of obtaining a warrant for each piece of the electronic trail SPAM follows. Having built in source identification will at least allow for aggregation of data requests in warrants for access to one ISP for many documented infractions. It also won't be necessary to force folks to retain logs for some period of time or force open relays to have logs or deal with the issues where the open relay is offshore.

Dave Morris
Re: The utilitiy of IP is at stake here
I think this makes sense, but one issue I see is deciding non-repudiation after something like a virus infection steals your private key. And a pgp signed message can be resent. So if the joe-job uses a real Type 1 spam there is ambiguity: the Type 1 spammer can't tell if the private key was stolen, or if the message was just resent. Should he revoke his certificate and buy a new one, or not? No one else knows either. They could perhaps keep a copy of all messages sent, and assume any signed message in this list previously sent does not mean the key is stolen.

So far, most of the Joe Jobs on real type 1 spammers have made the message obviously forged with incorrect information, apparently because the Joe Jobber doesn't really want to inadvertently help the Type 1 spammer. (eg, forged McAfee spams, etc). This and the fact that the particular Type 1 spammer doesn't use open proxies in Russia to send spam, gives it away as a joe job. But they could just as easily start sending out real McAfee spams, say to recipients on a do-not-send list.

So, you are still back to header analysis. And to some extent, reputation and trust. Things that depend on making a connection between the IP address and the purported sender of the message.

--Dean

On Thu, 29 May 2003, Eric A. Hall wrote:
> on 5/29/2003 6:27 PM Dean Anderson wrote:
>> Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they tell you how to contact them in the message.
> There is still a reason to have verifiable identities for commercial spam, which is protection against joe-jobs. You want to have proof that the beneficiary is really the spammer and not just a victim, or that the spammer is really the spammer regardless of who he is spamming for. While there are ways of doing this after the fact as you said, having a verifiable sender identity makes it a lot simpler.
>
> -- Eric A. Hall http://www.ehsco.com/
> Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Home agent discovery
Greetings,

I'm looking for ways to manage (via SNMP if possible) home agents. My goal is to be able to:
-1- Dynamically discover home agents
-2- Query the home agent for registered nodes with specific home agents.

Any pointers, RFCs, ideas are appreciated.

All the best,
Fritz.
RE: The utilitiy of IP is at stake here
Well, Einstein made blunders too. He could admit them. Some people seem to think that having invented or significantly contributed to something means that the inventor is immune to criticism. That is called a personality cult. Personality cults usually have few useful contributions, because they distract the personality. Maybe that is what happened to John with SMTP AUTH. I don't know.

--Dean

On Fri, 30 May 2003, Tomson Eric (Yahoo.fr) wrote:
> John,
>
> Since I don't think Dean Troll Anderson will do it, I would like to apologize, in the name of every honest and decent contributor to this list, for the insults made against someone that was so deeply involved in the development of SMTP and MIME, and whose contribution, reputation, and experience earned him the Internet Architecture Board's chair. I feel so sorry to see how dishonest and indecent one can be with those who contributed to design and build the Internet and all related technologies and protocols.
>
> E.T.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Anderson
> Sent: mercredi 28 mai 2003 4:40
> To: John C Klensin
> Cc: shogunx; Tony Hain; 'IETF'
> Subject: Re: The utilitiy of IP is at stake here
>
> On Tue, 27 May 2003, John C Klensin wrote:
> (...)
>> The opinion of others may differ, of course but, as far as I am concerned, you are succeeding in losing all credibility.
> I think the same about you. It seems this will go nowhere. I'm just trying to be polite. You've offered absolutely nothing of substance in this -long- message.
> (...)
> This is just nonsense. Obviously, you have no operational experience.
> (...)
Re: The utilitiy of IP is at stake here
On Thu, 29 May 2003, David Morris wrote:
> Having built in source identification will at least allow for aggregation of data requests in warrants for access to one ISP for many documented infractions.

We already have that in the form of the client numeric IP address in the message headers inserted by open and closed relays. Only open proxies complicate the issue, and require access to logs.

> It also won't be necessary to force folks to retain logs for some period of time or force open relays to have logs or deal with the issues where the open relay is offshore.

Open relays don't need logs. They put the IP address of the sender in the message. This can't be altered by the sender. This is a common misconception, promoted by anti-open-relay zealots, even though they know this to be false. Relays that don't put in the numeric IP address of the sender are called anonymous relays to distinguish lack of authentication from lack of identification. The noise you've heard about open relays being anonymous (and thus promoting spam) is false, and willfully misleading.

--Dean
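The header analysis Dean refers to, as an added example that is not code from the thread: walk a message's `Received:` chain from the receiving side back to the first hop outside the relays we operate. The message, the host names `mx.example.org`, `relay.example.org` and `dialup-5.example.net`, and the `TRUSTED_RELAYS` set are all constructed for the example; the addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). The check a practitioner wants is the one in `first_untrusted_hop`: a relay records the peer address it actually saw, which the peer cannot rewrite, but only the headers written by relays under our control are reliable; everything below them was written by the outside machine or whoever fed it.

```python
"""Walk the Received: chain of a message back to the first hop outside the
relays we trust. Added example, not code from the thread. The sample message
and host names are constructed; 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 are documentation address ranges used as placeholders.
"""
import email
import re
from typing import List, Optional

# Relays under our administrative control (hypothetical names). A Received:
# line written by one of these is trustworthy; a line written by anyone else
# is just bytes the sender, or an earlier relay, chose to put in the message.
TRUSTED_RELAYS = {"mx.example.org", "relay.example.org"}

# Constructed message: our MX got it from our relay, which got it from an
# outside dial-up host, which claims it got it from yet another machine.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Thu, 29 May 2003 10:00:00 -0400
Received: from dialup-5.example.net (dialup-5.example.net [198.51.100.5])
\tby relay.example.org with SMTP id def456; Thu, 29 May 2003 09:59:50 -0400
Received: from friendly.example.com ([203.0.113.7])
\tby dialup-5.example.net; Thu, 29 May 2003 09:59:40 -0400
From: someone@example.net
To: me@example.org
Subject: constructed sample

body
"""

RE_FROM_BY = re.compile(
    r"from\s+(?P<helo>\S+)\s+(?:\((?P<comment>[^)]*)\)\s+)?by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
RE_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw: str) -> List[dict]:
    """Return one dict per Received: header, most recent hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = RE_FROM_BY.search(flat)
        if not m:
            continue
        ip = RE_IPV4.search(m.group("comment") or "")
        hops.append({
            "helo": m.group("helo"),              # name the client announced (unverified)
            "ip": ip.group(1) if ip else None,    # address the receiving relay saw
            "by": m.group("by"),                  # relay that wrote this line
        })
    return hops


def first_untrusted_hop(hops: List[dict], trusted: set) -> Optional[dict]:
    """Headers are prepended, so hops[0] is the newest. Walking down, the last
    line written by a trusted relay names the first machine outside our
    control and the IP it connected from; lines below it were written by that
    machine or by whoever fed it and may say anything. Returns None when the
    topmost line was not written by one of our relays."""
    last_trusted = None
    for hop in hops:
        if hop["by"].lower() in trusted:
            last_trusted = hop
        else:
            break
    return last_trusted


if __name__ == "__main__":
    chain = parse_received(SAMPLE)
    for hop in chain:
        print(hop)
    origin = first_untrusted_hop(chain, TRUSTED_RELAYS)
    print("first hop outside our relays:", origin and origin["ip"])
```

On the sample, the first hop outside our relays is the dial-up host at 198.51.100.5, recorded by `relay.example.org`; the line claiming `friendly.example.com` at 203.0.113.7 was written by the dial-up host itself and proves nothing. Dean's open-relay point holds for the relay's own line (an open relay still records the peer address it saw), which is why the chain has to be read from the trusted side downward rather than from the bottom up.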
Re: The utility of IP is at stake here
Folks,

Please indicate some historical basis for moving an installed base of users on this kind of scale and for this kind of reason.

EAH> Notwithstanding the overly-specific nature of the request, I can think of
EAH> two off the top of my head, which are FTP/Gopher-HTTP and POP-IMAP.

HTTP can reasonably be considered a replacement for Anonymous FTP, during an academic discussion. The massive difference in the service experience makes this a less-than-practical comparison, when discussing an email transition. So does the massive difference in scaling issues for the 1989 timeframe, versus now.

The POP-IMAP example is excellent, since it really demonstrates my point. IMAP is rather popular in some local area network environments. However its long history has failed utterly to seriously displace POP on a global scale.

EAH> Large-scale mail carriers would probably switch quickly if
EAH> the accountability feature proved useful,

and now we are back to hypothesizing about the behaviors of mega-corporations with massive installed bases and a rather poor history of adopting changes from the IETF community.

Seriously folks, if discussion about changes is going to be productive, it needs to pay much more realistic attention to history and pragmatics of ISP operations and average-user preferences.

d/
--
Dave Crocker mailto:[EMAIL PROTECTED]
Brandenburg InternetWorking http://www.brandenburg.com
Sunnyvale, CA USA tel:+1.408.246.8253, fax:+1.866.358.5301
Re: The utility of IP is at stake here
on 5/30/2003 1:36 AM Dave Crocker wrote:

> HTTP can reasonably be considered a replacement for Anonymous FTP, during an academic discussion. The massive difference in the service experience makes this a less-than-practical comparison, when discussing an email transition. So does the massive difference in scaling issues for the 1989 timeframe, versus now.
>
> The POP-IMAP example is excellent, since it really demonstrates my point. IMAP is rather popular in some local area network environments. However its long history has failed utterly to seriously displace POP on a global scale.

I would not disagree with your assessments other than to say that the comparisons aren't exactly applicable. Specifically, you don't have to upgrade every client in the world for the transition to work. As a matter of deployment, you only have to upgrade the MTAs. The submission service can still be SMTP or whatever you want; as long as the server which first puts the message into the ng stream is ng-compliant *AND* that server is capable of providing the identity information, then the first-hop(s) don't really have to be ng-compliant for the scheme to work.

Asking for examples of upgrades involving hundreds of millions of clients isn't really an applicable exercise. The examples I gave are useful to the extent that they demonstrate a willingness to move critical technology in varying scales.

> Seriously folks, if discussion about changes is going to be productive, it needs to pay much more realistic attention to history and pragmatics of ISP operations and average-user preferences.

Let's not overdo it either.

--
Eric A. Hall                                  http://www.ehsco.com/
Internet Core Protocols     http://www.oreilly.com/catalog/coreprot/
Re: The utility of IP is at stake here
Eliot writes:

> From the Internet Worm to Code Red, consumers do install software when they perceive either a threat or a benefit.

What percentage of users, even today, have installed fixes for either of these problems?

> What I've found so amusing is that people seem to upgrade their Microsoft systems just 'cause, with no perceived benefit, but merely protecting from Bit Rot.

I've never noticed that, except in cases of automated updates, such as those of Windows XP.
Re: spam
Clint writes:

> One problem with attaching the secret string to an email address is how that is done at the sender's side. I can see email clients automating the process, which is fine, until a virus comes along and starts popping off random emails.

Viruses are a separate problem from spam.

> Plus, how would CC: and vast To: lists hide the secret string?

They wouldn't, but that wouldn't be necessary, either. The whole idea is to provide some sort of authentication for messages that is easy to obtain for human beings, but hard to obtain in an automated way for spammers. Spammers obtain e-mail addresses from Web sites, USENET, discussion forums, and the like. Secret strings would not be posted to any of these, so no automated harvesting of the strings would be possible. Just leaving the string in an e-mail addressed to a number of recipients would not be a problem, because spammers would not be intercepting such e-mails (or any e-mails, for that matter). As long as the string is not posted in a place where spammers can harvest it, they won't get it. And hiring human beings to locate strings for individual addresses rapidly becomes too expensive to contemplate.

As I've said, the White House uses it, and I don't think they get too many letters from unauthorized parties with the secret string/number, even though conceivably anyone in the delivery chain along the way could see the number. The mere fact that it is not publicly posted is security enough.
Re: spam - The IETF list is spam!
Your analogies are flawed. Spam is easy to delete, but bullets are exceedingly hard to dodge (outside the Matrix), and cigarettes are smoked voluntarily by the people in whom they produce cancer.

----- Original Message -----
From: Tomson Eric (Yahoo.fr) [EMAIL PROTECTED]
To: 'Anthony Atkielski' [EMAIL PROTECTED]
Cc: 'IETF Discussion' [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 02:40
Subject: RE: spam - The IETF list is spam!

> So? Don't stop selling guns, force people to buy bullet-proof jackets? Don't forbid selling cigarettes, build larger hospitals? Pardon me if I do not agree with you...
Re: spam
> Guys,

Girls aren't included?

> Dean Anderson obviously supports and defends SPAM. No further conversation with him could lead to anything constructive. Stop feeding the Troll, now.

I tend to find calls to censorship and lynchings suspicious. If you don't like someone's posts, you don't have to read or reply to them, but attempting to turn others against someone with whom you disagree is ethically questionable.
Re: The utility of IP is at stake here
> John,

If you are speaking only to John, why do you send your message to an entire list?

> Since I don't think Dean Troll Anderson will do it, I would like to apologize, in the name of every honest and decent contributor to this list, for the insults made against someone that was so deeply involved in the development of SMTP and MIME, and whose contribution, reputation, and experience earned him the Internet Architecture Board's chair.

Your attempt to discredit someone else on the list is transparently obvious. Why not just state your disagreement with him and leave it at that, instead of embarking on a smear campaign?

> I feel so sorry to see how dishonest and indecent one can be with those who contributed to design and build the Internet and all related technologies and protocols.

See above. A rather poor attempt to disguise defamation as nobility. Perhaps you should simply speak for yourself, instead of presuming to speak for others, particularly when the latter is really only a platform for actions of questionable merit?
Re: The utility of IP is at stake here/spam
The problem is that it does nothing to address rogue spammers who refuse to respect the opt-out list.

----- Original Message -----
From: TABAKIS, ELEAS (AIT) [EMAIL PROTECTED]
To: 'IETF Discussion' [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 02:31
Subject: RE: The utility of IP is at stake here/spam

> Would a solution to manage spam be as simple as to have a central email address registry database where consumers can opt out from receiving any spam email? Very similar proposition to the current direct marketing do-not-call lists. Such an approach coupled with enforcement may be an option. Basically this approach puts the onus on the spammer to comply and check if an email address belongs to a list.
>
> Regards,
> Eleas
>
> Talk Straight, Follow Through
> Trust, Character, Commitment, Passion
Re: spam
I can't say that I'd favor any solution that requires everyone to pay money or obtain the approval of some third party before sending e-mail. Any system that imposes a universal financial burden on all Internet users and/or effectively allows a third party to censor communication between two other parties is extremely questionable in my view. A technical solution must be free, voluntary for people who are not spammers, and must not subject anyone to the control of third parties.

----- Original Message -----
From: Michael Thomas [EMAIL PROTECTED]
To: Christian Huitema [EMAIL PROTECTED]
Cc: Michael Thomas [EMAIL PROTECTED]; Iljitsch van Beijnum [EMAIL PROTECTED]; Dave Aronson [EMAIL PROTECTED]; IETF Discussion [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 02:32
Subject: RE: spam

> Christian Huitema writes:
> > If PKI or PKI-like, then the spammers would need to obtain an actual certificate for each of their throwaway identities. But so would everyone else, which implicitly limits the cost of obtaining a certificate to whatever the public can bear, and the amount of identity checks to whatever the public is willing to accept, which today is an e-mail reachability test. So, the spammers will be slowed down, but not much.
>
> What if it cost some nominal amount, but with that payment came another form of authentication (eg credit card number) which you could then use to _meter_ the rate of issuing new certs, and/or cross referencing issued certs associated with spammers with the credit card number used to obtain the cert? Assumedly spammers would eventually run out of credit cards well before they ran out of money. As a note, the identity bound to the key can be completely opaque and insignificant (and thus certs could be issued trivially and cheaply).
>
> Mike
Re: spam
At 09:44 29/05/03 -0600, Vernon Schryver wrote:

> It is an article of faith for many people that most spam involves header forgery, but no one seems to have better support than intuition for that faith.

This comment prompted me to do a little experimentation.

I keep all my spam (except the large ones that I don't bother to download), mostly unread. It's not scientific, or very statistically significant, but I examined the last 20 spam mails I received, and note that:

(a) 3 appear to have been received at my ISP with forged or inconsistent SMTP envelope information.
(b) 7 have significant inconsistencies between email headers and received-from trace to make me believe that they are probably forged headers.
(c) 5 have email header information that may or may not be forged -- I couldn't see enough evidence to make an assessment either way.
(d) 5 have email headers that I believe to be genuine. Of these, 3 come from what I presume to be throw-away accounts at AOL or hotmail.

My assessments were made initially by comparing the from address with the received trace, and making a judgement (not always scientifically) about the relationship between the addresses offered. In some cases, I also looked to the message content and checked to see if the source address is DNS-resolvable and/or reachable.

Of the definitely-forged headers, three used domain names that are operated by my own ISP, and I'm pretty sure are not customers of same.

The 20 messages I examined appeared to be broadly typical of the style of spam I generally receive.

This little experiment suggests to me that header forgery is a significant factor in spam -- I estimate about 50% of the sample I examined.

And one other data point: in looking at my spam, I discovered two messages that were not strictly spam, because I had signed up for communications in the past, but which had been swept into my spam-box in the general clear-out. I don't currently use automatic filtering, but simply move unrecognized messages unopened into the spam box. The point of this is that legitimate email marketing is suffering by failing to be sufficiently distinct from the unsolicited spam.

I don't claim all this proves anything, but I think I have cause to believe forgery of email headers is involved in a significant portion of the spam I receive.

#g

---
Graham Klyne [EMAIL PROTECTED]
PGP: 0FAA 69FF C083 000B A2E9 A131 01B9 1C7A DBCA CB5E
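Graham's manual check (comparing the From: address and HELO name with the Received: trace stamped by the receiving relay) as an added Python example; it is not code from the original posts, and every header, hostname and address in it is constructed. It assumes the relay recorded a reverse-DNS name in parentheses, which the sender cannot alter, and approximates a registrable domain by its last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail). Relays prepend Received: lines, so the
# last one is the hop closest to the sender, which is what the check compares against.
FORGED = """Received: from dsl-5.cable.example (dsl-5.cable.example [203.0.113.5])
\tby mx.example.org with SMTP; Fri, 30 May 2003 09:59:00 +0100
From: "Account Notice" <alerts@bigbank.example>
"""
GENUINE = """Received: from smtp.webmail.example (smtp.webmail.example [198.51.100.7])
\tby mx.example.org with ESMTP; Fri, 30 May 2003 10:00:00 +0100
From: someone@webmail.example
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?", re.I)

def base_domain(name):
    """Crude registrable-domain guess: the last two labels (assumes no ccSLDs)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def first_hop(msg):
    """(HELO name, reverse-DNS name or None) from the earliest Received: header.
    The HELO name is sender-supplied; the reverse name was looked up by the relay."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[-1]) if received else None
    if not m:
        return None
    tokens = (m.group("info") or "").split()
    rdns = tokens[0] if tokens and not tokens[0].startswith("[") else None
    return m.group("helo"), rdns

def assess(raw):
    """Graham's heuristic as code: compare the From: domain (and the HELO name)
    with the first-hop relay's reverse-DNS name recorded by the receiving MTA."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    hop = first_hop(msg)
    if "@" not in addr or hop is None or hop[1] is None:
        return "undetermined"          # no trace or no reverse name: cannot judge
    helo, rdns = hop
    if base_domain(helo) != base_domain(rdns):
        return "envelope-inconsistent" # HELO claims a host the trace does not support
    if base_domain(addr.split("@")[1]) != base_domain(rdns):
        return "header-inconsistent"   # From: domain unrelated to the sending relay
    return "consistent"
```

Messages that come out "consistent" can still be spam from a throw-away account, as Graham's group (d) notes; the check only says the headers tell a coherent story.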
Re: Spam
The following is part of a message posted to my ISP's announce NG. I found it interesting, specifically the claim that there are 180 entities creating nearly all the spam... it would explain the recurrence of certain seemingly unlikely patterns across the board, but is still hard to credit even with that in mind.

-----
Subject: Unsolicited Commercial / Bulk Email Spam
Newsgroups: demon.announce
From: Malcolm S. Muir [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 30 May 2003 10:41:48 +0100
Message-ID: [EMAIL PROTECTED]

The following is a summary of advice we have available on our web site for customers having trouble with unsolicited email. The full text can be found at: http://www.demon.net/helpdesk/spam

[snip]

Where does UCE come from?

Some 'spam' is sent by companies that are new to the Internet and do not understand how unwelcome this material is. However recent reports suggest that 90% of all the material currently being sent originates from as few as 180 individuals or 'spam gangs'. These groups make a business out of promoting unsavoury (and sometimes illegal) material. They hide the true origin of the material by relaying their email via insecure mail systems and machines. Although in the past they have targeted incorrectly configured machines at ISPs and large companies, they now regularly exploit end-user ('customer') machines.

[snip]

Malcolm Muir
Demon Internet
-----

- Andrew.
--
Andrew Shore.