On 23/02/2012 2:18 p.m., Brandon Long wrote:
On Wed, Feb 22, 2012 at 12:22 PM, Adrien de Croy<adrien at qbik.com>
wrote:
On 23/02/2012 8:24 a.m., Brandon Long wrote:
On Sat, Feb 18, 2012 at 2:07 AM, Adrien de Croy<adrien at
qbik.com> wrote:
Having to get another cert will provide an incentive for the admin to care about it.
You seem to believe that all servers can always be entirely free from
sending spam. That's pretty funny.
sorry, where do I propose that?
You're proposing revoking a server's certificate for spamming. Based
on what level? What level of fault? Would Gmail get its certificate
revoked because 1% of the email it sends is spam?
there would need to be some level. You'd hope it would be revoked if
say 50% was spam. Or even a lot less.
I'm just proposing a system that allows the identification of organisations that inject and relay spam. That then allows enforcement of accountability.
We can already do this via IP addresses and sender domains and SPF/DKIM authentication. Yes, it's just a proxy and sometimes it's wrong, but it works fairly well.
SPF is only reliable to block spoof attempts from a limited set of
well-known domains that use it. Since spammers register their own SPF
records, you can't use it as a pass check for any domain.
I don't know enough about DKIM. I thought it's optional, so therefore
how can you rely on it?
IP addresses is problematic as well, RBLs that block dynamic blocks for
example is a big problem. Sender domains is a big administrative
maintenance hassle.
How about spam sent from a hijacked account? How many hijacked
accounts a day do you think there are on a service with 1B email
users?
How many other crimes are there committed a day, do you propose we don't go after criminals?
Heh. Do you know how many spam messages are sent a day? How large an
enforcement organization do you propose to go after them all? And how
long do you think that would take?
I don't think the number of actual spammers is actually that high. It
takes some serious infrastructure, which is a bit of a barrier to entry.
e.g. http://krebsonsecurity.com/tag/mega-d/
some key players responsible for a vast proportion of all spam. Take
them out and others will jump into their shoes though.
Not to mention that multiple people and governments have different
definitions of spam.
When we see a new spam campaign, we need to be able to shut it down in
less than hours. A recent time that we helped the US government go
after a malware operation, it took them a year before the first
arrests. A year where we had to leave the botnets and operations
alone so they could gather the evidence necessary to make the arrests.
Police action doesn't scale the same way that spammers do.
sure. In the end, with the certificates, basically we are tying the
mail to a person somewhere to enable enforcement of accountability.
Whether that happens quickly or not is another matter.
Currently there's no such reliable tie. If it takes authorities ages to
get someone now, it's because of difficulty of proof. Things might be a
bit different if that problem were resolved. Then add large fines /
jail terms for spamming, and there's your incentive. That's why there
are so many parking and traffic cops here.... it's where the money is.
Or how much money do you think a spammer is willing to spend to buy an
account, even on a free service? Or do you think it's actually
possible to force everyone who wants an email account to pay for it at
this point? And if so, how much money? $5/year is cheap in parts of
the world, and really expensive in others, should poor parts of the
world be relegated to the email ghetto because their accounts are so
cheap that spammer abuse them constantly, while they have the least
resources to keep them out?
why do you assume the system would be structured like this? Sounds like a system that would fail.
Then who pays for this enforcement? Who pays for the certification?
I imagine it would be a function for government, in the same way as
dealing with any crime is.
If the FBI put as much resource into it as copyright protection, I
wonder what would happen (Kim Dotcom recently bailed in the town I live in).
Which is all pretty irrelevant, for most users today spam is already a
solved problem.
it certainly is not a solved problem for anyone. Ignorance is not the
answer.
Just because a business doesn't know how many customers they are losing due to over-aggressive spam filtering doesn't mean it has no cost to them.
Of course it has a cost. I'm saying the cost of your solution is higher.
quite possibly. But I think if spammers were identified, found and
jailed effectively it would be more of a deterrent.
The revocation of certs may not even be the key function of this.
Currently pretty much anyone can send mail anonymously. IMO that's just
plain wrong on a moral level. Incurring costs on other parties anonymously.
The system (and I admit it's ambitious) would need co-operation from
governments.
As if all the governments of the world agree on anything, much less
the definition of spam.
well, you get the main ones to agree, and they can impose sanctions on
those that continue to be a source of spam.
And before you cry new world order, sanctions could be simply blocking
incoming mail from those countries.
there's no need for ma and pa to have a certificate, they can submit to their ISP. The ISP would need a certificate. There's no reason to assume the certs would be managed by the existing CA infrastructure. I'd propose that should be a function of Governments, and there are already special provisions for governments to issue certificates. They could be for long periods as well. The purpose is to identify and provide a means to revoke.
Renewing annually seems like a waste of time for that, unless you think the certificate may be breached.
And what if the CA is breached? I.e., like the 2-3 that have happened in the last year?
what happens when any CA is breached? You need to start over, reissue
all new certs from the CA root down. So best it's not breached.
Organisations wanting to deliver directly could get a certificate as
well.
As to determination about whether someone spams or not. Well most countries have systems to establish whether crimes are committed and go after and punish those responsible. There are already spamming laws all over the place. I'm proposing setting up a system that allows for identification of perpetrators and enforcement, and enables services to be set up to solve issues independently (e.g. if a government refuses to prosecute a spammer).
Weee, now we're talking about extra-governmental authorities making
the rules.
not enforcing them though, receivers would be free to use the service or
not.
It's always great to argue with an RBL maintainer about whether or not something is spam.
sure, but people exercise their own rights to choose whether to use the
RBL or not.
Or maybe what you're proposing is more like SOPA/PIPA, we can have an organization like the RIAA deciding what's good.
hell no. More likely be a community-driven thing.
Even better, the government of Iran can just
prevent their providers from accepting any mail certified by other
governments.
if they want. They can surely already block port 25 incoming if they want.
Or here's an even more fun one: We just emailed all of our users about
the changes to our privacy policy, a move we made at the request of
the US government. And we had RBL organizations complaining that it
was spam. Who wins?
decided in court if it gets that far. At least you can't escape, since
you're identified.
Our answer is simple: the user decides what is spam, not someone else.
Our job is to make our spam filter match each user's expectations.
Revocation of certificates would be a function of government after due process. People couldn't just buy new ones (unless they get them from corrupt government officials), because their previous spamming would be associated with them as a person. In short, treat spamming like any other crime - which it certainly is.
No corrupt government officials in the world, that's for sure.
And they already treat spamming as a crime, have for years. Done a
lot of good at reducing the spam load, eh?
I wouldn't call the CAN-SPAM act criminalisation of spamming. Here in
NZ people go to jail for it unless it's opt-in.
I think if governments were aware of the costs of spamming they may take a different view on it. How many hours are wasted deleting spam? How much money is spent on anti-spam? How much network capacity (which costs money) is wasted transporting spam?
Not as much as you'd think, turns out spam is much smaller than
regular mail at this point, at least for consumers. A large
percentage of mail, but on the order of 40x smaller in size (on
average). And email in general is not generally a large user of
network capacity. How many email messages, even at 100k average, does
it take to equal a single iphone app download? Or a streamed video
from Youtube?
sure, I guess it's actually changed a lot over the last 4 years or so.
So maybe the network cost isn't such an issue. It's definitely more of
an issue over long-haul submarine cables though.
How many opportunities are lost due to false positives? Personally I believe the real economic costs of spam are astronomical. Someone needs to do a study, and come up with some numbers they can back up.
Regardless of those costs, your proposal would cost more and still not
solve the problem.
hard to come to that conclusion without evaluating costs of both, which
of course would be very difficult.
For those hosting their own mail, even the cost of evaluating and
testing anti-spam products is significant - before you get your wallet
out to purchase software.
I'm not claiming any of this would be easy. But humans have done some
fairly difficult things in the past successfully.
Otherwise we should just all join FB and just use that for communication and ditch mail altogether.
We have the stats on what percentage of our users receiving mail mark messages as spam or not spam. It's tiny.
maybe they gave up and now just delete it. Unless it's no more
difficult to mark and delete than just delete, people will gravitate
towards the lower-effort option, and you'll lose the information.
For most people, they don't see the spam, and maybe they don't see enough to actually check their spam label, but it's just not an issue.
As to where the kids are going these days, who knows. Email is
certainly not the only game in town.
Brandon
--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/
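The thread above argues over whether SPF/DKIM can stand in for the identity the proposed certificates would provide: a pass only proves which domain sent the message, and spammers can publish perfectly valid SPF records for their own domains, while DKIM is optional so its absence is not a failure. The following is an added illustration, not code from either participant or from the imap5 list: it parses an Authentication-Results header and keys the decision on the authenticated domain's reputation rather than on pass/fail alone. The domains, header values and reputation table are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Authentication-Results header values (RFC 7001 style).
# Domains and verdicts are invented for this example.
SAMPLE_HEADERS = {
    "legit-pass": "mx.example.net; spf=pass smtp.mailfrom=bank.example; "
                  "dkim=pass header.d=bank.example",
    "spoof-fail": "mx.example.net; spf=fail smtp.mailfrom=bank.example; dkim=none",
    "spammer-pass": "mx.example.net; spf=pass smtp.mailfrom=cheap-pills.example; "
                    "dkim=pass header.d=cheap-pills.example",
    "unknown-nodkim": "mx.example.net; spf=pass smtp.mailfrom=newshop.example; dkim=none",
}

# Constructed domain reputation table, a stand-in for whatever source the
# receiving site actually trusts (its own history, a vendor feed, an RBL).
DOMAIN_REPUTATION = {
    "bank.example": "good",
    "cheap-pills.example": "bad",
}


@dataclass
class AuthResult:
    spf: str
    spf_domain: Optional[str]
    dkim: str
    dkim_domain: Optional[str]


def parse_authentication_results(value: str) -> AuthResult:
    """Extract the SPF and DKIM verdicts and the domains they apply to.

    The header is 'authserv-id; method=result prop=value ...; ...'.
    Only the properties this example needs (smtp.mailfrom, header.d) are kept.
    """
    spf, spf_domain, dkim, dkim_domain = "none", None, "none", None
    clauses = [c.strip() for c in value.split(";")]
    for clause in clauses[1:]:  # clauses[0] is the authserv-id
        if not clause:
            continue
        parts = re.split(r"\s+", clause)
        method, _, result = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if method.lower() == "spf":
            spf, spf_domain = result.lower(), props.get("smtp.mailfrom")
        elif method.lower() == "dkim":
            dkim, dkim_domain = result.lower(), props.get("header.d")
    return AuthResult(spf, spf_domain, dkim, dkim_domain)


def authenticated_domain(ar: AuthResult) -> Optional[str]:
    """Return the domain that actually proved it sent the message, or None.

    A pass establishes identity only; it says nothing about whether the
    sender is a spammer, which is the point made in the thread.
    """
    if ar.dkim == "pass" and ar.dkim_domain:
        return ar.dkim_domain.lower()
    if ar.spf == "pass" and ar.spf_domain:
        return ar.spf_domain.lower()
    return None


def classify(header_value: str, reputation=DOMAIN_REPUTATION) -> str:
    """Map an Authentication-Results header to a policy outcome.

    'good' / 'bad' / 'unknown' come from the reputation of the authenticated
    domain; 'spf-fail' means the sender's own policy rejected the source host;
    'unauthenticated' means nothing proved an identity (DKIM 'none' is mere
    absence, since DKIM is optional, and is not treated as a failure).
    """
    ar = parse_authentication_results(header_value)
    domain = authenticated_domain(ar)
    if domain is None:
        return "spf-fail" if ar.spf == "fail" else "unauthenticated"
    return reputation.get(domain, "unknown")


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:15s} -> {classify(header)}")
```

The "spammer-pass" sample is the case Adrien raises: both SPF and DKIM pass, yet the outcome is "bad" because the decision rests on who was authenticated, not on the fact of authentication. The "unknown-nodkim" sample shows why a missing DKIM signature should fall through to the SPF identity instead of being scored as a failure.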
_______________________________________________
imap5 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/imap5