Re: The utility of IP is at stake here

2003-05-30 Thread John Loughney
Elliot,

>   Getting rid of spam is a HUGE benefit.  Heck.  What I've found 
> so amusing is that people seem to upgrade their Microsoft systems just 
> 'cause, with no perceived benefit, but merely protecting from Bit Rot.


Many folks update their MS software (Linux, too) in the hope they will get more
stability / more security / more features - not because of bit rot. Updating mail
clients does not seem to be a huge deal - many people update their OS / browser when
prompted. The majority of my friends & family use a web browser to access private mail.
Companies would have interest in upgrading, if it helped also with viruses & security.

John



Re: spam

2003-05-30 Thread Iljitsch van Beijnum
On Friday, May 30, 2003, at 02:18 Europe/Amsterdam, Christian Huitema wrote:

However, creating new public/private key pairs is an incredibly
expensive operation,

Uh? Creating a Diffie-Hellman public/private key pair is actually quite
simple. Even an RSA pair is not all that hard, considering that a set of
N prime numbers can generate N.(N-1)/2 key pairs.
Ok, so the actual generating of new keys may not help us much.

The logical consequence of authenticated e-mail is bound to be authenticated
spam...

You don't see that as a step in the right direction?

It depends whether you use something like PGP or something like PKI. If
PGP or PGP-like, then the spammers can very easily create throw away
identities, and we have not gained much.
Only the ability to recognize a known sender.

In fact, spammers seldom fake
the email addresses of one of your friends, so a PGP solution would not
be a dramatic improvement over simply maintaining a "white list" of
friendly email addresses.
Right.

If PKI or PKI-like, then the spammers would need to obtain an actual
certificate for each of their throwaway identities. But so would
everyone else, which implicitly limits the cost of obtaining a
certificate to whatever the public can bear, and the amount of identity
checks to whatever the public is willing to accept, which today is an
e-mail reachability test. So, the spammers will be slowed down, but not
much.
Disagree. If people want to run their own MTA or a substantial mailing 
list, it's not unreasonable to require much more than a simple email 
reachability check. Usually this includes buying a domain name anyway. 
Having to buy a certificate or having some relations sign a newly 
generated key isn't a huge imposition.

People who don't want/need an MTA of their own and only send hand-typed 
email can use a service provider who can limit the number of messages 
from such customers to 100 per hour or so. That means that even if a 
spammer spams for an entire weekend until his account is yanked, that's 
less than 10k messages which isn't enough to make spamming worth their 
while.




Re: Spam

2003-05-30 Thread Andrew Shore
The following is part of a message posted to my ISP's announce NG. I 
found it interesting, specifically the claim that there are 180 entities 
creating nearly all the spam... it would explain the recurrence of 
certain seemingly unlikely patterns across the board, but is still hard 
to credit even with that in mind.

-

Subject: Unsolicited Commercial / Bulk Email Spam
Newsgroups:  demon.announce
From: Malcolm S. Muir <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Fri, 30 May 2003 10:41:48 +0100
Message-ID: <[EMAIL PROTECTED]>
The following is a summary of advice we have available on our web
site for customers having trouble with unsolicited email.
The full text can be found at:

   http://www.demon.net/helpdesk/spam

[snip]
Where does UCE come from?
   Some 'spam' is sent by companies that are new to the Internet
   and do not understand how unwelcome this material is. However
   recent reports suggest that 90% of all the material currently
   being sent originates from as few as 180 individuals or 'spam
   gangs'. These groups make a business out of promoting unsavoury
   (and sometimes illegal) material. They hide the true origin of
   the material by relaying their email via insecure mail systems
   and machines. Although in the past they have targeted incorrectly
   configured machines at ISPs and large companies, they now
   regularly exploit end-user ('customer') machines.
[snip]
Malcolm Muir
Demon Internet
-

Andrew.
--
Andrew Shore.


Re: spam

2003-05-30 Thread Graham Klyne
At 09:44 29/05/03 -0600, Vernon Schryver wrote:
It is an article of faith for many people that most spam involves
header forgery, but no one seems to have better support than intuition
for that faith.
This comment prompted me to do a little experimentation.  I keep all my 
spam (except the large ones that I don't bother to download), mostly unread.

It's not scientific, or very statistically significant, but I examined the 
last 20 spam mails I received, and note that:

(a)  3 appear to have been received at my ISP with forged or inconsistent 
SMTP envelope information.

(b)  7 have significant inconsistencies between email headers and 
received-from trace to make me believe that they are probably forged headers.

(c)  5 have email header information that may or may not be forged -- I 
couldn't see enough evidence to make an assessment either way

(d)  5 have email headers that I believe to be genuine.  Of these, 3 come 
from what I presume to be throw-away accounts at AOL or hotmail.

My assessments were made initially by comparing the from address with the 
received trace, and making a judgement (not always scientifically) about 
the relationship between the addresses offered.  In some cases, I also 
looked to the message content and checked to see if the source address is 
DNS-resolvable and/or reachable.  Of the "definitely-forged" headers, three 
used domain names that are operated by my own ISP, and I'm pretty sure are 
not customers of same.

The 20 messages I examined appeared to be broadly typical of the style of 
spam I generally receive.

This little experiment suggests to me that header forgery is a significant 
factor in spam -- I estimate about 50% of the sample I examined.

And one other data point:  in looking at my spam, I discovered two messages 
that were not strictly spam, because I had signed up for communications in 
the past, but which had been swept into my spam-box in the general 
clear-out.  I don't currently use automatic filtering, but simply move 
unrecognized messages unopened into the spam box.  The point of this is 
that legitimate email marketing is suffering by failing to be sufficiently 
distinct from the unsolicited spam.

I don't claim all this proves anything, but I think I have cause to believe 
forgery of email headers is involved in a significant portion of the spam I 
receive.

#g

---
Graham Klyne
<[EMAIL PROTECTED]>
PGP: 0FAA 69FF C083 000B A2E9  A131 01B9 1C7A DBCA CB5E



Re: spam

2003-05-30 Thread Anthony Atkielski
I can't say that I'd favor any solution that requires everyone to pay money
or obtain the approval of some third party before sending e-mail.  Any
system that imposes a universal financial burden on all Internet users
and/or effectively allows a third party to censor communication between two
other parties is extremely questionable in my view.

A technical solution must be free, voluntary for people who are not
spammers, and must not subject anyone to the control of third parties.

- Original Message -
From: "Michael Thomas" <[EMAIL PROTECTED]>
To: "Christian Huitema" <[EMAIL PROTECTED]>
Cc: "Michael Thomas" <[EMAIL PROTECTED]>; "Iljitsch van Beijnum"
<[EMAIL PROTECTED]>; "Dave Aronson" <[EMAIL PROTECTED]>; "IETF Discussion"
<[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 02:32
Subject: RE: spam


> Christian Huitema writes:
>  > If PKI or PKI-like, then the spammers would need to obtain an actual
>  > certificate for each of their throwaway identities. But so would
>  > everyone else, which implicitly limits the cost of obtaining a
>  > certificate to whatever the public can bear, and the amount of identity
>  > checks to whatever the public is willing to accept, which today is an
>  > e-mail reachability test. So, the spammers will be slowed down, but not
>  > much.
>
> What if it cost some nominal amount, but with that
> payment came another form of authentication (eg
> credit card number) which you could then use to
> _meter_ the rate of issuing new certs, and/or
> cross referencing issued certs associated with
> spammers with the credit card number used to
> obtain the cert? Assumedly spammers would
> eventually run out of credit cards well before
> they ran out of money.
>
> As a note, the identity bound to the key can be
> completely opaque and insignificant (and thus
> certs could be issued trivially and cheaply).
>
>   Mike
>
>




Re: The utility of IP is at stake here/spam

2003-05-30 Thread Anthony Atkielski
The problem is that it does nothing to address rogue spammers who refuse to
respect the opt-out list.

- Original Message -
From: "TABAKIS, ELEAS (AIT)" <[EMAIL PROTECTED]>
To: "'IETF Discussion'" <[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 02:31
Subject: RE: The utility of IP is at stake here/spam


> Would a solution to manage spam be as "simple" as to have a central email
> address registry database where consumers can opt out from receiving any spam
> email? Very similar proposition to the current direct marketing
> "do-not-call" lists. Such an approach coupled with enforcement may be an
> option. Basically this approach puts the onus on the spammer to comply and
> check if an email address belongs to a list.
>
> Regards,
>
> Eleas
> "Talk Straight, Follow Through"
> "Trust, Character, Commitment, Passion"




Re: The utility of IP is at stake here

2003-05-30 Thread Anthony Atkielski
> John,

If you are speaking only to John, why do you send your message to an entire
list?

> Since I don't think Dean "Troll" Anderson will do
> it, I would like to apologize, in the name of every
> honest and decent contributor to this list, for the
> insults made against someone that was so deeply
> involved in the development of SMTP and MIME, and
> whose contribution, reputation, and experience earned
> him the Internet Architecture Board's chair.

Your attempt to discredit someone else on the list is transparently obvious.
Why not just state your disagreement with him and leave it at that, instead
of embarking on a smear campaign?

> I feel so sorry to see how dishonest and indecent
> one can be with those who contributed to design and
> build the Internet and all related technologies
> and protocols.

See above.  A rather poor attempt to disguise defamation as nobility.

Perhaps you should simply speak for yourself, instead of presuming to speak
for others, particularly when the latter is really only a platform for
actions of questionable merit?




Re: spam

2003-05-30 Thread Anthony Atkielski
> Guys,

Girls aren't included?

> Dean Anderson obviously supports and defends SPAM.
> No further conversation with him could lead to anything
> constructive. Stop feeding the Troll, now.

I tend to find calls to censorship and lynchings suspicious.  If you don't
like someone's posts, you don't have to read or reply to them, but
attempting to turn others against someone with whom you disagree is
ethically questionable.




Re: spam - The IETF list is spam!

2003-05-30 Thread Anthony Atkielski
Your analogies are flawed.  Spam is easy to delete, but bullets are
exceedingly hard to dodge (outside the Matrix), and cigarettes are smoked
voluntarily by the people in whom they produce cancer.

- Original Message -
From: "Tomson Eric (Yahoo.fr)" <[EMAIL PROTECTED]>
To: "'Anthony Atkielski'" <[EMAIL PROTECTED]>
Cc: "'IETF Discussion'" <[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 02:40
Subject: RE: spam - The IETF list is spam!


> So?
>
> "Don't stop selling guns, force people to buy bullet-proof jackets"?
>
> "Don't forbid selling cigarettes, build larger hospitals"?
>
> Pardon me if I do not agree with you...




Re: spam

2003-05-30 Thread Anthony Atkielski
Clint writes:

> One problem with attaching the "secret" string
> to an email address is how that is done at the
> sender's side.  I can see email clients automating
> the process, which is fine, until a virus comes
> along and starts popping off random emails.

Viruses are a separate problem from spam.

> Plus, how would CC: and vast To: lists hide
> the secret string?

They wouldn't, but that wouldn't be necessary, either.

The whole idea is to provide some sort of authentication for messages that
is easy to obtain for human beings, but hard to obtain in an automated way
for spammers.  Spammers obtain e-mail addresses from Web sites, USENET,
discussion forums, and the like.  Secret strings would not be posted to any
of these, so no automated harvesting of the strings would be possible.  Just
leaving the string in an e-mail addresses to a number of recipients would
not be a problem, because spammers would not be intercepting such e-mails
(or any e-mails, for that matter).  As long as the string is not posted in a
place where spammers can harvest it, they won't get it.  And hiring human
beings to locate strings for individual addresses rapidly becomes too
expensive to contemplate.

As I've said, the White House uses it, and I don't think they get too many
letters from unauthorized parties with the secret string/number, even though
conceivably anyone in the delivery chain along the way could see the number.
The mere fact that it is not publicly posted is security enough.
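
An added example of the secret-string idea on the receiving side, in Go (my code, not Atkielski's proposal or any existing system), using the common user+tag@domain subaddress convention. It goes one step beyond the post: the string is an HMAC of a server-side per-user secret and a label the user picks, so a tag that leaks onto a web page can be revoked by its label while the user's other tags keep working. The function names, the domain example.org and the secret value are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const tagHexLen = 8 // 32 bits: too many to guess at SMTP speed, short enough to type

// Verdict is what the receiving MTA decides at RCPT TO time.
type Verdict string

const (
	Untagged Verdict = "untagged" // bare user@domain, the form harvesters collect
	BadTag   Verdict = "bad-tag"  // tag present but wrong, or its label revoked
	Accepted Verdict = "accepted"
)

// mintTag derives the secret string for (user, label) from a server-side
// per-user secret. Nothing in one address reveals how to make another.
func mintTag(secret []byte, user, label string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(user + "\x00" + label))
	return hex.EncodeToString(m.Sum(nil))[:tagHexLen]
}

// TaggedAddress is the form the user hands to a correspondent or group; the
// label is only a handle for revoking it later (e.g. "ietf", "shop").
func TaggedAddress(secret []byte, user, domain, label string) string {
	return fmt.Sprintf("%s+%s.%s@%s", user, label, mintTag(secret, user, label), domain)
}

// CheckRcpt recomputes the tag for the label embedded in the address and
// compares it in constant time; revoked labels are refused outright.
func CheckRcpt(secret []byte, rcpt string, revoked map[string]bool) Verdict {
	at := strings.LastIndex(rcpt, "@")
	if at < 0 {
		return BadTag
	}
	local := rcpt[:at]
	plus := strings.Index(local, "+")
	if plus < 0 {
		return Untagged
	}
	user, rest := local[:plus], local[plus+1:]
	dot := strings.LastIndex(rest, ".")
	if dot < 0 {
		return BadTag
	}
	label, tag := rest[:dot], rest[dot+1:]
	if revoked[label] || !hmac.Equal([]byte(mintTag(secret, user, label)), []byte(tag)) {
		return BadTag
	}
	return Accepted
}

func main() {
	secret := []byte("per-user secret held by the MTA (constructed)")
	revoked := map[string]bool{}
	addr := TaggedAddress(secret, "alice", "example.org", "ietf")
	fmt.Println(addr, "->", CheckRcpt(secret, addr, revoked))
	fmt.Println("alice@example.org ->", CheckRcpt(secret, "alice@example.org", revoked))
	revoked["ietf"] = true // the tag leaked onto a web page: retire it
	fmt.Println(addr, "->", CheckRcpt(secret, addr, revoked))
}
```

The CC: objection Clint raises is unchanged by this: anyone who sees the tagged address in a header can mail it, exactly as in the White House analogy. What the label buys is that the damage of one leak is one revocation, not a new address for everyone.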




Re: The utility of IP is at stake here

2003-05-30 Thread Anthony Atkielski
Eliot writes:

> From the Internet Worm to Code Red, consumers do
> install software when they perceive either a
> threat or a benefit.

What percentage of users, even today, have installed fixes for either of
these problems?

> What I've found so amusing is that people seem
> to upgrade their Microsoft systems just 'cause,
> with no perceived benefit, but merely protecting
> from Bit Rot.

I've never noticed that, except in cases of automated updates, such as those
of Windows XP.




Re: The utility of IP is at stake here

2003-05-30 Thread Eric A. Hall

on 5/30/2003 1:36 AM Dave Crocker wrote:

> HTTP can reasonably be considered a replacement for Anonymous FTP,
> during an academic discussion.  The massive difference in the service
> experience makes this a less-than-practical comparison, when discussing
> an email transition.  So does the massive difference in scaling issues
> for the 1989 timeframe, versus now.
>
> The POP->IMAP example is excellent, since it really demonstrates my
> point. IMAP is rather popular in some local area network environments.
> However its long history has failed utterly to seriously displace POP
> on a global scale.

I would not disagree with your assessments other than to say that the
comparisons aren't exactly applicable.

Specifically, you don't have to upgrade every client in the world for the
transition to work. As a matter of deployment, you only have to upgrade
the MTAs. The submission service can still be SMTP or whatever you want;
as long as the server which first puts the message into the ng stream is
ng-compliant *AND* that server is capable of providing the identity
information, then the first-hop(s) don't really have to be ng-compliant
for the scheme to work.

Asking for examples of upgrades involving hundreds of millions of clients
isn't really an applicable exercise. The examples I gave are useful to the
extent that they demonstrate a willingness to move critical technology in
varying scales.

> Seriously folks, if discussion about changes is going to be productive,
> it needs to pay much more realistic attention to history and pragmatics
> of ISP operations and average-user preferences.

Let's not overdo it either.

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




Re: The utility of IP is at stake here

2003-05-30 Thread Dave Crocker
Folks,


>> Please indicate some historical basis for moving an installed base of
>> users on this kind of scale and for this kind of reason.

EAH> Notwithstanding the overly-specific nature of the request, I can think of
EAH> two off the top of my head, which are FTP/Gopher->HTTP and POP->IMAP.

HTTP can reasonably be considered a replacement for Anonymous FTP,
during an academic discussion.  The massive difference in the service
experience makes this a less-than-practical comparison, when discussing
an email transition.  So does the massive difference in scaling issues
for the 1989 timeframe, versus now.

The POP->IMAP example is excellent, since it really demonstrates my
point. IMAP is rather popular in some local area network environments.
However its long history has failed utterly to seriously displace POP
on a global scale.


EAH> Large-scale mail carriers would probably switch quickly if
EAH> the accountability feature proved useful,

and now we are back to hypothesizing about the behaviors of
mega-corporations with massive installed bases and a rather poor history
of adopting changes from the IETF community.

Seriously folks, if discussion about changes is going to be productive,
it needs to pay much more realistic attention to history and pragmatics
of ISP operations and average-user preferences.


d/
--
 Dave Crocker
 Brandenburg InternetWorking
 Sunnyvale, CA  USA




Re: The utility of IP is at stake here

2003-05-30 Thread Dean Anderson
On Thu, 29 May 2003, David Morris wrote:

> Having built in source identification will at least allow for aggregation
> of data requests in warrants for access to one ISP for many documented
> infractions.

We already have that in the form of the client numeric IP address in the
message headers inserted by open and closed relays.

Only open proxies complicate the issue, and require access to logs.

> It also won't be necessary to force folks to retain logs for some period
> of time or force open relays to have logs or deal with the issues where
> the open relay is offshore.

Open relays don't need logs. They put the IP address of the sender in the
message. This can't be altered by the sender.

This is a common misconception, promoted by anti-open-relay zealots, even
though they know this to be false. Relays that don't put in the numeric IP
address of the sender are called "anonymous relays" to distinguish lack of
authentication from lack of identification.

The noise you've heard about open relays being anonymous (and thus
promoting spam) is false, and willfully misleading.

--Dean
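
The Go program below is an added example (not code from Klyne's or Anderson's posts, nor from any MTA) that mechanises two things said in this thread: Klyne's check of the From: address against the Received: trace, and Anderson's point that the client IP a relay records is the one thing the sender cannot alter. It walks the Received: chain from the top, stops at the first line one of our own MTAs wrote about an outside client (the hand-off), and treats every line below that as sender-supplied text. The site data (isp.example, 192.0.2.0/24), the sample headers and all function names are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/mail"
	"regexp"
	"strings"
)

// Site: the domain our users' addresses are in and the network our own MTAs sit in.
type Site struct {
	Domain string
	Net    *net.IPNet
}

func (s Site) ownDomain(h string) bool {
	h = strings.ToLower(strings.TrimSuffix(h, "."))
	return h == s.Domain || strings.HasSuffix(h, "."+s.Domain)
}

func (s Site) ownIP(ip string) bool { p := net.ParseIP(ip); return p != nil && s.Net.Contains(p) }

// Hop: the client's HELO name, its reverse DNS ("unknown" if the PTR lookup failed) and IP as recorded by the receiving MTA, and the MTA that wrote the line.
type Hop struct{ Helo, RDNS, IP, By string }

var (
	rxHop = regexp.MustCompile(`(?is)^from\s+(\S+)(?:\s+\((?:([a-z0-9.-]+))?[^)]*\))?.*?\sby\s+([^\s;]+)`)
	rxIP  = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)
)

func parseHop(line string) (Hop, bool) {
	m := rxHop.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil { return Hop{}, false }
	hop := Hop{Helo: m[1], RDNS: m[2], By: m[3]}
	if ip := rxIP.FindStringSubmatch(line); ip != nil { hop.IP = ip[1] }
	return hop, true
}

// handoff walks the chain newest-first. The top line must be ours; we continue
// while a line's client IP is one of our own machines (it wrote the next line).
// The first line with an outside client is the hand-off: our MTA recorded that
// IP and the sender could not alter it. Lines below it are sender-supplied text.
func handoff(received []string, s Site) (Hop, int, bool) {
	for i, line := range received {
		hop, ok := parseHop(line)
		if !ok || (i == 0 && !s.ownDomain(hop.By)) {
			break
		}
		if !s.ownIP(hop.IP) {
			return hop, i, true
		}
	}
	return Hop{}, 0, false
}

type Finding struct {
	FromDomain, Verdict string
	Client              Hop
	Unverifiable        int // Received: lines below the hand-off
}

// Assess compares the From: domain with what our own MTAs recorded.
func Assess(raw string, s Site) (Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil { return Finding{}, err }
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil { return Finding{}, err }
	f := Finding{FromDomain: strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])}
	rcvd := msg.Header["Received"]
	hop, i, ok := handoff(rcvd, s)
	if !ok { f.Verdict = "unanchored"; return f, nil } // no hand-off in lines we wrote
	f.Client, f.Unverifiable = hop, len(rcvd)-i-1
	rdns := strings.ToLower(hop.RDNS)
	switch {
	case s.ownDomain(f.FromDomain):
		f.Verdict = "forged-own-domain" // claims to be us, came in from outside
	case rdns == "" || rdns == "unknown":
		f.Verdict = "no-rdns" // the HELO name cannot be checked against anything
	case rdns != f.FromDomain && !strings.HasSuffix(rdns, "."+f.FromDomain):
		f.Verdict = "mismatch" // From domain is not the relay that handed it over
	default:
		f.Verdict = "plausible"
	}
	return f, nil
}

// Constructed sample: line 2 is the hand-off (HELO lies, PTR lookup failed),
// line 3 is the sender's own invention.
const ForgedSample = `Received: from mx2.isp.example (mx2.isp.example [192.0.2.10]) by mailbox.isp.example with ESMTP; Fri, 30 May 2003 09:12:01 +0100
Received: from mail9.isp.example (unknown [203.0.113.77]) by mx2.isp.example with SMTP; Fri, 30 May 2003 09:12:00 +0100
Received: from relay.isp.example (relay.isp.example [192.0.2.99]) by mail9.isp.example with ESMTP; Fri, 30 May 2003 08:58:13 +0100
From: "Member Services" <support@isp.example>

`

func main() {
	_, n, _ := net.ParseCIDR("192.0.2.0/24")
	fmt.Println(Assess(ForgedSample, Site{Domain: "isp.example", Net: n}))
}
```

The walk trusts IP addresses, not names, for exactly the reason Anderson gives: the HELO name in line 2 says mail9.isp.example, but 203.0.113.77 is not ours, so that is where the message entered and line 3 (which claims a hop inside our network) is worth nothing. Klyne's "domain operated by my own ISP" cases come out as forged-own-domain; his "may or may not be forged" bucket corresponds to no-rdns, where there is simply nothing to compare the claim against.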




RE: The utility of IP is at stake here

2003-05-30 Thread Dean Anderson
Well, Einstein made blunders too. He could admit them.

Some people seem to think that having invented or significantly
contributed to something means that the inventor is immune to criticism.
That is called a personality cult. Personality cults usually have few
useful contributions, because they distract the personality.  Maybe that
is what happened to John with SMTP AUTH. I don't know.

--Dean

On Fri, 30 May 2003, Tomson Eric (Yahoo.fr) wrote:

> John,
>
> Since I don't think Dean "Troll" Anderson will do it, I would like to
> apologize, in the name of every honest and decent contributor to this list,
> for the insults made against someone that was so deeply involved in the
> development of SMTP and MIME, and whose contribution, reputation, and
> experience earned him the Internet Architecture Board's chair.
>
> I feel so sorry to see how dishonest and indecent one can be with those who
> contributed to design and build the Internet and all related technologies
> and protocols.
>
> E.T.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
> Anderson
> Sent: Wednesday, May 28, 2003 4:40
> To: John C Klensin
> Cc: shogunx; Tony Hain; 'IETF'
> Subject: Re: The utility of IP is at stake here
>
> On Tue, 27 May 2003, John C Klensin wrote:
>
> (...)
>
> > The opinion
> > of others may differ, of course but, as far as I am concerned, you are
> > succeeding in losing all credibility.
>
> I think the same about you. It seems this will go nowhere. I'm just trying
> to be polite. You've offered absolutely nothing of substance in this
> -long- message.
>
> (...)
>
> This is just nonsense.  Obviously, you have no operational experience.
>
> (...)
>
>
>
>




Home agent discovery

2003-05-30 Thread Fritz F. Saad
Greetings,

I'm looking for ways to manage (via SNMP if possible) home agents. My goal
is to be able to:

  1. Dynamically discover home agents.
  2. Query the home agent for registered nodes with specific home agents.

Any pointers, RFCs, ideas are appreciated.

All the best,
Fritz.









Re: The utility of IP is at stake here

2003-05-30 Thread David Morris


On Thu, 29 May 2003, Eric A. Hall wrote:

>
> on 5/29/2003 6:27 PM Dean Anderson wrote:
>
> > Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they
> > tell you how to contact them in the message.
>
> There is still a reason to have verifiable identities for commercial spam,
> which is protection against joe-jobs. You want to have proof that the
> beneficiary is really the spammer and not just a victim, or that the
> spammer is really the spammer regardless of who he is spamming for. While
> there are ways of doing this after the fact as you said, having a
> verifiable sender identity makes it a lot simpler.

Yes, and for those folks who have asserted that I don't understand the
infrastructure cost for my stamp based proposal, may I suggest they are
ignoring the very high cost of obtaining a warrant for each piece of the
electronic trail SPAM follows.

Having built in source identification will at least allow for aggregation
of data requests in warrants for access to one ISP for many documented
infractions. It also won't be necessary to force folks to retain logs for
some period of time or force open relays to have logs or deal with the
issues where the open relay is offshore.

Dave Morris




Re: The utility of IP is at stake here

2003-05-30 Thread Dean Anderson

I think this makes sense, but one issue I see is deciding non-repudiation
after something like a virus infection steals your private key.  And a PGP
signed message can be resent. So if the joe-job uses a real Type 1 spam
there is ambiguity:  The type 1 spammer can't tell if the private key was
stolen, or if the message was just resent. Should he revoke his
certificate and buy a new one, or not?  No one else knows either.

They could perhaps keep a copy of all messages sent, and assume any signed
message in this list previously sent does not mean the key is stolen.

So far, most of the Joe Jobs on real type 1 spammers have made the message
obviously forged with incorrect information, apparently because the Joe
Jobber doesn't really want to inadvertently help the Type 1 spammer. (eg,
forged McAfee spams, etc). This and the fact that the particular Type 1
spammer doesn't use open proxies in Russia to send spam, gives it away as
a joe job. But they could just as easily start sending out real McAfee
spams, say to recipients on a do-not-send list.

SO, you are still back to header analysis. And to some extent, reputation
and trust.  Things that depend on making a connection between the IP
address and the purported sender of the message.

--Dean

On Thu, 29 May 2003, Eric A. Hall wrote:

>
> on 5/29/2003 6:27 PM Dean Anderson wrote:
>
> > Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they
> > tell you how to contact them in the message.
>
> There is still a reason to have verifiable identities for commercial spam,
> which is protection against joe-jobs. You want to have proof that the
> beneficiary is really the spammer and not just a victim, or that the
> spammer is really the spammer regardless of who he is spamming for. While
> there are ways of doing this after the fact as you said, having a
> verifiable sender identity makes it a lot simpler.
>
> --
> Eric A. Hall             http://www.ehsco.com/
> Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
>
>
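
An added Go example (mine, not Anderson's) of the triage he describes. It uses Ed25519 instead of PGP, so it shows the decision logic rather than OpenPGP message handling: the signer keeps a log of every signature it has produced; a message that verifies and is in the log is a genuine message someone re-sent, one that verifies and is not in the log is evidence the key has leaked. Binding the recipient and a Message-ID into the signed bytes is a step beyond the post: a copy re-sent to someone on a do-not-send list then fails to verify at all, and a recipient can spot a straight replay without the sender's log. The addresses and identifiers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope is what the signature covers. Binding the recipient and a unique
// Message-ID into the signed bytes means a copy re-sent to a different address
// no longer verifies, and a copy re-sent to the same address is recognisable.
type Envelope struct{ From, To, MessageID, Body string }

func (e Envelope) bytes() []byte {
	return []byte("from:" + e.From + "\nto:" + e.To + "\nmessage-id:" + e.MessageID + "\n\n" + e.Body)
}

// Sender keeps its key and a log of every signature it has ever produced.
// The log must be complete: a genuine send that was not logged would later
// be misread as a key compromise.
type Sender struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	sent map[string]bool
}

func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{priv: priv, Pub: pub, sent: map[string]bool{}}, nil
}

func (s *Sender) Sign(e Envelope) []byte {
	sig := ed25519.Sign(s.priv, e.bytes())
	s.sent[string(sig)] = true
	return sig
}

type Verdict string

const (
	Forged        Verdict = "forged"         // does not verify: a joe-job with no valid signature
	Replay        Verdict = "replay"         // our signature over our text: a real message re-sent
	KeyCompromise Verdict = "key-compromise" // valid signature we never made: the key has leaked
)

// Triage answers the question a signer faces when a message "from" it comes
// back: was the key stolen, or was a genuine message simply re-sent?
func (s *Sender) Triage(e Envelope, sig []byte) Verdict {
	if !ed25519.Verify(s.Pub, e.bytes(), sig) {
		return Forged
	}
	if s.sent[string(sig)] {
		return Replay
	}
	return KeyCompromise
}

// Recipient side: anyone holding the public key can verify, and remembering
// the Message-IDs already accepted catches a replay without the sender's log.
type Recipient struct{ seen map[string]bool }

func (r *Recipient) Accept(pub ed25519.PublicKey, e Envelope, sig []byte) bool {
	if r.seen == nil {
		r.seen = map[string]bool{}
	}
	if !ed25519.Verify(pub, e.bytes(), sig) || r.seen[e.MessageID] {
		return false
	}
	r.seen[e.MessageID] = true
	return true
}

func main() {
	s, err := NewSender()
	if err != nil {
		panic(err)
	}
	e := Envelope{From: "ads@type1.example", To: "alice@example.org", MessageID: "<1@type1.example>", Body: "offer"}
	sig := s.Sign(e)
	fmt.Println("re-sent as is:          ", s.Triage(e, sig))
	e.To = "bob@example.org"
	fmt.Println("re-sent to someone else:", s.Triage(e, sig))
	thief := &Sender{priv: s.priv, Pub: s.Pub, sent: map[string]bool{}} // a stolen copy of the key
	e.MessageID = "<2@type1.example>"
	fmt.Println("signed with stolen key: ", s.Triage(e, thief.Sign(e)))
}
```

What this does not remove is the last point in the post: the verdicts say only whose key signed what; connecting that key to an IP address, a person, or a reputation is still a separate step.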




RE: The utility of IP is at stake here

2003-05-30 Thread Michael Thomas
Paul Hoffman / IMC writes:
 > At 4:58 PM -0700 5/29/03, Tony Hain wrote:
 > >The sysadmin effort would be setting up an automated way to hand out
 > >keys, and the user would have a one-time (or very infrequently) effort
 > >to establish a key pair.
 > 
 > And you are saying that is trivial? How would a typical user know 
 > which third parties to trust? How would the typical user know what to 
 > do when they started getting spam through this filter? How would the 
 > typical user know what to do when someone wants to send him/her mail 
 > but can't because the sender isn't in the right trust group?
 > 
 > If you have already worked this out and I missed it, my apologies. A 
 > pointer to that document would be very helpful.

In reality, is this any more onerous than trying
to decide which spam or virus filters I should
trust? I "trust" spamassassin pretty explicitly
not to be a bad guy. If they distributed me a
public key I should trust too, would that really
change anything? Also: why need this be especially
different than the trust roots pre-loaded in
Mozilla, say? This problem space seems to much
more web-like than, oh say, peer to peer
authentication for computerized financial
transactions...

Mike



Re: A peer-to-peer trust system model

2003-05-30 Thread John Stracke
Theodore Ts'o wrote:

someone who is sending me a human generated
message can generally easily afford the 2 minutes worth of CPU time
before their mailers can deliver the message to my mail host.)
 

But what CPU? The machines with which I routinely send mail range from a 
200MHz handheld to a 2GHz*2 desktop.  I would be unhappy with a protocol 
that required me to run my handheld's CPU at full speed for 2 minutes 
(the battery life isn't so hot); but that level of hashcash would 
require only 6 seconds from my desktop, which is probably too little to 
be a deterrent.  And, if it were targeted at making my *desktop* take 2 
minutes, then the handheld would take about 40, which is totally 
unacceptable.

The whole hashcash idea has two major flaws.  The most obvious is 
Moore's Law (you'll have to keep doubling the bar every 18 months, which 
means email will get more and more expensive for people who don't 
upgrade their CPUs).  The other is that all it proves is that *somebody* 
spent those CPU cycles.  Spammers already steal resources to send their 
messages; what's to stop them from sending out stealth worms that use 
the victim's machine to do hashcash calculations?

--
/===\
|John Stracke  |[EMAIL PROTECTED]|
|Principal Engineer|http://www.centive.com  |
|Centive   |My opinions are my own. |
|===|
|There are footprints on the moon. No feet, just footprints.|
\===/
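
An added Go example (not Stracke's or Ts'o's code, and not the hashcash tool itself) of the asymmetry the argument above turns on: minting a stamp costs about 2^bits SHA-1 evaluations, checking it costs one, and the "bar" that Moore's Law forces up is the single difficulty number. The stamp layout follows the hashcash v1 fields (ver:bits:date:resource:ext:rand:counter); a real verifier also rejects stamps whose date is too old, which is omitted here and noted in a comment. The addresses, date and random field are constructed.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
	"time"
)

// Difficulty returns how many leading zero bits the SHA-1 of a stamp has.
// (Hashcash uses SHA-1; the choice is kept for fidelity, not for security.)
func Difficulty(stamp string) int {
	sum := sha1.Sum([]byte(stamp))
	n := 0
	for _, b := range sum {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// Mint is the sender's work: try counters until the stamp's hash has at least
// `need` leading zero bits. Expected cost is 2^need hashes; the second return
// value is how many were actually tried.
func Mint(need int, date, resource, random string) (string, uint64) {
	prefix := fmt.Sprintf("1:%d:%s:%s::%s:", need, date, resource, random)
	for counter := uint64(0); ; counter++ {
		stamp := prefix + strconv.FormatUint(counter, 36)
		if Difficulty(stamp) >= need {
			return stamp, counter + 1
		}
	}
}

// Verify is the receiver's side: one hash, a few string compares and a
// double-spend lookup. Its cost does not grow with the difficulty, which is
// the asymmetry the scheme relies on. (A real verifier also rejects stamps
// whose date field is too old, so that the spent set can be pruned.)
func Verify(stamp, resource string, minBits int, spent map[string]bool) error {
	f := strings.Split(stamp, ":")
	if len(f) != 7 || f[0] != "1" {
		return fmt.Errorf("malformed stamp")
	}
	claimed, err := strconv.Atoi(f[1])
	if err != nil || claimed < minBits {
		return fmt.Errorf("stamp claims %q bits, policy needs %d", f[1], minBits)
	}
	if f[3] != resource {
		return fmt.Errorf("stamp minted for %q, not %q", f[3], resource)
	}
	if Difficulty(stamp) < claimed {
		return fmt.Errorf("hash does not meet the claimed difficulty")
	}
	if spent[stamp] {
		return fmt.Errorf("stamp already spent")
	}
	spent[stamp] = true
	return nil
}

func main() {
	spent := map[string]bool{}
	for _, need := range []int{12, 16, 20} { // each step is 16x the sender's work...
		t := time.Now()
		stamp, tried := Mint(need, "030530", "graham@isp.example", "c0ffee")
		fmt.Printf("%2d bits: %7d hashes, %v (expected ~%d)\n", need, tried, time.Since(t).Round(time.Millisecond), uint64(1)<<need)
		t = time.Now() // ...while the receiver's check stays flat
		err := Verify(stamp, "graham@isp.example", 12, spent)
		fmt.Printf("   verify: %v in %v; re-use: %v\n", err, time.Since(t), Verify(stamp, "graham@isp.example", 12, spent))
	}
}
```

Running main prints the minting time for 12, 16 and 20 bits next to a verify time that does not move. Stracke's two objections map directly onto the numbers: the only knob is `need`, so keeping pace with faster CPUs means raising it for everyone, handheld included; and nothing in Verify can tell whose CPU did the work.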




RE: spam - The IETF list is spam!

2003-05-30 Thread Tomson Eric (Yahoo.fr)
So?

"Don't stop selling guns, force people to buy bullet-proof jackets"?

"Don't forbid selling cigarettes, build larger hospitals"?

Pardon me if I do not agree with you...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony
Atkielski
Sent: Wednesday, May 28, 2003 10:34
To: IETF Discussion
Subject: Re: spam - The IETF list is spam!


Tim writes:

> Can the discussion now retire to the IRTF
> anti-spam list?

Does your computer have a Delete key?





RE: spam

2003-05-30 Thread Michael Thomas
Christian Huitema writes:
 > If PKI or PKI-like, then the spammers would need to obtain an actual
 > certificate for each of their throwaway identities. But so would
 > everyone else, which implicitly limits the cost of obtaining a
 > certificate to whatever the public can bear, and the amount of identity
 > checks to whatever the public is willing to accept, which today is an
 > e-mail reachability test. So, the spammers will be slowed down, but not
 > much.

What if it cost some nominal amount, but with that
payment came another form of authentication (eg
credit card number) which you could then use to
_meter_ the rate of issuing new certs, and/or
cross referencing issued certs associated with
spammers with the credit card number used to
obtain the cert? Assumedly spammers would
eventually run out of credit cards well before
they ran out of money.

As a note, the identity bound to the key can be
completely opaque and insignificant (and thus
certs could be issued trivially and cheaply).

  Mike



RE: The utility of IP is at stake here/spam

2003-05-30 Thread TABAKIS, ELEAS (AIT)
Would a solution to manage spam be as "simple" as to have a central email
address registry database where consumers can opt out from receiving any spam
email? Very similar proposition to the current direct marketing
"do-not-call" lists. Such an approach coupled with enforcement may be an
option. Basically this approach puts the onus on the spammer to comply and
check if an email address belongs to a list. 

Regards,

Eleas 
"Talk Straight, Follow Through"
"Trust, Character, Commitment, Passion"

 -Original Message-
From: Dean Anderson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 29, 2003 6:28 PM
To: Tony Hain
Cc: 'IETF Discussion'
Subject: RE: The utility of IP is at stake here

The ECPA permits ISPs and telecos to reveal the identification of the
participants in a communication.  Though, the Privacy Protection Act may
impose some additional requirements. Usually, ISPs have no interest in
providing this information without a warrant or subpoena. Privacy is part
of the service customers purchase.

In the current system, it is not hard to nail down the originator, given
there is Law Enforcement interest in finding out the identity. An IP
address works just as good as a phone number. Even an open proxy has logs,
or can be logged.

In some cases, it has been hard to find out the identity via a civil
action, as in the RIAA V Verizon. That case is not yet decided. AOL had a
somewhat similar case, where it resisted a subpoena for identification.
That case has some quirks, though. The plaintiffs also didn't want to be
identified, and I think it was considered to be frivolous or malicious
suit. I don't remember all the details.

However, sans Law Enforcement requests, or civil subpoenas, it is
difficult. It is unlikely that would change, though.  And privacy groups
would want to keep it that way, at least so that a court would decide
whether the identity is wanted for frivolous or malicious reasons. I
support the EFF in this view.

Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they tell
you how to contact them in the message. It is only hard with Type 3 abuse,
which is generally involved in crimes that Law Enforcement could pursue,
but won't, for lack of interest.

--Dean

On Thu, 29 May 2003, Tony Hain wrote:

> Iljitsch van Beijnum wrote:
> > On Thursday, May 29, 2003, at 21:34 Europe/Amsterdam, Tony
> > Hain wrote:
> >
> > > The fundamental legal issue we need to deal with is the ability to
> > > absolutely identify the originator of the mail. Is that
> > precluded by
> > > any existing privacy laws? If not, identity would provide
> > the means to
> > > pursue financial recourse for wasted time and resources. If
> > so, we have
> > > a non-technical issue that may prevent any solution.
> >
> > Too bad the bad ideas get much more air time than the good ones.
> > Yesterday some really good points were brought up, today we're mostly
> > rehashing the bad stuff.
> >
> > About the law: current laws are unable to keep spam in check.
>
> I was not asking about spam law. I was trying to be specific about any
> privacy laws that would prevent identification of the originator of a
> message. As long as there is a legal way to undeniably trace the message
> origin, there is a chance we can build a technical approach to bulk
> message handling system that will end random spam.
>
> > ...
> > The real question is whether the current protocols
> > exhibit flaws that make the spam problem worse than it would
> > be without
> > those flaws; and whether improved protocols can be implemented and
> > deployed at reasonable levels of effectiveness and efficiency.
>
> I would argue yes, in that it is impossible to nail down the originator
> with the current system.
>
> >
> > It seems the answer to this was "no" five or six years ago.
> > In the mean
> > time, many things have changed. We now have more advanced techniques
> > and more processing power at our disposal. Also, spamming in general
> > has become much worse and many more children are online now, who are
> > subjected to spam that isn't always "child friendly" to say
> > the least.
> > Maybe the answer is still "no" but the time is right to at least
> > revisit the question.
> >
>
> I agree.
>
> Tony
>
>
>
>
>




RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tomson Eric (Yahoo.fr)
John,

Since I don't think Dean "Troll" Anderson will do it, I would like to
apologize, in the name of every honest and decent contributor to this list,
for the insults made against someone who was so deeply involved in the
development of SMTP and MIME, and whose contribution, reputation, and
experience earned him the Internet Architecture Board's chair.

I feel so sorry to see how dishonest and indecent one can be with those who
contributed to design and build the Internet and all related technologies
and protocols.

E.T.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
Anderson
Sent: mercredi 28 mai 2003 4:40
To: John C Klensin
Cc: shogunx; Tony Hain; 'IETF'
Subject: Re: The utilitiy of IP is at stake here

On Tue, 27 May 2003, John C Klensin wrote:

(...)

> The opinion
> of others may differ, of course but, as far as I am concerned, you are 
> succeeding in losing all credibility.

I think the same about you. It seems this will go nowhere. I'm just trying
to be polite. You've offered absolutely nothing of substance in this
-long- message.

(...)

This is just nonsense.  Obviously, you have no operational experience.

(...)





Re: The utilitiy of IP is at stake here

2003-05-30 Thread Eric A. Hall

on 5/29/2003 6:27 PM Dean Anderson wrote:

> Anyway, with Type 1 and Type 2 spam, this is unnecessary, since they
> tell you how to contact them in the message.

There is still a reason to have verifiable identities for commercial spam,
which is protection against joe-jobs. You want to have proof that the
beneficiary is really the spammer and not just a victim, or that the
spammer is really the spammer regardless of who he is spamming for. While
there are ways of doing this after the fact as you said, having a
verifiable sender identity makes it a lot simpler.

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




RE: The utilitiy of IP is at stake here

2003-05-30 Thread Paul Hoffman / IMC
At 4:58 PM -0700 5/29/03, Tony Hain wrote:
> The sysadmin effort would be setting up an automated way to hand out
> keys, and the user would have a one-time (or very infrequently) effort
> to establish a key pair.

And you are saying that is trivial? How would a typical user know 
which third parties to trust? How would the typical user know what to 
do when they started getting spam through this filter? How would the 
typical user know what to do when someone wants to send him/her mail 
but can't because the sender isn't in the right trust group?

If you have already worked this out and I missed it, my apologies. A 
pointer to that document would be very helpful.

--Paul Hoffman, Director
--Internet Mail Consortium


RE: spam

2003-05-30 Thread Christian Huitema
> > > However, creating new public/private key pairs is an incredibly
> > > expensive operation, and one that a legitimate email wouldn't
> > > have to do very often, but a spammer would if we just keep
> > > blacklisting their keys.
> >
> > Uh? Creating a Diffie-Hellman public/private key pair is actually
> > quite simple. Even an RSA pair is not all that hard, considering
> > that a set of N prime numbers can generate N.(N-1)/2 key pairs. The
> > logical consequence of authenticated e-mail is bound to be
> > authenticated spam...
> 
> You don't see that as a step in the right direction?

It depends whether you use something like PGP or something like PKI. If
PGP or PGP-like, then the spammers can very easily create throw away
identities, and we have not gained much. In fact, spammers seldom fake
the email addresses of one of your friends, so a PGP solution would not
be a dramatic improvement over simply maintaining a "white list" of
friendly email addresses. 

If PKI or PKI-like, then the spammers would need to obtain an actual
certificate for each of their throwaway identities. But so would
everyone else, which implicitly limits the cost of obtaining a
certificate to whatever the public can bear, and the amount of identity
checks to whatever the public is willing to accept, which today is an
e-mail reachability test. So, the spammers will be slowed down, but not
much.

-- Christian Huitema




RE: spam

2003-05-30 Thread Tomson Eric (Yahoo.fr)
Guys,

Dean Anderson obviously supports and defends SPAM.
No further conversation with him could lead to anything constructive.
Stop feeding the Troll, now.

E.T.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
Anderson
Sent: mercredi 28 mai 2003 3:04
To: Eric A. Hall
Cc: John Stracke; [EMAIL PROTECTED]
Subject: Re: spam

(...)

So what? That is no reason to ban spam.

(...)

This isn't an issue. No one said your life would be free from trash.
Furthermore, there are do-not-send lists. If anti-spammers abuse those
lists, that isn't a justification to ban spam.

(...)

No, I'm saying that spam has insignificantly small cost, and that trying to
inflate the cost somehow isn't a valid reason for banning spam.

(...)

3) That's just stupid and unreasonable behavior. Stupidity and willful
recklessness aren't either common or justifications for banning spam.

(...)

No, it isn't, despite your continued assertions.  You have failed to present
a case that spam costs any money, or interferes with any reasonable person's
email.





RE: spam

2003-05-30 Thread Michael Thomas
Christian Huitema writes:
 > > However, creating new public/private key pairs is an incredibly
 > > expensive operation, and one that a legitimate email wouldn't have to
 > > do very often, but a spammer would if we just keep blacklisting their
 > > keys.
 > 
 > Uh? Creating a Diffie-Hellman public/private key pair is actually quite
 > simple. Even an RSA pair is not all that hard, considering that a set of
 > N prime numbers can generate N.(N-1)/2 key pairs. The logical
 > consequence of authenticated e-mail is bound to be authenticated spam...

You don't see that as a step in the right direction?

  Mike



RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
Paul Hoffman wrote:
> Tony's proposal is not for new software: it is for software that 
> *replaces* what they have now. Further, it is not a one-to-one 
> replacement. It requires new administrative actions by the sysadmin 
> and by the user to validate who they want to get mail from.

The sysadmin effort would be setting up an automated way to hand out
keys, and the user would have a one-time (or very infrequently) effort
to establish a key pair. All the processing would then be automatic. If
the message couldn't be decrypted, or the signature verification
returned the wrong result, the message would simply be dropped. This
keeps everyone except the originator and receiver out of the content
inspection business, yet provides the receiver with an undeniable link
back to the originator for anything that gets delivered. When the
receiver decides that the content wastes resources, they get to decide
the appropriate action to take against the identified origin. 

This approach does not prevent spam, because the spammer could set up
their own public key service. It does keep the IETF out of defining spam
and how to identify & filter it, the service provider out of the
business of content inspection, and has a fairly straight forward set of
technical bounds to build products against. It increases the cost to the
spammer by seriously reducing the number of messages per minute they can
send, and it creates a traceable record to the spammer (well at least to
the key service). Existing legal infrastructure should be sufficient
from there, but I can imagine that politicians would want to claim they
were doing something about the problem and might dream up new laws, or
mandates to deploy such a technology (I am not arguing they should, just
predicting their actions). 

Tony







Re: The utilitiy of IP is at stake here

2003-05-30 Thread Eric A. Hall

on 5/29/2003 5:59 PM David Morris wrote:

> The slower process will be the millions of smaller mail infrastructures,

Yes, small businesses are the biggest hurdle in the deployment cycle.

Fortunately, I think that most of them probably use their ISP's mail
services, so it's not quite like we have to convince every office in every
stripmall to upgrade.

> As long as the new protocols provide a migration plan and support,
> upgrade over a year or two is a reasonable expectation.

Yes. And it's also reasonable that after ~80% switch, sites can start to
disable the legacy compatibility mode. Note that many of them will still
need it for things like printservers and other devices, but for general
Internet communications it should be a little easier since most of the
changeover can happen just by getting most of the ISPs to switch.

The really hard question isn't the upgrade, it's how to limit pollution
from legacy MTAs during the upgrade. If spam is still running high during
the transition, then people will wonder why they bothered.

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




Re: A peer-to-peer trust system model (was: Re: spam)

2003-05-30 Thread Theodore Ts'o
On Wed, May 28, 2003 at 11:56:53AM -0700, Peter Deutsch wrote:
> Concepts such as Hashcash or other payment-oriented systems, in which
> you try to impose a cost on the sender to screen out bulk mailers, are
> interesting enough, but I think they're addressing the wrong problem.
> I've personally come to the conclusion that to address this problem
> (that is, the decision as to whether I want to accept a message from
> you), I don't actually need to know who you are, or even what you're
> trying to send me, and I certainly don't need to impose artificial costs
> on you (since this looks too much like punishing the innocent for the
> crimes of the guilty).

I'm curious why you think Hashcash doesn't work.  Personally, I think
a scheme where (a) you provide a crypto signature which proves who you
are that you are someone that I trust to send me something useful,
*OR* (b) you have to send me some token which proves that you have
spent 120 seconds worth of CPU time calculating it, would work
perfectly.  That way, someone can still send me unsolicited mail
asking for help with e2fsck, or some other aspect of the Linux kernel,
but a spammer simply won't be able to afford the necessary CPU time to
send vast numbers of SPAM.  And regular correspondents with me
could simply send a PKI authenticated token to avoid needing
to do the necessary CPU-burning calculations.  (And this is an
optimization anyway; someone who is sending me a human generated
message can generally easily afford the 2 minutes worth of CPU time
before their mailers can deliver the message to my mail host.)

- Ted
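Ted's two-way rule above (a token from a sender the receiver already trusts, or a token that proves CPU time was spent) together with Tony's earlier "if verification fails, the message is simply dropped" policy, as an added example that is not code from the thread: a receiver-side check in Python. The stamp format, the header names and the HMAC stand-in for a PKI-authenticated token are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Hashcash-style stamp: "1:bits:date:recipient:rand:counter".  The format
# and the header names below are constructed for this example; they are
# not the hashcash.org format.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
        else:
            n += 8 - b.bit_length()
            break
    return n


def mint_stamp(recipient: str, bits: int, date: str, rand: str = "") -> str:
    """Sender side: search for a counter whose SHA-256 has `bits` leading
    zero bits.  Expected cost is about 2**bits hashes; `bits` chosen so
    that this takes a couple of minutes is Ted's 120-second token."""
    rand = rand or secrets.token_hex(4)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, min_bits: int, today: str,
                 seen: set) -> bool:
    """Receiver side.  Deliberately cheap (one parse, one hash, one set
    lookup) so that a flood of bogus stamps, the Type 3 concern raised
    elsewhere in the thread, costs the receiver very little."""
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1":
        return False
    try:
        bits = int(fields[1])
    except ValueError:
        return False
    # Bind the stamp to this recipient and this day so it cannot be reused
    # against another mailbox or stockpiled in advance.
    if bits < min_bits or fields[2] != today or fields[3] != recipient:
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False
    if stamp in seen:  # each stamp is spent once; a replay is refused
        return False
    seen.add(stamp)
    return True


def make_trust_token(secret: bytes, message_id: str) -> str:
    """Stand-in for the 'PKI authenticated token' of known correspondents:
    an HMAC over the Message-ID with a key the receiver already holds for
    this sender.  A real deployment would use a public-key signature."""
    return hmac.new(secret, message_id.encode(), hashlib.sha256).hexdigest()


def accept_message(headers: dict, recipient: str, trusted: dict,
                   min_bits: int, today: str, seen: set) -> tuple:
    """Return (accepted, reason) for one inbound message.

    headers: lower-cased header name -> value (constructed for the example)
    trusted: sender address -> shared secret for known correspondents
    """
    sender = headers.get("from", "")
    token = headers.get("x-trust-token")
    if sender in trusted and token is not None:
        expected = make_trust_token(trusted[sender],
                                    headers.get("message-id", ""))
        if hmac.compare_digest(expected, token):
            return True, "trusted sender"
        # A bad token under a trusted name is not accepted on the name
        # alone; it falls through to the proof-of-work path.
    stamp = headers.get("x-hashcash")
    if stamp and verify_stamp(stamp, recipient, min_bits, today, seen):
        return True, "proof of work"
    # Tony's rule: verification failed, so the message is simply dropped.
    return False, "no trust token and no valid stamp"


if __name__ == "__main__":
    me, day, seen = "ted@example.com", "20030529", set()
    trusted = {"alice@example.com": b"shared-secret-for-alice"}
    known = {"from": "alice@example.com", "message-id": "<1@example.com>"}
    known["x-trust-token"] = make_trust_token(trusted[known["from"]],
                                              known["message-id"])
    stranger = {"from": "bob@example.com",
                "x-hashcash": mint_stamp(me, 16, day)}
    for h in (known, stranger, {"from": "bulk@example.net"}):
        print(h["from"], accept_message(h, me, trusted, 16, day, seen))
```

Raising `bits` by one doubles the sender's expected minting work while the receiver's check stays a single hash, which is the asymmetry the scheme relies on.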



Re: The utilitiy of IP is at stake here

2003-05-30 Thread Eric A. Hall

on 5/29/2003 3:29 PM Dave Crocker wrote:

> Please indicate some historical basis for moving an installed base of
> users on this kind of scale and for this kind of reason.

Notwithstanding the overly-specific nature of the request, I can think of
two off the top of my head, which are FTP/Gopher->HTTP and POP->IMAP.

The features define the benefits, and the benefits are the motivators (I
already gave a list of the features I'd like, and which I think would be
motivational). Large-scale mail carriers would probably switch quickly if
the accountability feature proved useful, even in the absence of laws. The
same is probably true for corporates and financial services firms who rely
heavily on accountability. That's just one benefit.

There are external motivators as well, such as flagdays for the government
and all of its contractors.

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
David Morris wrote:
> > their customers about the opportunity to use a new app. The larger 
> > providers (AOL, MSN, Yahoo, ...) can drive media attention and might
> 
> The providers you have listed all have what I'd call closed 
> applications. Yahoo is (largely) browser based working from a 
> MUA coded in their server. AOL is client-server, again the 
> MUA is in their server and, I believe but have never 
> observed, MSN is similar to AOL. Other examples as well.

In one incarnation, MSN mail is simple SMTP/POP3, in another it is web
based. That is less the point than the fact they collectively cover a
very substantial number of clients. Cover those, and provide the
enterprise mail administrator with an equivalent tool, and the rest of
the world will follow, including the spammers. It will take external
action to push back and stop the spam.

> 
> Once a new/updated mail protocol is available, then each of 
> the above must implement updates to their servers.  Then 
> deploy the changes. The new revised system will just happen 
> to the average user of those services.
> 
> The slower process will be the millions of smaller mail 
> infrastructures,

They feel the pain of spam as much (or more on a percentage basis) as
anyone else. Why wouldn't they be motivated to deploy a spam reduction
tool?

> 
> As long as the new protocols provide a migration plan and 
> support, upgrade over a year or two is a reasonable 
> expectation. A key requirement on the providers of the server 
> and client software is to NOT include dependencies on related 
> system software versions which would force the prospective 
> upgradee to encounter the upgrade domino chain which ends up 
> in substantial costs for unrelated software or hardware.

I agree completely with the point about dependencies, but there should
be absolutely no interoperability between the old and new. The migration
plan should simply be to let the existing infrastructure and set of apps
die for lack of use.

Tony







RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
John Stracke wrote:
> I think you mean that, if people believed the new system would reduce 
> spam, it wouldn't take much to convince them.  

Yes.

> It *would* take a lot to 
> convince them that it would reduce spam; people with a 
> normal, healthy 
> cynicism gland (and without the expertise to analyze the new 
> protocols) 
> would assume that it was just a marketing ploy.

But a coordinated marketing ploy by the major service providers would
not be taken with the same level of cynicism as the normal hype.

Tony






RE: spam

2003-05-30 Thread Christian Huitema
> However, creating new public/private key pairs is an incredibly
> expensive operation, and one that a legitimate email wouldn't have to
> do very often, but a spammer would if we just keep blacklisting their
> keys.

Uh? Creating a Diffie-Hellman public/private key pair is actually quite
simple. Even an RSA pair is not all that hard, considering that a set of
N prime numbers can generate N.(N-1)/2 key pairs. The logical
consequence of authenticated e-mail is bound to be authenticated spam...

-- Christian Huitema




Re: spam

2003-05-30 Thread Dean Anderson
On Thu, 29 May 2003, Iljitsch van Beijnum wrote:

> However, creating new public/private key pairs is an incredibly
> expensive operation, and one that a legitimate email wouldn't have to
> do very often, but a spammer would if we just keep blacklisting their
> keys.

Of course, this results in another Type 3 attack, where you get messages
with lots of bogus keys, and you have to verify the keys.

--Dean




RE: The utilitiy of IP is at stake here

2003-05-30 Thread David Morris


On Thu, 29 May 2003, Tony Hain wrote:

> Dave Crocker wrote:
> > Please indicate some historical basis for moving an installed
> > base of users on this kind of scale and for this kind of reason.
>
> their customers about the opportunity to use a new app. The larger
> providers (AOL, MSN, Yahoo, ...) can drive media attention and might

The providers you have listed all have what I'd call closed applications.
Yahoo is (largely) browser based working from a MUA coded in their server.
AOL is client-server, again the MUA is in their server and, I believe but
have never observed, MSN is similar to AOL. Other examples as well.

Once a new/updated mail protocol is available, then each of the above must
implement updates to their servers.  Then deploy the changes. The new
revised system will just happen to the average user of those services.

The slower process will be the millions of smaller mail infrastructures,

As long as the new protocols provide a migration plan and support, upgrade
over a year or two is a reasonable expectation. A key requirement on the
providers of the server and client software is to NOT include dependencies
on related system software versions which would force the prospective
upgradee to encounter the upgrade domino chain which ends up in
substantial costs for unrelated software or hardware.

Dave Morris




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Dean Anderson


On Thu, 29 May 2003, Iljitsch van Beijnum wrote:

> About the law: current laws are unable to keep spam in check. Is this a
> problem with the law? I don't think so. A good percentage of all spam
> (but certainly not all of it) breaks existing laws. It seems unlikely
> that additional laws will make people who already operate outside the
> law change their behavior.

Type 3 spammers are doing most of this.  These abusers are usually also in
violation of criminal federal statutes (viruses and cracking), but the
feds won't pursue them, since it seems to be a victimless, low value
crime.  This doesn't require more legislation so much as it requires Law
Enforcement to focus on the problem.

> It seems the answer to this was "no" five or six years ago. In the mean
> time, many things have changed. We now have more advanced techniques
> and more processing power at our disposal. Also, spamming in general
> has become much worse and many more children are online now, who are
> subjected to spam that isn't always "child friendly" to say the least.
> Maybe the answer is still "no" but the time is right to at least
> revisit the question.

Yes. But quite obviously, the "spammers" appearing to sell stuff like
child porn are not really selling anything. This is Type 3 abuse (no doubt
by radical anti-spammers) meant to offend people.

Spam volume is up quite a bit over the last year.  But there aren't more
spammers. There are more Type 3 abusers running larger stables of virus
infected machines, and using those stables to send junk that looks like
spam.  This isn't Type 1 or usually Type 2 spam.

The timing of the rise seems to correspond to MAPS loss in Exactis, and
the realization by certain radicals that they have to use illegal means.

--Dean




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Paul Hoffman / IMC
At 2:22 PM -0700 5/29/03, Eliot Lear wrote:
> > Please indicate some historical basis for moving an installed base of
> > users on this kind of scale and for this kind of reason.
>
> History is replete with examples.  From the Internet Worm to Code 
> Red, consumers do install software when they perceive either a 
> threat or a benefit.

Tony's proposal is not for new software: it is for software that 
*replaces* what they have now. Further, it is not a one-to-one 
replacement. It requires new administrative actions by the sysadmin 
and by the user to validate who they want to get mail from.

> Getting rid of spam is a HUGE benefit.

And all the proposals so far have some amount of cost. The trick is 
to come up with a solution whose benefit to at least half of the 100 
million mail users overwhelms the cost. That is, the bother of using 
the new system has to be less than the bother of getting spam.

> Heck.  What I've found so amusing is that people seem to upgrade 
> their Microsoft systems just 'cause, with no perceived benefit, but 
> merely protecting from Bit Rot.

This is because (despite history) people believe that the replacement 
will be no harder to use than the previous version.

--Paul Hoffman, Director
--Internet Mail Consortium


Re: The utilitiy of IP is at stake here

2003-05-30 Thread John Stracke
Tony Hain wrote:

> it wouldn't take much to convince people that moving to a new
> mail system would either reduce spam, or had adequate mechanisms for
> financial recourse.

I think you mean that, if people believed the new system would reduce 
spam, it wouldn't take much to convince them.  It *would* take a lot to 
convince them that it would reduce spam; people with a normal, healthy 
cynicism gland (and without the expertise to analyze the new protocols) 
would assume that it was just a marketing ploy.

--
/=\
|John Stracke  |[EMAIL PROTECTED]  |
|Principal Engineer|http://www.centive.com|
|Centive   |My opinions are my own.   |
|=|
|*BOOM* "Thank you, Beaker. Now we know that is definitely too|
|much gunpowder." -- Dr. Bunsen Honeydew  |
\=/




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Scott W Brim
> Please indicate some historical basis for moving an installed base of
> users on this kind of scale and for this kind of reason.

Times have changed.  End users aren't the problem anymore.  We have
easy, if not automatic, updating for every major user environment.  The
critical point is the SMTP servers.  I believe the great majority of
them understand the spam pain, so they would be motivated to change.
You throttle SMTP relative to the enhanced protocol to motivate the
remaining good guys to convert, and as time goes on and only the bad
guys are left, you throttle it even more.

.swb



Re: The utilitiy of IP is at stake here

2003-05-30 Thread Vernon Schryver
> From: Eliot Lear <[EMAIL PROTECTED]>

> > Please indicate some historical basis for moving an installed base of
> > users on this kind of scale and for this kind of reason.
>
> History is replete with examples.  From the Internet Worm 

What?  The Morris Worm resulted in a significant marketshare decline
for sendmail?  That's strange, since my recollections are that sendmail
became more instead of less popular, in part because SMTP swamped
other protocols.

>   to Code Red, 
> consumers do install software when they perceive either a threat or a 
> benefit.

Do you really intend to say what those words mean in context, that
Microsoft products were replaced wholesale by other software?


>   Getting rid of spam is a HUGE benefit.  Heck.  What I've found 
> so amusing is that people seem to upgrade their Microsoft systems just 
> 'cause, with no perceived benefit, but merely protecting from Bit Rot.

Installing patches or updates that do not significantly change the
form, fit or function of a system is entirely different from pitching
SMTP and switching to something else with major differences not only
in form, fit, and function but fundamental assumptions.

Spam is an implicit problem in any mail protocol that lets you receive
mail from strangers.  If a message is from a stranger, how do you know
the stranger isn't sending copies to 30,000,000 of your intimate
friends?  Any protocol that keeps a stranger and so possible spammer
from sending you a message will be a radical change far larger than
the change from IPv4 to IPv6, not to mention turning off the debug
switch in sendmail or pasting yet another security bandaid on IIS.
For example, Cisco will stop receiving spam as well as inquiries from
prospective customers, at least not as freely and with semi-anonymity
as today.  This mailing list will stop receiving new subscriptions by
the old mechanism of sending a "subscribe" mail message.


Vernon Schryver[EMAIL PROTECTED]



Re: spam

2003-05-30 Thread Clint Chaplin
I've been lurking all this time, and was about to give up completely on
this thread, but then I got sucked into the reality distortion field,
drank the kool-aid, and, well

One problem with attaching the "secret" string to an email address is
how that is done at the sender's side.  I can see email clients
automating the process, which is fine, until a virus comes along and
starts popping off random emails.

Plus, how would CC: and vast To: lists hide the secret string?

Clint (JOATMON) Chaplin

>>> "Anthony Atkielski" <[EMAIL PROTECTED]> 5/28/03 21:20:47 >>>
Tony writes:

> Which is precisely the goal. It is not so extreme
> as to make routine mail unusable, but extreme enough
> to make random bulk mail not worth the cost.

Point taken, although I think conventional encryption would probably be a
better choice for this purpose.

I think, though, that a more effective method would be to find something
that one can require on each message and that is not trivially easy for a
computer to do automatically.

For example, the various administrations passing through the White House
have long had a policy of establishing a "secret number" or similar text
that must be placed on any incoming letter that is to be forwarded directly
to the President or his family with minimal screening.  The President and
family then give this number to a select few people.  Any correspondence
without the number goes through all the usual screening.

This works because the number is an out-of-band datum that the average
sender is not likely to have.  It is communicated from human being to human
being, and isn't to be found anywhere in public.  So it cannot be
automatically added by a machine, nor can unauthorized people add it.

A simple e-mail implementation of this would be to place a random string in
the subject line of a message intended for a specific recipient that serves
the same purpose as this "secret number."  The string would be different for
each recipient, and the only way to obtain it would be through some
out-of-band process (such as contacting the recipient by phone, or
something).  Since there would be no record of this anywhere that spammers
could harvest, it would be impossible for spammers to include these numbers
on outgoing mail.  Very simple, and very effective.  It would, however, be
nice to have e-mail clients that automated this, by allowing for a secret
number field in address books that would make it possible to insert them
automatically on outgoing mail (most clients already provide a way to filter
for such numbers on incoming mail).

Digital signatures and similar authentication would work but are overkill.
All you need is some bit of information that spammers cannot harvest, and
the above random string fits that purpose.  Spammers might pick up your
address on a newsgroup or Web site, but they'd have no way of discovering
your secret number.

> That simply provides message integrity ...

Hash it and sign it with the public key of the recipient.  That would work,
because spammers would not have the public key, whereas legitimate senders
would.

However, I think the secret-number concept described above would be much
simpler and would be just as effective.







RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
Iljitsch van Beijnum wrote:
> On donderdag, mei 29, 2003, at 21:34 Europe/Amsterdam, Tony Hain wrote:
> 
> > The fundamental legal issue we need to deal with is the ability to 
> > absolutely identify the originator of the mail. Is that precluded by 
> > any existing privacy laws? If not, identity would provide the means to
> > pursue financial recourse for wasted time and resources. If so, we have
> > a non-technical issue that may prevent any solution.
> 
> Too bad the bad ideas get much more air time than the good ones. 
> Yesterday some really good points were brought up, today we're mostly 
> rehashing the bad stuff.
> 
> About the law: current laws are unable to keep spam in check. 

I was not asking about spam law. I was trying to be specific about any
privacy laws that would prevent identification of the originator of a
message. As long as there is a legal way to undeniably trace the message
origin, there is a chance we can build a technical approach to bulk
message handling system that will end random spam. 

> ...
> The real question is whether the current protocols exhibit flaws that
> make the spam problem worse than it would be without those flaws; and
> whether improved protocols can be implemented and deployed at
> reasonable levels of effectiveness and efficiency.

I would argue yes, in that it is impossible to nail down the originator
with the current system. 

> 
> It seems the answer to this was "no" five or six years ago. In the
> mean time, many things have changed. We now have more advanced
> techniques and more processing power at our disposal. Also, spamming
> in general has become much worse and many more children are online
> now, who are subjected to spam that isn't always "child friendly" to
> say the least. Maybe the answer is still "no" but the time is right to
> at least revisit the question.
>

I agree.

Tony

 




RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
Dave Crocker wrote:
> Please indicate some historical basis for moving an installed 
> base of users on this kind of scale and for this kind of reason.

WWW browser deployment shows that given appropriate motivation, users
will aggressively take advantage of a new app. Yes I consider this to be
a new app, even though it is replacing an existing capability. Rather
than force people to move or upgrade, give them a new tool and explain
the value. They will move as soon as they believe it is less painful
than staying where they are. Given the growing level of complaint, and
the fact that it will be at least 2 years before anything is ready to
deploy, just about anything will be an easy sell.

> 
> 
> TH>  If the courts routinely granted judgments to
> TH> individuals of 100 $/euro for every received unsolicited message, 
> TH> people
> 
> a transition plan for 100 million users that relies on an 
> "if" concerning entirely new behaviors for a large number of 
> independent judicial systems around the world is a rather 
> fragile dependency, to say the least.
> 
> (and, yes, I realize that that was just an example.  so, 
> please, go ahead and provide a scenario that is not equally 
> fragile.  i can't.)
> 

I would argue this is not entirely new behavior, just that one widely
publicized instance needs to establish precedent that receiving
unsolicited email constitutes an abuse of personal resources and
establish the value of that abuse. Since I think we are talking
small-claims here ($100/day per spam source), it would be most efficient
for the courts to have a procedure where the claimant provided the
abusing email with traceability to the origin, then an automatic judgment
could be issued (yes that is new, but the newness is about efficiency,
not basic process). 

Defining an alternative mechanism is the IETF's job. As long as we
explicitly refuse to allow interoperability, we don't need to worry
about a transition. The mail service providers have the means to inform
their customers about the opportunity to use a new app. The larger
providers (AOL, MSN, Yahoo, ...) can drive media attention and might
even help with any legal efforts to make the case that the new app will
have anti-spam characteristics. In any case, transition is not a problem
when we simply let the spam laden legacy die off as people start
refusing to use the old apps.

> 
> TH> would jump at the chance to run the new mail tool, and spam as we
> TH> know it would lose its economic viability. Making that work means
> TH> absolute traceability of the message origin.
> >> For this effort to be effective, I think it will have to be done in
> >> a way that is at odds with the traditional IETF thinking:
> >> 
> >> 1) Compatibility with SMTP is not desirable
> 
> why?

See above about this being a new app. Requiring integration and
compatibility will only create unnecessary complexity, and won't show
any quantitative value to the end user. Also, as Alain pointed out in
the mail I was responding to, interoperability simply creates a forward
path for the SMTP based spam. Just make them parallel systems and move
on.

> 
> 
> >> 2) Some form of privacy is not desirable
> >> 3) Too much scalability is not desirable
> 
> scalability is not desirable?  wow.
> 
> please explain.

You cut off my comment that scalability is desirable everywhere except
at the originator. The point is to raise the cost at the origin to bias
the economics against random spamming. Something like requiring
recipient based public key cryptography substantially raises the
originator cost for mass mailings. 

Mail list servers would be a problem if we only use public key, so
another part of the new system could be establishing a symmetric key as
part of subscribing to a mail list. Clearly we have a number of
technologies available, we just need to define the characteristics of
the desired system and start applying technologies to build a new app. 

Tony





Re: spam

2003-05-30 Thread Iljitsch van Beijnum
On donderdag, mei 29, 2003, at 23:06 Europe/Amsterdam, Dave Aronson 
wrote:

[Having to do crypto for each outgoing spam]

> Keep in mind, they could always simply apply the usual Microsoft
> solution: throw more and faster hardware at it.  Note also that a lot
> of spam is already sent to single recipients per piece.  In those
> cases, the extra costs of hashing and encryption MIGHT make a SMALL
> dent, but I doubt it would be enough to be worth the hassle.

I think the people selling crypto accelerators will be very happy about 
this...

However, creating new public/private key pairs is an incredibly 
expensive operation, and one that a legitimate email wouldn't have to 
do very often, but a spammer would if we just keep blacklisting their 
keys.




Re: spam

2003-05-30 Thread Dean Anderson
Last time I refuted you, I got hit by 2400 sites trying to abuse our
relays for 10 days.  Sorry. Not this time.

You're too late for this discussion anyway.  Your points were already made
by others. There is no point to rehashing them with you.

--Dean

On Thu, 29 May 2003, Scott Francis wrote:

> On Mon, May 26, 2003 at 06:17:23PM -0400, [EMAIL PROTECTED] said:
> [snip]
> > > Spam on my measured-rate cellular-data PDA is real cost. Spam on my
> > > measured-rate ISDN line (California) is real cost. Extra staffing to
> > > counteract spam at my [isp|university|business] is real cost (setting
> > > aside other costs that you seem willing to ignore). There are plenty of
> > > examples to pick from.
> >
> > Don't get email on measured rate services, then. Or don't publish the
> > email to measured rate services. Put your measured rate services on the
> > do-not-send list. There are many options besides banning commercial email.
>
> Want to lay odds on how many of the hardcore spammers (spamsites hosted on
> Chinanet, etc.) will respect a do-not-send list? They already ignore various
> state legislations against spam (I'm a California resident, for instance, and
> get any number of spams to various accounts daily that ignore existing
> legislation on this topic); why would they pay any attention to a do-not-send
> list?
>
> (I'm also fairly sure such a list will not allow wildcards, and for those of
> us running a domain where one address receives [EMAIL PROTECTED], listing every
> unique address we've created over the years would be tiresome, to say the
> least. I'm sure if this is not the case, someone will correct me.)
>
> > > These are abnormal expenses which go directly into maintaining the
> > > usefulness of my property and which do not increase its value. The right
> > > to commercial speech would not warrant these costs for any other venue,
> > > and there is nothing sufficiently different and unique about this venue to
> > > warrant it here.
> >
> > These are not abnormal expenses. You have deal with abuse no matter what
>
> so, because I have an abuse person to deal with legitimate abuse problems
> (both ingress and egress), I should consider it part of the cost of doing
> business to put up with whatever the spammers want to do to me?
>
> I wonder if AOL considers the cost of dealing with 2 billion spams _daily_ an
> "abnormal expense". Especially when comparing their costs for dealing with
> spam from 2 years ago. Or 6 months ago.
>
> > the form. You have to have an abuse person. Persons intent on performing
> > abuse will abuse whatever is handy.
>
> Only too true, but it doesn't mean we have to 1) make it easy for them, or 2)
> ignore it when they do.
>
> > There are no costs to warrant.  Spam cannot cost you more than $1 or $2
> > per month per user. It doesn't matter how many abuse administrators you
> > have, or how big and expensive your servers are.  Email (including spam)
> > is too cheap to meter. It is practically free, per person.  Sites that
> > have 10 million users are going to have larger expenses than sites that
> > have 10 users. That isn't a surprise, nor a compelling reason to ban spam.
>
> Tell that to AOL. Or Hotmail. Or any other large provider for whom the vast
> majority of their network traffic is unsolicited commercial email. Your
> assertions simply do not hold water. I bet they consider the costs of dealing
> with that illegitimate traffic a fairly compelling reason to ban spam.
>
> > Anyway, I think commercial speech including spam _could_ be regulated, but
> > there so far is no justification for doing so. I don't think there is any
>
> If you can make that statement after considering the cost (personnel,
> bandwidth, and intangibles like degradation of the quality of Internet
> experience the average consumer has) of spam traffic now, compared with the
> cost just 18 months ago, I guess there is no chance you will ever see the
> flaws in your reasoning.
>
> > chance whatsoever that spam will ever be banned completely, and if it
> > were, it would suffer the same fate as the Junk Fax law, which had much
> > more significant costs (consumption of paper at 10 cents per page) and
>
> 10 cents per page, but there was also no single organization handling 2
> billion incoming junk faxes a day. Apples and oranges, Dean.
> --
> Scott Francis || darkuncle (at) darkuncle (dot) net
>   illum oportet crescere me autem minui
>




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Eric A. Hall

on 5/29/2003 3:39 PM Peter Deutsch wrote:

> I personally want a next generation system that would *increase* my
> privacy, not attempt to make a virtue out of *removing* the few shreds
> of anonymity I have left. I would specifically refuse to use such a
> system. And yes, I also want it to make unsolicited, bulk email harder
> to send to me, but not at the cost of my privacy.

Everybody wants to see caller-ID but nobody wants to send it.

Actually, the use of an identification system doesn't necessarily have to
go directly against privacy or anonymity. It leaves the door open for some
kinds of abuses in that area, but those aren't a whole lot worse.

A ~certificate would validate the identity you are using for that piece of
email. That identity doesn't have to be your name or anything else that
identifies you personally. Hell, use 20 certificates, call yourself Batman
in one group and Wonder Woman in the other, nobody will care. As long as
they all verify -- and as long as I can track you down with a court order
that exposes what I need to know when I have a demonstrable reason to know
it -- nobody should care about the identifiers you choose to use.

The real risk here is that the delegator will know who you really are and
might tell somebody. I don't see much difference between that and the risk
we already have from upstreams being able to sniff and delegate, though.

Besides, if everybody feels that strongly about it, a mail system like the
one I laid out doesn't *require* user identification, only host and domain
identification. If folks want the user part to be optional, that's fine
with me.

-- 
Eric A. Hall                     http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Iljitsch van Beijnum
On donderdag, mei 29, 2003, at 21:34 Europe/Amsterdam, Tony Hain wrote:

> The fundamental legal issue we need to deal with is the ability to
> absolutely identify the originator of the mail. Is that precluded by
> any existing privacy laws? If not, identity would provide the means to
> pursue financial recourse for wasted time and resources. If so, we have
> a non-technical issue that may prevent any solution.

Too bad the bad ideas get much more air time than the good ones. 
Yesterday some really good points were brought up, today we're mostly 
rehashing the bad stuff.

About the law: current laws are unable to keep spam in check. Is this a 
problem with the law? I don't think so. A good percentage of all spam 
(but certainly not all of it) breaks existing laws. It seems unlikely 
that additional laws will make people who already operate outside the 
law change their behavior.

Another preposterous idea: charging money for sending email. Economics 
dictates that this will increase the overall cost of emailing by many 
orders of magnitude and there is no reasonable upgrade path from the 
current situation to the new one.

Both points are moot anyway as they fall outside the scope of the 
IETF's activities. The real question is whether the current protocols 
exhibit flaws that make the spam problem worse than it would be without 
those flaws; and whether improved protocols can be implemented and 
deployed at reasonable levels of effectiveness and efficiency.

It seems the answer to this was "no" five or six years ago. In the mean 
time, many things have changed. We now have more advanced techniques 
and more processing power at our disposal. Also, spamming in general 
has become much worse and many more children are online now, who are 
subjected to spam that isn't always "child friendly" to say the least. 
Maybe the answer is still "no" but the time is right to at least 
revisit the question.




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Eliot Lear
Dave,

> Please indicate some historical basis for moving an installed base of
> users on this kind of scale and for this kind of reason.

History is replete with examples.  From the Internet Worm to Code Red, 
consumers do install software when they perceive either a threat or a 
benefit.  Getting rid of spam is a HUGE benefit.  Heck.  What I've found 
so amusing is that people seem to upgrade their Microsoft systems just 
'cause, with no perceived benefit, but merely protecting from Bit Rot.

Eliot





Re: The utilitiy of IP is at stake here

2003-05-30 Thread John Morris
At 10:19 PM +0200 5/29/03, Anthony Atkielski wrote:
> John writes:
> 
> > In the US, ISPs are not, and never have been
> > viewed, as common carriers.
> 
> I recall a case involving CompuServe in which it was treated at least
> partially as a common carrier, not responsible for the content of its
> network.

The Compuserve case went the general way you suggest, and the Prodigy 
case went the other way.  Both cases predate the passage of 47 U.S.C. 
Section 230, which was a part of the Communications Decency Act, 
which in turn was a part of the Telecommunications Act of 1996. 
Section 230 was enacted specifically to reverse the holding of the 
Stratton Oakmont v. Prodigy  decision, which did impose liability on 
Prodigy.

> > (1) Treatment of publisher or speaker
> > No provider or user of an interactive
> > computer service [read, an ISP] shall be
> > treated as the publisher or speaker of
> > any information provided
> > by another information content provider.
> 
> How is this reconciled with the DMCA?

The DMCA does not in general make ISPs liable for copyright 
infringement by their customers, but instead puts certain takedown 
obligations on ISPs.   So there is no conflict.

John



Re: spam

2003-05-30 Thread Andrew Shore
Vernon Schryver wrote:

> - becoming famous for having stopped spam, or at least getting into
> the RFC index.

And on that subject, would Doug be willing to write up his 
"subaddresses" proposal as a draft? Or would that be counterproductive 
to its eventual acceptance? At least three of us have proposed variants 
on this theme, and while it will not put an end to spam overnight, it 
will be a useful beginning. I realise there may be patent issues... ^^

Andrew.
--
Andrew Shore.


Re: spam

2003-05-30 Thread Dave Aronson
On Thursday 29 May 2003 01:13, [EMAIL PROTECTED] wrote:

 Va> On Thu, 29 May 2003 06:20:47 +0200, Anthony Atkielski
 Va> <[EMAIL PROTECTED]>  said:
 ...
 Va> > Hash it and sign it with the public key of the recipient.
 Va> > That would work, because spammers would not have the
 Va> > public key, whereas legitimate senders would.
 Va>
 Va> Only if it's an *UNPUBLISHED* public key - at which point
 Va> it just degenerates into your "secret number" protocol,
 Va> with the same bootstrapping issues.

Correct, but still methinks Anthony is onto something.

Yes, a spammer could get hold of your public key.  However, this 
"tailoring" means that he's going to have to send the spam to each 
recipient individually, instead of using a huge Bcc list.  This won't 
get rid of spam entirely, but it could put somewhat of a damper on the 
flow.

The big question is, how many recipients are there (To + Cc + Bcc), for 
the average piece of outbound spam?  That is roughly the ratio by which 
such a scheme will make it costlier to spam.  (I'm purposely ignoring 
the extra cost of the hashing and encryption.  These will probably make 
a small contribution, by comparison.)  Anybody got a large corpus of 
spam, COMPLETE WITH BCC LISTS, to analyze?

Then comes the followup question of whether that ratio is enough to be 
worth the trouble of further investigation along this path.  Keep in 
mind, they could always simply apply the usual Microsoft solution: throw 
more and faster hardware at it.  Note also that a lot of spam is already 
sent to single recipients per piece.  In those cases, the extra costs of 
hashing and encryption MIGHT make a SMALL dent, but I doubt it would be 
enough to be worth the hassle.

-- 
David J. Aronson, Unemployed Software Engineer near Washington DC
See http://destined.to/program/ for online resume, and other info




Re: spam

2003-05-30 Thread Anthony Atkielski
I simply mean that when the returns are low enough, spammers will stop.  If
spam produces so much noise that people stop using e-mail, that will stop
the spammers.

However, I think that for the vast majority of Internet users, spam is only
a minor nuisance, and they will probably continue to use e-mail with or
without spam.

- Original Message -
From: "Michael Thomas" <[EMAIL PROTECTED]>
To: "Anthony Atkielski" <[EMAIL PROTECTED]>
Cc: "IETF Discussion" <[EMAIL PROTECTED]>
Sent: Thursday, May 29, 2003 22:56
Subject: Re: spam


> Anthony Atkielski writes:
>  > Noel writes:
>  >
>  > > It *better* be solvable, otherwise when email
>  > > becomes 99% spam, everyone will stop reading email.
>  >
>  > I wouldn't worry about that.  When everyone stops reading e-mail, spam
>  > will disappear again.  Remember, spammers only send out spam because
>  > people reply to it.  If nobody replies, they'll stop.
>
> You mean I might yet achieve salvation without my
> procmail rosary beads? Will it be preceded by the
> RFC 822 apocalypse?
>
> Mike
>




Re: spam

2003-05-30 Thread Michael Thomas
Anthony Atkielski writes:
 > Noel writes:
 > 
 > > It *better* be solvable, otherwise when email
 > > becomes 99% spam, everyone will stop reading email.
 > 
 > I wouldn't worry about that.  When everyone stops reading e-mail, spam will
 > disappear again.  Remember, spammers only send out spam because people reply
 > to it.  If nobody replies, they'll stop.

You mean I might yet achieve salvation without my
procmail rosary beads? Will it be preceded by the
RFC 822 apocalypse?

Mike



Re: spam

2003-05-30 Thread Scott Francis
On Mon, May 26, 2003 at 06:17:23PM -0400, [EMAIL PROTECTED] said:
[snip]
> > Spam on my measured-rate cellular-data PDA is real cost. Spam on my
> > measured-rate ISDN line (California) is real cost. Extra staffing to
> > counteract spam at my [isp|university|business] is real cost (setting
> > aside other costs that you seem willing to ignore). There are plenty of
> > examples to pick from.
> 
> Don't get email on measured rate services, then. Or don't publish the
> email to measured rate services. Put your measured rate services on the
> do-not-send list. There are many options besides banning commercial email.

Want to lay odds on how many of the hardcore spammers (spamsites hosted on
Chinanet, etc.) will respect a do-not-send list? They already ignore various
state legislations against spam (I'm a California resident, for instance, and
get any number of spams to various accounts daily that ignore existing
legislation on this topic); why would they pay any attention to a do-not-send
list?

(I'm also fairly sure such a list will not allow wildcards, and for those of
us running a domain where one address receives [EMAIL PROTECTED], listing every
unique address we've created over the years would be tiresome, to say the
least. I'm sure if this is not the case, someone will correct me.)

> > These are abnormal expenses which go directly into maintaining the
> > usefulness of my property and which do not increase its value. The right
> > to commercial speech would not warrant these costs for any other venue,
> > and there is nothing sufficiently different and unique about this venue to
> > warrant it here.
> 
> These are not abnormal expenses. You have deal with abuse no matter what

so, because I have an abuse person to deal with legitimate abuse problems
(both ingress and egress), I should consider it part of the cost of doing
business to put up with whatever the spammers want to do to me?

I wonder if AOL considers the cost of dealing with 2 billion spams _daily_ an
"abnormal expense". Especially when comparing their costs for dealing with
spam from 2 years ago. Or 6 months ago.

> the form. You have to have an abuse person. Persons intent on performing
> abuse will abuse whatever is handy.

Only too true, but it doesn't mean we have to 1) make it easy for them, or 2)
ignore it when they do.

> There are no costs to warrant.  Spam cannot cost you more than $1 or $2
> per month per user. It doesn't matter how many abuse administrators you
> have, or how big and expensive your servers are.  Email (including spam)
> is too cheap to meter. It is practically free, per person.  Sites that
> have 10 million users are going to have larger expenses than sites that
> have 10 users. That isn't a surprise, nor a compelling reason to ban spam.

Tell that to AOL. Or Hotmail. Or any other large provider for whom the vast
majority of their network traffic is unsolicited commercial email. Your
assertions simply do not hold water. I bet they consider the costs of dealing
with that illegitimate traffic a fairly compelling reason to ban spam.

> Anyway, I think commercial speech including spam _could_ be regulated, but
> there so far is no justification for doing so. I don't think there is any

If you can make that statement after considering the cost (personnel,
bandwidth, and intangibles like degradation of the quality of Internet
experience the average consumer has) of spam traffic now, compared with the
cost just 18 months ago, I guess there is no chance you will ever see the
flaws in your reasoning.

> chance whatsoever that spam will ever be banned completely, and if it
> were, it would suffer the same fate as the Junk Fax law, which had much
> more significant costs (consumption of paper at 10 cents per page) and

10 cents per page, but there was also no single organization handling 2
billion incoming junk faxes a day. Apples and oranges, Dean.
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Peter Deutsch
g'day,

Tony Hain wrote:
> 
> Alain Durand wrote:
> > I tend to agree with Dave Crocker, getting 100+ millions
> > users to upgrade to SMTPng is not going to be any easier than
> > getting them to move to IPv6... It will also suffer from the
> > second design syndrome. I will not fool myself and believe it
> > can happen overnight
> 
> In this case, I disagree. Yes SMTP will have to exist for some time to
> come, but it wouldn't take much to convince people that moving to a new
> mail system would either reduce spam, or had adequate mechanisms for
> financial recourse. If the courts routinely granted judgments to
> individuals of 100 $/euro for every received unsolicited message, people
> would jump at the chance to run the new mail tool, and spam as we know
> it would lose its economic viability. Making that work means absolute
> traceability of the message origin.
> 
> > For this effort to be effective, I think it will have to be
> > done in a way that is at odds with the traditional IETF thinking:
> >
> > 1) Compatibility with SMTP is not desirable
> > 2) Some form of privacy is not desirable
> > 3) Too much scalability is not desirable
> 

Sorry, guys, I don't see this one taking wing. I'd agree that many of us
would jump at the chance to receive the occasional $100 gratuity, but
far fewer would want to sign up for the corollary, a system in which you
willingly and consciously abandon all hopes for privacy and anonymity. I
think the issue of preserving privacy will be a major one for us all in
the coming years, so starting the design of a new system with the axiom
that privacy is not desirable seems, well, I find it hard to describe
without being either flip or rude.

I personally want a next generation system that would *increase* my
privacy, not attempt to make a virtue out of *removing* the few shreds
of anonymity I have left. I would specifically refuse to use such a
system. And yes, I also want it to make unsolicited, bulk email harder
to send to me, but not at the cost of my privacy.

As I've already pointed out, I think we need to have another look at the
problem definition before we get too far down the design path. For
example, virtually every posting on this topic over the past few days
seems to be labouring under the assumption that the spammer wants to
trigger a commercial exchange of some sort with the recipient (with the
corollaries that the commercial entities can be traced, they will allow
you to impose costs upon them as a cost of doing business, etc). From
looking at a lot of the crap I'm getting, I'd say that a certain
percentage of it has no reasonable expectation that I'll react to it at
all (e.g. the Portuguese language spam, the spam containing viruses, the
spam containing random strings of junk which I assume might help it get
past spam filters, but which guarantee that I won't take the sender
seriously as a someone I'd be willing to share my credit card with,
etc). 

Here's a radical thought, what if some percentage of this problem is
simply economic terrorism and random script kiddies doing the equivalent
of scribbling on the walls and tagging the billboards? No amount of
legislated Subject lines, protocol design and/or education will solve
that problem. In case you missed it, graffiti is already illegal, but
it hasn't been eliminated by legislation.

Maybe somebody should get some foundation to fund study to trace a pile
of this stuff to its roots and do some statistically valid analysis on
its origins, goals, etc. Otherwise, we seem to be in grave danger of
designing a system (spam control) without ever talking to its users (the
spam generators). Sounds like a recipe for disaster to me...

- peterd



-- 
-
Peter Deutsch   [EMAIL PROTECTED]
Gydig Software

"Bungle..."
   "That's an 'i', you idiot..."
  "Oh, right. 'Bingle..."

- Red versus Blue...

-



Re: spam

2003-05-30 Thread Scott Francis
On Mon, May 26, 2003 at 04:58:41PM -0400, [EMAIL PROTECTED] said:
[snip]
> Most of the examples of harmful spam are of the Type 2 and Type 3 variety,
> which is why Congress and the states have moved to address Type 2. Type 3
> is already illegal.

there's a non-harmful kind of spam? Do tell ...
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Dave Crocker
Tony,

TH> come, but it wouldn't take much to convince people that moving to a new
TH> mail system would either reduce spam,

Please indicate some historical basis for moving an installed base of
users on this kind of scale and for this kind of reason.


TH>  If the courts routinely granted judgments to
TH> individuals of 100 $/euro for every received unsolicited message, people

a transition plan for 100 million users that relies on an "if"
concerning entirely new behaviors for a large number of independent
judicial systems around the world is a rather fragile dependency, to say
the least.

(and, yes, I realize that that was just an example.  so, please, go
ahead and provide a scenario that is not equally fragile.  i can't.)


TH> would jump at the chance to run the new mail tool, and spam as we know
TH> it would lose its economic viability. Making that work means absolute
TH> traceability of the message origin.
>> For this effort to be effective, I think it will have to be
>> done in a way that is at odds with the traditional IETF thinking:
>> 
>> 1) Compatibility with SMTP is not desirable

why?


>> 2) Some form of privacy is not desirable
>> 3) Too much scalability is not desirable

scalability is not desirable?  wow.

please explain.



d/
--
 Dave Crocker
 Brandenburg InternetWorking
 Sunnyvale, CA  USA




Re: spam

2003-05-30 Thread Anthony Atkielski
Dean writes:

> I expect that Type 1 spammers will comply. Some already are.

Of course they will.  The whole idea of Type 1 spammers is to provide a way
for you to contact them, anyway, so they have little incentive to hide.




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Anthony Atkielski
John writes:

> In the US, ISPs are not, and never have been
> viewed, as common carriers.

I recall a case involving CompuServe in which it was treated at least
partially as a common carrier, not responsible for the content of its
network.

>(1) Treatment of publisher or speaker
>No provider or user of an interactive
>computer service [read, an ISP] shall be
>treated as the publisher or speaker of
>any information provided
>by another information content provider.

How is this reconciled with the DMCA?





Re: spam

2003-05-30 Thread Anthony Atkielski
Noel writes:

> It *better* be solvable, otherwise when email
> becomes 99% spam, everyone will stop reading email.

I wouldn't worry about that.  When everyone stops reading e-mail, spam will
disappear again.  Remember, spammers only send out spam because people reply
to it.  If nobody replies, they'll stop.

Actually nearly 99% of my e-mail _already is_ spam, but I still read the
non-spam messages.

As for the problem being solvable, I'm not at all confident about that.

It's interesting to note that almost all spam references a handful of
products or services.  Clearly, there are quite a few people out there who
want larger penises, or are in tremendous debt, or are being crushed by
large mortgages, or are in search of pictures of teenage girls, otherwise
these advertisements would not dominate spam.  And somebody is still trying
to cut deals with mysterious executives of Nigerian Oil Development Central
Bank, judging by the number of letters I receive on that.

Maybe the real problem is that there are too many dolts on the Net who
actually reply to this spam.  Eliminate them, and the spam will go away.
Maybe an IQ test for each new Internet subscriber; anyone with a
single-digit score isn't allowed to sign up without adult supervision.

> I'm willing to spend $.25 to communicate with someone
> I've never sent email to before.

I'm not.  The e-mail only costs $0.7 to send, so why should I give
anyone $0.25 for it?

> I doubt very much the spammers who boast of sending
> millions of messages a day are willing to spend $.25
> each message for the privilege.

I don't blame them, nor do I think they should be required to pay that.  I
won't even spend that on one message.  If I want to throw money out the
window, there are already lots of other scams that will deprive me of my
wealth just as quickly.




RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
Alain Durand wrote:
> I tend to agree with Dave Crocker, getting 100+ million 
> users to upgrade to SMTPng is not going to be any easier than 
> getting them to move to IPv6... It will also suffer from the 
> second design syndrome. I will not fool myself and believe it 
> can happen overnight 

In this case, I disagree. Yes SMTP will have to exist for some time to
come, but it wouldn't take much to convince people that moving to a new
mail system would either reduce spam, or had adequate mechanisms for
financial recourse. If the courts routinely granted judgments to
individuals of 100 $/euro for every received unsolicited message, people
would jump at the chance to run the new mail tool, and spam as we know
it would lose its economic viability. Making that work means absolute
traceability of the message origin.

 
> For this effort to be effective, I think it will have to be 
> done in a way that is at odds with the traditional IETF thinking:
> 
> 1) Compatibility with SMTP is not desirable
> 2) Some form of privacy is not desirable
> 3) Too much scalability is not desirable

I agree, with the condition that scalability should be a factor
everywhere except the originator. 

Tony




RE: The utilitiy of IP is at stake here

2003-05-30 Thread Tony Hain
John Morris wrote:
> FWIW, and not to drag us too far into a legal discussion, but the 
> above is not correct for the United States.   In the US, ISPs are 
> not, and never have been viewed, as common carriers. 

I agree on the legal point, but note that as we move further down the
path of VOIP that is likely to change. My point was more about the
inconsistency of wanting absolute control, but zero responsibility. For
starters, they don't have absolute control, and even if they try to
establish it, the endpoints will simply push them down a layer and
tunnel over whatever is allowed. More importantly they want to maintain
their zero responsibility position, and that will take precedence over
control as soon as they are taken to court because they didn't prevent
an action which they had the means to control through ever deeper packet
inspection. 

The fundamental legal issue we need to deal with is the ability to
absolutely identify the originator of the mail. Is that precluded by any
existing privacy laws? If not, identity would provide the means to
pursue financial recourse for wasted time and resources. If so, we have
a non-technical issue that may prevent any solution.

Tony




Re: spam

2003-05-30 Thread Eric A. Hall

on 5/29/2003 12:18 PM Bill Cunningham wrote:
> Personally I think the best idea I've seen yet is the idea of a prefix,
>  such as ADV in the subject line.

Using the current transfer and message-format models, that requires
post-transfer processing. At a minimum, you would be legitimizing
artificially increased bandwidth and processing demands (assuming that
everybody complied with the law).

> It maybe possible to put something like ADV in a protocol header. Or
> maybe that is too extreme.

A special header would be feasible if the transfer headers and message
headers were separate, since you could reject the message before the
transfer. The same results would also be possible with ESMTP using
something like an ;ADV extension to the MAIL FROM command. Both of those
require wholesale upgrades to have any impact, so in the meantime you'd
still have to rely on post-transfer processing.

There is another significant problem with using an ADV tag with all
commercial mail, which is that it doesn't adequately distinguish between
spam and legitimate commercial mail. Would upgrade notification messages
for stuff like software need to be marked? Would domain renewal notices
from your registrar need to be marked? Would you need to explicitly opt-in
to get those messages without them being marked?

Seems to me we should be defining laws that put the onus on the spammers
rather than on the recipients and legitimate business communications.

-- 
Eric A. Hall                 http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
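The distinction Eric draws above, a Subject-line ADV prefix that can only be acted on after the message has been transferred versus an envelope-level tag that lets the server refuse before DATA, as an added example that is not from the post or from any mail software. The ADV MAIL FROM parameter is hypothetical (modelled on the ";ADV" idea in the post), the hostnames and addresses are placeholders, and the sample session lines are constructed.

```python
"""Added illustration contrasting a post-transfer Subject-prefix check with a
pre-transfer reject on a MAIL FROM parameter; the ADV parameter is hypothetical."""
import re
from email.parser import Parser
from typing import Dict, List, Tuple

ADV_PREFIX = "ADV"  # tag the post proposes for the Subject line

# RFC 5321 MAIL command shape: "MAIL FROM:<reverse-path> [param[=value] ...]".
MAIL_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>(.*)$", re.IGNORECASE)

def parse_mail_from(line: str) -> Tuple[str, Dict[str, str]]:
    """Split a MAIL FROM command into the reverse-path and its ESMTP parameters."""
    m = MAIL_RE.match(line.strip())
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % line)
    params: Dict[str, str] = {}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return m.group(1), params

def reply_to_mail_from(line: str) -> str:
    """Pre-transfer policy: refuse a sender tagged with the hypothetical ADV
    parameter at the envelope stage, before any message body is transferred."""
    _, params = parse_mail_from(line)
    if "ADV" in params:
        return "550 5.7.1 Advertising not accepted here"
    return "250 2.1.0 Sender OK"

def subject_is_adv(raw_message: str) -> bool:
    """Post-transfer policy: the Subject can only be checked once the whole
    message has been received, so the bandwidth is already spent."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    subject = (msg["Subject"] or "").lstrip()
    return subject.upper().startswith(ADV_PREFIX)

def run_session(commands: List[str]) -> Tuple[List[str], int]:
    """Feed a client's command lines to a toy server; return its replies and the
    number of message bytes it accepted after DATA (the cost the post refers to)."""
    replies: List[str] = []
    accepted, rejected, in_data, body = 0, False, False, []
    for cmd in commands:
        if in_data:
            if cmd == ".":
                in_data, text = False, "\n".join(body)
                accepted += len(text)
                replies.append("550 5.7.1 ADV message refused after transfer"
                               if subject_is_adv(text) else "250 2.0.0 Queued")
            else:
                body.append(cmd)
            continue
        upper = cmd.upper()
        if upper.startswith("MAIL FROM:"):
            reply = reply_to_mail_from(cmd)
            rejected = reply.startswith("5")
            replies.append(reply)
        elif upper.startswith("RCPT TO:") or upper == "DATA":
            if rejected:
                replies.append("503 5.5.1 Need a valid MAIL FROM first")
            elif upper == "DATA":
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                replies.append("250 2.1.5 Recipient OK")
        else:
            replies.append("250 OK")  # EHLO, QUIT, etc. in this toy server
    return replies, accepted

TAGGED_MESSAGE = ("From: <seller@example.com>\n"  # constructed sample, not real mail
                  "Subject: ADV: cheap mortgages\n\n"
                  "body text here\n")
# Subject-line tagging only: the full message arrives before it can be refused.
POST_TRANSFER = ["EHLO relay.example.net", "MAIL FROM:<seller@example.com>",
                 "RCPT TO:<user@example.org>", "DATA"] + TAGGED_MESSAGE.splitlines() + ["."]
# Envelope tagging: a compliant client gets 550 at MAIL FROM and never sends the body.
PRE_TRANSFER = ["EHLO relay.example.net", "MAIL FROM:<seller@example.com> ADV",
                "RCPT TO:<user@example.org>", "DATA", "QUIT"]
```

Running both sessions through run_session shows the post-transfer variant accepting the whole message before it can refuse it, while the envelope variant accepts zero message bytes.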




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Dave Crocker
Folks,

JM> FWIW, and not to drag us too far into a legal discussion, but the 
JM> above is not correct for the United States.   In the US, ISPs are 
JM> not, and never have been viewed, as common carriers.  And, as one can


I can see that my point was entirely missed:

Yes, this is an important topic.

But no, it does not belong in the IETF.  We have no *** IETF *** work to
do.


d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA




Re: The utilitiy of IP is at stake here

2003-05-30 Thread Alain Durand
I tend to agree with Dave Crocker, getting 100+ million users
to upgrade to SMTPng is not going to be any easier
than getting them to move to IPv6... It will also suffer from
the second design syndrome. I will not fool myself and believe
it can happen overnight
... although, due to the volume of spam, there is little choice but 
doing it.

For this effort to be effective, I think it will have to be done
in a way that is at odds with the traditional IETF thinking:
1) Compatibility with SMTP is not desirable
   ==> if not, spam will be forward compatible!
2) Some form of privacy is not desirable
   ==> You cannot define Spam but you know this is spam when you see one.
   As you cannot put any reliable filters in place, your only
   solution is the legal route. For this to work, you want to be able
   to trace exactly who was sending the mail.

3) Too much scalability is not desirable
   ==> There is (almost) no direct cost per mail, but a lot of indirect costs.
   This may actually very well be the root cause of the problem.
   There is relatively little spam in regular snail mail or telephone,
   not only because of legislative regulations, but also
   because it costs money per message. This regulates the flow.
   One cannot send millions of mails/phone calls for just $20...
   Another way of saying this is that SMTP is a victim of the IETF credo,
   the protocol scales too well.

- Alain.







Dave Crocker wrote:

> Tony and Steve, et al,
>
> TH> In context, it is clearly the right of a mail server operator to refuse
> TH> mail. My concern is more about the precedent where a large ISP decides
> TH> that address ranges have particular application semantics.
> ...
> TH> The IETF needs to recognize that the ISPs don't really have a good
> TH> alternative, and work on providing one.
>
> and
>
> SMB> Yes.  Normally, I'd worry a lot about backwards compatibility.  In this
> SMB> case, I think the problems for ISPs -- and users -- are so severe that
> SMB> people will switch *rapidly* to a new protocol if it solved most of the
> SMB> spam problem.
>
> Most of this thread is really about legal and customer service issues.
> I do not see how it is an IETF topic, no matter how much each of us
> might (and do) feel strongly about it.
>
> However I'll join the ranks of those heartily supporting your
> conclusion about the absence of good alternatives...
>
> However there is a catch:
>
>  With respect to spam, and many other content-related activities,
>  what does it mean to provide a good alternative?
>  To answer this means we need to understand the problem very well
>  and understand the technical underpinnings of the problem very
>  well.
>
> It is easy to note features that are lacking from email, but dangerous
> to assume that adding those features will result in their being adopted
> or that their adoption will magically fix the problem at hand.
>
> Worse is that, by and large, spam is a topic for which reasoned
> discussion -- and especially careful analysis -- is so far proving
> impossible in an open forum. Between the formal fuzziness of the topic,
> the strong emotion it engenders, and the compulsive self-interest of
> many constituencies, the reality is fragmented, heated exchanges, rather
> than anything really productive.
>
> Here are some realities that I think we must juggle:
>
> 1.  We do not understand the full range of email (ie, electronic
> mediated human exchanges) very well at all;
> 2.  An installed base of 100 million users should be expected to adopt
> changes very, very slowly
> 3. Each change will have large, unintended consequences, most of which
> will be undesirable. (This statement is an absolute cliché in serious
> discussions about organizational and social change.)
>
> Note that the definition of spam largely depends upon the person making
> the definition; unless and until we can develop a reasonably simple
> definition that has a) broad acceptance, and b) a largely technical
> basis, then it is pure folly for the IETF to think it can do anything
> major in this arena.  It might be useful for us to standardize some relatively
> straight tools, like a client/filter-server exchange protocol, but we
> are not going to achieve really strategic improvements.
>
> I should also note that the last two years have seen at least two
> efforts to consider a replacement email service -- or at least an
> alternative one -- but that neither seems to have achieved a critical
> mass of interest.
>
> And before anyone claims that spam will be the flag around which
> Email(ng) troops will rally, I'll ask what changes anyone thinks are
> required. As soon as anyone tries to answer that, everyone else should
> watch the style of responses they get...
>
> (if you want to save time, just look at the discussion of spam on the
> ietf over the last few days. has it been analytic? has it been systemic?
> has it been productive? -- except for the thread that Tony just started,
> of course.)
>
> d/
> --
> Dave Crocker

Re: spam

2003-05-30 Thread Fritz F. Saad
I can only echo Bill's comment in that regard, and I don't find that too
extreme.

Cheers,
Fritz.
- Original Message - 
From: "Bill Cunningham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 29, 2003 11:18 AM
Subject: spam


> Personally I think the best idea I've seen yet is the idea of a prefix, such
> as ADV in the subject line. The real problem I agree is with sorting through
> unsolicited mail for what you really want. It may be possible to put
> something like ADV in a protocol header. Or maybe that is too extreme.
>
> Bill



Re: Re: spam

2003-05-30 Thread Dean Anderson
Radical anti-spammers, like other kinds of radicals, make unreasonable
demands, employ illegal methods such as extortion and terrorism (or
techno-terrorism, in this case), feel there is no other point of view
other than their own, and that other points of view can be suppressed.
They feel that because the law won't give them what they want, that they
can employ whatever methods they feel like to achieve their goals.

Frequently, they do more harm to their goals as a result. For example,
Palestinian radicals blow themselves up. Radical Jewish settlers create
illegal settlements, and terrorize the local population.

When the leadership of a group doesn't repudiate and root out the
radicals, significant harm is done to their goals.

For example, the Israeli government repudiates and cracks down on illegal
settlements. While the Palestinian government doesn't repudiate the
Palestinian radicals. The result is a loss of credibility for the
Palestinians.  By contrast, the actions of the radical settlers inflaming
the Palestinians is clearly harmful to Israel, but has little effect on
the credibility of the Israeli government.

Some might think it is inappropriate to compare violent terrorism to
techno-terrorism.  The difference is primarily that techno-terrorism
doesn't result in loss of life. Just crashed computers.  But the mentality
is essentially the same.   Radical Anti-spammers are willing to give their
jobs and livelihood for their beliefs.

And like the Palestinians, the lies, abuse, and misdeeds of the radical
anti-spammers discredit the entire group, because the leadership refuses
to root them out. The leadership is itself radical.

--Dean

On Thu, 29 May 2003, John Loughney wrote:

> Hi,
>
> What is a 'radical anti-spammer'?
>
> --
>
> This is the _false_ assertion of
> radical anti-spammers, who seem to me to be the abusers.  Chris Neill
> (antispammer open relay abuser eventually fired from Verio--he was
> ironically, an abuse admin) was shocked to learn he wasn't anonymous, like
> he thought.
>
> The claims made by antispammers about open relays are false. Type 1
> spammers seem to get that, judging by their behavior.  But radical
> antispammers don't.
>
>   --Dean
>
> On Wed, 28 May 2003, John Stracke wrote:
>
> > Dean Anderson wrote:
> >
> > >We are lucky that spammers don't get a discount
> > >
> > Open relays give them a five-finger discount.
> >
> > --
> > /===\
> > |John Stracke  |[EMAIL PROTECTED]|
> > |Principal Engineer|http://www.centive.com  |
> > |Centive   |My opinions are my own. |
> > |===|
> > |"Power corrupts; Powerpoint corrupts absolutely." -- Vint Cerf |
> > \===/
> >
> >
> >
> >
>
>
> 
>




Re: spam

2003-05-30 Thread Dean Anderson


On Thu, 29 May 2003, Iljitsch van Beijnum wrote:

> It shows that even five years ago or so most legitimate businesses
> advertising legitimate services through spam employed header forgery.
> If we can't stop spammers from spamming we should at least be able to
> stop them from doing so in ways that add insult to injury by derailing
> the entire email service.
>
> So let's have that BOF.

Agreed. But I think the current legislation will make header forgery
illegal, and already is in some states.

I expect that Type 1 spammers will comply. Some already are.

--Dean




spam

2003-05-30 Thread Bill Cunningham
Personally I think the best idea I've seen yet is the idea of a prefix, such
as ADV in the subject line. The real problem I agree is with sorting through
unsolicited mail for what you really want. It may be possible to put
something like ADV in a protocol header. Or maybe that is too extreme.

Bill





Re: spam

2003-05-30 Thread Vernon Schryver
> From: Iljitsch van Beijnum <[EMAIL PROTECTED]>

> ...
> Stopping header forgery would be useful in and of itself, 

Many people who say that have strange notions of "header forgery."
They consider using your home mail address as a sender or return email
address when sending mail while away from home to be "forgery" but
they don't have any problems using their home postal addresses on
postcards while on vacation.

>   but 
> regardless of that it will also help against unsolicited bulk email. 

That is not logical, unless you assume that spammers have no
alternative to using header forgery.

> I downloaded the list with known spam address blocks from spews.org. It 
> lists around 1600 spammers and 14000 addresses or address blocks. 
> Obviously spammers are trying hard to cover their tracks. Filtering out 
> 1600 spammers is easier than filtering out many more thousands of 
> individual addresses. I'm assuming we can come up with some identifier 
> that's harder to change than an IP address.

That is a tall assumption.  Unless you involve national governments,
I've never heard of an identifier that is harder to change than an IP
address, except when you get your IP addresses from ISPs that look away
from the spam of their customers and the customers of their resellers.
Such ISPs would be as happy to sell new identifiers of whatever sort
you like to spammers as they have been happy to rent IP addresses.


> A quick look at a week's worth of email for an account I've used to 
> post to Usenet for nearly 10 years (370, 98% spam or mailing lists I 
> can't unsubscribe) tells me around 75% of the spam I received either 
> has obvious header problems or employs some kind of anti-anti-spam 
> measure. Also around 75% is of a pharmaceutical, sexual or financial 
> nature (often at least two of those at the same time). There is no 
> obvious correlation.

I notice that you wrote "header problems" instead of "forgery."

> > That leads to a major problem in dealing with spam.  Most people
> > who say they want to stop spam in fact have other goals that they
> > value more.
>
> Yes, it seems like many of them are more interested in perpetuating the 
> status quo.

I do not agree with that.  Some people do have usually unconscious
interests in the status quo, but most people are doing illogical
things like attacking header forgery as if spammers could not create
zillions of valid user names at free or cheap providers or domain
names and avoid header forgery.


Vernon Schryver    [EMAIL PROTECTED]



Re: spam

2003-05-30 Thread Iljitsch van Beijnum
On donderdag, mei 29, 2003, at 17:44 Europe/Amsterdam, Vernon Schryver 
wrote:

> > I found the following to be an interesting read:
> > http://www.cdt.org/spam/
> >
> > It shows that even five years ago or so most legitimate businesses
> > advertising legitimate services through spam employed header forgery.
> > ...
>
> It is an article of faith for many people that most spam involves
> header forgery, but no one seems to have better support than intuition
> for that faith.  Where in the report at http://www.cdt.org/spam/ does
> it say that "most legitimate businesses advertising legitimate services
> through spam employed header forgery?"

Ok, I can't find it right now, and the thing is too big to completely 
reread.

> A lot of spam does involve header forgery, but a lot clearly does not.
> The problem with concluding that "most" spam uses header forgery is
> that it encourages looking for solutions to header forgery instead of
> stopping unsolicited bulk mail.

Stopping header forgery would be useful in and of itself, but 
regardless of that it will also help against unsolicited bulk email. 
I downloaded the list with known spam address blocks from spews.org. It 
lists around 1600 spammers and 14000 addresses or address blocks. 
Obviously spammers are trying hard to cover their tracks. Filtering out 
1600 spammers is easier than filtering out many more thousands of 
individual addresses. I'm assuming we can come up with some identifier 
that's harder to change than an IP address.

A quick look at a week's worth of email for an account I've used to 
post to Usenet for nearly 10 years (370, 98% spam or mailing lists I 
can't unsubscribe) tells me around 75% of the spam I received either 
has obvious header problems or employs some kind of anti-anti-spam 
measure. Also around 75% is of a pharmaceutical, sexual or financial 
nature (often at least two of those at the same time). There is no 
obvious correlation.

> That leads to a major problem in dealing with spam.  Most people
> who say they want to stop spam in fact have other goals that they
> value more.

Yes, it seems like many of them are more interested in perpetuating the 
status quo.




Re: spam

2003-05-30 Thread Vernon Schryver
> From: Iljitsch van Beijnum <[EMAIL PROTECTED]>

> ...
> I found the following to be an interesting read: 
> http://www.cdt.org/spam/
>
> It shows that even five years ago or so most legitimate businesses 
> advertising legitimate services through spam employed header forgery. 
> ...

It is an article of faith for many people that most spam involves
header forgery, but no one seems to have better support than intuition
for that faith.  Where in the report at http://www.cdt.org/spam/ does
it say that "most legitimate businesses advertising legitimate services
through spam employed header forgery?"  I found "forged addresses and
domain names as the source of innumerable problems" and similar
statements, but they differ significantly from the familiar claims
that most spam involves header forgery.  Moreover, since that report
there have been the Flowers.com case and many state laws against header
forgery that I think have discouraged a lot of header forgery.

A lot of spam does involve header forgery, but a lot clearly does not.
The problem with concluding that "most" spam uses header forgery is
that it encourages looking for solutions to header forgery instead of
stopping unsolicited bulk mail.

That leads to a major problem in dealing with spam.  Most people
who say they want to stop spam in fact have other goals that they
value more.  Those other goals include:
  - stopping header forgery,
  - making all mail "authenticated," for various notions of that word,
  - stopping commercial email, and never mind that an order confirmation
 is commercial,
  - stopping unsolicited commercial email (Never mind that many of us
 depend on unsolicited non-bulk commercial email for our daily bread),
  - selling anti-spam services or software,
  - counting coup on spammers by "LARTing" them, signing them up for
 junk postal mail, etc,
  - becoming famous for having stopped spam, or at least getting into
 the RFC index.


Vernon Schryver    [EMAIL PROTECTED]



Re: spam

2003-05-30 Thread Iljitsch van Beijnum
On woensdag, mei 28, 2003, at 21:39 Europe/Amsterdam, Dean Anderson 
wrote:

> > It surprises me that so many people are so eager to declare defeat
> > before even trying the protocol route.
>
> We tried protocols 5 years ago. They haven't worked.  I've explained why
> specifically, and why in theory they can't work.

I'm not interested in a discussion about semantics so we can define the 
problem as solvable or unsolvable.

I found the following to be an interesting read: 
http://www.cdt.org/spam/

It shows that even five years ago or so most legitimate businesses 
advertising legitimate services through spam employed header forgery. 
If we can't stop spammers from spamming we should at least be able to 
stop them from doing so in ways that add insult to injury by derailing 
the entire email service.

So let's have that BOF.




Re: The utilitiy of IP is at stake here

2003-05-30 Thread John Morris
At 6:30 AM +0200 5/29/03, Anthony Atkielski wrote:
> Tony writes:
>
> > Not if it simultaneously wants protection from
> > liability for any content that the customer might
> > be sending.
>
> Now that I can fully agree with, although it's not an engineering issue.
>
> ISPs that simultaneously want common-carrier protection from liability AND
> the ability to finely dictate what types of traffic they will accept need to
> choose one or the other.  Either you screen and restrict the traffic on your
> network, but you take full responsibility for whatever is passing over it,
> or you just provide raw bandwidth and you are shielded from any claims of
> impropriety in the use thereof.  You can't have it both ways, as companies
> like Prodigy have discovered.

FWIW, and not to drag us too far into a legal discussion, but the 
above is not correct for the United States.   In the US, ISPs are 
not, and never have been viewed, as common carriers.  And, as one can 
see in the on-going arguments made about the possibility that cable 
ISPs might interfere with content, ISPs in general have strongly 
resisted being treated as common carriers.  They do not want to take 
on the obligations that common carrier status would bring.

Having said that, ISPs in the US do have common carrier-like 
protection from liability for content of their customers and others 
-- but this protection from liability is by statute, not as a result 
of any common carrier status.  Section 230(c)(1) of chapter 47 of the 
U.S. Code states:

  (1) Treatment of publisher or speaker
  No provider or user of an interactive computer service [read, an ISP] shall be
  treated as the publisher or speaker of any information provided
  by another information content provider.

This protection from liability is in no way dependent on what 
restrictions an ISP places on its traffic.  Thus, for purposes of 
this thread, if an ISP wants to "finely dictate what types of traffic 
they will accept" they can do so without loss of liability protection.

John