Re: Careful with those spamtools.....

[Dr. Jeffrey Race]

A few comments (interleaved) to clarify the record :)

On Sun, 14 Sep 2003 19:14:14 -0400 (EDT), Dean Anderson wrote:
>Indeed.  These open relay blacklist sites were always a highly
>questionable source for mail filtering.  Quite obviously, open relays have
>no relationship to spam, so using an open relay blacklist is going to
>block a lot of non-spam email. 

==> That is the only way to get the attention of overworked (or
 incompetent) admins.In one case I had to contact (personally)
 Ziggy Switkowski, the chairman of Telstra, to get his firm to
 crack down on misuse of his network.  That solved the immediate
 problem (and that's what it took because the admins didn't do a
 thing except send auto-ignore messages), yet three years later Telstra
 is still a menace to the Internet.  See today's article

 


>[snip]
>
>On Sat, 13 Sep 2003, Harald Tveit Alvestrand wrote:
>> I followed some links today, and discovered to my horror that one of the
>> spamtools I'd been using had been throwing away some valid messages -
>> including some from this very list.
>>
>> It turned out that OSIRUSOFT had gone belly-up,


==>Reportedly they had to cease operations because of DDOS attack. They
   must have been doing something right, and they deserve a cheer for
   that.   However they could indeed have shut down more gracefully. Boo.

>>[snip]
>>  Harald

Jeffrey Race

Re: Careful with those spamtools.....

[Dr. Jeffrey Race]

On Sun, 14 Sep 2003 23:34:04 -0400 (EDT), Dean Anderson wrote:
>On Mon, 15 Sep 2003, Dr. Jeffrey Race wrote:
>>> A few comments (interleaved) to clarify the record :)
>>>> On Sun, 14 Sep 2003 19:14:14 -0400 (EDT), Dean Anderson wrote:
>> >Indeed.  These open relay blacklist sites were always a highly
>> >questionable source for mail filtering.  Quite obviously, open relays have
>> >no relationship to spam, so using an open relay blacklist is going to
>> >block a lot of non-spam email.
>>
>> ==> That is the only way to get the attention of overworked (or
>>  incompetent) admins.
>
>No, it isn't. And it is an illegal method, because you (if you are an
>ISP), probably don't have permission to block non-spam mail. 

You may wish to take legal advice on this as you are incorrect in your
belief.   It is a matter of contract between ISP and customer.


> Blocking communications without permission is a (US) federal felony,

Perhaps if you are a common carrier, which ISPs are not


>It obviously isn't necessary, as you point out:
>
>> In one case I had to contact (personally)
>>  Ziggy Switkowski, the chairman of Telstra, to get his firm to
>>  crack down on misuse of his network. 

Contacting the chairman of the offending firm (in this case the
state telecom monopoly) is obviously not scalable.


Jeffrey Race  (with apologies for delay in reply while I was travelling)

Re: Spam

[Dr. Jeffrey Race]

On Wed, 17 Dec 2003 23:10:43 -0500, Bill Cunningham wrote:
>Now that the federal government has taken some steps in regulating spam,
>does that mean that a technical need as the IETF would look for, isn't
>needed?>Maybe the Spam should be forgot about.

Bill has the CMOS backup battery failed in your workstation?   It is
December 17, not April 1 :)

Jeffrey Race

Re: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

[Dr. Jeffrey Race]

You must base your business plan on the fact that your problem has no
solution, technical or otherwise.   Any technical means to restrict
access or identify a host can be defeated by a determined hacker, and
you can be 100% sure that your hackers are more motivated than your
employees.

Even were technical solutions to exist (which they don't), you still
face the implications of Sturgeon's Law
[] that ninety
percent of everything is crap, including human mentality (in my
opinion a low estimate).   Social engineering possibilities are
endless in this environment.

As a business you must take defensive measures against technical
failures and human gullibility.  Probably start with good lawyers
and good contracts, placing all responsibility on the customers.

My (very excellent) little bank in Cambridge Massachusetts has just
written my wife that the checking account database was stolen by
a bank employee so she should inform the credit reporting agencies
of likely identity theft.   You see the problem . . . .

Having some technical knowledge of how secure these systems are, I
have chosen never to use either electronic banking or an ATM card.
The losses from the regularly recurrent frauds against my few credit
cards are entirely borne by the sloppy merchants who tolerate
fraudulent usage.

Jeffrey Race


>> -Forwarded Message-
>> From: Parry Aftab <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: [isdf] need help from the ietf list...can someone post this for
>> me? or allow me to post directly?
>> Date: 20 Dec 2003 16:50:33 -0500
>>
>>
>>
>> We have been experiencing a huge growth in phishing (e-mails designed to
>> trick people into providing sensitive information (creditcard, account
>> passwords, etc.) to a spoofed website masquerading as a trusted
>> financial institutional site.
>>
>> For example, you receive an e-mail telling you that there has been a
>> security breach at PayPal, and you need to log into the site and correct
>> your info, by using the bogus link they provide.
>>
>> Every time we announce a way to confirm that the site is what it claims
>> to be (checking the certificate, history bar, etc.) the phishers find a
>> tech solution to improve their frauds.
>>
>> Now IE has a bug that allows them to mask the real site more easily, by
>> showing the spoofed site in the navigation bar.
>>
>>
>>
>> Do any of the IETF members have suggestions for easy ways of confirming
>> that the site you just linked to is really the site you wanted to
>> access?
>>
>> I am asking in my capacity of the world¢s largest online safety and help
>> group, WiredSafety.org.>>
>>
>> Parry Aftab

Re: Primal urges in the can-the-spam movement

[Dr. Jeffrey Race]

It is a pleasure to see someone bringing common sense about human
behavior to the discussion, but I dread seeing another proposal like
this, which entails a new technical mechanism which the victims have
to pay to establish.Society has dealt with problems comparable
to spam for at least five thousand years, and the mechanisms for
dealing with antisocial behavior are quite simple to understand and
implement.   There is no need for additional complex technical mechanisms
(though anything enhancing traceability is desirable).  Just apply to
the internet the mechanisms which are used everywhere else in society
to deal (successfully) with comparable problems.

 See 

   based on

 

Jeffrey Race

On Fri, 13 Feb 2004 13:46:05 -0500, Dan Kolis wrote:
>Dan says:
>If I follows Roberts scenerios, he visualizes ways to own things like MTA's,
>etc and evade the cost per by magnitudes.
>
>Generally, as the second fragment of text describes, Robert's suggesting
>catch-me-if-you-can enforcement is the way to go.
>
>If that's a logical mode, IETF can possibly see a mandate to tighten
>technology to find our true sources of messages, packets, etc. Generally,
>like MPLS, and 802.11b, the trend is moving slowly the other way.
>
>I think instead of detailed calculations, an observation which might seem
>familiar to economists is closer to the issue. 
>
>If you expect people paid to enforce things to do it, they will always Jones
>for more people and resources, and probably no enforcement in the world
>accounts for capturing more than some ones of percents of undesired
>activity. Like any community, there will always be a "crisis" or some
>description requirement more of: everything. Cooperation, legal scope,
>education, and of course always more money. This constitutes part of the
>noise level that degrades much of modern life. (Like the incredible
>competition to have the most interesting possible up and coming new disease,
>mental problem or crime).
>
>On the other hand, we all have a vested interest in watching the eggs in our
>basket. 
>
>Allthough I've never seen a note posted to this effect, If I walked in off
>the street into the office up front in this building and started loading
>office supplies into a hand cart and roll them out the door; Secretaries,
>salespeople, the shipping guy, would come piling out of the spaces and stop
>me. Nobody put that in there job description, or has to.
>
>By making some catagories of messaging a chargable cost, and making sure
>somebody has to pay; (easiest as an anonymous cost up front), now everyone
>in the cost pipeline has something to gain and lose with enforcement.
>
>Its easy to visualize this. the MTA's look at a MIME type field and its a
>very large prime number. Its forwarded to an agency or heirarchy of
>agencies. They return a go/no-go message (UDP probably). If the number is
>already used, the message declines it and the message is aborted from
>delivery; (or just downgrades to free). If its accepted, the factors are
>return and the software verifies it by multiplying them. Having the factors
>on file proves the identity of the agency. Each handoff offers the MTA a new
>prime. Only the first is chargable. Any MTA can downgrade a message to free,
>(or upgrade it with a top level seeded prime). This works right down to a
>home box type MTA, like a POP3 program. Subsideary primes have a mappable
>relation to the seed ones; (doesn't matter what it is. As long as the
>relation can be detmined).
>
>MTA's which do not cooperate in the scheme incur no cost, and add or lose no
>value to themselves or anyone else. No message status changes. Some may
>encounter MTA's elsewhere in the system to modify that, but there is no red
>flag day at all.
>
>It involves trust of only one agency at the top of the heirarchy. You have
>to trust them to want old fashioned, hard currency, money. I can refer you
>to a number of personal aquiaintances with that characteristic, (if you do
>not know people of that ilk).

Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

John, your summary distils a lot of hard work but is deeply troubling,
because it is constructed entirely on a "make the victims pay"
foundation.  As long as that is your stance, then sure it is so that
"Spam . . . will remain a long-term battleground".   However it is 
just NOT so if the community will change its stance to that which 
society uses (successfully) in every other area of human interaction
beside the internet: make the perpetrator pay.A number of us have
given this a lot of thought to come up with a practical solution which
requires no new technology and no new legislation.   It has been 
proven to work within hours.   

Those interested may view an interim document (comments welcome) at

 

   based on

 

I grind my teeth every time I read a summary like yours because while
the lemmas are true, the conclusions are contrary to reality and 
contrary to everything known about human behavior.

Jeffrey Race 


On Tue, 2 Mar 2004 19:32:00 -0500, John Leslie wrote:
>   I'm planning to post a summary to the MARID-planning list mentioned
>elsewhere in this thread -- hopefully before 5:00 pm Korea time.
>I expect there will be a proto-WG mailing list declared by the close of
>the MARID BoF at 11:30 Thursday (Korea time). I recommend the discussion
>continue there.
>
>   The current draft of what I will post follows:
>
>=== cut here ===
>On the <[EMAIL PROTECTED]> mailing list there has been discussion of
>Principles of Spam Abatement. This is a brief summary of principles
>which _may_ have consensus of that list. I accept full responsibility
>for editing errors and misunderstandings.
>
>- All communications must be by mutual consent.
>
>- The spam problem starts with freely accepting mail from strangers.
>
>- Spam is and will remain a long-term battleground and it needs serious
>  effort to counter.
>
>- Every mail message carries a practically unforgeable token: the IP
>  address of the SMTP client.
>
>- It is pointless to erect some expensive Maginot Line and pretend it
>  will solve the problem.
>
>- There is not and can never be a hoop low enough to pass all human
>  strangers but exclude spammers' computers.
>
>- If you want more of something, subsidize it; if you want less, tax it.
>
>- Spammers need scale because they get a very low return. Therefore,
>  part of the solution should be to deny scalability to spammers.
>
>- If we can communicate to the sender (without adverse side effects)
>  that a message is discarded, then occasional false positives aren't
>  as much of a problem.
>
>- If you reject the message during the SMTP session you don't need to
>  generate a bounce message, the other side will do this.
>
>- Errors returned after the close of the SMTP transaction are likely
>  to go to an innocent party; and should be deprecated for any email
>  identified as spam.
>
>I also recommend perusing the summary of principles expressed on the
>Next-Generation Mail <[EMAIL PROTECTED]> list at:
>
>http://www.cs.utk.edu/~moore/opinions/user-visible-email-ng-goals.html
>
>--
>John Leslie <[EMAIL PROTECTED]>
>

Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Fri, 12 Mar 2004 16:06:04 -0500, Nathaniel Borenstein wrote:
>With respect, I think this argument is going nowhere because 
>some of us want to discuss it in terms of property rights, and others 
>of us want to discuss it in terms of human rights.  I believe that 
>communication should be viewed as a human right, and that property 
>rights can and should be limited where necessary to ensure those rights. 

I propose we recenter this discussion on our mission, which is
enhancing communication.   With that in mind we can ask ourselves whether
--on the evidence--hypothetically protective measures like blacklisting
are useful or not for enhancing communication (not just for one person
but for the entire community of users).   Property rights and human rights
issues are not irrelevant but they are not central to this discussion.   

At the moment the Internet is lawless.   We are discussing among ourselves
what measures the community can take until law comes, and enforcement comes. 
Issues like abuses by (hypothetical) monopolies are peripheral.   I don't
have all the answers (though I have formulated one which I think is a good
one, see URL below) but I believe "will it enhance communication" is the only
way to approach the problem in the current state of lawlessness.

Jeffrey Race

Re: Principles of Spam-abatement (fwd)

[Dr. Jeffrey Race]

On Sat, 13 Mar 2004 17:03:14 -0500 (EST), Dean Anderson wrote:

>No such thing was ever found. And just the opposite was proved to you in
>Exactis V.  MAPS.  That lawsuit was settled out of court, 

Dean you have expressed your case well but in the end you must agree
none of this is persuasive because the case was never litigated on 
its merits.  We have only "he said, she said"; maybe MAPS folded for
lack of money or some other reason unrelated to the merits; happens
all the time.

I have been hoping for this issue to be litigated to a judgment but
this has not happened to my knowledge.   It may be significant (someone
who knows more correct me) that even though there is more blocking now
than then, no one affected has ever seen fit to sue on like grounds
since them.   Please correct me if I am wrong.

Jeffrey Race

Re: The right to refuse, was: Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Sun, 14 Mar 2004 11:12:12 +0100, Iljitsch van Beijnum wrote:
>What we need here is a fundamentally different approach: one where 
>desired communication is tagged as such explicitly.

You are right a different approach is needed, but not this one
because it does not admit communication from strangers.

The only solution is one which removes from connectivity those
who dump their trash on the commons.   This is easy to do.  

Jeffrey Race

Re: Apology Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Mon, 15 Mar 2004 10:27:46 -0500, Nathaniel Borenstein wrote:
>This is exactly right -- we have people arguing from two different 
>paradigms, both fundamentally orthogonal to the expertise of the IETF.  
>What this suggests to me is that until the larger society -- i.e. the 
>courts and international institutions -- reach a determination of the 
>"right" paradigm for dealing with spam, the IETF is going to spin its 
>wheels on these issues.  If someone could tell us definitively "this is 
>a question of property rights" or "this is a question of human rights" 
>or whatever, the IETF as a community would be well qualified to do the 
>engineering implied by that conclusion.  Until then, it's probably an 
>unresolvable issue for a community as open and democratic as the IETF.

The larger society HAS ALREADY REACHED A DETERMINATION because the
larger society has dealt with this kind of problem, successfully, since
the dawn of civilization.  That's why it is called civilization.  The
principle, simply stated, is "Actions must have consequences".  When
they don't, any sociologist will tell you that you will get exactly
the results you see on the internet.

This is all spelled out in 
which is based on .

The IETF and other standards bodies can almost completely STOP spam,
viruses, trojans, and other security threats,  if they will
develop tools  (for example traceability) and norms (for example
null-routing polluting sources) to impose consequences on actions.
Once you do it (and there are tricks to make it work, easily, when
you decide to do it) then the problems go away in HOURS (not after
years of hot air such as we see on certain discussion groups).

Now antisocial behavior produces only good for the perps, not the
reverse.

This is just common sense which every parent knows.

Until the standards bodies start this process in motion, everything
else is just useless whining.

OK, I feel better now.

Jeffrey Race

Re: Apology Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Mon, 15 Mar 2004 15:58:25 -0500, Yakov Shafranovich wrote:

>My concern with your approach is with the fact that SPs can employ such 
>measures against someone else without proof, 

Some do it now.  This consideration is unrelated to my proposal. 


>simply cutting off 
>connectivity for some stupid reason and blaming it on not handling abuse 
>reports.

Section 3 of my draft proposes a staged enforcement procedure after
careful investigation.

I am not wedded to any particular procedure.  I just want to move the
discussion from the present 'make the victims pay' model  to the only
one that will ever work, viz. 'make the polluters pay'.  It is fun,
easy to do, shows fast results, and is proven by thousands of years
of experience.

Jeffrey Race

Re: Apology Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Mon, 15 Mar 2004 18:12:22 -0800, Ed Gerck wrote:
>BTW, how can we talk about "actions that have consequences" in terms of a 
>technical solution that the IETF can pursue?


The whole point is there are NO TECHNICAL SOLUTIONS and never will be.
(There are some technical aspects to improving traceability, however.)

IETF would not apply the consequences; the victims would apply the
(behavioral) consequences using  established guidelines, employing
technical measures already established in RFCs.

IETF and other standards bodies can bless agreed procedures for using
the existing technical steps in new behavioral ways.

There are two reasons this is crucial:

1) Courts often, perhaps usually, defer to declared norms of industry
   standards bodies, in establishing reasonableness of disputed 
   behavior.   We can be decisive in establishing these norms.  The
   courts can't easily act to use the COMPLETELY ADEQUATE EXISTING
   LAWS in part because of this lacuna.

2) Normative documents, and personal leadership, convert a group or a 
   mob into an "emergent structure" (say a business firm, a dance
   company, a charitable organization, a military unit, a religious
   order, a teen gang) in which the norms absolutely bind the behavior 
   of the participants, even to death.

I say, in a completely non-deprecating way, that these points from law
and sociology may not be apparent to engineers (or in fact to anyone else
who is not an attorney or a sociologist) but they are completely true
and completely binding on human behavior.


>The consequences are not 
>technical. In addition, they would need to be arbitrated and we know how 
>long, ineffective and expensive that can be.


No arbitration needed.  Please re-read the proposal.

My proposal (which received input from many people) is basically just
common sense.   That's what we need now.   The answers are in.  The
proof is in.  Let's do it.  Now.

Jeffrey Race

Re: Apology Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Wed, 17 Mar 2004 00:44:58 -0500 (EST), Robert G. Brown wrote:

>Ed, are you not paying attention?
>
>It is fundamentally, intrinsically, eternally IMPOSSIBLE TO IDENTIFY
>INDIVIDUAL HUMANS on the internet.

   "No one knows you're a dog on the Internet" seems to capture it.

   (Dilbert?)

Re: Apology Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Wed, 17 Mar 2004 12:26:13 -0500 (EST), Dean Anderson wrote:
>However, I think there are things that show some promise that might be
>harder to adapt to, such as automated text summarization, bayesian
>filters, mail agents that filter on the user's interest in the message
>subject, and such.

How about "You are a polluter, your connectivity has terminated, you
are on a customer blacklist, and you will never get connectivity from
us again"?  Spammers would have a little trouble adapting to that.

>I think these are worth pursuing, but these are not
>subjects for the IETF. 

IETF's documenting that this is the behavior expected of any firm offering
connectivity is certainly within the IETF's purview.  And it would have
a dramatic effect.  (Partly because of norms; partly, at least in the
U.S., because it would expose pollution-enabling ISPs to heavy-duty
legal liabilities.  Stockholders would get after their boards.)

Jeffrey Race

Re: "Principles" of "Spam-abatement"

[Dr. Jeffrey Race]

On Wed, 17 Mar 2004 14:04:58 -0500, John Leslie wrote:

>> - If you say that third party organization could assure you that
>>   a mail sender is not a spammer, then you must agree that an ISP
>>   could check with that organization before adding a password to
>>   a RADIUS server or or turn on a DSLAM, and that an ISP could
>>   terminate an account when that third party revokes is assurance.
>
>   The first part is actually true: I think we'd actually see that
>if such third-party services come into common use. :^)
>
>   The second part (terminating) is not true, IMHO. There's a real
>danger of getting sued for that,

Depends entirely on what the contract of carriage says.  Obviously
one of the norms we have to universalize in standards and practice
documents is that carriage is denied to polluters as part of the
contract, and this provision must bind everyone else who shares
connectivity under the contract.


> not to mention the loss of revenue.

There you have it!  Polluting pays!  See 


Jeffrey Race

Re: "Principles" of "Spam-abatement" REALITY CHECK TIME

[Dr. Jeffrey Race]

On Wed, 17 Mar 2004 15:48:05 -0500 (EST), Dean Anderson wrote:

>How would you define "responsiveness"?

That's an easy one!  'Does the pollution cease?' is the answer.

Let's pause this very interesting thread for a momentary reality
check.  See ROKSO.   The world's top spammers, accounting for
the great bulk of the packets, are known by name, address and telephone
number.  Their upload paths are known.  Their software is known.  The
stigmata of their transmissions are known.  (In many cases their
criminal records are known.)   It is trivially easy
to verify _at any moment_ whether a pollution-enabler has responded.

Does everyone agree?  Dean, you too?  :)

Jeffrey Race

Re: "Principles" of "Spam-abatement"

[Dr. Jeffrey Race]

On Wed, 17 Mar 2004 17:21:42 -0500 (EST), Robert G. Brown wrote:

>To even START to "fix" this problem, postmaster has to work on the relay
>and be responsive.  The relay host manager has to know that their access
>to the entire Internet will be effectively terminated if they don't have
>a working postmaster address

Work has already started on this:

 

Re: Categorization of TCP/IP service provision types (was: Re: The right to refuse, was: Re: Principles of Spam-abatement) (FWD: I-D ACTION:draft-klensin-ip-service-terms-00.txt)

[Dr. Jeffrey Race]

On Mon, 22 Mar 2004 13:19:12 -0500, John C Klensin wrote:

>And, as far as I can tell, you do intelligible English very well.

I am travelling just now but when I come to rest I volunteer to
look over if this would be of value.   

Jeffrey Race

Re: Fw: namedroppers, continued (flamed in less than an hour. figures)

[Dr. Jeffrey Race]

On Sun, 05 Jan 2003 23:34:55 -0500, [EMAIL PROTECTED] wrote:

>> chose to insult someone by referring to him as a woman.

Actually women are a superior life form (to men that is).

Jeffrey Race

Re: namedroppers, continued

[Dr. Jeffrey Race]

On Tue, 07 Jan 2003 15:26:55 -0500, [EMAIL PROTECTED] wrote:
>The trick here is to remember that except for the relative few spammers that
>are advocating a religious/political/philosophical viewpoint (a la "Uncertainty
>Principle is Untenable!"), the spammers *WANT* you to be able to contact them
>via *some* means - they can't extract money


See 

If the contact data are invalid, report to RIR or to ICANN.  They
are obliged to correct the data.

Jeffrey Race

Re: IAB policy on anti-spam mechanisms?

[Dr. Jeffrey Race]

On Thu, 27 Feb 2003 17:34:54 -0800, [EMAIL PROTECTED] wrote:

>Certainly. Just about every ISP (except for those run as fronts by the
>spammers themselves) has an acceptable use policy that prohibits
>spamming along with activities that are actually illegal. Nearly every
>ISP maintains an "abuse" address to which complaints can be sent. I
>use these addresses myself on a regular basis, either directly or
>through spamcop.
>
>I see nothing wrong with holding users accountable after the fact for
>spamming or illegal activities. My only problem is with pre-emptive
>mechanisms that block perfectly legitimate applications and hurt
>people who have never spammed or broken the rules.

The default is blocking Port 25.  Would an acceptable compromise
be to make IAB policy that Port 25 would be opened to legitimate
customers, just as rate-limited is relaxed now for legitimate
users upon application?   This would preserve the block against
Black Hats while allowing legit users like yourself to do your
business.  

Do any ISPs now have such a policy?

Jeffrey Race

Re: IAB policy on anti-spam mechanisms?

[Dr. Jeffrey Race]

On Thu, 27 Feb 2003 10:48:31 -0700 (MST), Vernon Schryver wrote:

>UUNet in particular has demonstrated this sad syndrome.  For years,
>instead of ejecting its spamming and spam-friendly resellers, it lied.
>Then it lied for years about installing port 25 filtering.  Finally,
>it got port 25 filtering working, and reduced the amount of dial-up
>spam it was spewing.  All of that was instead of enforcing an anti-spam
>AUP and genuinely cracking down on spammers.  (By "lies" I mean official
>public statements in news.admin.net-abuse.email and to individuals that
>the UUnet spokesmen could not possibly have failed to know were false.)
>
>Of course, UUNet is far from the only example.  Another good one is
>Sprint, which had the audacity to claim to not know how to use ANI to
>find spammers running up 5-figure bills on stolen credit numbers or
>how to interest law enforcement agenciesthis from a telco!

I have to second the comments about UUNet and Sprint from my own
personal experience.  I served up a complete case for prosecution
under the Va Computer Crimes Act, including the legal service address
and all logs.  The UUNet counsel (Neil Patel) refused to take any
action.   He told me this was management policy.  The fact is UUNet
profited from spamming.  We know from their subsequent collapse that
dishonesty pervaded the firm (maybe still does).

With another carrier, instead with good ethical standards (AT&T), an
incident I document (see ) 
the problem was negligence, rather than witting enablement of
criminal activity.   (The frontline saps didn't even validate the
credit cards until the first billing period, so the users of stolen
cards had a whole month.   This went on for about 6 months until
I jerked management's chain; they stopped it as soon as they noticed
it.   But management were "too busy" with other things until someone
screamed.  I am an AT&T customer.  This is the Environmental Polluter
business model.)

I am about to nominate a solution for these problems.   Watch this
space.  (In the meantime read above PDF file.)

Jeffrey Race

Re: IAB policy on anti-spam mechanisms?

[Dr. Jeffrey Race]

Phil et al, pls see inline comments.  I am preparing a detailed
proposal on a related issue (releasing draft in a few days) and would 
welcome your replies so as to incorporate inputs as appropriate.

On Wed, 26 Feb 2003 19:49:15 -0800, [EMAIL PROTECTED] wrote:
>I would like to propose that the IAB consider drafting and adopting a
>position statement on the highly deleterious effect that certain
>anti-spam mechanisms have on legitimate, efficient uses of the
>Internet.
>>I am thinking mainly of the MAPS DUL (Dialup User List), a remarkably
>ill-conceived mechanism that complicates life considerably for those
>who prefer not to use their ISP's mail servers for reasons of
>efficiency, latency and security while doing remarkably little (or
>nothing) to actually combat spam.

It seems there's a need to balance interests among different groups of
users.   What is your proposed solution to prevent emission of
spam via dialup, if you propose to discourage the DUL?  (My
proposal imposes a positive duty of care of ISPs to prevent
emission of spam, so I am quite concerned about this.)


[snip]
 which the IETF formally rejected calls to design Internet protocols
>to facilitate wiretapping. Yet anti-spam mechanisms that block direct
>end-to-end SMTP transfers effectively disables the routine use of
>STARTTLS, an automatic, transparent and highly effective
>anti-wiretapping mechanism, and makes it a trivial matter for an ISP
>to log every email sent or received by its users.

Behavioral Studies 1 teaches that responsibility is ensured only
by accountability, and accountability entails traceability.  What
is your alternative to ensure traceability for abusive transmissions?


[snip]

>However, I believe the IETF and IAB should state some basic principles
>that should be observed by everyone working on the spam problem. And
>the most basic principle of all should be that no anti-spam mechanism
>should ever block email between consenting end-parties without giving
>those parties the ability to disable those blocking mechanisms.

Could you explain this please?   The difficulty I foresee is that
ISPs are under legal obligations to prevent their property from being
abused to injure others.  (Unfortunately many ISPs don't fulfill
their obligation diligently as of now, but that is another story.)
If the ISP chooses system-wide blocking, how could it be disabled
on a per-user basis without facilitating spamming?

>
>As currently implemented, however, end users rarely (if ever) have
>such control. They are the "collateral damage" of the spam war, and
>are shrugged off just like foreign civilian casualties in most
>wars. But a formal policy statement by the IAB or IETF just might give
>them something to defend themselves.

Well in fact collateral damage is the ONLY THING that motivates
certain scum ISPs to reform, as has been repeatedly proven.  I can
give you the cites if you like.   So collateral damage may have to
be viewed as an interim necessity given the low ethical standards
of some of the leading firms in the industry.

>Comments?

 Poof! There they are!

Jeffrey Race

Re: IAB policy on anti-spam mechanisms?

[Dr. Jeffrey Race]

On Wed, 26 Feb 2003 19:49:15 -0800, [EMAIL PROTECTED] wrote:
[snip]
>
>There is precedent for the IAB taking a stand on this sort of
>thing. In particular, RFC2775 on "Internet Transparency" expresses the
>view that the end-to-end principle that underlies the Internet
>architecture is still vitally important and worth preserving. Although
>RFC2775 spoke mainly to the problems introduced by the widespread use
>of NATs, spam filtering is mentioned in passing.
>

Thanks for the reference to RFC2775 which I have now read.  I
understand it to say end-to-end transparency with unique addresses
was the guiding principle in the days of essentially limitless IP
addresses and an environment of trust.   It then seems to go on to
say that there are now valid reasons (having to do with shortage
of IP addresses under IPv4 and with insecurity from the rabble now
infesting the Net) which have produced an acceptable limitation on
the earlier guiding principle. 

I may read this wrongly and welcome correction.

Jeffrey Race

Re: IAB policy on anti-spam mechanisms?

[Dr. Jeffrey Race]

On Fri, 28 Feb 2003 09:32:42 -0500, Robert Moskowitz wrote:

>Perhaps this is a business model for someone here?
>
>For a modest fee to run an SSH gateway to allow tunneling past ISP 
policies  :)


I have collected a whole potful of constructive suggestions and
workarounds from my friends on Spam-L and will repost here (sans
attribution) shortly.

Jeffrey Race

Re: BLOCK: Abstract of proposed Internet Draft for Best Current Practice

[Dr. Jeffrey Race]

See inline comments

On Sat, 15 Feb 2003 17:34:46 +0700, Gary Feldman <[EMAIL PROTECTED]>
wrote: [snip]
>
>Also, is there any reason to introduce new language instead of using
>existing language?  ISP is already accepted for Internet Service 
Provider;
>SP isn't 

I want to encompass both webhosting firm and ISP.   I agree it is
clumsy to introduce a new acronym.   Please offer a suggestion here.

>The term "abuse" is already well-known to describe the
>entire class of problems; calling it "pollution" is at best an annoying
>distraction.

Here I have a particular psychological point in mind.   I want to 
build on the success in suppressing physical pollution, by moving
to the "polluter pays" principle from the present "victim pays".
If I use "polluter" the audience may more easily make the mental
connection.

Jeffrey Race

Re: rfc-ed reference style [Re: Last Call: Instructions to Request for Comments (RFC) Authors to BCP]

[Dr. Jeffrey Race]

On Tue, 18 Mar 2003 00:06:37 +0200 (EET), Pekka Savola wrote:

>I have a problem of writing the author list as "Eastlake, D., and E.  
>Panitz", rather than "Eastlake, D., and Panitz, E."

"Eastlake, D., and E. Panitz" is standard footnote form

Jeffrey Race

RE: Testing Root A going away

[Dr. Jeffrey Race]

On Sat, 30 Aug 2003 18:03:59 -0400 (EDT), Dean Anderson wrote:
> Spam can be detected, and stopped after detection, but it cannot
>be made impossible to send.
>>The question is really whether SMTP has sufficient identification
>information to track down an abuser, or infected user. The answer to this
>question is "yes".  Even with an open proxy, the SMTP information will
>identify the open proxy.

You cannot prevent it from being sent ONCE and, as you have so elegantly
stated, no technical means will ever succeed in stopping spam.

But (as you say above) you can identify the upload path.  

The only solution is to shut down the upload path, which is the method
(generically speaking) that society at large uses to handle such problems. 
Those interested in this variant approach may wish to take a look at

  [the reasoning]

and

   [the fix].

On the sound basis, shown time over time in multiple industries, that
"quality is free", the variant approach I nominate will be essentially
costless.

I'd welcome any comments.

Jeffrey Race