Re: Principles of Spam-abatement

[Ted Hardie]

Please note that the BoF scheduled for Korea, MARID, has a
very specific topic and that discussion of other spam-related
issues is not appropriate for that session. The BoF agenda is
available at:
http://www.ietf.org/ietf/04mar/marid.txt

To quote the salient part of the agenda:

This BoF will be strictly limited to measures related to MTA 
authentication; no
other anti-spam measures or topics will be considered.  The BoF will 
explicitly
consider how DNS-based MTA authentication mechanisms would be implemented and
deployed, and it will consider the impact on the overall DNS infrastructure of
this deployment.
With best regards,
Ted Hardie
co-chair, MARID BoF


At 3:59 PM -0500 02/26/2004, John Leslie wrote:
   I strongly recommend gathering some principles of spam-abatement to
enlighten the spam BOF at IETF-59. (I'd be happy to edit such a
document, but it might be better to chose someone who will attend
IETF-59...
Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
 If we can communicate the fact that a message is discarded because it
 was categorized as spam back to the sender without adverse side
 effects, then occasional false positives aren't much of a problem.
   I nominate this statement for #1 on that list of principles.

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Dave Crocker]

John,

>> If we can communicate the fact that a message is discarded because it
>> was categorized as spam back to the sender without adverse side

unfortunately, that act of communication _is_ the adverse side
effect.  it tells the spammer that yours is an active, responsive
email account.


d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[John Leslie]

Dave Crocker <[EMAIL PROTECTED]> wrote:
> 
>>> If we can communicate the fact that a message is discarded because it
>>> was categorized as spam back to the sender without adverse side
> [ effects, then occasional false positives aren't much of a problem.]
> 
> unfortunately, that act of communication _is_ the adverse side
> effect.  it tells the spammer that yours is an active, responsive
> email account.

   I must disagree.

   Iljitsch stated it precisely and well: "the fact that a message is
discarded as spam" need not give any information about whether the
recipient is an active email account -- least of all "responsive".

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[John Leslie]

Ted Hardie <[EMAIL PROTECTED]> wrote:
> 
> Please note that the BoF scheduled for Korea, MARID, has a
> very specific topic and that discussion of other spam-related
> issues is not appropriate for that session.

   While I am _very_ sympathetic to the need to limit the discussion,
I really don't see how anything useful can be accomplished if the
chair rules "principles of spam-abatement" to be irrelevant.

   Regardless, "principles of spam-abatement" don't need to be
_discussed_ at this BoF in order to "enlighten" it.

   Thus, if Ted meant to indicate such principles shouldn't be discussed
here, I respectfully disagree.

> At 3:59 PM -0500 02/26/2004, John Leslie wrote:
>> I strongly recommend gathering some principles of spam-abatement to
>> enlighten the spam BOF at IETF-59. (I'd be happy to edit such a
>> document, but it might be better to chose someone who will attend
>> IETF-59...
>>
>> Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
>>>
>>> If we can communicate the fact that a message is discarded because
>>> it was categorized as spam back to the sender without adverse side
>>> effects, then occasional false positives aren't much of a problem.

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Tom Petch]

From: Dave Crocker <[EMAIL PROTECTED]>
To: John Leslie <[EMAIL PROTECTED]>
Cc: Iljitsch van Beijnum <[EMAIL PROTECTED]>; IETF Discussion
<[EMAIL PROTECTED]>
Date: 27 February 2004 07:38
Subject: Re: Principles of Spam-abatement

>John,
>
>>> If we can communicate the fact that a message is discarded because it
>>> was categorized as spam back to the sender without adverse side
>
>unfortunately, that act of communication _is_ the adverse side
>effect.  it tells the spammer that yours is an active, responsive
>email account.
>

So send it back from a different e-mail address, with headers which
disguise its real origin.

One reason why spam works is that it is so cheap to send 1M messages that
even if 99.99% fail to reach a destination, the operation is still a
success.  If sending 1M messages got back a 1% response saying 'you
failed' with no clue as to which 1% failed, we might cut down on the spam.

Tom Petch

>--
> Dave Crocker 
> Brandenburg InternetWorking 
> Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[John Leslie]

Tom Petch <[EMAIL PROTECTED]> wrote:
> From: Dave Crocker <[EMAIL PROTECTED]>
>
 If we can communicate the fact that a message is discarded because it
 was categorized as spam back to the sender without adverse side
>>
>> unfortunately, that act of communication _is_ the adverse side
>> effect.  it tells the spammer that yours is an active, responsive
>> email account.
> 
> So send it back from a different e-mail address, with headers which
> disguise its real origin.

   It is not obvious to me that there is any way to do that.

   Nothing in the (SMTP) envelope info is trustworthy except the
IP address of the SMTP sender. Using _anything_ other than that IP
address (which isn't even required to accept email at all) will
likely generate _more_ "spam".

   Thus I'd like a Principle to the effect of:

" Errors returned after the close of the SMTP transaction are likely
" to go to (and confuse) an innocent party; thus such errors should
" be deprecated for any email identified as spam.

> One reason why spam works is that it is so cheap to send 1M messages
> that even if 99.99% fail to reach a destination, the operation is still
> a success.  If sending 1M messages got back a 1% response saying 'you
> failed' with no clue as to which 1% failed, we might cut down on the
> spam.

   There may be a Principle there, about any "cost" imposed upon
spammers tending to reduce the spam problem...

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Dave Aronson]

On Fri February 27 2004 09:29, Tom Petch wrote:

 > If sending 1M messages got back a 1% response
 > saying 'you failed' with no clue as to which 1% failed, we might cut
 > down on the spam.

Maybe I just have too much blood in my caffeine stream, but I don't see 
the connection.  J. Random Spammer spews 1M spams, and receives back 
(assuming he used a valid sending address) 10K "this looked like spam" 
DSNs, in addition to the usual load of angry replies, removal requests, 
"no such user", "no such domain", "over quota", etc., plus the 
occasional purchase.  What incentive do the 10K new DSNs give him, to 
mend his evil ways, or even just to scale back?  Indeed, it seems to me 
that if anything, it helps him see what does or does not work against 
spam filters, so he can tune his filter-evasion strategies.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
WE'RE HIRING developers, auditors, and VP of Prof. Services.

Re: Principles of Spam-abatement

[Ted Hardie]

At 9:29 AM -0500 02/27/2004, John Leslie wrote:
   While I am _very_ sympathetic to the need to limit the discussion,
I really don't see how anything useful can be accomplished if the
chair rules "principles of spam-abatement" to be irrelevant.
Perhaps this would be clearer:  The BoF proposes that the IETF
take on a particular engineering task, with a specific scope and
an intended effect.  It is within the purview of the BoF to discuss
whether that is the right scope, whether the intended effect
is a good idea, and so on.  General discussion of the "principles
of spam-abatement" , however, is out of scope (largely because such discussions
tend to be non-terminating and will swamp the more focused engineering
discussion).  But the context of  the "is this the right scope, and a good
idea" no doubt includes the participants understandings of those principles.
regards,
Ted Hardie

Re: Principles of Spam-abatement

[John Leslie]

Dave Aronson <[EMAIL PROTECTED]> wrote:
> 
> On Fri February 27 2004 09:29, Tom Petch wrote:
> 
>> If sending 1M messages got back a 1% response saying 'you failed'
>> with no clue as to which 1% failed, we might cut down on the spam.
> 
> Maybe I just have too much blood in my caffeine stream,

   ;^)

> but I don't see the connection.  J. Random Spammer spews 1M spams,
> and receives back (assuming he used a valid sending address)

   Yes, let us assume the actual sender gets the "spam-refused" error.

> 10K "this looked like spam" DSNs, in addition to the usual load of
> angry replies, removal requests, "no such user", "no such domain",
> "over quota", etc., plus the occasional purchase.  What incentive do
> the 10K new DSNs give him, to mend his evil ways, or even just to
> scale back? 

   No incentive to "mend his evil ways"; but a cost which may reduce
the total amount of spam. (Recall that many believe a one-cent-per-
spam cost would essentially eliminate the problem.)

> Indeed, it seems to me that if anything, it helps him see what does or
> does not work against spam filters, so he can tune his filter-evasion
> strategies.

   I claim that benefit is minimal -- spammers have other ways of
gathering the data to tune their filter-evasion.

   The benefit to the false-positive-sender, OTOH, is major. S/he knows
that the email never got through, and can use one of the many available
out-of-band methods to communicate the message. Iljitsch's point was
that the false-positive problem is much less serious if senders of
non-spam learn their email was discarded as spam.

   (I'd rather not speculate on whether the minimal benefit to the
spammer is greater or less than the admittedly-minimal cost.)

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Dave Aronson]

On Fri February 27 2004 11:26, John Leslie wrote:
 > Dave Aronson <[EMAIL PROTECTED]> wrote:
 > > On Fri February 27 2004 09:29, Tom Petch wrote:
 > >> If sending 1M messages got back a 1% response saying 'you failed'
 > >> with no clue as to which 1% failed, we might cut down on the spam.
 [...]
 > > What incentive do the 10K new DSNs give him,
 > > to mend his evil ways, or even just to scale back?
 >
 >No incentive to "mend his evil ways"; but a cost which may reduce
 > the total amount of spam. (Recall that many believe a one-cent-per-
 > spam cost would essentially eliminate the problem.)

Again, I don't see how this imposes a non-negligible new cost on him.  
He's probably already receiving tens of thousands of now-typical DSNs, 
not to mention out-of-office notes, angry replies, etc.  The "this 
looks like spam" DSNs therefore would probably not incur significant 
additional normal email processing costs (bandwidth, disk, CPU, etc.).  
He has no need to do anything with them, so they don't incur any, let 
alone significant, additional special processing costs.  Indeed, if 
they're readily identifiable as such, they can easily just be filtered 
out, so they don't even take his "human bandwidth" (attention).  (Gee, 
sounds just like fighting spam!)  Where's the beef?

 > > Indeed, it seems to me that if anything, it helps him see what
 > > does or does not work against spam filters, so he can tune his
 > > filter-evasion strategies.
 >
 >I claim that benefit is minimal -- spammers have other ways of
 > gathering the data to tune their filter-evasion.

Fair enough.

 >The benefit to the false-positive-sender, OTOH, is major.

Oh, agreed, absolutely.  I understand how this mechanism would allow 
people to tighten their spam filters, which could cut down on the spam 
that person receives.  I'm just arguing over how the spammer receiving 
X number of "bugger off, spambreath!" DSNs per Y spams sent (whether 
using the original 1% or what), is going to "cut down on the 
spam" (which I am interpreting as "the spam that spammer sends" or 
possibly spam in general).

 > S/he knows that the email never got through, and can use one of
 > the many available out-of-band methods to communicate the message.

...assuming that an OOB method has been established already, or is given 
in the DSN.  (E.g., "this looked spam; if it really was legit and you 
want to contact me, call me at 1-900-SPAMSUX".)

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
WE'RE HIRING developers, auditors, and VP of Prof. Services.

Re: Principles of Spam-abatement

[John Leslie]

Dave Crocker <[EMAIL PROTECTED]> wrote:
> 
> The difference is that there are practicalities of implementation and
> use that we have to anticipate.  This falls under the unfortunate
> reality that the real-world is not conducted so carefully.

   I have great respect for Dave's viewpoint on that issue.

   But I do think there's a principle here that doesn't depend upon the
implementation: that silently dropping a false-positive _does_ create
problems as perceived by the end users -- and that those problems would
be significantly reduced if the innocent sender of the false-positive
email were notified of the failure to deliver.

> On the average, user-level Internet mechanisms need to be pretty
> simple and straightforward, if they are to be successful.

   Omigosh yes! I've taken far too many support calls: "Is the Internet
down?" to think otherwise...

   But I, at least, am thinking in terms of an implementation where we
notify the SMTP-sending-server during the SMTP session, with a message
including a URL for more information. IMHO, this would tend to converge
to a situation where end-users understood the issue -- and learned to
route around it. ;^)

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: John Leslie <[EMAIL PROTECTED]>

> ...
>But I, at least, am thinking in terms of an implementation where we
> notify the SMTP-sending-server during the SMTP session, with a message
> including a URL for more information. IMHO, this would tend to converge
> to a situation where end-users understood the issue -- and learned to
> route around it. ;^)

Where is the business of the main IETF mailing list in that suggestion?
It is already a de facto standard.  Many and probably most well run
SMTP servers include an appropriate message in their 5yz rejection
messages when spam detection is the issue.  Today an appropriate
message is often a URL.

There are details that could be officially standardized such as formats
that MUAs could more easily recognize and present to end users.  The
bounces generated by the near-end MTA after a failed SMTP session are
incomprehensible to many people.  Some MTAs (e.g. Hotmail's when I last
checked) include random text in their session transcripts apparently
drawn from random SMTP sessions during that last several hours.  However,
this sort of standardization seems more appropriate for some SMTP WG
or the ASRG than here.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[John Leslie]

Vernon Schryver <[EMAIL PROTECTED]> wrote:
>> From: John Leslie <[EMAIL PROTECTED]>
> 
>> But I, at least, am thinking in terms of an implementation where we
>> notify the SMTP-sending-server during the SMTP session, with a message
>> including a URL for more information. IMHO, this would tend to converge
>> to a situation where end-users understood the issue -- and learned to
>> route around it. ;^)
> 
> Where is the business of the main IETF mailing list in that suggestion?

   That statement -- outlining my personal thinking -- was intended to
solicit consensus on Iljitsch's principle from Dave Crocker and/or
those who think like him. (I know most people have given up on ever
finding consensus from Dave, but I'm a slow learner...)

> It is already a de facto standard. 

   (Most people, when they say "de facto standard", mean something already
done by a strong majority. But, of course, that's not what the words
mean, so I won't argue your usage.)

   I'm frankly not concerned whether that practice is endorsed as a
standard.

> Many and probably most well run SMTP servers include an appropriate
> message in their 5yz rejection messages when spam detection is the
> issue.  Today an appropriate message is often a URL.

   Agreed. Enough people are doing it that the idea will surely spread.
Even the dinosaurs (cable companies and incumbent phone companies) will
catch on eventually.

> There are details that could be officially standardized such as formats
> that MUAs could more easily recognize and present to end users.  The
> bounces generated by the near-end MTA after a failed SMTP session are
> incomprehensible to many people.  Some MTAs (e.g. Hotmail's when I last
> checked) include random text in their session transcripts apparently
> drawn from random SMTP sessions during that last several hours.

   All items which I'd be happy to see discussed in MARID.

> However, this sort of standardization seems more appropriate for some
> SMTP WG or the ASRG than here.

   There is no MARID mailing-list yet, so we're stuck here for a few
more days. (ASRG is not an IETF group.) In the meantime, I'm trying to
solicit consensus -- no matter how "rough" -- on principles of spam
abatement, not details of its implementation.

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Tom Petch]

inline

>Tom Petch <[EMAIL PROTECTED]> wrote:
>> One reason why spam works is that it is so cheap to send 1M messages
>> that even if 99.99% fail to reach a destination, the operation is still
>> a success.  If sending 1M messages got back a 1% response saying 'you
>> failed' with no clue as to which 1% failed, we might cut down on the
>> spam.
>
>   There may be a Principle there, about any "cost" imposed upon
>spammers tending to reduce the spam problem...
>
>John Leslie <[EMAIL PROTECTED]>

Yes, that is what I had in mind; use any means available to make it
unattractive; persuade them to turn their attention to some other
technology.

My other thought is triggered by an e-mail which came interspersed amonst
this thread containing the following (and I hope this content does not
trigger too many false positives)


*** Anonymous Bulk Email Software

*** is a super fast bulk email software that sends out at speeds greater
than 1,000,000 emails per hour* on a dedicated mailing server. *** has the
capability to use Proxies and Relays and also to send directly.

Some of the features include:
Anonymous Mailing using Proxies
Message Randomization to bypass Spam Filters
Speeds over 850-950K emails per hour on Turbo Mode
Up to 1000 Threads
Unlimited Email List Size (up to 100 Million per file)
HTML and Plain Text Emails
Tag Macros to personalize and randomize emails
Custom Headers ... more on


Something along the lines of 'Know your enemy' comes to mind; get hold of
such a product, reverse engineer it, find its weaknesses and nullify it.  I
am thinking that spam is and will remain a long-term battleground and it
needs serious effort to counter, perhaps a Cert-like organisation, and we
are just not putting in enough serious effort yet; perhaps the cost to us
is not yet high enough to stir us to action.

Tom Petch

Re: Principles of Spam-abatement

[Paul Vixie]

excuse me but...

> >> One reason why spam works is that it is so cheap to send 1M messages
...
> >   There may be a Principle there, about any "cost" imposed upon
> >spammers tending to reduce the spam problem...
...
> Yes, that is what I had in mind; use any means available to make it
> unattractive; persuade them to turn their attention to some other
> technology.
...
> Something along the lines of 'Know your enemy' comes to mind; get hold of

...the point of the original post was to identify principles.  discussions
among this engineering-centric community are naturally about methods.  the
principle i've always followed is that "all communications must be by mutual
consent" and i havn't seen anything in this thread to tell me there's some
more-universal or more-relevant way to approach it.

the messaging protocols we use today do not encode consent in any way.  that's
why  is written exactly the way it is.
if the protocols could reliably ensure consent, then the definition of abuse
could be much more broad.

improving authentication sure feels like it's a good way to make consent more
likely, but let's not lose sight of the principle, which is consent, while
we deal with methods, like authentication.
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Robert G. Brown]

On Sat, 28 Feb 2004, Tom Petch wrote:

> 
> *** Anonymous Bulk Email Software
> 
> *** is a super fast bulk email software that sends out at speeds greater
> than 1,000,000 emails per hour* on a dedicated mailing server. *** has the
> capability to use Proxies and Relays and also to send directly.
> 
> Some of the features include:
> Anonymous Mailing using Proxies
> Message Randomization to bypass Spam Filters
> Speeds over 850-950K emails per hour on Turbo Mode
> Up to 1000 Threads
> Unlimited Email List Size (up to 100 Million per file)
> HTML and Plain Text Emails
> Tag Macros to personalize and randomize emails
> Custom Headers ... more on
> 
> 
> Something along the lines of 'Know your enemy' comes to mind; get hold of
> such a product, reverse engineer it, find its weaknesses and nullify it.  I
> am thinking that spam is and will remain a long-term battleground and it
> needs serious effort to counter, perhaps a Cert-like organisation, and we
> are just not putting in enough serious effort yet; perhaps the cost to us
> is not yet high enough to stir us to action.

I keep swearing that I'm not going to respond yet again, but I keep
getting drawn into it as people miss a key point... such as the real
point of this "extract".

It has been pointed out several times that this sort of battle is one
that you cannot "win" on the grounds of technology alone.  At the same
time you are reverse engineering their spam engine, they are reverse
engineering your reverse-engineered anti-spam engine, and they have the
distinct advantage that your anti-spam engine is quite likely to be open
source while their spam engine is quite likely to be completely closed
source.  Every move you make to block them, they make a move to counter
your block, and they can move faster.  Look at the "features" list above
-- what is it if not "moves" against blacklists (using proxies), keyword
and bayesian spam filters (message randomization, tag macros),
slow/blocking MTA's (lots of threads), browser and text based message
review by the user (if they get in with a plausible tag-macro-generated
subject line, the user HAS to see the actual message in order to do end
stage rejection of material that makes it through their local filter, if
any).

Move-countermove.  This is not a technology problem, it is a war, an
exercise in practical biology.  There are attackers and defenders and it
is pointless to erect some expensive Maginot Line and pretend it will
solve the problem.

Adding encryption or signature simply causes spamware vendors to add an
encryption and signature module to their code and mailing list database
and address-grazing webbots.  This in turn makes the people who sell
spamware still more money selling their "new improved version",
cheerfully payed by the spammer who continues to make all that lovely
money and can easily afford the latest version.  Add solving a "puzzle"
and you might cut down on the peak throughput -- until they add puzzle
solvers in a backing cluster, and of course that adds tremendous
MATCHING expense to every legitimate MTA on the planet.  Add a delay,
and they add more threads where the MTA can wait out your delay but
maintain net throughput in parallel connections up to the limits of the
bandwidth of their MTA POP bottleneck (likely to be much lower than the
capacity of their spamware in any event).  In all cases they continue
saturating their connection with outgoing messages, which is all they
can afford to do anyway.

SPAM is not a static problem, it is a dynamic problem, being developed
and driven by Evil systems and software engineers every bit as talented
and dedicated as their Good opponents.  As long as spammers make money,
they will find ways around and through any mere "algorithmic" defense,
because the algorithmic defense has an unpassable boundary where false
positives become an unacceptable barrier (whether or not they are
rejected at the MTA or further downstream at the MUA), and plenty of
email traffic related to legitimate commerce has a finite chance of
being a false positive by an overaggressive filter.

There is one and only one way to "stop spam" (as opposed to learning to
live with it so that it doesn't bother you -- much -- as Vernon and I
and many others do already). Change the fundamental rules of the game.
When spamming is openly illegal and/or spammers stop making money (on
average), spam will stop.  Until then, history clearly shows that as
long as there is a buck to be made, there will be those trying to make
the buck, and they will route around every obstacle you are willing to
put in their path because they can automate their attack and can scale
expenses and find products that make them money even with a 0.001%
response rate, while you have to defend one system and user at a time,
some of whom BUY the products the spammers are selling.  We are NOT
going to stop spam with protocol, software, technology, as long as it
legitimately makes money.  We won't even slow it down.

Re: Principles of Spam-abatement

[John Leslie]

Paul Vixie <[EMAIL PROTECTED]> wrote:
> 
> the principle i've always followed is that
> "all communications must be by mutual consent"
> ...

   Excellent principle, Paul. I'd like to put it at the head of the
list.

   I've also gleaned (mostly from this list over the last week):

Ed Gerck <[EMAIL PROTECTED]> wrote:
> The spam problem starts with *freely* accepting mail from strangers.

"Tom Petch" <[EMAIL PROTECTED]> wrote:
> Spam is and will remain a long-term battleground and it needs serious
> effort to counter.

Vernon Schryver <[EMAIL PROTECTED]> wrote:
> Every mail message carries a practically unforgeable (for spammers)
> token identifying its source.  That token is the IP address of the
> SMTP client.

"Robert G. Brown" <[EMAIL PROTECTED]> wrote:
> it is pointless to erect some expensive Maginot Line and pretend it
> will solve the problem.

Vernon Schryver <[EMAIL PROTECTED]> wrote:
> There is no and can never be a hoop that is low enough to pass
> enough human strangers but exclude spammers' computers.

Senator Gordon Humprey said:
> If you want more of something, subsidize it; if you want less, tax it.

Ed Gerck <[EMAIL PROTECTED]> wrote:
> Spammers need scale (because they get a very low return). Therefore,
> part of the solution should be to deny scalability to spammers.

Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
> If we can communicate the fact that a message is discarded because
> it was categorized as spam back to the sender without adverse side 
> effects, then occasional false positives aren't much of a problem.

Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
> If you reject the message during the SMTP session you don't need to
> generate a bounce message, the other side will do this.

John Leslie <[EMAIL PROTECTED]> wrote:
> Errors returned after the close of the SMTP transaction are likely
> to go to (and confuse) an innocent party; thus such errors should
> be deprecated for any email identified as spam.


   Not a bad start, IMHO. :^)

   Additions are welcome; corrections by the authors are welcome;
suggestions for re-wording are acceptable...

--
John Leslie <[EMAIL PROTECTED]> 

Re: Principles of Spam-abatement

[jfcm]

At 20:46 28/02/04, Paul Vixie wrote:
let's not lose sight of the principle, which is consent, while we deal 
with methods, like authentication.
Full agreement. Five basic Human e-Rights seem to be to e-exist, to e-own, 
to e-send and e-receive what one wants, to e-associate. The principle 
should be "I have a mail for you, may I forward it?", probably best 
implemented in the day to day life as "I have mail for you, you may want to 
retreive".

Re: Principles of Spam-abatement

[Dave Crocker]

John,

>> unfortunately, that act of communication _is_ the adverse side
>> effect.  it tells the spammer that yours is an active, responsive
>> email account.

JL>I must disagree.

JL>Iljitsch stated it precisely and well: "the fact that a message is
JL> discarded as spam" need not give any information about whether the
JL> recipient is an active email account -- least of all "responsive".

If this were a math exercise, I would have to agree with your point.
And even though it is not a math exercise, your point certainly is
relevant.

The difference is that there are practicalities of implementation and
use that we have to anticipate.  This falls under the unfortunate
reality that the real-world is not conducted so carefully.

On the average, user-level Internet mechanisms need to be pretty
simple and straightforward, if they are to be successful.



d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Dave Crocker]

John,

JL>While I am _very_ sympathetic to the need to limit the discussion,
JL> I really don't see how anything useful can be accomplished if the
JL> chair rules "principles of spam-abatement" to be irrelevant.

It is a small matter of seeking to have a productive meeting.

Discussion about the definition of spam or other broad topics, such as
principles of abatement are certainly important, but they also suffer
from a) taking a long time, and b) tending not to converge on a rough
consensus agreement.

By contract, discussion of specific techniques can be very efficient.
 This falls under the category of "I may not know much about spam, but
 I know what spam control mechanisms I like".

Yes, there are weaknesses in this approach, but they aren't as bad as
wasting an entire BOF debating philosophy.


d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Paul Vixie]

> >> unfortunately, that act of communication _is_ the adverse side effect.
> >> it tells the spammer that yours is an active, responsive email account.

that's only true from the smtp perspective.  since smtp does not encode any
aspect of consent, existence implies reachability.  however, since smtp is
dead meat rotting in the sun waiting for us to figure out what to replace it
with, smtp is not relevant in a discussion of "principles" which this claims
to be.  (anyone who thinks that smtp can be upgraded to encode consent needs
to spend a few more years Just Hitting Delete before you can sit at the
grownups table.)
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Dave Crocker]

Paul,

>> >> unfortunately, that act of communication _is_ the adverse side effect.
>> >> it tells the spammer that yours is an active, responsive email account.

PV> that's only true from the smtp perspective.  since smtp does not encode any
PV> aspect of consent, existence implies reachability.

rogue spammers are not concerned with consent.  they just want to know
that you and your address are alive.  feedback gives them that
informationl


PV>   however, since smtp is
PV> dead meat rotting in the sun waiting for us to figure out what to replace it

ready-fire-aim.  the dead meat is what the world uses today and will
continue to use for quite some time.  reports of its death are just a
tad premature.

When folks agree on the new mail transfer services that we need and
when we try to add them to smtp and fail, THEN we can have productive
discussions about a replacement transfer protocol.  until then, calls
for a new protocol very much constitute firing before aiming.


PV> with, smtp is not relevant in a discussion of "principles" which this claims
PV> to be.  (anyone who thinks that smtp can be upgraded to encode consent needs
PV> to spend a few more years Just Hitting Delete before you can sit at the
PV> grownups table.)

And everyone else needs to move from the generic reference to
"consent" on to something that is more concrete, as well as being
integrated into a full range of human uses for email.  It would be
nice to still have the baby around, after we have gotten rid of its
bath water.

d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Paul Vixie]

> [smtp] is what the world uses today and will continue to use for quite
> some time.  reports of its death are just a tad premature.
> 
> When folks agree on the new mail transfer services that we need and
> when we try to add them to smtp and fail, THEN we can have productive
> discussions about a replacement transfer protocol.

well, except that that's not how dns was created, or http, or html, or
nntp, or xml, or rpc/xdr/nfs, or sip, or pgp, or jabber.  i guess that's
how a lot of people now think it should be done, but the counterexamples
are extensive, and so i'm not convinced that smtp will be replaced under
precisely the conditions you describe.

> until then, calls for a new protocol ... constitute firing before aiming.

i guess we'll all see how it turns out.

> And everyone else needs to move from the generic reference to
> "consent" on to something that is more concrete, as well as being
> integrated into a full range of human uses for email.

i'm pretty comfortable with www.dictionary.com's definition of "consent".

Re: Principles of Spam-abatement

[Dave Crocker]

Paul,

>> When folks agree on the new mail transfer services that we need and
>> when we try to add them to smtp and fail, THEN we can have productive
>> discussions about a replacement transfer protocol.
PV> well, except that that's not how dns was created, or http, or html, or
PV> nntp, or xml, or rpc/xdr/nfs, or sip, or pgp, or jabber.

_New_ services get created in all sorts of ways and for all sorts of
reason.  However changing an existing, popular service is subject to
very different concerns than a new service.  In particular, it is
subject to careful attention to preservation of the installed base.

Facile assumptions that we will blithely move an installed base of 500
million people, to a new set of protocols, reminds me of a cliche
cartoon. It has a blackboard -- it's a very old cliche -- almost
filled with formulas, except for one blank strip that separates the
formulas into two sections. The board is being explained by one guy to
another. He is responding to a question, pointing to the blank space
and says "that? oh, that's where a miracle happens."

Switching 1/2 billion people requires quite a lot of force and time,
and so do the hundreds of thousands of implementors and operators who
have to make it happen.  They need clear and compelling incentives for
the considerable energy it will take and discomfort it will cause.

So far, claims that smtp needs to be replaced, to fix spam problems,
fail to provide anything more compelling than some strong emotions.

Let's remember that no action to date has reduced the global level of
spam.  So folks need to be a tad circumspect when calling for massive
infrastructure change for which there is no basis to guarantee
results.

>> And everyone else needs to move from the generic reference to
>> "consent" on to something that is more concrete, as well as being
>> integrated into a full range of human uses for email.

PV> i'm pretty comfortable with www.dictionary.com's definition of "consent".

Me too, for casual discussion, but it has nothing to do with technical
specification nor for careful understanding of the human and social
dynamics of messaging.

Really, Paul.  Pursuit of spam control needs far more detail and
deliberation.  It's urgent, but that's no excuse for being vague and
generic.

At a minimum, claims that we need to replace smtp need to include a
specific proposal that offers specific features absent from smtp. And
it needs to include a transition plan for those hundreds of thousands
of operators and 1/2 billion users.

d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Paul Robinson]

Quoting Dave Crocker <[EMAIL PROTECTED]>:

> _New_ services get created in all sorts of ways and for all sorts of
> reason.  However changing an existing, popular service is subject to
> very different concerns than a new service.  In particular, it is
> subject to careful attention to preservation of the installed base.

I think the point Paul Vixie was making was that saying we would discuss the new
protocol at all was not likely to happen. Already there is a mailing list over
at IMC for "mail-ng" where a lot of good ideas are being throw around. I expect
somebody is going to sit down and start writing code one day, and release it.
It will work over the existing infrastructure (e.g. use MXes from DNS records,
etc.) and address many of the concerns people have. If it does it well, it will
propogate and be used by more and more sites. There will be hook-ins for old
SMTP (in the same way that there were hook-ins for UUCP when SMTP came along),
and it will begin to propogate.

I very much doubt that the IETF will be in charge of any aspect of it.

What is important, is that we ensure that commercial interests that effectively
hands control of the mail infrastructure to a body with a commercial objective
does not happen. Ignoring such schemes (a la Microsoft and Yahoo!) will not
work - it will just make the IETF irrelevant.

Like it or not, it's time for all of us to get very serious, very quickly about
a replacement for SMTP. There is a clear need, the user requirements are
starting to firm up, and it's make or break time.
 
> Facile assumptions that we will blithely move an installed base of 500
> million people, to a new set of protocols, reminds me of a cliche

We will not move anybody. We will provide a specification, programmers will
produce the code, ISPs and Software vendors will do the moving if their
customers request it.

> Switching 1/2 billion people requires quite a lot of force and time,
> and so do the hundreds of thousands of implementors and operators who
> have to make it happen.  They need clear and compelling incentives for
> the considerable energy it will take and discomfort it will cause.

Is it just me, or is this just the IPv6 conversation again, but with "Mail"
replacing "IP"?
 
> So far, claims that smtp needs to be replaced, to fix spam problems,
> fail to provide anything more compelling than some strong emotions.

The IMC list is producing some good ideas. I was due to collate them all into
one big document, but time has got the better of me, as has the several hundred
(maybe, thousand?) messages I need to go through to get all the ideas
captured.
 
> Let's remember that no action to date has reduced the global level of
> spam.  So folks need to be a tad circumspect when calling for massive
> infrastructure change for which there is no basis to guarantee
> results.

Statistics have a reputation you know. It's impossible to put an accurate figure
on the amount of spam sent at a global level. Even if you could, that's not the
same figure as the amount that ends up in user's inboxes (some gets 550'ed,
some gets marked for deletion and filtered). We don't know the precise figures,
we can only guess. And we know that as a percentage, the signal-to-noise ratio
is pretty poor, from personal experience.

However, in my inbox, I get less spam confronting me on a daily basis than I did
6 months ago. My spam folder has grown considerably, but my inbox is relatively
clean. The problem is, the techniques I've used to make that so are beyond most
users, and it would seem, most ISPs.

-- 
Paul Robinson

Re: Principles of Spam-abatement

[JORDI PALET MARTINEZ]

I think that considering that the time to deploy a new mail system will take longer 
than deploying IPv6 ... it make sense to deploy both together, I mean a new mail 
system WITH IPv6, possible using IPsec. I think it will be even faster than if we try 
to do now the deployment of IPv6, and tomorrow the deployment of the "new" email 
system ...

It could be also a nice value added for IPv6, that could help on the deployment.

I had this idea in my mind since a long time ago ... we just need to sit down and make 
out of it a nice architecture !

Regards,
Jordi

- Original Message - 
From: "Paul Robinson" <[EMAIL PROTECTED]>
To: "Dave Crocker" <[EMAIL PROTECTED]>; "Dave Crocker" <[EMAIL PROTECTED]>
Cc: "Paul Vixie" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, March 01, 2004 9:08 PM
Subject: Re: Principles of Spam-abatement


> Quoting Dave Crocker <[EMAIL PROTECTED]>:
> 
> > _New_ services get created in all sorts of ways and for all sorts of
> > reason.  However changing an existing, popular service is subject to
> > very different concerns than a new service.  In particular, it is
> > subject to careful attention to preservation of the installed base.
> 
> I think the point Paul Vixie was making was that saying we would discuss the new
> protocol at all was not likely to happen. Already there is a mailing list over
> at IMC for "mail-ng" where a lot of good ideas are being throw around. I expect
> somebody is going to sit down and start writing code one day, and release it.
> It will work over the existing infrastructure (e.g. use MXes from DNS records,
> etc.) and address many of the concerns people have. If it does it well, it will
> propogate and be used by more and more sites. There will be hook-ins for old
> SMTP (in the same way that there were hook-ins for UUCP when SMTP came along),
> and it will begin to propogate.
> 
> I very much doubt that the IETF will be in charge of any aspect of it.
> 
> What is important, is that we ensure that commercial interests that effectively
> hands control of the mail infrastructure to a body with a commercial objective
> does not happen. Ignoring such schemes (a la Microsoft and Yahoo!) will not
> work - it will just make the IETF irrelevant.
> 
> Like it or not, it's time for all of us to get very serious, very quickly about
> a replacement for SMTP. There is a clear need, the user requirements are
> starting to firm up, and it's make or break time.
>  
> > Facile assumptions that we will blithely move an installed base of 500
> > million people, to a new set of protocols, reminds me of a cliche
> 
> We will not move anybody. We will provide a specification, programmers will
> produce the code, ISPs and Software vendors will do the moving if their
> customers request it.
> 
> > Switching 1/2 billion people requires quite a lot of force and time,
> > and so do the hundreds of thousands of implementors and operators who
> > have to make it happen.  They need clear and compelling incentives for
> > the considerable energy it will take and discomfort it will cause.
> 
> Is it just me, or is this just the IPv6 conversation again, but with "Mail"
> replacing "IP"?
>  
> > So far, claims that smtp needs to be replaced, to fix spam problems,
> > fail to provide anything more compelling than some strong emotions.
> 
> The IMC list is producing some good ideas. I was due to collate them all into
> one big document, but time has got the better of me, as has the several hundred
> (maybe, thousand?) messages I need to go through to get all the ideas
> captured.
>  
> > Let's remember that no action to date has reduced the global level of
> > spam.  So folks need to be a tad circumspect when calling for massive
> > infrastructure change for which there is no basis to guarantee
> > results.
> 
> Statistics have a reputation you know. It's impossible to put an accurate figure
> on the amount of spam sent at a global level. Even if you could, that's not the
> same figure as the amount that ends up in user's inboxes (some gets 550'ed,
> some gets marked for deletion and filtered). We don't know the precise figures,
> we can only guess. And we know that as a percentage, the signal-to-noise ratio
> is pretty poor, from personal experience.
> 
> However, in my inbox, I get less spam confronting me on a daily basis than I did
> 6 months ago. My spam folder has grown considerably, but my inbox is relatively
> clean. The problem is, the techniques I've used to make that so are beyond most
> users, and it would seem, most ISPs.
> 
> -- 
> Paul Robinson

Re: Principles of Spam-abatement

[Robert G. Brown]

On Mon, 1 Mar 2004, Paul Vixie wrote:

> > And everyone else needs to move from the generic reference to
> > "consent" on to something that is more concrete, as well as being
> > integrated into a full range of human uses for email.
> 
> i'm pretty comfortable with www.dictionary.com's definition of "consent".

Ah, are we about to develop psmtp (psychic simple mail transport
protocol)?  The first mail protocol that can read my mind and see if I
"consent" to a particular communication before I (or rather, my mail
agent, since that's where one part of the abuse occurs) receive it?

That's a neat trick...

Logical analysis reveals that psychic filtering is what is required to
avoid any chance that I could get abusive email, e.g. spam, while still
permitting a full range of desired communications including those from
strangers, without extra "approval" steps (of which most
users/administrators will definitely not approve and which would let
spam through anyway, at least to the point where they have to see it and
not approve).

Or is "consent" a mnemonic for breaking the entire Internet into White
and Black lists with no grey sites whatsoever according to a common
standard, PRESUMING that I and all other users would consent (in fact
have consented, via inherited Acceptable Use agreements) to turn off all
internet access -- at least to those resources we control -- to those
that chronically abuse those resources?

The latter is not so crazy.  It is more or less what "enforcing existing
AU agreements" would be, were there an actual PROTOCOL for such
enforcement instead of an incomplete and inconsistent hodgepodge of AUs
with spotty enforcement and no way to make enforcement universal.  I've
called for something like this as an obvious first step to regulating
spam and other abuse in a couple of my earlier responses.  My attention
was drawn to:

  http://www.camblab.com/misc/univ_std.txt

which seems to be a very, very practical and immediately feasible way to
secure the protocols we have now.  Curiously, it works by formally
defining a process for converting the Internet into white (or at least,
very light grey:-) and blacklists of a sort and enfolding this into
effectively all internet services.  It has the delightful effect of
punishing the abusers and not the innocent, and of punishing (by
blacklisting) the SPs of chronic abusers (the ones who profit the most
from abuse) to precisely the point where they responsively police their
own networks or go out of business, whichever comes first, and of
permitting that "disconnection" to be done by anybody from a common list
rather than waiting for the SP's PoP provider to go through THEIR
various internal due processes (if any) and pull a plug that might be
making THEM a lot of money...to the discomfiture and waste of money
spent by everybody else.

This document puts forth a >>measure<< of abusive behavior that causes
us (the "Internet") to withdraw our >>consent<< for all kinds of
transactions and is the first step to a >>protocol<< that permits this
consent to be effectively immediately withdrawn from a common and
dynamic (in both directions, as black sites are policed white again).
In a consensual anarchy like the Internet, it is definitely the right
way to proceed, as for the first time newsletters such as Security Wire
Digest contain rumblings calling for and warning of government
regulation that (while certainly welcome with respect to certain forms
of abuse) can easily turn into the nose of a big, ugly, smelly camel
under the Internet tent.  Or end up endorsing a witless and expensive
solution to the great profit of some congressman's biggest donor.

Maybe I just like it because it agrees with my own point of view (the
definition of an intelligent person being "somebody who agrees with
you", after all:-).  It's worth a read.

   rgb

-- 
Robert G. Brownhttp://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525 email:[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: Paul Vixie <[EMAIL PROTECTED]>

> ...
> > And everyone else needs to move from the generic reference to
> > "consent" on to something that is more concrete, as well as being
> > integrated into a full range of human uses for email.
>
> i'm pretty comfortable with www.dictionary.com's definition of "consent".

That is the fatal flaw in the calls for technical mechanisms
"communicating consent" to fix spam.  Webster's definition of consent
also applies to keeping solicitors from knocking on your door and
bandits from mugging you on the streets.  What keeps enough of them
from lying about having your consent are the non-technical protocols
of the justice system.

No matter what additional token of consent that you require spammers
to present to demonstrate that you have agreed to their mail, either
spammers will be able to forge it or legitimate strangers won't be
able to obtain it without contacting you or your agents and ceasing
to be strangers.

The usual response to that (and one which I think you've suggested)
is to have a third party act as your agent.  But that is exactly
equivalent to the Microsoft/Verisign crypto authentication FUSSP.
Whether SMTP is involved is irrelevant; the fatal flaw of such agencies
applies to any messaging scheme.  It is that unless a mail identity
is practically unforgeable thanks to $10,000 costs or enforced legal
penalties, spammers will sign up for new identities as each is executed
for spamming.  If an identity costs less than $50/year and there are
no enforced laws against having as many identites as the recent spurt
of "Zhang Jung" and "Media Dreamland" domain names, it will be impossible
for your consent/identity/reputation agency to ensure that 1000 of the
next 1,000,000 applications are really Al Ralsky in disguise.

There are other problems with the "consent" or "identity" or "reputation
agencies" that are often talked about.  One is that giving Microsoft/AOL
a franchise to levy a $0.001 toll on or append an ad to every message
in the Internet is a Bad Thing unless you are stockholder.

These problems have nothing to do with SMTP.   You give aid and comfort
to the spammers and parasites on the spam problem by suggesting that
a replacement to SMTP might solve these non-technical problems with
"communicating consent."   You are implicitly supporting the worse
than snake oil being flogged as spam solutions by big outfits.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Paul Vixie]

> PV> well, except that that's not how dns was created, or http, or html, or
> PV> nntp, or xml, or rpc/xdr/nfs, or sip, or pgp, or jabber.
> 
> _New_ services get created in all sorts of ways and for all sorts of reason.

if you believe that ssh was a new service (compared to telnet) then i agree
with this perspective.  i think that you won't, though.  new ways of doing
old things can appear, and old ways of doing those same things can disappear,
and this is good and right and healthy.  smtp won't have to be declared dead
in order for me to stop using it when something better comes into existence.

it's worth remembering that mail was once transferred using the ftp protocol.

> ...
> Really, Paul.  Pursuit of spam control needs far more detail and
> deliberation.  It's urgent, but that's no excuse for being vague and
> generic.

probably you should Just Hit Delete until yahoo "domainkeys" saves smtp, then.

> At a minimum, claims that we need to replace smtp need to include a
> specific proposal that offers specific features absent from smtp. And
> it needs to include a transition plan for those hundreds of thousands
> of operators and 1/2 billion users.

actually, they don't.  and, if you stack the problem grain to grain like
that, you'll never cut through.

Re: "Principles" of "Spam-abatement"

[Paul Vixie]

> > i'm pretty comfortable with www.dictionary.com's definition of "consent".
> 
> Ah, are we about to develop psmtp (psychic simple mail transport protocol)?

no.  but through a combination of open source and public benefit licensing,
we are eventually going to be able to tell whether a message was generated
by someone who was present and gave consent, or whether it's just wormware;
and whether the owner of an ip-using device intends to act as a mail server;
and whether a bond has been posted by this present/consenting sender and if
so how much; and whether there exists or not a trust path from the sender,
through their bank or school or employer or insurance company to the
recipient.  the internet doesn't care what your meatspace identity is and
anonymity is a necessary way of life -- but we do care very much whether
transitive trust exists.  "who you are" matters less than "who you know",
and this is true not just for messaging but also for web service accounts and
passwords, for trading and payments, and for so-called "social networking."

> ... document puts forth a >>measure<< of abusive behavior that causes
> us (the "Internet") to withdraw our >>consent<< for all kinds of ...

ok, so two weeks ago i grabbed a spare /16 and put database-writing "servers"
on ports 25 and 80, and watched for worm spoor.  i also hooked it up to a
ddns "blackhole zone" that i can use in postfix and apache to reject 
connections from addresses who have attempted to worm into this /16.  after
16 days of operation the zone has 149076 addresses in it and my spam volume
(nonrejected) is down 80%.  (now that arin has an experimental allocation
policy i hope to add more address space to the basin, and there's been some
thought given to publishing the data thus gathered via http://oarc.isc.org/.)

what this means is, needing a basis for withdrawing consent is just wrong,
and what we need is a basis for offering it.

all attempts to encode this kind of information in the message header or
payload, to date, have failed.  usually because it's a consortium of large
commercial enterprises seeking to monetize the trust paths, much as verisign
is now planning (see http://news.com.com/2100-7355-5163410.html?tag=nl).  i
don't expect to see another x509-like hierarchy succeed in the marketplace,
it's too brittle and too abuse-prone and too beneficial to early adopters
and monopolistic behemoths.  the real solution will be more pgp-like and
will have a hairball topology, for survivability and palatability reasons.

(and it's lots more likely to get built on top of jabber than on top of smtp.)

Re: "Principles" of "Spam-abatement"

[Vernon Schryver]

> From: Paul Vixie <[EMAIL PROTECTED]>

> ...
> we are eventually going to be able to tell whether a message was generated
> by someone who was present and gave consent, or whether it's just wormware;
> and whether the owner of an ip-using device intends to act as a mail server;
> and whether a bond has been posted by this present/consenting sender and if
> so how much; and whether there exists or not a trust path from the sender,
> through their bank or school or employer or insurance company to the
> recipient.  the internet doesn't care what your meatspace identity is and
> anonymity is a necessary way of life -- but we do care very much whether
> transitive trust exists.  "who you are" matters less than "who you know",
> and this is true not just for messaging but also for web service accounts and
> passwords, for trading and payments, and for so-called "social networking."

The trouble with that is that trust is not and cannot be made transitive.

There is a finite chain of people that connects you with anyone you
care to name, with each person asserting any sort of trust you want
for the next person in the chain.  The chain that connects you with
Al Ralsky for the trust operator "the next person to corrently identifies
people" is probably shorter than 6 people.  The chain that connects
you with Ralsky for "next person to does not spam" is probably longer
than 6, but shorter than a couple dozen.  Even worse, the chain the
connects you to Al Ralsky for "the next person is not Al Ralsky" is
probably shorter than the first, short chain.

The notion of transitive trust makes as much sense as assuming that
all of the keys on the key rings of the people who will be signing PGP
keys at the IETF this week are of people who you can trust to not send
you mail you'd not want.

In the real world, there is nothing like transitive trust.  That's why
it is so hard to cash third-party checks.  The closest you can get to
transitive trust is something like the check clearing system, which
has only about 5 parties, with three (the two banks and the Federal
Reserve) so entangled that they can be considered a single outfit.
And check forgery remains a major problem.

If transitive trust could be made to work, then government security
clearances would be easy.  If it could work, we would have more than
3 credit reporting agencies, and we would not have so much machinery
to deal with their errors.  If transitive trust cannot be made to work
for those cases where there are major penalties for cheating, how can
you expect to make it work for mail, which no one values at more than
$30/year/seat?

You might say that you don't want fully transitive trust but only
to trust the people who know people you know.  If you want that
kind of mail system that does not carry message between strangers, 
you've already got it with any of the many kinds of whitelisting.

These problems with trust have nothing to do with the network protocols
involved.  They are fundamentally non-technical.  Talking about replacing
SMTP to implement transitive trust is at best a distraction.


Vernon Schryver[EMAIL PROTECTED]

Re: "Principles" of "Spam-abatement"

[Paul Vixie]

> If transitive trust could be made to work, then government security
> clearances would be easy.  If it could work, we would have more than 3
> credit reporting agencies, and we would not have so much machinery to
> deal with their errors.  If transitive trust cannot be made to work for
> those cases where there are major penalties for cheating, how can you
> expect to make it work for mail, which no one values at more than
> $30/year/seat?

that's not an unreasonable question.  and yet, the meatspace world copes.
the thing cybertrust hasn't done is to take advantage of existing meatspace
relationships.  probably there's no way i'll ever have reason to trust you
but i'll bet my bank has ways of trusting your bank.  (or your school or
my insurance company or whatever.)  if you think in terms of pgp then trust
can't scale.  if you think in terms of the meatspace world and its millenia
of traditions and mechanisms, trust clearly can scale.

if your bond is only $30/year then i probably wouldn't trust you no matter
what my bank told me about your insurance company or what your insurance
company said about you.  remember, i don't want to know who you are, i only
want to know who you know.  if the world has no hooks into you then i would
withhold my consent.  presumably there are others who would only give consent
if your religion was the same as theirs or if your identity was known -- but
that all fits under the "all communications by mutual consent" banner.

> You might say that you don't want fully transitive trust but only
> to trust the people who know people you know.  If you want that
> kind of mail system that does not carry message between strangers, 
> you've already got it with any of the many kinds of whitelisting.

no, i want it to be as big as meatspace.

> These problems with trust have nothing to do with the network protocols
> involved.  They are fundamentally non-technical.  Talking about replacing
> SMTP to implement transitive trust is at best a distraction.

unfortunately you're right about that last part.  smtp's major problem is its
unpleasant distinction between the transport and mailbox, and it *will* get
replaced with something that can carry trust indicators and deal with
multilevel agency.  but the real and larger work is the meatspace-sized trust
web, without which smtp is probably as good as e-messaging can ever get.
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Dean Anderson]

On Mon, 1 Mar 2004, Robert G. Brown wrote:

> On Mon, 1 Mar 2004, Paul Vixie wrote:
> 
> > > And everyone else needs to move from the generic reference to
> > > "consent" on to something that is more concrete, as well as being
> > > integrated into a full range of human uses for email.
> > 
> > i'm pretty comfortable with www.dictionary.com's definition of "consent".
> 
> Ah, are we about to develop psmtp (psychic simple mail transport
> protocol)?  The first mail protocol that can read my mind and see if I
> "consent" to a particular communication before I (or rather, my mail
> agent, since that's where one part of the abuse occurs) receive it?
> 
> That's a neat trick...

It seems that many of the people who consider themselves to be sitting at
the "grownup-table" really have a child-like ignorance of causality
constraints in their schemes.

I am always amused when people naively critcize SMTP for permitting spam,
as though changing the protocol would make people not want break the
rules.  I am also impressed by the people who think that people just
aren't taking the problem very seriously.

The list of the "Principles of Spam-abatement" is itself very naive. It
assumes that spammers are people who make money selling products.  
Certainly, there are some who would prefer people believed this.
Unfortunately, the (January) results coming back from the CAN-SPAM show
that 56% of the 95 top spammers are _fully_ compliant with the CAN-SPAM
act.  Yet few messages in my inbox are even partially compliant. This
gives one some idea of how much spam is being sent by viruses and "fake"
spammers: Quite a lot.  The genuine spammers are permission based, and
have honest opt-out facilities and aren't annoying anyone except the
radicals who can't abide their existance.

Any "solution" to spam has to stop the viruses that have no genuine
products or services to sell, no interest in finding out if they reach
real addresses, no concern for taxes, nor any regard for civil or criminal
law.

> 
> *** Anonymous Bulk Email Software
>
> *** is a super fast bulk email software that sends out at speeds greater
> than 1,000,000 emails per hour* on a dedicated mailing server.
>
> *** has the capability to use Proxies and Relays and also to send
> directly.
>
> Some of the features include:
> Anonymous Mailing using Proxies
> Message Randomization to bypass Spam Filters
> Speeds over 850-950K emails per hour on Turbo Mode
> Up to 1000 Threads
> Unlimited Email List Size (up to 100 Million per file)
> HTML and Plain Text Emails
> Tag Macros to personalize and randomize emails
> Custom Headers ... more on
> 

The above description is for a product that violates the CAN-SPAM act,
which prohibits deceptive practices. But wait, it also claims to advertise
proxies and relays--that's something I know about:  Analysis of our logs
over a long period have only found anti-spammers scanning for relays.  We
know this because for one to scan for a relay, they have to include an
email address that recieves email. Setting up an "unused" mailserver
allows easy collection of the email addresses of those scanning relays.  
So far, all such scanning has been by anti-spam sites. So, this "spamware"
is not a truly genuine product--it is either a complete fraud (no
product), or a deception sold by "anti-spammers" to identify potential
spammers, or it is a group of people (anti-spammers) helping spammers
spam--presumably hoping to annoy people into helping their cause.

While it is harder to identify the people scanning for proxies, it is
still easy to detect such scanning, and stop the scanning. After stopping
the scanning, we are left with the technique of having the virus-infected
computer "phone home". However, this can also be used to identify the
operator.

Clearly, there are people out there trying to make the spam problem worse.
Paul Vixie told me (in email)  back in 1997 that it was his "goal to make
things worse", that anything that makes the spam problem worse, makes it
more likely that spam will be banned.  Undoubtedly, there are people who
have taken that goal too literally.  He's also said recently that he's
been in contact with the "script kiddies"  (who operate viruses) and that
they are mostly anti-spam. Yet almost all viruses send spam.  Any
realistic measure needs to consider how to stop those radical antispammers
and script kiddies who just want to annoy people until they "take spam
seriously".

Someone else wrote:
> Something along the lines of 'Know your enemy' comes to mind; get hold
> of such a product, reverse engineer it, find its weaknesses and nullify
> it.

People have been doing this for many years. Probably since 1994, but
certainly in earnest since 1996 or 1997.  No luck for a permanent
solution. It is just a whack-a-mole operation.

Someone else wrote:
> I am thinking that spam is and will remain a long-term battleground
> and it needs serious effort to counter, perhaps a Cert-like
> organisation, and we are just not putt

Re: "Principles" of "Spam-abatement"

[Vernon Schryver]

> From: Paul Vixie <[EMAIL PROTECTED]>

> ...
> that's not an unreasonable question.  and yet, the meatspace world copes.

The real world copes only by having laws against enforced violations
of trust.  Until the first spammer goes to jail for breaking the laws
that have long made most current spam illegal, all talk of trust fixing
spam is academic.  If the activities of the ROKSO 200 really get them
real penalties, then talk of trust vs. spam becomes relevant, but only
for as one among many fixes for what is currently a trivial part of
the spam problem, the spam from people who are not criminals.

> the thing cybertrust hasn't done is to take advantage of existing meatspace
> relationships.  ...
>... meatspace world and its millenia
> of traditions and mechanisms, trust clearly can scale.

It is not trust that scales but police.  There is no transitive trust
in the real world.  There are only bi- and sometimes trilateral contracts
and lots of people with guns ready to punish those who break trust.  If
transitive trust were even in the real world, buying a house would not
be such a big expensive ritual with escrow, title insurance, and so
forth.  If trust "scaled" in the real world, it would be a lot easier
to get the title for your car converted from one state to another.

Some might offer title insurance as a model for stopping spam, but
only if they've never paid for it.

> if your bond is only $30/year then i probably wouldn't trust you no matter
> what my bank told me about your insurance company or what your insurance
> company said about you.  remember, i don't want to know who you are, i only
> want to know who you know.  if the world has no hooks into you then i would
> withhold my consent.  presumably there are others who would only give consent
> if your religion was the same as theirs or if your identity was known -- but
> that all fits under the "all communications by mutual consent" banner.

There are problems there.  First is that you are not talking about
anything that might be called "transitive" trust.  The word "transitive"
is wrong and misleading.  Please use something like "secondary trust"
or "bonding" or "letter of recommendation."  Second, as Dave Crooker
wrote, your "hooks" are too nebulous.

There's a cool and relevant article in the March-April 2004 issue
"American Scientist."  It concerns how religious groups manage to trust
their members.  The problem/analogy with your trust model is that mail
is not worth $30/year to anyone, not to mention self-mutilation.  How
much does a "check guarantee card" or real estate title insurance or
a jail bail bond cost?


> ...
> unpleasant distinction between the transport and mailbox, and it *will* get
> replaced with something that can carry trust indicators and deal with
> multilevel agency.  but the real and larger work is the meatspace-sized trust
> web, without which smtp is probably as good as e-messaging can ever get.

I do not agree, but mostly because I doubt that vastly larger goal
of "a meatspace-sized trust web."  Whether SMTP disappears doesn't
matter to me.  I was using email long before it appeared.

And I say again: every time you, with your standing, even whisper about
replacing SMTP with a protocol that carries trust tokens, you give aid
and comfort to spammers and the parasites using the spam problem.
Regardless of what you mean, they translate your words as "Paul Vixie
agrees that TOES/SPF/RMX/SMTP-AUTH/CalleriD/HashCash/E-postage/...
is the Final Ultimate Solution to the Spam Problem."


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Dave Crocker]

Paul,

>> _New_ services get created in all sorts of ways and for all sorts of reason.
 PV> if you believe that ssh was a new service (compared to telnet) then i agree
PV> with this perspective.  i think that you won't, though.  new ways of doing
PV> old things can appear, and old ways of doing those same things can disappear,
PV> and this is good and right and healthy.

Interesting example. It would help if ssh had achieved Internet-scale
use and had displaced telnet. On the other hand, terminal-oriented
traffic used to dominate net statistics and now probably does not show
up in the top 5.

So it would help to see an example that showed massive displacement of
a very large, installed base, before we assume that switching email
protocols is that straightforward.


PV> smtp won't have to be declared dead
PV> in order for me to stop using it when something better comes into existence.

of course.  the is not about declarations.  it is about the challenge
of convincing 500 million people and perhaps 200,000 organizations, to
switch.


PV> it's worth remembering that mail was once transferred using the ftp protocol.

Indeed it was.  And it is worth noting that the protocol that replaced
it provided nearly the same service, other than the efficiency
enhancement of multiple addressees during a single transfer.  Users
saw no change to email semantics, only better performance for when
there were long address list.

However, I suspect you have in mind a change that is a tad more
disruptive to the end user service model than that.

But that is only a guess since there is no detailed proposal to
comment on.

(I also should not avoid the chance to make the trivial observation
that the scale of Internet operations was a tad smaller then.)



>> At a minimum, claims that we need to replace smtp need to include a
>> specific proposal that offers specific features absent from smtp. And
>> it needs to include a transition plan for those hundreds of thousands
>> of operators and 1/2 billion users.

PV> actually, they don't.  and, if you stack the problem grain to grain like
PV> that, you'll never cut through.

It's difficult to see the superior basis for making wholesale changes
to a very large installed base. The current style people have, for
discussing any of this topic in public fora looks pretty much
identical to clinical hysteria.

ready, fire, aim.

d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Michael Thomas]

John Leslie writes:
 > Paul Vixie <[EMAIL PROTECTED]> wrote:
 > > 
 > > the principle i've always followed is that
 > > "all communications must be by mutual consent"
 > > ...
 > 
 >Excellent principle, Paul. I'd like to put it at the head of the
 > list.

Ok, I'm dense. How do I meaningfully consent to
somebody for which I have no a priori information
about their consentworthiness? I mean, I can
blackhole them after the fact, but until I have
some information to inform my consent, I'm not
sure what this principle buys you. 

  Mike

Re: Principles of Spam-abatement

[Paul Vixie]

> > > the principle i've always followed is that
> > > "all communications must be by mutual consent"
> > 
> > Excellent principle, Paul. I'd like to put it at the head of the list.
> 
> Ok, I'm dense. How do I meaningfully consent to
> somebody for which I have no a priori information
> about their consentworthiness?

you can't.  that's why you're getting spammed.

> I mean, I can
> blackhole them after the fact, but until I have
> some information to inform my consent, I'm not
> sure what this principle buys you. 

right.

Re: Principles of Spam-abatement

[John Leslie]

Michael Thomas <[EMAIL PROTECTED]> wrote:
> John Leslie writes:
>> Paul Vixie <[EMAIL PROTECTED]> wrote:
>>> 
>>> the principle i've always followed is that
>>> "all communications must be by mutual consent"
>>> ...
>> 
>> Excellent principle, Paul. I'd like to put it at the head of the
>> list.
> 
> Ok, I'm dense. How do I meaningfully consent to
> somebody for which I have no a priori information
> about their consentworthiness?

   Much the same as you do with the telephone: some people just pick up,
expecting to complain to the telephone company if it's an obscene call;
others check caller-ID, and let an answering machine take any calls
they don't recognize; still others hire a sectretary to screen their
calls...

> I mean, I can blackhole them after the fact, but until I have some
> information to inform my consent, I'm not sure what this principle
> buys you. 

   It doesn't necessarily buy you anything: it's a way to look at what
we're trying to engineer.

   I take it to mean that we should look at the system in terms of
informing the consent, rather than rules to cover every case; and
specifically that we shouldn't be communicating back any information
except by consent of the recipient.

   (This is, after all, a _difficult_ problem -- some principles may
be in competition with others...)

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Michael Thomas]

John Leslie writes:
 > Michael Thomas <[EMAIL PROTECTED]> wrote:
 > > John Leslie writes:
 > >> Paul Vixie <[EMAIL PROTECTED]> wrote:
 > >>> 
 > >>> the principle i've always followed is that
 > >>> "all communications must be by mutual consent"
 > >>> ...
 > >> 
 > >> Excellent principle, Paul. I'd like to put it at the head of the
 > >> list.
 > > 
 > > Ok, I'm dense. How do I meaningfully consent to
 > > somebody for which I have no a priori information
 > > about their consentworthiness?
 > 
 >Much the same as you do with the telephone: some people just pick up,
 > expecting to complain to the telephone company if it's an obscene call;
 > others check caller-ID, and let an answering machine take any calls
 > they don't recognize; still others hire a sectretary to screen their
 > calls...
 > 
 > > I mean, I can blackhole them after the fact, but until I have some
 > > information to inform my consent, I'm not sure what this principle
 > > buys you. 
 > 
 >It doesn't necessarily buy you anything: it's a way to look at what
 > we're trying to engineer.

Well, I don't understand because it sure seems to
me that the principle requires omniscience in
isolation which is, well, IRTF territory at the
very least. Or is this just a covert way of saying
that we need an e-Yentl?

Note that I'm not against e-Yentl per se. I just
question what this principle actually serves from
an engineering/design perspective. It would be a
lot clearer if the intent is to say that third
party introductions are a necessary possibility,
that it come out and say that instead of leaving
the possibility of oracles explicitly open.

Mike

Re: Principles of Spam-abatement

[John Leslie]

Michael Thomas <[EMAIL PROTECTED]> wrote:
> Subject: Re: Principles of Spam-abatement
> X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
> 
> John Leslie writes:
>> Michael Thomas <[EMAIL PROTECTED]> wrote:
>>> John Leslie writes:
>>>> Paul Vixie <[EMAIL PROTECTED]> wrote:
>>>>> 
>>>>> "all communications must be by mutual consent"
>>> 
>>> Ok, I'm dense. How do I meaningfully consent to
>>> somebody for which I have no a priori information
>>> about their consentworthiness?
>> 
>> Much the same as you do with the telephone: some people just pick up,

   Case 1: consent is presumed until content is observed;

>> others check caller-ID, and let an answering machine take any calls
>> they don't recognize;

   Case 2: non-consent is presumed for unauthenticated senders;

>> still others hire a sectretary to screen their calls...

   Case 3: an external agent screens everything;

>>> I mean, I can blackhole them after the fact, but until I have some
>>> information to inform my consent, I'm not sure what this principle
>>> buys you. 
>> 
>> It doesn't necessarily buy you anything: it's a way to look at what
>> we're trying to engineer.
> 
> Well, I don't understand because it sure seems to
> me that the principle requires omniscience in
> isolation...

   No more so than the three cases listed above (or others not listed).

> Or is this just a covert way of saying that we need an e-Yentl?

   I can't say whether Paul intended that: but I don't interpret the
principle to say any such thing.

> It would be a lot clearer if the intent is to say that third
> party introductions are a necessary possibility, that it come
> out and say that instead of leaving the possibility of oracles
> explicitly open.

   You're getting into implementation details -- definitely off-topic
for a list of principles.

   I'm still open (for a few hours) to suggestions for re-wording;
but I'm not going to accept any re-wording that changes a principle
into an implementation plan.

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Michael Thomas]

John Leslie writes:
 > Michael Thomas <[EMAIL PROTECTED]> wrote:
 >  Paul Vixie <[EMAIL PROTECTED]> wrote:
 > > 
 > > "all communications must be by mutual consent"
 > >>> 
 > 
 >Case 1: consent is presumed until content is observed;
 > 
 > >> others check caller-ID, and let an answering machine take any calls
 > >> they don't recognize;
 > 
 >Case 2: non-consent is presumed for unauthenticated senders;

Neither of these furthers the discourse since
nothing prevents you from making white/black lists
today.

 > >> still others hire a sectretary to screen their calls...
 > 
 >Case 3: an external agent screens everything;

This is the only case that is "new" in the sense
that there isn't any standardized way to do this
now.

 > > Well, I don't understand because it sure seems to
 > > me that the principle requires omniscience in
 > > isolation...
 > 
 >No more so than the three cases listed above
 >   (or others not listed).

Like what? If the principle only leads to exactly
one new thing you can develop toward, then there
is no reason to be oblique.

 >I'm still open (for a few hours) to suggestions for re-wording;
 > but I'm not going to accept any re-wording that changes a principle
 > into an implementation plan.

I'm not suggesting an implementation plan. I'm
asking why this principle makes any more sense
than "do unto others as you would have them do
unto you". That and if it's really just a
platitude that leads to a single solution, that it
should be reworded to be more obvious and less
platitudinal.

Mike

Re: Principles of Spam-abatement

[John Leslie]

   I'm planning to post a summary to the MARID-planning list mentioned
elsewhere in this thread -- hopefully before 5:00 pm Korea time.
I expect there will be a proto-WG mailing list declared by the close of
the MARID BoF at 11:30 Thursday (Korea time). I recommend the discussion
continue there.

   The current draft of what I will post follows:

=== cut here ===
On the <[EMAIL PROTECTED]> mailing list there has been discussion of
Principles of Spam Abatement. This is a brief summary of principles
which _may_ have consensus of that list. I accept full responsibility
for editing errors and misunderstandings.

- All communications must be by mutual consent.

- The spam problem starts with freely accepting mail from strangers.

- Spam is and will remain a long-term battleground and it needs serious
  effort to counter.

- Every mail message carries a practically unforgeable token: the IP
  address of the SMTP client.

- It is pointless to erect some expensive Maginot Line and pretend it
  will solve the problem.

- There is not and can never be a hoop low enough to pass all human
  strangers but exclude spammers' computers.

- If you want more of something, subsidize it; if you want less, tax it.

- Spammers need scale because they get a very low return. Therefore,
  part of the solution should be to deny scalability to spammers.

- If we can communicate to the sender (without adverse side effects)
  that a message is discarded, then occasional false positives aren't
  as much of a problem.

- If you reject the message during the SMTP session you don't need to
  generate a bounce message, the other side will do this.

- Errors returned after the close of the SMTP transaction are likely
  to go to an innocent party; and should be deprecated for any email
  identified as spam.

I also recommend perusing the summary of principles expressed on the
Next-Generation Mail <[EMAIL PROTECTED]> list at:

http://www.cs.utk.edu/~moore/opinions/user-visible-email-ng-goals.html

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Dave Crocker]

Paul,

>> Ok, I'm dense. How do I meaningfully consent to
>> somebody for which I have no a priori information
>> about their consentworthiness?

PV> you can't.  that's why you're getting spammed.


What makes this such an "interesting" problem is the critical need for
spontaneous (unsolicited and uncoordinated) communication is many
human activities.  Eliminating the ability to have new people show up
without an "appointment" will cripple some activities.


d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[John Leslie]

Michael Thomas <[EMAIL PROTECTED]> wrote:
> From: Michael Thomas <[EMAIL PROTECTED]>
> John Leslie writes:
>> Michael Thomas <[EMAIL PROTECTED]> wrote:
>>  Paul Vixie <[EMAIL PROTECTED]> wrote:
>> > 
>> > "all communications must be by mutual consent"
>> >>> 
>> 
>> Case 1: consent is presumed until content is observed;
>> Case 2: non-consent is presumed for unauthenticated senders;
> 
> Neither of these furthers the discourse since nothing prevents
> you from making white/black lists today.

   Agreed.

>> Case 3: an external agent screens everything;
> 
> This is the only case that is "new" in the sense that there
> isn't any standardized way to do this now.

   Nor is any needed. There are a bunch of services doing this now.

>>> Well, I don't understand because it sure seems to
>>> me that the principle requires omniscience in
>>> isolation...
>> 
>> No more so than the three cases listed above (or others not listed).
> 
> Like what? If the principle only leads to exactly one
> new thing you can develop toward, then there is no reason
> to be oblique.

   Principles are there as much to prevent dis-implementation of
good things as to suggest possibilities for implementation of new
things.

>> I'm still open (for a few hours) to suggestions for re-wording;
>> but I'm not going to accept any re-wording that changes a principle
>> into an implementation plan.
> 
> I'm not suggesting an implementation plan. I'm asking
> why this principle makes any more sense than
> "do unto others as you would have them do unto you".

   It directs our attention to the issue of consent by both parties,
which is missing from "do unto others...".

   Furthermore, we're talking about engineering here. You engineer
systems, not people. We're not trying to "engineer" better people
who won't send spam -- we're trying to engineer a communication
system which helps them communicate when and if they want to do so.

> That and if it's really just a platitude that leads
> to a single solution,

   It doesn't look like one to me...

> that it should be reworded to be more obvious and less
> platitudinal.

   To repeat myself, I'm still open to suggestions for re-wording.

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[John Leslie]

Dave Crocker <[EMAIL PROTECTED]> wrote:
> 
> What makes this such an "interesting" problem is the critical need for
> spontaneous (unsolicited and uncoordinated) communication is many
> human activities.  Eliminating the ability to have new people show up
> without an "appointment" will cripple some activities.

   I find it very interesting that jabber/IRC/etc -- designed quite
specifically to allow people to show up without an "appointment" --
don't seem to suffer from spammers...

   (What do folks think about adding Dave's principle, starting at
"Eliminating the ability"? )

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Michael Thomas]

John Leslie writes:
 > Dave Crocker <[EMAIL PROTECTED]> wrote:
 > > 
 > > What makes this such an "interesting" problem is the critical need for
 > > spontaneous (unsolicited and uncoordinated) communication is many
 > > human activities.  Eliminating the ability to have new people show up
 > > without an "appointment" will cripple some activities.
 > 
 >I find it very interesting that jabber/IRC/etc -- designed quite
 > specifically to allow people to show up without an "appointment" --
 > don't seem to suffer from spammers...
 > 
 >(What do folks think about adding Dave's principle, starting at
 > "Eliminating the ability"? )

   Uh, uh, bots are a big, big problem with chat rooms.

   Mike

Re: Principles of Spam-abatement

[Paul Vixie]

> >> Ok, I'm dense. How do I meaningfully consent to
> >> somebody for which I have no a priori information
> >> about their consentworthiness?
> 
> PV> you can't.  that's why you're getting spammed.
> 
> What makes this such an "interesting" problem is the critical need for
> spontaneous (unsolicited and uncoordinated) communication is many
> human activities.  Eliminating the ability to have new people show up
> without an "appointment" will cripple some activities.

as i've said twice before on this thread in the past several days, i don't
care who you are but i do care who you know.  if the world has its hooks
into you -- mutual trust, bond, or some combination -- then i will probably
consent to communication with you even if you remain anonymous behind some
kind of trust brokerage in finland.  however, if you are completely rogue,
i will probably not give my consent to communicate with you.

note that that's just me.  others are likely to have longer or shorter lists
of demands.  some will only accept mail from folks within their own church
or political party or sexual orientation.  some will continue to accept
everything.  the point is, we all need to know what's being offered BEFORE
we've expended our resources to receive it.  

unsolicited, uncoordinated communication is wonderful, and i miss it.  let's
build a universal electronic trust hairball so that we can get it back again.
right now my choice is "deal with yahoo's endless unconfirmed spew" or "not
be able to join any of the mailing lists my neighbors have set up there" and
i would like a finer grained selection than that.
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: Paul Vixie 

> ...
> unsolicited, uncoordinated communication is wonderful, and i miss it.  let's
> build a universal electronic trust hairball so that we can get it back again.
> right now my choice is "deal with yahoo's endless unconfirmed spew" or "not
> be able to join any of the mailing lists my neighbors have set up there" and
> i would like a finer grained selection than that.

What does a transitive/secondary/whatever trust protocol have to do
with that?  Yahoo! is already the outfit bonding/hooking/whatever all
of that mail with its IP addresses.  Changing the label on what they
do to "transitive trust" will not by itself affect their policies and
practices.  As long as Yahoo! chooses to run mailing lists and domain
names the way they do, no matter how many tokens of trust or crypto
certs they slather on, their mail will remain what it is.

If Yahoo! would impose real penalities for abuse of its current
certificates of trust, the IP addresses of its mail systems, or do
anything else that really ensures that those who sign up for new domains
or new mailing lists are trustworthy, then there would also be no need
for newfangled tokens or certificates.  If Yahoo! would not always
respond to reports of spam involving its domains with "It didn't come
from us so it's not our problem" even with it did come from one of its
IP addresses, then Yahoo!'s IP addresses could be certificates saying
"This is not spam" as trustworthy as sa.vix.com [204.152.187.1].

I'm not arguing for IP addresses as security tokens.  I'm only pointing
out that issuing new identity cards to the usual suspects won't change
anything.  No IETF protocol can synthesize trust for organizations
that are not trustworthy.  Service providers that host spammers and
expect spam targets to deal with abuse will never be trustworthy.  Most
of the TBytes/day of spam comes from such providers, whether cable
modem outfits that turn blind eyes on "owned" boxes, free providers
whose penalty for abuse consists of making the spammer sign up for a
new drop box, or tier 1 providers that lie about the impossibility of
determining which of their resellers is hosting a spammer.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Ed Gerck]

Paul Vixie wrote:
> 
> i don't care who you are but i do care who you know.

Well, that's not how we learned to communicate in 1,000s of
years of history. For example, the message is usually far 
more important than who you are or who you know. If you author
a book I think it is interesting then I'll read it ... even 
if I never heard about your or who you know.

Isolationism into "who you know" is increasingly out of synch 
with an interconnected world. The Internet is at odds with "who 
you know". If someone sends me a message asking for my comment
because they read some other comment I wrote, do I really 
care who that someone is... or who they know? No, in fact I
am delighted if the question comes from a complete stranger
with no connection to me, my friends or his friends.

I think we need to be more careful in breaking email more
than what it is already.

Cheers,
Ed Gerck

Re: Principles of Spam-abatement

[grenville armitage]

Ed Gerck wrote:
> 
> Paul Vixie wrote:
> >
> > i don't care who you are but i do care who you know.
[..]
> If someone sends me a message asking for my comment
> because they read some other comment I wrote, do I really
> care who that someone is... or who they know? No, in fact I
> am delighted if the question comes from a complete stranger
> with no connection to me, my friends or his friends.

I'd suggest that in this case you _are_ reacting to who
they know. In some sense they 'know' you, because they're
reacting to something you wrote, and thus have gained entry
to your circle of people-worth-talking-with.

cheers,
gja

Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

John, your summary distils a lot of hard work but is deeply troubling,
because it is constructed entirely on a "make the victims pay"
foundation.  As long as that is your stance, then sure it is so that
"Spam . . . will remain a long-term battleground".   However it is 
just NOT so if the community will change its stance to that which 
society uses (successfully) in every other area of human interaction
beside the internet: make the perpetrator pay.A number of us have
given this a lot of thought to come up with a practical solution which
requires no new technology and no new legislation.   It has been 
proven to work within hours.   

Those interested may view an interim document (comments welcome) at

 

   based on

 

I grind my teeth every time I read a summary like yours because while
the lemmas are true, the conclusions are contrary to reality and 
contrary to everything known about human behavior.

Jeffrey Race 


On Tue, 2 Mar 2004 19:32:00 -0500, John Leslie wrote:
>   I'm planning to post a summary to the MARID-planning list mentioned
>elsewhere in this thread -- hopefully before 5:00 pm Korea time.
>I expect there will be a proto-WG mailing list declared by the close of
>the MARID BoF at 11:30 Thursday (Korea time). I recommend the discussion
>continue there.
>
>   The current draft of what I will post follows:
>
>=== cut here ===
>On the <[EMAIL PROTECTED]> mailing list there has been discussion of
>Principles of Spam Abatement. This is a brief summary of principles
>which _may_ have consensus of that list. I accept full responsibility
>for editing errors and misunderstandings.
>
>- All communications must be by mutual consent.
>
>- The spam problem starts with freely accepting mail from strangers.
>
>- Spam is and will remain a long-term battleground and it needs serious
>  effort to counter.
>
>- Every mail message carries a practically unforgeable token: the IP
>  address of the SMTP client.
>
>- It is pointless to erect some expensive Maginot Line and pretend it
>  will solve the problem.
>
>- There is not and can never be a hoop low enough to pass all human
>  strangers but exclude spammers' computers.
>
>- If you want more of something, subsidize it; if you want less, tax it.
>
>- Spammers need scale because they get a very low return. Therefore,
>  part of the solution should be to deny scalability to spammers.
>
>- If we can communicate to the sender (without adverse side effects)
>  that a message is discarded, then occasional false positives aren't
>  as much of a problem.
>
>- If you reject the message during the SMTP session you don't need to
>  generate a bounce message, the other side will do this.
>
>- Errors returned after the close of the SMTP transaction are likely
>  to go to an innocent party; and should be deprecated for any email
>  identified as spam.
>
>I also recommend perusing the summary of principles expressed on the
>Next-Generation Mail <[EMAIL PROTECTED]> list at:
>
>http://www.cs.utk.edu/~moore/opinions/user-visible-email-ng-goals.html
>
>--
>John Leslie <[EMAIL PROTECTED]>
>

Re: Principles of Spam-abatement

[Ed Gerck]

grenville armitage wrote:
> 
> Ed Gerck wrote:
> >
> > Paul Vixie wrote:
> > >
> > > i don't care who you are but i do care who you know.
> [..]
> > If someone sends me a message asking for my comment
> > because they read some other comment I wrote, do I really
> > care who that someone is... or who they know? No, in fact I
> > am delighted if the question comes from a complete stranger
> > with no connection to me, my friends or his friends.
> 
> I'd suggest that in this case you _are_ reacting to who
> they know. In some sense they 'know' you, because they're
> reacting to something you wrote, 

Who you know (even me) was not important to me. Your message's 
content was the deciding factor that made me send this reply 
to you.  

Thus, in deciding whether I would reply to your message, indeed
it was relevant to me that you read my previous posting. However, 
I did not care who you are or who you know. I wouldn't care 
even if you would claim to know of me (a claim that email scams 
from Nigeria often make) or someone I know (ditto).

> and thus have gained entry to your circle of 
> people-worth-talking-with.

Solely by what you wrote, my point exactly.

Cheers,
Ed Gerck

Re: Principles of Spam-abatement

[David Morris]

Your logic breaks over the fact that you got the message because of who
you both know ... the ietf.org mailing list. It was not unsolicited mail
from a party with which you have no relationship.

On Tue, 2 Mar 2004, Ed Gerck wrote:

> >
> > I'd suggest that in this case you _are_ reacting to who
> > they know. In some sense they 'know' you, because they're
> > reacting to something you wrote,
>
> Who you know (even me) was not important to me. Your message's
> content was the deciding factor that made me send this reply
> to you.
>
> Thus, in deciding whether I would reply to your message, indeed
> it was relevant to me that you read my previous posting. However,
> I did not care who you are or who you know. I wouldn't care
> even if you would claim to know of me (a claim that email scams
> from Nigeria often make) or someone I know (ditto).
>
> > and thus have gained entry to your circle of
> > people-worth-talking-with.
>
> Solely by what you wrote, my point exactly.

Re: Principles of Spam-abatement

[John Leslie]

Dr. Jeffrey Race <[EMAIL PROTECTED]> wrote:
> 
> John, your summary distils a lot of hard work but is deeply troubling,
> because it is constructed entirely on a "make the victims pay"
> foundation. 

   Frankly I don't see "make the victims pay" in any of the principles.

> As long as that is your stance, then sure it is so that "Spam . . .
> will remain a long-term battleground".  

   It does, alas, remain the stance of enough people that I fear spam
_will_ remain a long-term battleground. (Do enough others disagree?
Should I remove that principle?)

> A number of us have given this a lot of thought to come up with a
> practical solution which requires no new technology and no new
> legislation. It has been proven to work within hours.   
> 
> Those interested may view an interim document (comments welcome) at
> 
>  

   That is an implementation plan. I've refused to put implementation
plans into the statement of principles; and I stick by that.

   (When we find the appropriate forum, I'll be happy to comment on
your "interim document".)


   Alas: I look at the clock, and consider the delay of distribution
to this list -- I really doubt enough time remains to discuss any
more changes.

   Thus, though I'd really like to add Dave Crocker's principle, and
I'm perfectly willing to remove the "long-term battleground" one, I
expect to be posting the same document that I posted here at 19:32 EST
to the MARID-planning list in twenty minutes or less.

   Thanks to everyone for a well-informed discussion.

--
John Leslie <[EMAIL PROTECTED]>

Re: Principles of Spam-abatement

[Paul Vixie]

> > > i don't care who you are but i do care who you know.
>   [..]
> > If someone sends me a message asking for my comment
> > because they read some other comment I wrote, do I really
> > care who that someone is... or who they know? No, [...]
> 
> I'd suggest that in this case you _are_ reacting to who
> they know. In some sense they 'know' you, because they're
> reacting to something you wrote, and thus have gained entry
> to your circle of people-worth-talking-with.

precisely.  in the case of mailing list subscriptions, i'd like to be able
to trust a robotic exploder because it can prove i asked to be on the list.

this is what all of the one-time-pad and challenge/response schemes are
really aiming for but i don't see why i ought to use a different "key"
to log into somebody's web portal than they would use to prove that i
asked for some kind of push content (for example, something like e-mail.)

(and i don't think i want to have to pay an X.509 CA for that priviledge.)
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Alan Barrett]

On Wed, 03 Mar 2004, Dave Crocker wrote:
> What makes this such an "interesting" problem is the critical need for
> spontaneous (unsolicited and uncoordinated) communication is many
> human activities.  Eliminating the ability to have new people show up
> without an "appointment" will cripple some activities.

It ought to be possible to consent to contact without an appointment.

For example, you could have a protocol that allows you to encode rules
like "I consent to receiving messages from new people, provided that the
messages purport to be related to certain specified topics, and provided
that one of a set of specified escrow agents vouches for the existence
of a bond of a specified value to be paid if the message is not what it
purports to be".

--apb (Alan Barrett)

Re: Principles of Spam-abatement

[Robert G. Brown]

On Tue, 2 Mar 2004, Michael Thomas wrote:

>  >Case 3: an external agent screens everything;
> 
> This is the only case that is "new" in the sense
> that there isn't any standardized way to do this
> now.
> 
>  > > Well, I don't understand because it sure seems to
>  > > me that the principle requires omniscience in
>  > > isolation...
>  > 
>  >No more so than the three cases listed above
>  >   (or others not listed).
> 
> Like what? If the principle only leads to exactly
> one new thing you can develop toward, then there

And this isn't new either -- it is in widespread use at many different
levels today.  There are excellent reasons for it NOT to be
functionally/operationally standardized; the only aspect that can
reasonably be standardized is its "required" insertion as part of the
MTA as opposed to as a user agent.

This has been discussed, but I really don't think it has been discussed
enough, if this is the only significant outcome of a list of oblique
"principles" designed to lead to some sort of spam-resistant email.
First of all, it is impossible, literally, in protocol, to prevent MUA
spam filters from being inserted into the pipeline between MTA and mail
spool and user.  Second, filters have to be psychic to work perfectly,
so they won't work perfectly -- "consent" is a silly term to apply per
piece of mail, although not so crazy at the network level or host
level.

Third and perhaps most important, did it not occur to you that you just
used three metaphors drawn directly from telephones?  Three FAILED
metaphors from the point of view of controlling phone spam?  Phone spam
continued its time and resource expensive trail across the world until
it was prohibited by law in a way that held phone spammer's accountable
-- caller-id was a joke, call screening (letting it pick up and
listening to the message to decide whether to actually answer) cost time
and was annoying.

I repeat -- what is needed now is not significant changes to smtp (not
if one makes those changes expecting to abate spam or viruses).  What
MAY be needed is a way of tightening up the mapping between positively
identified humans, their positively IP addresses, and a mechanism for
refusing to route traffic from rogues.  ALL traffic, not just smtp.

The URL I posted a couple of days ago had a set of 'principles' for
doing just that.

I spoke of the metaphor that the Internet is like having every bad
neighborhood in the world metaphorically sitting just outside your front
door, since from the user's point of view there are "equal" routes from
every system to every system on the planet.  The only way I can think of
to abate spam and viruses and all sorts of nuisance traffic is to
engineer a way of making this no longer so -- to disconnect the bad
neighborhoods until they hire police and post agents at their own major
intersections to keep the riff-raff (spammers and abusers) and crazy
folk (virus infected ravers) off the street.  This doesn't even require
new law -- it just requires a reexamination of the notion of AUA and the
insertion of a new agency enabling the rapid disconnection of any given
branch of the Internet from all routing.  There are lovely reasons to
think about such an agent anyway -- it provides a rapid response
mechanism agains technoterrorists, for example.

One day I WILL put forth a bit of a diatribe about the difference and
barriers between evolutionary change and revolutionary change, and how
one is easy and slow but reasonably effective and how the other is
(generally) strongly resisted as an argument for why smtp might evolve
but very likely isn't going to be replaced by something radically
different, but not just now.

   rgb

-- 
Robert G. Brownhttp://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525 email:[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Robert G. Brown]

On Tue, 2 Mar 2004, John Leslie wrote:

> Dave Crocker <[EMAIL PROTECTED]> wrote:
> > 
> > What makes this such an "interesting" problem is the critical need for
> > spontaneous (unsolicited and uncoordinated) communication is many
> > human activities.  Eliminating the ability to have new people show up
> > without an "appointment" will cripple some activities.
> 
>I find it very interesting that jabber/IRC/etc -- designed quite
> specifically to allow people to show up without an "appointment" --
> don't seem to suffer from spammers...

"Yet".  Don't forget to add the "yet".

Is there anybody who doubts that if irc became "the" mail paradigm,
spammers would in very short order create automated tools to join and
spew?  Until of course they were booted, blacklisted, filtered.

Is there some intrinsic reason that you think that a fundamentally open
channel is somehow closable to spammers and automated tools?

I could be mistaken, but I don't believe that such a reason exists.  I
don't think that they are targeted for spam primarily because of a (as
of now) limited market and the ease of targeting mail.

   rgb

-- 
Robert G. Brownhttp://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525 email:[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Dave Aronson]

On Tue March 2 2004 19:32, John Leslie wrote:

 > - Errors returned after the close of the SMTP transaction are likely
 >   to go to an innocent party; and should be deprecated for any email
 >   identified as spam.

...and doubly so for viri (if you count those as spam -- they are 
unsolicited, and bulk, but some people's definitions of spam include 
that it be commercial).

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
WE'RE HIRING developers, auditors, and VP of Prof. Services.

Re: Principles of Spam-abatement

[Robert G. Brown]

On Tue, 2 Mar 2004, Vernon Schryver wrote:

> I'm not arguing for IP addresses as security tokens.  I'm only pointing
> out that issuing new identity cards to the usual suspects won't change
> anything.  No IETF protocol can synthesize trust for organizations
> that are not trustworthy.  Service providers that host spammers and
> expect spam targets to deal with abuse will never be trustworthy.  Most
> of the TBytes/day of spam comes from such providers, whether cable
> modem outfits that turn blind eyes on "owned" boxes, free providers
> whose penalty for abuse consists of making the spammer sign up for a
> new drop box, or tier 1 providers that lie about the impossibility of
> determining which of their resellers is hosting a spammer.

Hear, hear.   

(the crowd goes wild).  Or at least it should.  Vernon speaks the truth,
and he's pointing out a fundamental flaw in the entire "consent"
approach.  We cannot now, nor will we be able to in the foreseeable
future, be able to extend meaningful trust to INDIVIDUALS on the
Internet, not when it is a large, dynamic entity that is intrinsically
anonymous at the human level (and often NEARLY anonymous at the network
protocol level where it isn't supposed to be!)  To mutilate a metaphor,
it is like extending trust on the basis of ethernet number on a non-flat
network, never mind that you don't SEE the ethernet number of the
originator -- but you can trust the number of the upstream router, can't
you? -- never mind that an ethernet number can be altered, never mind
that ethernet devices are cheap in any event.

What it is, you see, is getting even BIG organizations such as yahoo
that make money (as they see it) by providing loose unstructured
services prone to abuse and lose/spend money (no question) providing the
infrastructure and humans and tools required to properly police those
services.  They have real money at stake, investors to please, and a
need to keep their bar very low as they live or die by how many
"customers" they have for their "free" services.  Even requiring a
credit card or proof of some sort that you (as a potential client)
actually exist at all eliminates all the children in the world as well
as many (sensibly) paranoid adults who don't WANT to certify access to a
free service with a credit card or some other verifiable token like an
address and possibly expose themselves to still more unwanted contact,
identity theft, etc.

In fact, yahoo is in a lot of ways an archetype, a key problem that any
solution has to be able to manage. Will a proposed solution control spam
originating on yahoo and its even less reputable brethren?  If won't,
why bother?

"Consent" or "transitive trust" (or whatever it is that you want to call
whitelisting a class of traffic while blacklisting another with NO GREY
in between, since consent is a binary concept) of INDIVIDUALS is a
complete non-solution in the case of yahoo (not to mention all its
darkside kin).

Is it in any sense at all POSSIBLE to fractionate "consent" to email
traffic from WITHIN yahoo.com?  I don't think so, and I don't see how it
could be, given the ease with which anonymous yahoo accounts can be
created, used to spew spam, and destroyed.

Blacklisting yahoo.com across the entire Internet (even for a day), now,
that's a solution that would probably work to get them to clean up their
act, if "everybody" did it.  It would likely also serve as a salubrious
lesson to all the rest of the wicked blind-eye SPs.  A shunning, a
shunning...;-)

  rgb

-- 
Robert G. Brownhttp://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525 email:[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Ed Gerck]

David Morris wrote:
> 
> Your logic breaks over the fact that you got the message because of who
> you both know ... the ietf.org mailing list. It was not unsolicited mail
> from a party with which you have no relationship.

Do you not receive messages in your private mailbox from people who read 
the ietf list on the web? Or, from people who receive an email fwd? Or,
from people who get a hit worth pursuing in a google search? People who 
are not themselves in the ietf list and yet send messages to you.

Thus, the fact that this list acts as a trusted introducer to you is not 
the reason why I'm replying to you. I don't reply to a lot of the list's
traffic ;-)  and I read off ietf_censored ;-)

Of course, I should also care who you know and even who you are. But 
these should not be the deciding factors to _block_ email. An unsolicited 
mail from a party with which you have no relationship has the potential 
to be very important to you... even more important than from a party you 
know. The more the surprise, the more the information (Shannon).

Again, the logic is that your message's content was the deciding factor 
that made me send this reply to you.  That's why I think we need to be 
more careful in breaking email more than what it is already.

Cheers,
Ed Gerck

Re: Principles of Spam-abatement

[Robert G. Brown]

On Tue, 2 Mar 2004, David Morris wrote:

> 
> Your logic breaks over the fact that you got the message because of who
> you both know ... the ietf.org mailing list. It was not unsolicited mail
> from a party with which you have no relationship.

But c'mon, I get plenty of mail from people I REALLY don't know and who
AREN'T on a list I'm on.  So do lots of people.

So his logic is just fine.

   rgb

> 
> On Tue, 2 Mar 2004, Ed Gerck wrote:
> 
> > >
> > > I'd suggest that in this case you _are_ reacting to who
> > > they know. In some sense they 'know' you, because they're
> > > reacting to something you wrote,
> >
> > Who you know (even me) was not important to me. Your message's
> > content was the deciding factor that made me send this reply
> > to you.
> >
> > Thus, in deciding whether I would reply to your message, indeed
> > it was relevant to me that you read my previous posting. However,
> > I did not care who you are or who you know. I wouldn't care
> > even if you would claim to know of me (a claim that email scams
> > from Nigeria often make) or someone I know (ditto).
> >
> > > and thus have gained entry to your circle of
> > > people-worth-talking-with.
> >
> > Solely by what you wrote, my point exactly.
> 
> 

-- 
Robert G. Brownhttp://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525 email:[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[David Morris]

On Wed, 3 Mar 2004, Robert G. Brown wrote:

> On Tue, 2 Mar 2004, David Morris wrote:
>
> >
> > Your logic breaks over the fact that you got the message because of who
> > you both know ... the ietf.org mailing list. It was not unsolicited mail
> > from a party with which you have no relationship.
>
> But c'mon, I get plenty of mail from people I REALLY don't know and who
> AREN'T on a list I'm on.  So do lots of people.
>
> So his logic is just fine.

Well, I don't read such mail if I can avoid it ... I have never received
email of value where there was no pre-existing 'connection'. People with
business opportunities with mutual value continue to take the time to use
the telephone even though email would be a viable alternative.

I'm unfortunately coming to the conclusion that the IETF isn't likely to
be the source of mitigation or solution of the UBE problem. Too many
factions to achieve enough concensus. Likely to be a repeat of BIG UGLY
NAT with vendors responding with alternatives while the IETF finds fault
with every possiblity because it isn't perfect.

The group can't even agree that 'consent' should be every recipient's
fundamental right ... of course some of the dialog festered on about the
ability to implement 'consent'. A group of engineers should recognize that
design principles are often compromised to achieve viable implementations.
That doesn't invalidate the principle. If it was easy to achieve, it
wouldn't rank as a principle.

Dave Morris

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: David Morris <[EMAIL PROTECTED]>

> ...
> Well, I don't read such mail if I can avoid it ... I have never received
> email of value where there was no pre-existing 'connection'. People with
> business opportunities with mutual value continue to take the time to use
> the telephone even though email would be a viable alternative.
> ...

Your experience differs from mine and I think other people's.

I'm talking about entirely non-bulk, purely private, I think
unsolicited mail business proposals from strangers.  If anything
comes of the contact, telephone and face to face meetings often
occur, but email is often the cheapest (not just in money or time)
way for an initial contact.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Iljitsch van Beijnum]

On 3-mrt-04, at 1:14, Michael Thomas wrote:

   Case 2: non-consent is presumed for unauthenticated senders;

Neither of these furthers the discourse since
nothing prevents you from making white/black lists
today.
Excuse me?!

Maybe the fact that everyone can claim to be anyone in SMTP might get 
in the way of my *listing operations?

Authentication won't "solve" spam, but not having it sure makes 
spamming easier and more annoying. (Today I even got a message claiming 
to be from the email administrator for my domain. Guess who is the 
email administrator of my domain... This type of forgery is also hard 
on the spam filtering AI, usually resulting in a false negative.)

Re: Principles of Spam-abatement

[grenville armitage]

Ed Gerck wrote:
[..]
> grenville armitage wrote:
[..]
> > and thus have gained entry to your circle of
> > people-worth-talking-with.
> 
> Solely by what you wrote, my point exactly.

Actually, your point appeared to be that you'd respond to a
previously-unknown correspondent who wrote _about something you'd 
previously written_  (and I quote):

> > > If someone sends me a message asking for my comment
> > > because they read some other comment I wrote, do I really
> > > care who that someone is... or who they know?

You yourself have identified the criteria 'they read some other comment
I wrote', not just "they wrote something interesting". I observe
that the former criteria qualifies as a variant of "...who they know".

FWIW.

cheers,
gja
-- 
Grenville Armitage
http://caia.swin.edu.au
I come from a LAN downunder.

Re: Principles of Spam-abatement

[Ed Gerck]

grenville armitage wrote:
> 
> Many  moons ago Ed Gerck wrote:
> > > > If someone sends me a message asking for my comment
> > > > because they read some other comment I wrote, do I really
> > > > care who that someone is... or who they know?
> 
> You yourself have identified the criteria 'they read some other comment
> I wrote', not just "they wrote something interesting". I observe
> that the former criteria qualifies as a variant of "...who they know".

We seem to be in agreement that claiming that they know me, or that they 
know something I wrote, is indeed a variant of "who they know". My point
was that "who they know" is useless as a criterium to _block_ email. 
What should matter most, in receiving email from people with no previous 
relationship to me, is the content of such message.

Thus, "who you know" (in whatever variant) should be a bad metric to block 
email (even though it can be used well to accept email). A message should 
be of higher interest to me the less I know the person. That's one thing
we shouldn't break in email.

Re: Principles of Spam-abatement

[Dean Anderson]

Joe Abley, you should be aware that your company is using a revenge list
for spam blocking. You might want to consider using a different email
address.  But it makes an interesting end to this discussion, I think.

   - The following addresses had permanent fatal errors -
<[EMAIL PROTECTED]>
(reason: 553 Service unavailable; Client host [130.105.36.66] blocked 
using dnsbl.sorbs.net; Hijacked/Disused Netblock See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=130.105.36.66)

The SORBS list falsely claims that our netblocks are hijacked.  The
falseness of this claim was communicated to Matthew Sullivan, the operator
of SORBS, last June.  Mr. Sullivan first denied responsibility for SORBS,
and then said that 'he has no assets to lose, so we should go ahead and
sue him or contribute to him'. He operated other sites that threatened
mailbombing. (Mailbombing is basically spam by anti-spammers.  
Anti-spammers don't think of what they do as spamming--they call it
mailbombing. But the recipients can't really tell the difference.).

Mr. Sullivan was then booted from XO.  Later, he found a home on ISC.  As
near as I can tell, the original source of these lies was Alan Brown, who
operated ORBS until it was shutdown. Alan Brown has lost 3 separate
lawsuits involving defamation and false statements. 2 of those lawsuits
involved him making false statements about ISPs he simply didn't like,
that is, he put them in his blacklist falsely, just like Mr. Sullivan is
doing now. Most people aren't involved in three lawsuits their entire
lives. Yet Mr. Brown has __lost__ three involving false statements. Does
that make him a pathological liar? ISC (Paul Vixie, Bill Manning) has been
aware of the abusive and defamatory nature of SORBS for some time now, but
either don't seem to mind being associated with such disreputable people,
and don't mind that their services are being used for unlawful and
defamatory sites, or share in Mr. Sullivan's and Mr. Brown's spite.

And what are we to make of Mr Sullivan's association with this, and Mr
Vixie's and Mr. Manning's assocation with Mr. Sullivan?  Shouldn't they be
judged by their association with disreputable people?

All rather interesting in light of the statements below by Vixie about
trust and rogues, I think. 

On 3 Mar 2004, Paul Vixie wrote:

> as i've said twice before on this thread in the past several days, i don't
> care who you are but i do care who you know.  if the world has its hooks
> into you -- mutual trust, bond, or some combination -- then i will probably
> consent to communication with you even if you remain anonymous behind some
> kind of trust brokerage in finland.  however, if you are completely rogue,
> i will probably not give my consent to communicate with you.

So says the person who doesn't have an AUP, doesn't accept abuse
complaints, and hosts defamatory, abusive web sites that other responsible
ISP's have booted. Without going into the causality constraints on giving
consent, it is blatently hypocritical to talk about rogue behavior yet not
act to prevent such rogue behavior in their own area of responsibility, or
worse, actively participate in such rogue behavior. Someone once said that
"slander is the revenge of an ignoble mind".

It is hypocritical to talk about "trust", when the subsribers to anti-spam
lists expect and __trust__ that those lists aren't being used for spiteful
reasons having nothing whatsoever to do with spam. They __trust__ the list
to be honest, and they generally stop using lists that are found to be
dishonest.  Yet, very few (if any) such lists are honest. Technical lists
are replete with people posting questions seeking recommendations for
"good" blacklists.

Indeed, with the exception of ISC, 100% of the SORBS users we contacted
stopped using SORBS after viewing the 130.105/16 entries or 198.3.136/21
entries.  This type of thing has also been true of other lists, including
MAPS, which was started by Vixie.  For example, MAPS lost a suit to
Exactis/Experian, after it blocked email in violation of its own criteria.
A really interesting thing about the case is the email from MAPS that
threatened Exactis not to resort to legal action, while hypocritically
claiming on it's web site to be looking for legal challenges. MAPS
actually told Exactis that if it even mentioned lawyers, MAPS would
blacklist it until the case was over regardless of whether it complied
with MAPS demands.  Apparently MAPS had not heard of "Temporary
Restraining Order" or perhaps hoped that Exactis hadn't.  Or perhaps they
believed the internet to be out of the reach of the law. MAPS lawyers were
chastised in the case.  While I've heard of many spammers losing various
cases, I've yet to hear of their lawyers being chastised for frivolous
disagreement.

One cannot have a system where "rogue" is determined by the very people
who act irresponsibly, or who act significantly at variance with social
norms and obligations such as honesty and integrity, or reg

Re: Principles of Spam-abatement

[Joe Abley]

On 10 Mar 2004, at 05:10, Dean Anderson wrote:

Joe Abley, you should be aware that your company is using a revenge 
list
for spam blocking. You might want to consider using a different email
address.  But it makes an interesting end to this discussion, I think.
If you ever really need to get hold of me, Google will give you 
alternate e-mail addresses. I'm really not that hard to find.

And no, for the record, I don't actually find it interesting at all 
(although some of the wild accusations in that particular message are 
mildly amusing). I've hit delete on messages in this thread more often 
than I've hit delete on spam in the last seven days (and even if I 
haven't, it *feels* like I have).

Joe

Re: Principles of Spam-abatement

[Nathaniel Borenstein]

On Mar 10, 2004, at 5:10 AM, Dean Anderson wrote:

Joe Abley, you should be aware that your company is using a revenge 
list
for spam blocking. You might want to consider using a different email
address.  But it makes an interesting end to this discussion, I think.
Without necessarily agreeing with everything else in Dean's message, 
this does indeed point to the most interesting question I see here:  
Whose job is it to enforce penalties for anti-social behavior?

Historically, one can argue that the beginning of civilization can be 
found in legal codes and mechanisms that seek to punish antisocial 
behavior in a fair and consistent manner.  Through painful experience, 
virtually every society in the world has concluded that if you want to 
punish people for bad behavior, you need clear laws and attention to 
due process and the rights of the accused.  When modern governments 
flagrantly flaunt these rules, they have a tendency to become pariah 
states over time.  (Note that I'm not saying all the processes are fair 
or *right*, but even in Iran you have to be convicted by an Islamic 
court before they punish you; a significant part of the total breakdown 
of Afghanistan was that even *that* level of due process disappeared, 
so that virtually any member of the Taliban could mete out "instant 
justice" at will.  It's not surprising that Osama found a home in 
Afghanistan, rather than Iran; Al Qaeda is the ultimate example of 
vigilante justice.)

I see only two things that are different about spam:

1.  The international nature of the antisocial act, combined with the 
general lack of law and precedent, makes it easy to be skeptical about 
timely action.

2.  In the US, at least, we have an unsual number of people, especially 
on the Internet, whose ideology or beliefs include a profound 
skepticism about the ability of governments to do *anything*.

These make the problem harder, but they really don't invalidate the 
hard-won experience of the last few thousand years of human experience. 
 When each ISP makes its own rules and metes out its own 
vigilante-style punishment, that's not civilization, it's anarchy.  And 
I find it considerably scarier than the underlying offense of spam 
itself.  -- Nathaniel

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: Nathaniel Borenstein <[EMAIL PROTECTED]>

> ...
>   When each ISP makes its own rules and metes out its own 
> vigilante-style punishment, that's not civilization, it's anarchy.  And 
> I find it considerably scarier than the underlying offense of spam 
> itself.  -- Nathaniel

Your repeated misrepresentation of the use of blacklists by one party
in a prospective SMTP transaction as vigilantism is as offensive as
it it is a familiar complaint of senders of unwanted mail, including
spammers and kooks.

Regardless of what governments or anyone else might do about spam, and
regardless of whether you and anyone else other than the targets of
your mail consider it spam, your implicit claim to a right to send is
wrong and scarier than any sort of Internet vigilante-style punishment.
Some of us are bothered a lot more by the notion that you might be
able to appeal to any third party to force the target of a prospective
communication to "shut up and eat your [mail]."

Your right to send mail stops at the border routers of your ISP.
Whether your mail gets any farther depends entirely on the sufferance,
whim, and caprice of others.  If prospective targets of your mail
reject it because your IP address is divisible by 91, that is entirely
fair, appropriate, and not for anyone but the owners of your targeted
mailboxes to judge.  Customers of ISPs that want to receive your mail
but can't for any reason, whether the use blacklists, the prime factors
of your IP address, or standard incompetence, have and should have
only one recourse, changing mail providers.

If the targets of your mail reject it because you have chosen a spam
friendly ISP or an ISP with the wrong number of letters in its domain
name, your only recourse is and should be to change mail service
providers.  The consequences of your choice in hiring an ISP that
subsidizes its rates by serving spammers are no one's concern but yours.

The incredible notion you have repeatedly, albeit indirectly advanced,
that you have a right to have your mail delivered that should be enforced
by governments or at least the IETF, would surely apply to backhoe fade,
power problems, misconfiguration, and all of other things that cause
mail to be lost or bounced.  Having governments or the IETF dictate
rights of mail senders to be be heard by their targets would be BAD!

Next you'll be telling me that if you telephone me, I can't hang up on
you.  not that I would, but I reserve the right.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[John C Klensin]

Vernon,

Much as I am reluctant to get into this debate, let me try to 
make some distinctions that might be at the root of where you 
and Nathaniel are not communicating...

* Your analogy to the phone system is exact as long as
the system is end-to-end (see below).  You have no
obligation to accept a call from Nathaniel (or anyone
else) and can be as rude as you like --within extremely
broad limits -- if someone manages to ring your phone
whom you don't want to talk with.  But your carrier is
generally required to accept a connection from
Nathaniel's carrier: except in very rare and highly
selective circumstances, neither is permitted to decide
that you and Nathaniel should not communicate.

* I run my own mail server(s) as, if I recall, do you.
What I choose to accept or reject at that server is my
business and my problem only.  As you suggest, I don't
believe that anyone has the right to tell me what I must
accept, or how I am permitted to make those decisions.
I also pay my ISP extra (relative to their cheapest
accounts that offer essentially the same bandwidth,
etc.) so that they don't get in the way of my servers or
filter my incoming or outgoing traffic (at either the IP
or applications level).  I resent paying extra,
especially since I am painfully aware that their base
operating costs are lower for the kind of
static-address, no-filters service I am buying than they
are for various "protect the users" or "drive up the
price" arrangements, but, until someone comes along with
a better deal, that is how it goes.

* But, when the victim^H^H^H^H^H^H consumer is
essentially faced with a monopoly --buy the ISP's
service with whatever conditions it comes with or be
stuck with dialup-- and is not permitted to run mail
servers, has no real control over whatever filters the
ISP decides to install, etc., the situation is a lot
closer to the classic "middlebox with no control by
either endpoint" one (and produces variations on the
same arguments).  At least in the US, at bandwidth
levels lower than a fractional-T1, there is typically
very little choice of providers (or at least of terms
and conditions).  In the Boston area, as far as I know,
there are a number of consumer aDSL providers, but none
of them provide fixed addresses and most prohibit
servers of any sort, etc., without "upgrading" to much
more costly "business services".  Few, if any, will
permit outgoing mail except through their servers, so,
if they get blocked, all of their customers get blocked
... and have little choice in the matter.  For SDSL,
several ISPs offer the product but, as far as I can
tell, they all do it through the same last-mile
provider.  And cable... well, not a lot of choices
there, at least choices that don't require changing
one's residence, either. Go 100 miles north of here, and
the options get even fewer -- buy the cable modem
service (if it is even available) at whatever terms and
conditions (and incompetence) the cable provider wants
to offer, or put in a DS0 or above at (last I checked)
$6 / air mile/ month, for 30 or 50 miles above and
beyond whatever the ISP charges.  "Switch carriers" is a
possibility, but only a theoretical one.
Where the disagreement you and Nathaniel are having leads, I 
think inevitably except for timing, is into the state that you 
assume Nathaniel is assuming: sufficient governmental 
intervention to turn anyone who operates a mail relay into a 
common carrier, without the "right" to filter mail except in 
response to government-approved rituals.  For many reasons, I 
hope we never get there, regardless of its potential advantages 
for controlling spam and various other sorts of bad behavior. 
But we don't have a free market here, with consumer choice 
options among ISPs who filter and ISPs who don't, at least with 
reasonable price differentials.

 regards,
john
--On Friday, 12 March, 2004 07:22 -0700 Vernon Schryver 
<[EMAIL PROTECTED]> wrote:

From: Nathaniel Borenstein <[EMAIL PROTECTED]>

...
  When each ISP makes its own rules and metes out its own
vigilante-style punishment, that's not civilization, it's
anarchy.  And  I find it considerably scarier than the
underlying offense of spam  itself.  -- Nathaniel
Your repeated misrepresentation of the use of blacklists by
one party in a prospective SMTP transaction as vigilantism is
as offensive as it it is a familiar complaint of senders of
unwanted mail, including spammers and kooks.
Regardless of what governments or anyone else might do about
spam, and regardless of wheth

Re: Principles of Spam-abatement

[John Stracke]

John C Klensin wrote:

In the Boston area, as far as I know,
there are a number of consumer aDSL providers, but none
of them provide fixed addresses and most prohibit
servers of any sort, etc., without "upgrading" to much
more costly "business services".
Check out Speakeasy; they don't filter.  Their basic package is dynamic 
IP, but you can get multiple static IPs, without going to SDSL.

--
/=\
|John Stracke  |[EMAIL PROTECTED]  |
|Principal Engineer|http://www.centive.com|
|Centive   |My opinions are my own.   |
|=|
|"I'm off to wander the streets aimlessly. I'll be taking my usual|
|route." -- Lillith, _Cheers_ |
\=/

Re: Principles of Spam-abatement

[Nathaniel Borenstein]

On Mar 12, 2004, at 9:22 AM, Vernon Schryver wrote:
Your repeated misrepresentation of the use of blacklists by one party
in a prospective SMTP transaction as vigilantism is as offensive as
it it is a familiar complaint of senders of unwanted mail, including
spammers and kooks.
I'm not talking about any party to the real end-to-end email 
transaction.  I'm talking about intermediaries.  I have no problem at 
all with user-controlled filters that do whatever they want.  It's when 
an ISP starts doing these things on behalf of a user who doesn't 
understand or want them that the problems arise.

Regardless of what governments or anyone else might do about spam, and
regardless of whether you and anyone else other than the targets of
your mail consider it spam, your implicit claim to a right to send is
wrong and scarier than any sort of Internet vigilante-style punishment.
I don't claim any such right to send.  In fact, I agree with you about 
your right to block.  But that right belongs to the you as the 
recipient of the communication, not to a third party intermediary that 
is not acting with the explicit approval of the recipient.  Just as you 
have the right to choose only "opt in" email, I have the right to 
choose "opt out" email blocking.  We need to preserve BOTH of those 
rights.  Eliminating the latter right is simply not the best way to fix 
the problems with the former right.

Your right to send mail stops at the border routers of your ISP.
Bzzt.  Not in most Western countries it doesn't.  In telephony, equal 
access regulations have long ensured that telephone companies are 
required to interconnect their systems and NOT make third party 
decisions to block calls.  But that doesn't stop you personally from 
using caller-id information to filter my calls, or even from buying a 
box that subscribes to a private blacklisting service.  It's your 
decision, not your ISP's.

Whether your mail gets any farther depends entirely on the sufferance,
whim, and caprice of others.
Read your history.  This is more or less what the 19th century phone 
companies argued, and it's what governmental regulation of 
communication in a democracy is *for*.  The ISP's like to claim "common 
carrier" status when it's in their interest, but they should bear the 
same responsibilities as well.

If prospective targets of your mail
reject it because your IP address is divisible by 91, that is entirely
fair, appropriate, and not for anyone but the owners of your targeted
mailboxes to judge.
That is certainly one opinion, but the history of telecommunications 
policy in the US and elsewhere is based on a rather different opinion.

Customers of ISPs that want to receive your mail
but can't for any reason, whether the use blacklists, the prime factors
of your IP address, or standard incompetence, have and should have
only one recourse, changing mail providers.
This is precisely where your argument falls apart:  ISP's are 
consolidating and becoming more and more like common carriers.  Fork 
example, at my home in a modern American city, I have precisely two 
reasonably priced options if I want broadband:  Cable and DSL.  
Ultimately it is becoming a duopoly, and while that's better than a 
monopoly, it just doesn't leave enough options for a fully 
laissez-faire position to be realistic.

Next you'll be telling me that if you telephone me, I can't hang up on
you.  not that I would, but I reserve the right.
You have that right, and also the right not to answer the phone when my 
name comes up on caller-id.  But your phone company doesn't have the 
right to make the decision, on  your behalf and without your consent, 
to not cause your phone to ring.  And no, acceptable use policies 
aren't an adequate answer because the decreasing number of 
consumer-level alternatives means I'm likely to be stuck with a AUP 
that I find unacceptable.

I don't see any difference between this situation and the situation 
where, say, China uses its governmental/monopolistic powers to block 
all email from Taiwan.  It's an abridgement of a fundamental human 
right to communicate, which I think trumps the rights of monopolistic 
ISP's to cut their spam-related expenses.  -- Nathaniel

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: John C Klensin <[EMAIL PROTECTED]>

>   * But, when the victim^H^H^H^H^H^H consumer is
>   essentially faced with a monopoly --buy the ISP's
>   service with whatever conditions it comes with or be
>   stuck with dialup-- and is not permitted to run mail
>   servers, has no real control over whatever filters the
>   ISP decides to install, etc., the situation is a lot
>   closer to the classic "middlebox with no control by
>   either endpoint" one (and produces variations on the
>   same arguments). ...

The major error with potentially catastrophic consequences in that
that thinking is the notion of ISPs as monopolies.  No ISP in the world
has a monopoly on real Internet service, with the exception the bad
situation in totalitarin states.


>   servers of any sort, etc., without "upgrading" to much
>   more costly "business services".  Few, if any, will

That many so called ISPs are not selling Internet access is as irrelevant
as the fact that many grocery stores don't sell alcohol.  The lies
customers of those services providers are told and tell themselves
about what they are buying and using are also irrelevant.  The services
those providers offer are some kind of limited data services that
happens to use TCP/IP and portions of the Internet.  I'd like to see
those providers forced to label their services honestly, but that has
nothing to do with monopolies, "natural" or otherwise, except that
monopolies seem more likely to violate truth in labelling.

That there are parts of the world where you cannot buy Internet access
from local providers may disappoint you and me, but it implies nothing
about monopolies on Internet access.  There may be monopolies on those
limited data services, but that is as irrelevant as monopolies on plain
old telephone service.  People whose only available data services are
those non-Internet access services or POTS can always use those data
services or telephones to reach a real Internet service provider.  Whether
or not they could afford real Internet service is also irrelevant here.


> Where the disagreement you and Nathaniel are having leads, I 
> think inevitably except for timing, is into the state that you 
> assume Nathaniel is assuming: sufficient governmental 
> intervention to turn anyone who operates a mail relay into a 
> common carrier, without the "right" to filter mail except in 
> response to government-approved rituals.  For many reasons, I 
> hope we never get there, regardless of its potential advantages 
> for controlling spam and various other sorts of bad behavior. 
> But we don't have a free market here, with consumer choice 
> options among ISPs who filter and ISPs who don't, at least with 
> reasonable price differentials.

NO!  In fact we do have a fairly free market.  That many service
providers choose to not provide Internet service is evidence that the
market is free and that no monopolies for Internet Access prevail.
That those service providers charge less than providers that do provide
real Internet service is interesting is more evidence that monopolies
do not exist.

Perhaps governments should crack down the dishonesty of providers that
mislabel their non-Internet access services, but that has nothing to
do with monopolies.

No one should have any sympathy for savvy technicians who choose
to pay for a service that is not Internet access, don't get Internet
access, and then complain about terrorist and vigilantes who keep
them from getting services they've not paid for.

That Internet service no longer costs several $1000/month is great
but irrelevant.  That it costs more than $30/month is also irrelevant.

I think it's too bad that Internet access is not cheaper than it is,
but just now I'd rather worry about the costs of food and water for
most people on Earth.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: Nathaniel Borenstein <[EMAIL PROTECTED]>

> ...
> I'm not talking about any party to the real end-to-end email 
> transaction.  I'm talking about intermediaries.  I have no problem at 
> all with user-controlled filters that do whatever they want.  It's when 
> an ISP starts doing these things on behalf of a user who doesn't 
> understand or want them that the problems arise.

That would be relevant to your situation if you had any contract
with those intermediaries, or if you had deigned to buy real Internet
access instead of some sort of data service that happens to use
TCP/IP and parts of the Internet.

Your trouble is that you are unwilling or unable to buy real Internet
access.  The fact that what you get for $30/month is not Internet
access has nothing to do with evil intermediaries.

> ...
> I don't claim any such right to send.  In fact, I agree with you about 
> your right to block.  But that right belongs to the you as the 
> recipient of the communication, not to a third party intermediary that 
> is not acting with the explicit approval of the recipient.  Just as you 
> have the right to choose only "opt in" email, I have the right to 
> choose "opt out" email blocking.  We need to preserve BOTH of those 
> rights.  Eliminating the latter right is simply not the best way to fix 
> the problems with the former right.

That is a straw man.  Other than some governments, no third parties
are interferring with your mail.  There are ISPs acting in accordance
with contracts with their customers to block your mail.  You are
demanding that ISPs violate their agreements with their customers
and pass your mail.

Whether the customers of those ISPs know what they are buying in
terms of DNS blacklists is irrelevant.  It is also irrelevant whether
those customers are getting reasonable SLAs, floride in their water,
and honest government.


> > Your right to send mail stops at the border routers of your ISP.
>
> Bzzt.  Not in most Western countries it doesn't.  In telephony, equal 
> access regulations have long ensured that telephone companies are 
> required to interconnect their systems and NOT make third party 
> decisions to block calls.  But that doesn't stop you personally from 
> using caller-id information to filter my calls, or even from buying a 
> box that subscribes to a private blacklisting service.  It's your 
> decision, not your ISP's.

While PTTs do regulate telephone service, Internet service is not
regulated that way in for most citizens of Western countries.  Besides,
equivalents of the filtering you are complaining about is available
from telephone companies.  Qwest sells various kinds of call blocking.
By your reasoning, it is ok for Qwest to block telemarketing calls
with inevitiably grossly inaccurate CID filters but not for Qwest to
block email with much more accurate mechanisms.


> > Whether your mail gets any farther depends entirely on the sufferance,
> > whim, and caprice of others.
>
> Read your history.  This is more or less what the 19th century phone 
> companies argued, and it's what governmental regulation of 
> communication in a democracy is *for*.

Yes, please do read your history, but not just the fairy tails of
early 20th Century equivalents of Microsoft and their pet government
regulators.  The Communications Act of 1933 is widely seen outside
PTT marketing departments and naive socialists as a marketing coup
by the consortium that was AT&T and unrelated to real problems.


> The ISP's like to claim "common 
> carrier" status when it's in their interest, but they should bear the 
> same responsibilities as well.

In fact almost all service providers do not claim "common carrier"
status.  The few that do are not offering real Internet access.


> > If prospective targets of your mail
> > reject it because your IP address is divisible by 91, that is entirely
> > fair, appropriate, and not for anyone but the owners of your targeted
> > mailboxes to judge.
>
> That is certainly one opinion, but the history of telecommunications 
> policy in the US and elsewhere is based on a rather different opinion.

Your claim would be right if you limited it to telephone and telegraph
services.  The last 30 years of data services are differ.  For example,
the PTTs often escaped government regulation by claiming their data
services differed from telephone services.



> This is precisely where your argument falls apart:  ISP's are 
> consolidating and becoming more and more like common carriers.  Fork 
> example, at my home in a modern American city, I have precisely two 
> reasonably priced options if I want broadband:  Cable and DSL.  
> Ultimately it is becoming a duopoly, and while that's better than a 
> monopoly, it just doesn't leave enough options for a fully 
> laissez-faire position to be realistic.

You are misrepresenting the services you from your local providers
as Internet access.  It is not.
You are also misrepresenting DS

Re: Principles of Spam-abatement

[Nathaniel Borenstein]

On Mar 12, 2004, at 1:07 PM, Vernon Schryver wrote:

That would be relevant to your situation if you had any contract
with those intermediaries, or if you had deigned to buy real Internet
access instead of some sort of data service that happens to use
TCP/IP and parts of the Internet.
I don't care to argue over terminology, but when I say "Internet" I am 
explicitly including the consumer-level services that are what 99.99% 
of human beings think of as the Internet.
That is a straw man.  Other than some governments, no third parties
are interferring with your mail.  There are ISPs acting in accordance
with contracts with their customers to block your mail.  You are
demanding that ISPs violate their agreements with their customers
and pass your mail.
And *that* is disingenious.  A take-it-or-leave it contract from a near 
monopoly is not a meaningful contract.

While PTTs do regulate telephone service, Internet service is not
regulated that way in for most citizens of Western countries.  Besides,
equivalents of the filtering you are complaining about is available
from telephone companies.  Qwest sells various kinds of call blocking.
By your reasoning, it is ok for Qwest to block telemarketing calls
with inevitiably grossly inaccurate CID filters but not for Qwest to
block email with much more accurate mechanisms.
If they sell it to me and I *choose* to buy it, that's one thing.  If 
I'm given no alternative it's something else.  -- Nathaniel

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: Nathaniel Borenstein <[EMAIL PROTECTED]>

> > That would be relevant to your situation if you had any contract
> > with those intermediaries, or if you had deigned to buy real Internet
> > access instead of some sort of data service that happens to use
> > TCP/IP and parts of the Internet.
>
> I don't care to argue over terminology, but when I say "Internet" I am 
> explicitly including the consumer-level services that are what 99.99% 
> of human beings think of as the Internet.

I think you're numbers are wrong, but that's irrelevant.  The label
used by 500,000,000 users don't change the nature things.  That
400,000,000 point point to a monitor and talk about "the computer"
doesn't change difference between a CRT and a CPU.  What you are calling
Internet access is not.  It differs from the real thing by both price
and features.


> > That is a straw man.  Other than some governments, no third parties
> > are interferring with your mail.  There are ISPs acting in accordance
> > with contracts with their customers to block your mail.  You are
> > demanding that ISPs violate their agreements with their customers
> > and pass your mail.
>
> And *that* is disingenious.  A take-it-or-leave it contract from a near 
> monopoly is not a meaningful contract.

You are equating $30/month whatever-you-call-it with Internet access.
Then you claim that since the real Internet access available to you
costs more than $30/month, it is not available.  I think that is not
just disingenious but dishonest.


> > from telephone companies.  Qwest sells various kinds of call blocking.
> > By your reasoning, it is ok for Qwest to block telemarketing calls
> > with inevitiably grossly inaccurate CID filters but not for Qwest to
> > block email with much more accurate mechanisms.
>
> If they sell it to me and I *choose* to buy it, that's one thing.  If 
> I'm given no alternative it's something else.  -- Nathaniel

You are misrepresenting your situation when claim that you have no
alternative.  You do have a choice, but it it is not only between
nothing and $30/month not-Internet-access.  You could buy real Internet
access, although it would cost as much as $400/month.

You compound your misrepresentations by implicitly claiming that the
same outfits that sell you $30/month not-Internet-access won't sell
you real Internet access.   Some of them won't, but many will.  If you
can get DSL, then you can get real Internet access.  That 200 kbit/sec
or more of Internet access generally costs more than $100/month does
not justify your complaints about whatever you get for $30/month.

I don't owe you the subsidies for your Internet access that are
demanding.  You want me to subsidize your access with my money and in
my spam loads.  If you were willing to pay what broadband Internet
access reall costs, your ISP could afford real abuse instead of just
letting the spam flow from your fellow $30/month lusers, and it could
afford to give you spam filtering than the worst DNS blacklists.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Alan Barrett]

On Fri, 12 Mar 2004, Nathaniel Borenstein wrote:
> I'm not talking about any party to the real end-to-end email 
> transaction.  I'm talking about intermediaries.  I have no problem at 
> all with user-controlled filters that do whatever they want.  It's when 
> an ISP starts doing these things on behalf of a user who doesn't 
> understand or want them that the problems arise.

Your remedy should be truth-in-advertising enforcement, as Vernon said.
Entities that filter in the way that you don't like are not providing
real Internet access, and should not pretend to.

--apb (Alan Barrett)

Re: Principles of Spam-abatement

[Paul Vixie]

ah, intermediaries.  while at MAPS i often heard complaints (from people
who wanted to send e-mail that some other people didn't want to receive)
that subscribing to a blackhole list overreached an ISP's rights and
responsibilities -- that customers should have to "opt into" such a service
on a case by case basis.

(which was amusing at the time since these same complainants were arguing
at the same time that recipients of e-mail should have to "opt out of" the
email they didn't want to receive.  but i digress.)

ultimately it was found that no law or regulation required carriage, and
that an ISP (whether in the US, Canada, or EU) could subscribe to any
blackhole list they wanted, and the only recourse any of their customers
had was whatever was explicitly spelled out in their contracts.  so, while
we could argue about whether there ought to be a law or regulation, and
then we could argue about which countries this law would have force within
and whether an international treaty would be required (or possible), there
is no sense in arguing whether a network owner has or does not have the
right to refuse to carry any traffic they choose or fail to choose, for
any reason or no reason.  "it just ain't so."

-

ah, monopolies.  many times while at MAPS i heard complaints from end users
whose e-mail was getting rejected "by association", to the effect that they
had no choice of ISP, there was only one ISP in their region, or whatever,
and that adding that ISP to a blackhole list constituted an impossible
mandate on the unwitting bystanders who happened to share that address space.

well, i guess you all know how this turned out, too, right?  about half of
the nontechnical community of internet users now has a plethora of "e-mail"
accounts, often free, often web-delivered.  no misdeed on the part of your
DSL or cablemodem provider prevents you from being a full internet citizen
with all rights and privileges pursuant thereunto.

of course, technical users just buy a 1U server and pay $50/month to have
it colo'd somewhere, and they use their home DSL or cablemodem service for
the only thing it's actually good for -- tunnelling to someplace whose abuse
policies are enforced.



nathaniel, john, i have a lot of respect for you but from reading this thread
it's clear that you have only been studying this issue for a couple of years.
please give it a decade, and read what's been written on the topic of digital
rights, before you go head to head with vjs (who has been studying these
issues as long as i, and who has definitely done his homework.)

the fact that continued universal connectivity requires conservative behaviour
by universal subset standards is a strength of the internet economy, not a
weakness.  it's the only fence we have, and "good fences make good neighbors."
the "rule of law" would not be nearly as fine grained or as relevant or as
successful in this community.  unless you think that CANSPAM is going to stop
people in china or taiwan from sending you e-mail you have no fonts for about
products you'd have no use for, that is.
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Yakov Shafranovich]

Paul Vixie wrote:
nathaniel, john, i have a lot of respect for you but from reading this thread
it's clear that you have only been studying this issue for a couple of years.
please give it a decade, and read what's been written on the topic of digital
rights, before you go head to head with vjs (who has been studying these
issues as long as i, and who has definitely done his homework.)
Since the IETF is a standards organization, can both you and vsj tell us 
 in your opinion, if there is anything the IETF should or should not be 
doing in the spam arena (changing existing standards, making new 
standards, etc.)?

Yakov

Re: Principles of Spam-abatement

[Nathaniel Borenstein]

Paul -- With respect, I think this argument is going nowhere because 
some of us want to discuss it in terms of property rights, and others 
of us want to discuss it in terms of human rights.  I believe that 
communication should be viewed as a human right, and that property 
rights can and should be limited where necessary to ensure those 
rights.  It seems to me that our disagreement stems from this basic 
difference of beliefs, rather than from logical flaws in one of our 
arguments, which makes for a fundamentally unproductive debate, so I'm 
going to *try* to shut up.  :-)  I will concede that if I started from 
a belief that the issue was one of property rights, rather than human 
rights, then I would probably agree with you and Vernon.  -- Nathaniel

On Mar 12, 2004, at 2:16 PM, Paul Vixie wrote:

ah, intermediaries.  while at MAPS i often heard complaints (from 
people
who wanted to send e-mail that some other people didn't want to 
receive)
that subscribing to a blackhole list overreached an ISP's rights and
responsibilities -- that customers should have to "opt into" such a 
service
on a case by case basis.

(which was amusing at the time since these same complainants were 
arguing
at the same time that recipients of e-mail should have to "opt out of" 
the
email they didn't want to receive.  but i digress.)

ultimately it was found that no law or regulation required carriage, 
and
that an ISP (whether in the US, Canada, or EU) could subscribe to any
blackhole list they wanted, and the only recourse any of their 
customers
had was whatever was explicitly spelled out in their contracts.  so, 
while
we could argue about whether there ought to be a law or regulation, and
then we could argue about which countries this law would have force 
within
and whether an international treaty would be required (or possible), 
there
is no sense in arguing whether a network owner has or does not have the
right to refuse to carry any traffic they choose or fail to choose, for
any reason or no reason.  "it just ain't so."

-

ah, monopolies.  many times while at MAPS i heard complaints from end 
users
whose e-mail was getting rejected "by association", to the effect that 
they
had no choice of ISP, there was only one ISP in their region, or 
whatever,
and that adding that ISP to a blackhole list constituted an impossible
mandate on the unwitting bystanders who happened to share that address 
space.

well, i guess you all know how this turned out, too, right?  about 
half of
the nontechnical community of internet users now has a plethora of 
"e-mail"
accounts, often free, often web-delivered.  no misdeed on the part of 
your
DSL or cablemodem provider prevents you from being a full internet 
citizen
with all rights and privileges pursuant thereunto.

of course, technical users just buy a 1U server and pay $50/month to 
have
it colo'd somewhere, and they use their home DSL or cablemodem service 
for
the only thing it's actually good for -- tunnelling to someplace whose 
abuse
policies are enforced.



nathaniel, john, i have a lot of respect for you but from reading this 
thread
it's clear that you have only been studying this issue for a couple of 
years.
please give it a decade, and read what's been written on the topic of 
digital
rights, before you go head to head with vjs (who has been studying 
these
issues as long as i, and who has definitely done his homework.)

the fact that continued universal connectivity requires conservative 
behaviour
by universal subset standards is a strength of the internet economy, 
not a
weakness.  it's the only fence we have, and "good fences make good 
neighbors."
the "rule of law" would not be nearly as fine grained or as relevant 
or as
successful in this community.  unless you think that CANSPAM is going 
to stop
people in china or taiwan from sending you e-mail you have no fonts 
for about
products you'd have no use for, that is.
--
Paul Vixie

Re: Principles of Spam-abatement

[Vernon Schryver]

> From: Yakov Shafranovich <[EMAIL PROTECTED]>

> Since the IETF is a standards organization, can both you and vsj tell us 
>   in your opinion, if there is anything the IETF should or should not be 
> doing in the spam arena (changing existing standards, making new 
> standards, etc.)?

draft-crocker-spam-techconsider-02.txt listed some opportunities for
IETF documents.  I vaguely recall they included:
  - codifying common sense for blacklist operators
  I thought ASRG time working on such a BCP, but it seems to have
  gone underground.
   - improved forms and formats for DSNs.
   - improved mechanisms, forms, and formats for logging mail rejections.
   - mechanisms for sharing white- and blacklists among MX servers
  for a domain.

On the other hand, it would be distructive to let the IETF seriously
consider supporting claims of the unfettered right to send mail
regardless of the desires of mail targets and their duly appointed
agents including ISPs or of entitlements to real Internet access
at less than $50/month.  That would further the ambitions of many
to convert the Internet into what PTTs and governments said we might
be allowed 20 years ago.

That the spam problem involves TCP/IP does not necessarily imply that
the IETF has a major role in dealing with the problem, any more than
the fact that guns contain metal implies that the American Society for
Testing and Materials (ASTM) has a major role in the search for world
peace.  Regardless of the ambitions of individuals to "make a difference"
or become famous, the IETF should strive first and foremost to do no
harm outside its charter in primarily non-technical arenas such as the
fight against spam.


Vernon Schryver[EMAIL PROTECTED]

Re: Principles of Spam-abatement

[Dean Anderson]

Perhaps you should ask this question of someone who actually _has_ studied
the problem for a number of years, and has reviewed the numerous legal
cases and the full text of their legal decisions, and sometimes even the
motions and briefs in the case, and has reveiwed the congressional
reports, and even the congressional testimony on the record.

And I've been interested and involved in the legal and human aspect of
various digital rights for over a dozen years. And as President of the
League for Programming Freedom, have organized over a hundred very
prominent computer scientists (luminaries like Don Knuth, John McCarthy,
Gerald Sussman, etc,etc,etc) on the issue of User Interface Copyrights,
and supervised legal briefs up to the Supreme Court.

I note that Mr. Vixie has declined to participate in any of these other
issues, other than to tell me that he _supports_ the notion of software
patents, when I asked him to join the LPF some years ago.  (Most technical
people are opposed to software patents) The LPF has been fighting software
patents and won on the issue of User Interface Copyrights in the Lotus V.
Borland.

--Dean


On Fri, 12 Mar 2004, Yakov Shafranovich wrote:

> Paul Vixie wrote:
> > nathaniel, john, i have a lot of respect for you but from reading this thread
> > it's clear that you have only been studying this issue for a couple of years.
> > please give it a decade, and read what's been written on the topic of digital
> > rights, before you go head to head with vjs (who has been studying these
> > issues as long as i, and who has definitely done his homework.)
> > 
> 
> Since the IETF is a standards organization, can both you and vsj tell us 
>   in your opinion, if there is anything the IETF should or should not be 
> doing in the spam arena (changing existing standards, making new 
> standards, etc.)?
> 
> Yakov
> 
> 

Re: Principles of Spam-abatement

[Paul Vixie]

[EMAIL PROTECTED] (Yakov Shafranovich) writes:

> Since the IETF is a standards organization, can both you and vsj tell us
> in your opinion, if there is anything the IETF should or should not be
> doing in the spam arena (changing existing standards, making new
> standards, etc.)?

yes there is, but vern says it won't work, so i won't go into it again, yet.
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Dave Crocker]

Vernon,

VS> On the other hand, it would be distructive to let the IETF seriously
VS> consider supporting claims of the unfettered right to send mail
VS> regardless of the desires of mail targets and their duly appointed
VS> agents including ISPs or of entitlements to real Internet access
VS> at less than $50/month.


I'll probably regret pursuing this, but...

I have not seen any inclination of the IETF community to support such
claims, but from your statement, I fear it may have happened and I
missed it.

What are you referring to?

d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Dave Crocker]

Nathaniel,

NB> some of us want to discuss it in terms of property rights, and others
NB> of us want to discuss it in terms of human rights.


Unfortunately, the IETF mailing list is not a very good venue for either
topic, because most of the folks on the IETF mailing list have no
qualifications or special insight into these difficult issues.

Opinions, sure

But none of the essential insight required for making any meaningful
progress in such a discussion.


d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: Principles of Spam-abatement

[Paul Vixie]

[EMAIL PROTECTED] (Nathaniel Borenstein) writes:

> Paul -- With respect, I think this argument is going nowhere because 
> some of us want to discuss it in terms of property rights, and others 
> of us want to discuss it in terms of human rights.  I believe that 
> communication should be viewed as a human right, and that property 
> rights can and should be limited where necessary to ensure those 
> rights.

Since the E in "ietf" does not stand for "Human", I am concerned about
the direction this thread is taking us, and I feel sure that Harald is
shortly going to tell us to take it elsewhere.  However, in the meantime,
I think we should find out if we have a point of agreement and then a
departure, or if we just have no common ground at all.

Property is something that humans have -- it does not exist apart from
a property-holder and the only property-holders recognized at this time
are humans.  Therefore (and, tautologically) property rights ARE human
rights, or at least, rights that only humans have.  When you seek to
separate them you seem to postulate that some rights-of-humans are more
human (or more humane) than others, where property rights are not among
the most fundamental.  If this is your view, then I disagree.

The writings of John Locke (1632-1704) convinced me ~2.5 decades ago that
property rights, and specifically self-ownership was the foundational right
on which all other rights depended.  Without it humans are just live meat.
If you wish to attribute to two parties the right to communicate, then you
must (by definition) strip any and all intermediaries of their right to
use and/or dispose of their property as they see fit.

> It seems to me that our disagreement stems from this basic difference of
> beliefs, rather than from logical flaws in one of our arguments, which
> makes for a fundamentally unproductive debate, so I'm going to *try* to
> shut up.  :-) I will concede that if I started from a belief that the
> issue was one of property rights, rather than human rights, then I would
> probably agree with you and Vernon.  -- Nathaniel

If you wish to balance the rights of some humans against the rights of other
humans, you can do so either by degrees or by exclusion.  "One man's right
to swing his fist ends at the tip of another man's nose" would be an example
of the latter.  "The state can lawfully deprive you of some share of your
property in order to ensure the welfare of others who have less" would be
an example of the former.  Are you hoping that the Internet becomes some
kind of welfare state?  Do you long for communications socialism?  If so
then you will find potent forces arrayed against you -- not the least of
which is that the nature of the Internet medium prevents anything like a
police force from existing.  An intermediary who withdraws their consent
can do so absolutely and your only recourse is to find a different 
intermediary -- which you can do absolutely, so long as you have their
willingness to participate.

In my way of looking at things, this is the best possible system to ensure
that humans' rights are respected.  And because the history of nations on
our little blue marble is such that they will never be able to agree on a
treaty that would overcome the Internet's essential communications freedom,
I think we'll forever live in an e-world where only private actions matter.
-- 
Paul Vixie

Re: Principles of Spam-abatement

[Dr. Jeffrey Race]

On Fri, 12 Mar 2004 16:06:04 -0500, Nathaniel Borenstein wrote:
>With respect, I think this argument is going nowhere because 
>some of us want to discuss it in terms of property rights, and others 
>of us want to discuss it in terms of human rights.  I believe that 
>communication should be viewed as a human right, and that property 
>rights can and should be limited where necessary to ensure those rights. 

I propose we recenter this discussion on our mission, which is
enhancing communication.   With that in mind we can ask ourselves whether
--on the evidence--hypothetically protective measures like blacklisting
are useful or not for enhancing communication (not just for one person
but for the entire community of users).   Property rights and human rights
issues are not irrelevant but they are not central to this discussion.   

At the moment the Internet is lawless.   We are discussing among ourselves
what measures the community can take until law comes, and enforcement comes. 
Issues like abuses by (hypothetical) monopolies are peripheral.   I don't
have all the answers (though I have formulated one which I think is a good
one, see URL below) but I believe "will it enhance communication" is the only
way to approach the problem in the current state of lawlessness.

Jeffrey Race

Re: Principles of Spam-abatement

[Iljitsch van Beijnum]

On 13-mrt-04, at 3:48, Paul Vixie wrote:

An intermediary who withdraws their consent
can do so absolutely and your only recourse is to find a different
intermediary -- which you can do absolutely, so long as you have their
willingness to participate.
I'm sorry, but this is nonsense. Now traditionally in IP networks we 
get away with lots of stuff, but do you think that something like this 
would hold up in the voice business? And like it or not, IP networks 
are becoming more and more like phone networks. If you don't mind 
dialing in you still get to choose between lots of ISPs (but what if 
your phone company decides to "withdraw their willingness to 
participate" in phone calls to ISPs they don't own?) but the same isn't 
true for broadband IP access. With great power (= wires, frequencies or 
just plain market share) comes great responsibility.

(Things are slightly different for mail but not fundamentally so, 
especially as some ISPs are forcing their customers to use their 
relays.)

Re: Principles of Spam-abatement

[Paul Vixie]

> Now traditionally in IP networks we get away with lots of stuff, but
> do you think that something like this would hold up in the voice
> business?

voice is dominated by large players including some governments, and
international interconnection seems to be regulated by the itu.  if
voice were full of mom&pop's the way IP is, then i daresay i would
not be interrupted at my dinner hour by telemarketers nearly as often,
simply because there would be no path from them to me.

> (Things are slightly different for mail but not fundamentally so,
> especially as some ISPs are forcing their customers to use their
> relays.)

until the day a cable/dsl provider decides to block "vpn access", none
of that will matter.  and since users of same working remotely with vpn
access back to "the office" are a large part of the subscriber base, and
are not a source of abuse, i do not expect them to block vpn's.  with
vpn's comes the freedom to do your business elsewhere (where it's safe)
and use the cable/dsl line for access (as it seems to be intended) rather
than for "real internet" (for which it seems ill suited.)

Re: Principles of Spam-abatement

[Yakov Shafranovich]

I posted my original message to the IETF list for a reason instead of 
replying to Paul and Vernon privately. My question is really directed to 
all of you:

This is the IETF - an organization that sets some of the standards for 
the Internet. What should the IETF be doing and NOT doing be in the 
fight against spam.

Yakov

P.S. For the record, I am one of the ASRG chairs.

Dean Anderson wrote:
Perhaps you should ask this question of someone who actually _has_ studied
the problem for a number of years, and has reviewed the numerous legal
cases and the full text of their legal decisions, and sometimes even the
motions and briefs in the case, and has reveiwed the congressional
reports, and even the congressional testimony on the record.

Re: Principles of Spam-abatement

[Dean Anderson]

On 12 Mar 2004, Paul Vixie wrote:
> ultimately it was found that no law or regulation required carriage, and
> that an ISP (whether in the US, Canada, or EU) could subscribe to any
> blackhole list they wanted, and the only recourse any of their customers
> had was whatever was explicitly spelled out in their contracts.  

No such thing was ever found. And just the opposite was proved to you in
Exactis V.  MAPS.  That lawsuit was settled out of court, and MAPS
proponents like to pretend it didn't happen. However, before it was
settled, there were some preliminary decisions made regarding the case.
MAPS tried to have it dismissed on the grounds that MAPS had a first
admendment right to say whatever they want. That argument was rejected,
and is significant to continued claims by radicals of some First Amendment
right to say whatever they want.

Indeed, MAPS didn't contest any of the facts asserted. Those facts
justified a Temporary Restraining Order. As a matter of legal procedure, a
Temporary Restraining Order can only be granted if, after assuming all the
facts asserted to be true, the case can succeed. A TRO is an important
test of the merits of the case.  The rest of a case is then a dispute over
the facts and the defenses to them.  Two legal teams (one for Vixie, one
for MAPS) could only find a frivolous First Amendment defense, which was
rejected.  MAPS choice was clearly to settle or lose. MAPS attorney was
chastised for the frivolousness of the dispute.  This is a message to the
attorney's of other blacklists, and was reported in many legal journals.

I include a quote from one of the the Exactis V. MAPS briefs below, which 
is illuminating of anti-trust law.

Besides antitrust law, there are state electronic communications privacy
laws that apply. State laws broadly prohibit any interference with
communciations, which is broad enough to include the blacklist.  There are
also a number of torts that can be brought, but I won't go in them here.  
Exactis V. MAPS is clearly a reference for blacklist cases.  Of course,
MAPS isn't an ISP, and while ISPs are also subject to anti-trust law
either by contracting with blacklists or by becoming a member of the
group, there are some differences in what laws apply to ISPs, and thus the
legal constraints that ISPs operate under.  Pretty much everything(torts,
anti-trust, state law) that applies to a blacklist also applies to an ISP,
and there are some more things that apply to ISPs.  You can fairly say
that if a blacklist can't win on this issue, an ISP doesn't have even a
prayer---even God would chastise an ISP's lawyer for being frivolous. :-)

The federal Electronic Communications Privacy Act (ECPA) applies to ISPs.  
There are number of cases in which claims were made under the ECPA. The
closest case to ISP email issues is Konop V. Hawaiian Airlines.  In Konop
V. Hawaiian Airlines it was held that a password, giving access to a
website obtained in violation of an agreement not to give anyone else
access, did not represent the necessary authorization to access stored
communications.

Similarly, an ISP has passwords to mailservers and routers, and the
authorization from customers to do certain things, but not to do other
things. Merely having the root password does not mean that you have
authorization to do whatever you please.


On Fri, 12 Mar 2004, Vernon Schryver wrote:
> Your right to send mail stops at the border routers of your ISP.

No, your right to send mail stops at the recipient's ISP and not before,
and then only to the extent the recipient has granted some permission to
the ISP.

The Congress writes reports representing the intent of Congress and
explaining complicated legislation. In the absence of specific case law
binding the court, such reports are used to guide the court as to the
intent of Congress when resolving any ambiguities on how to apply
statutory language to specific sets of facts.  House Report 99-647
reported on the Electronic Communications Privacy Act. There is also
Senate Report 99-541.

Radicals often try to mislead people into thinking that no laws apply to
email or the internet.  That is totally false. Regarding your privacy
rights from House Report 99-647 says at page 33;

"Similarly, where a user has interconnected its own equipment into
a private network, communications carried on the network are fully
entitled to the provisions of Section 2511".

The intent of Congress is pretty much dead on to the question of whether
an ISP can do whatever it pleases.  Your ISP has also connected its
equipment to other private networks, which are subject to 2511, and so on.

Email is frequently mentioned in both the House and Senate Reports.  The 
following quote is from "Statement of [Senator] Patrick Leahy on the 
Introduction of the Electronic Communications Act of 1985', September 
19th, 1985" (the law was not passed until 1986)

"At this moment phones are ringing, and when they are answered, 
the message that comes o

Re: Principles of Spam-abatement

[Dean Anderson]

On 12 Mar 2004, Paul Vixie wrote:
> ultimately it was found that no law or regulation required carriage, and
> that an ISP (whether in the US, Canada, or EU) could subscribe to any
> blackhole list they wanted, and the only recourse any of their customers
> had was whatever was explicitly spelled out in their contracts.  

No such thing was ever found. And just the opposite was proved to you in
Exactis V.  MAPS.  That lawsuit was settled out of court, and MAPS
proponents like to pretend it didn't happen. However, before it was
settled, there were some preliminary decisions made regarding the case.
MAPS tried to have it dismissed on the grounds that MAPS had a first
admendment right to say whatever they want. That argument was rejected,
and is significant to continued claims by radicals of some First Amendment
right to say whatever they want.

Indeed, MAPS didn't contest any of the facts asserted. Those facts
justified a Temporary Restraining Order. As a matter of legal procedure, a
Temporary Restraining Order can only be granted if, after assuming all the
facts asserted to be true, the case can succeed. A TRO is an important
test of the merits of the case.  The rest of a case is then a dispute over
the facts and the defenses to them.  Two legal teams (one for Vixie, one
for MAPS) could only find a frivolous First Amendment defense, which was
rejected.  MAPS choice was clearly to settle or lose. MAPS attorney was
chastised for the frivolousness of the dispute.  This is a message to the
attorney's of other blacklists, and was reported in many legal journals.

I include a quote from one of the the Exactis V. MAPS briefs below, which 
is illuminating of anti-trust law.

Besides antitrust law, there are state electronic communications privacy
laws that apply. State laws broadly prohibit any interference with
communciations, which is broad enough to include the blacklist.  There are
also a number of torts that can be brought, but I won't go in them here.  
Exactis V. MAPS is clearly a reference for blacklist cases.  Of course,
MAPS isn't an ISP, and while ISPs are also subject to anti-trust law
either by contracting with blacklists or by becoming a member of the
group, there are some differences in what laws apply to ISPs, and thus the
legal constraints that ISPs operate under.  Pretty much everything(torts,
anti-trust, state law) that applies to a blacklist also applies to an ISP,
and there are some more things that apply to ISPs.  You can fairly say
that if a blacklist can't win on this issue, an ISP doesn't have even a
prayer---even God would chastise an ISP's lawyer for being frivolous. :-)

The federal Electronic Communications Privacy Act (ECPA) applies to ISPs.  
There are number of cases in which claims were made under the ECPA. The
closest case to ISP email issues is Konop V. Hawaiian Airlines.  In Konop
V. Hawaiian Airlines it was held that a password, giving access to a
website obtained in violation of an agreement not to give anyone else
access, did not represent the necessary authorization to access stored
communications.

Similarly, an ISP has passwords to mailservers and routers, and the
authorization from customers to do certain things, but not to do other
things. Merely having the root password does not mean that you have
authorization to do whatever you please.


On Fri, 12 Mar 2004, Vernon Schryver wrote:
> Your right to send mail stops at the border routers of your ISP.

No, your right to send mail stops at the recipient's ISP and not before,
and then only to the extent the recipient has granted some permission to
the ISP.

The Congress writes reports representing the intent of Congress and
explaining complicated legislation. In the absence of specific case law
binding the court, such reports are used to guide the court as to the
intent of Congress when resolving any ambiguities on how to apply
statutory language to specific sets of facts.  House Report 99-647
reported on the Electronic Communications Privacy Act. There is also
Senate Report 99-541.

Radicals often try to mislead people into thinking that no laws apply to
email or the internet.  That is totally false. Regarding your privacy
rights from House Report 99-647 says at page 33;

"Similarly, where a user has interconnected its own equipment into
a private network, communications carried on the network are fully
entitled to the provisions of Section 2511".

The intent of Congress is pretty much dead on to the question of whether
an ISP can do whatever it pleases.  Your ISP has also connected its
equipment to other private networks, which are subject to 2511, and so on.

Email is frequently mentioned in both the House and Senate Reports.  The 
following quote is from "Statement of [Senator] Patrick Leahy on the 
Introduction of the Electronic Communications Act of 1985', September 
19th, 1985" (the law was not passed until 1986)

"At this moment phones are ringing, and when they are answered, 
the message that comes ou

Re: Principles of Spam-abatement

[Yakov Shafranovich]

Vernon Schryver wrote:
From: Yakov Shafranovich <[EMAIL PROTECTED]>

Since the IETF is a standards organization, can both you and vsj tell us 
 in your opinion, if there is anything the IETF should or should not be 
doing in the spam arena (changing existing standards, making new 
standards, etc.)?

I have the lucky or unlucky task of being one of the two chairs of the 
ASRG (together with John Levine). We also tried to reduce many of the 
problems the original ASRG had including the large signal/noise ration, 
etc. All of this got me thinking about the larger question of what the 
IETF should be doing about fighting spam, which is why I am asking the 
question here.

draft-crocker-spam-techconsider-02.txt listed some opportunities for
IETF documents.  I vaguely recall they included:
  - codifying common sense for blacklist operators
  I thought ASRG time working on such a BCP, but it seems to have
  gone underground.
The two folks working on that ran out of free cycles and stopped their 
work. Nobody else has been willing to pick up the slack and none of the 
blacklist operators that I have spoken to were interested either 
(perhaps I just don't know enough of them). There was also talk about 
documenting the existing lookup protocol for blacklists as an 
informational RFC, and perhaps work on extensions to this protocol. The 
BCP work in the ASRG has migrated to a closed subgroup but hasn't seen 
enough interested parties willing to actually do some work.

   - improved forms and formats for DSNs.
   - improved mechanisms, forms, and formats for logging mail rejections.
   - mechanisms for sharing white- and blacklists among MX servers
  for a domain.
Some of the other things that have been proposed outside the draft are 
standards for abuse reporting, BCPs for handling hijacked machines and 
blocking port 25/allowing SUBMIT, standards for exchanging filtering 
information and decisions between MUAs and MTAs, standards for creating 
a "web of reputation" for MTAs, etc.

It is interesting to note that many of these efforts are solely focused 
on areas where standards can make some difference as opposed to seeking 
the "silver bullet" for solving the spam problem.

That the spam problem involves TCP/IP does not necessarily imply that
the IETF has a major role in dealing with the problem, any more than
the fact that guns contain metal implies that the American Society for
Testing and Materials (ASTM) has a major role in the search for world
peace.  Regardless of the ambitions of individuals to "make a difference"
or become famous, the IETF should strive first and foremost to do no
harm outside its charter in primarily non-technical arenas such as the
fight against spam.
It is interesting to note that the current version of the IETF mission 
statement states something similar along these lines 
(http://www.ietf.org/u/ietfchair/ietf-mission.html):

"It is important that this is "For the Internet," and does not include 
everything that happens to use IP. IP is being used in a myriad of 
real-world applications, such as controlling street lights, but the IETF 
does not standardize those applications."

The problem is that many parties see the IETF as the caretaker for email 
standards and accuse these standards as one of the root problems for 
causing spam. Obviously the problem has way too many aspects to be 
purely technical and has not real technical solution (FUSSP or "silver 
bullet"). Another aspect of that is that many of the technical solutions 
to some aspects of the problem such as filters are not even relevant to 
the IETF's goal as a standards organization except where standardization 
is needed (Sieve for example). Yet the media and some of the industry 
players have accused the IETF of foot dragging and not addressing the 
problem, when this is clearly out of scope for the IETF.

This discussion got me thinking about the need to state clearly that the 
IETF's goal is not to solve the spam problem. I begun writing a draft on 
this 
(http://www.shaftek.org/asrg/draft-irtf-asrg-ietf-role-in-fighting-spam-00.txt).

Yakov

Re: Principles of Spam-abatement

[Iljitsch van Beijnum]

On 12-mrt-04, at 21:45, Yakov Shafranovich wrote:

if there is anything the IETF should or should not be doing in the 
spam arena (changing existing standards, making new standards, etc.)?
How about this:

As time goes on, an email address gets on more and more spam lists. One 
way to avoid this is to use an email address for some time, and then 
discard it. However, this has the unpleasant side effect that people 
who only know the old address can no longer send email. What could help 
here is a standardized mechanism that allows someone to take an old 
email address and from that discover a pointer to where the new address 
can be found.

This could be done in (at least) two ways:

1. A standard transformation:
   [EMAIL PROTECTED] -> http://xyz.muada.com/iljitsch
2. An SMTP response code:
   522 DOES NOT ACCEPT MAIL SEE 

Re: "Principles" of "Spam-abatement"

[Dave Crocker]

Paul,

PV> but i'll bet my bank has ways of trusting your bank.
...
PV> if your bond is only $30/year then i probably wouldn't trust you no matter
PV> what my bank told me about your insurance company or what your insurance


It depends upon what is being trusted and what the incentives are for
violating the trust.

Some trust does require a large, enforceable penalty for violations.
Other trust can work quite well based only on history.

A bank might give out small, unsecured loans based on that history, but
might require a big loan to be secured.

I might be willing to take a first-first email from someone who has a
history of not-spamming, without requiring that they suffer a penalty
(other than my reporting them to the third-party trust agency) if they
violate that.

d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA 

Re: "Principles" of "Spam-abatement"

[Paul Vixie]

> I might be willing to take a first-first email from someone who has a
> history of not-spamming, without requiring that they suffer a penalty
> (other than my reporting them to the third-party trust agency) if they
> violate that.

no, you would not.

dave, you're not thinking of this as information warfare.  you have to.
every time you consider a plan, ask yourself "where are the loopholes?"
or "how can it be abused?"  (and, "what if 6 billion people did this?")

identities without history will be a dime a dozen, or cheaper.  spammers
with no history could trample your privacy all day long if you allowed it.

accepting incoming communication from someone the world has no hooks into
is off the table.  allowing the world to have its hooks in someone whose
identity you don't know (and could never find out) has to continue to work,
but anonymity and homelessness are not the same thing.

Re: "Principles" of "Spam-abatement"

[Vernon Schryver]

> From: Paul Vixie 

> ...
> identities without history will be a dime a dozen, or cheaper.  spammers
> with no history could trample your privacy all day long if you allowed it.
>
> accepting incoming communication from someone the world has no hooks into
> is off the table.  allowing the world to have its hooks in someone whose
> identity you don't know (and could never find out) has to continue to work,
> but anonymity and homelessness are not the same thing.

Stated that way, but perhaps with an unintended interpretation, I agree.
Every mail sender is "hooked" by an entity that the mail receiver knows
and that has its own reputation that can be checked today.  The ISPs
that own the IP addresses in every IP packet that Ralsky sends "have
their hooks" in Ralsky.   You can decide whether the implicit no-spam
guarantee from that "hooking" agency is sufficient by checking your own
blacklist or the blacklists of others via DNS or BGP.

All of the possible good and bad aspects of any possible "trust" or
"reputation" system are already present in the current system.  

  - If you say that you can't trust ISPs to check that a new customer
 is not Al Ralsky in disguise or one of his proxies, then you must
 say the same about any other organization.

  - If you say that ISPs cannot check the reputation of new customers
 for a $30/month account, then you must say the same about any other
 organization.

  - If you say that you cannot trust ISPs to terminate the accounts of
 spammers, then you must say that you cannot trust any other outfit
 to revoke the PKI cert or other assurance for spammers. 

  - If you trust some of those other outfits to revoke their virtual
 letters of introduction and recommendation, than you must be
 willing to trust some ISPs to do the same and terminate accounts.

  - If you say that third party organization could assure you that a
 mail sender is not a spammer, then you must agree that an ISP
 could check with that organization before adding a password to a
 RADIUS server or or turn on a DSLAM, and that an ISP could terminate
 an account when that third party revokes is assurance.

  - You can be anonymous on the Internet only if your ISP protects you.
 No one is homeless on the Internet.  The SYN-ACK for your SYN to
 port 25 must get back to your source IP address home at your ISP.

The connection between you, the spam or mail target, and the ISP that
has its hooks in the mail sender is better than any PKI or crypto
related system could possibly be.  It is not only much cheaper than
anything Microsoft/Yahoo/AOL/Verisign would sell, but technically more
reliable.  IP address spoofing was practically impossible for spam
even before RFC 1948 and related defenses, because it was too hard and
unreliable if you need to make 10,000,000 successfully spoofed ISN
predicted TCP connections per day.  On the other hand, we all knew
even before the bogus "Microsoft Corporation" certs or the discovery
that those bogus certs could not be revoked that commercial PKI is eyewash.

If you believe that "reputation" or "trust" systems might help the
spam problem, then the only room for improvement is in the trust query
protocol.  DNS is a screw driver being used as a hammer in DNS blacklists.
However, this is merely a matter of optimization or elegance.


Vernon Schryver[EMAIL PROTECTED]

Re: "Principles" of "Spam-abatement"

[Eric A. Hall]

On 3/17/2004 9:33 AM, Paul Vixie wrote:

> identities without history will be a dime a dozen, or cheaper.
> spammers with no history could trample your privacy all day long if you
> allowed it.
> 
> accepting incoming communication from someone the world has no hooks
> into is off the table.

Not applicable to sales@ or emergency@ type mailboxes.

-- 
Eric A. Hallhttp://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/