Re: [Asrg] Do we need to do anything?

[Jim Youll <jim@media.mit.edu>]

At 0:22 -0500 3/7/03, Kee Hinckley wrote:
> At 5:18 PM -0500 3/6/03, Jim Youll wrote:
> > As a server operator for several domains, I don't know that life 
> > would be made
> I said ISP.  Not domain operator.  For some ISPs bounces are already 
> such a big problem that they are interfering with normal email 
> processing.
I've also run an ISP. Same. Our life as an ISP would not be made hell 
by addition of additional e-mail addresses that we halt at TO:... if 
anything, if we could shift the traffic from procmail to that early 
step, the servers would be happier.

Beyond that I'm not going to debate it with you. These techniques are 
in use at various places already, I've requested statistics and hope 
to get some soon... It is an effective technique for some people in 
some settings.

These need not be used everywhere to create a noticeable effect on 
inbound spam for normal people like my grandmothers and niece and 
nephew, who are more like "typical" internet users than anyone 
reading this message is.

A diversity of techniques is appropriate. This is one of them.

> > "hell" by it. Spammers can send a finite number of messages, there 
> > IS a point of economic breakdown. As things stand now it seems to 
> > matter little whether
> What is that point?  I know the necessary numbers were presented at 
> the MIT Spam Conference but I didn't note them.  Anyone care to 
> estimate at what point the return becomes so small that spammers 
> lose money?  Obviously it depends on what you're selling.  The 
> Nigerian schemes can afford to send messages for a very long time, 
> given that their return is sometimes in the millions of dollars.
The numbers for the Nigerians were estimated in the last few weeks at 
about one million dollars, total, for all instances of the scam 
worldwide, ever. If they could afford to send continuously, they 
would, but they cannot. There is a cost, however small, first a 
matter of efficiency, second a simple matter that if too much mail is 
bouncing from somewhere, we next cut off that somewhere and that's 
the end of it.

> > Finally, if the same care is taken with these addresses as with the 
> > addresses we use now (I think I must be reachable by at least 15-30 
> > addresses right now), then the rate of turnover need not be 
> > excruciatingly high... further, a
> You talk about turnover as though it were acceptable.  Do you move 
> your house every year?  Do you change your name?  What is the 
> acceptable rate of turnover for the address "kee@hinckley.com"?  How 
> about "support@example.com"?  Do you want every user to have to go 
> the website of every company they do business with every time in 
> order to find out what the current support address is?  What about 
> this mailing list?
Please, don't be so fast to jump. I've already said several times 
that this does not work for all users in all circumstances. But 
nothing really does at this point. Nope, support@ and help@ and 
sales@ are going to be screwed for a long time, and they need other 
solutions.

There are many times that I use an e-mail address that can very well 
be transient, and in those cases, it is preferable to use a throwaway 
rather than my main address. For example, posting an online 
classified ad, posting to a newsgroup... i definitely should use an 
only-for-there transient address when joining a mailing list such as 
this due to the wide dissemination, and I'd use it just for this 
list. So, there are many instances of communications that are 
_expected_ to be short-lived and i see nothing wrong with using a 
short-lived e-mail address for them. In fact I already do that. If 
all the parties behave themselves, no future communication will ever 
come toward me just to be bounced back. If they don't, then there is 
a pretty good chance the offender will remove me (because it's not 
spam but a badly behaved merchant), and finally, sometimes, but not 
always, the address may have been leaked, and in that case I don't 
receive spam.

I've also said that this process would have to be automated to be 
really useful. If someone writes to me out of band and we begin 
talking at length, yeah, that person needs a separate address to 
write me with since the other may go away someday. So clearly, the 
best use of these is 1:whatever messaging where the scope of the 
messaging does not change. I can think of many cases that fit this 
rule. Not all. Many.

The technique could be used to immunize certain settings, in 
particular public forums that permit out-of-band member-to-member 
communications, from address harvesting.

I have asked for some stats from the people who run craigslist.org, 
which places an anonymous, transient, FORWARDED (talk about 
"expensive") e-mail address on every posting. I have never received a 
spam due to an address that was harvested from there. Why? Because 
nobody harvests addresses from there, since they are all for the most 
part invalid from one to thirty days afterward. No value.

> > 1:1 mapping that allows tracking of a leaked address to its source 
> > introduces the possibility of enforcement of all manner of 
> > penalties against the transgressor... so I don't think this 
> > approach would lead to an explosion of inbound spam, not at all.
> And how do you determine the transgressor for the address you posted 
> to the web or put on your business card or that was forwarded from 
> your mother's address book by a virus?  We're back to authentication 
> again.  And if you have authentication, you don't need disposal 
> email addresses.
Obviously it was my mother or her computer. I give her a new address 
for writing to me, I turn off the old one, and we continue to 
correspond. I note that this is not necessary until a problem occurs. 
Most instances of mail-forwarding-viruses do not lead to spamming so 
it is certainly not a given that the turnover rate would be high at 
all.

- jim
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg