
Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam



"David Wall" <d.wall at computer.org> wrote:

>> Not the ones being forged that set up SPF (or whatever).
>> Not the ones the spam is sent to that check SPF (or whatever).
>
> And what if only a few major ISPs implement this and most everyone else
> fails to?  

More than "a few major ISPs" have already implemented SPF.

> It's a solution that may not be implementable since it seems to
> solve so little in reality.

Whether or not it's implementable has nothing to do with what it
solves, only with the difficulty in implementing it (which is actually
quite small).

>> Good.  Then the complaints can come right back at the spam-emitter and
>> his ISP, and he can be persuaded by whatever means necessary to stop
>> emitting spam.
>
> But he said those were zombies, not spammer systems.  So the system hurt is
> the person who is already a victim, and the ISP of the victim also suffers.

The system hurt is the one that is emitting spam at me.  When it is
fixed, so it stops emitting spam, then it stops being hurt.  The ISP
hurt is the one that allowed its luser to spew spam at me.  I refuse
to feel sorry for them.

>> And there are millions of oldly infected machines on the net right
>> now.  Making zombies useless in hours rather than months or years is a
>> big win for the good guys.
>
> It doesn't make them useless, it just increases the pain a victim
> has.

It makes them useless for spamming, because they get cut off (and
maybe disinfected).

> Today, their computer processing and bandwidth is used, but with the
> bounces, they'll get more processing and bandwidth wasted dealing with the
> forged bounces.

That bandwidth will then be unavailable for the emission of spam; I
consider that good.

>  The "from" will just be the zombie's machine so everything
> will look okay to SPF,

Wrong.  SPF need not allow every luser dialup to send mail from a
domain; rather, it will specify _only_ the outgoing mailservers (if
set up correctly).

> assuming that the domain has even adopted SPF, which is a poor
> assumption (how many people are really updating their DNS to support
> SPF for the millions of domains out there?).

Huh?  Each domain sets up SPF for itself.  It's easy, just put a few
records in your DNS.  I set up SPF for 7 domains (all that I own), I
don't have to do anything for anybody else's.

>> I fail to see how getting faster at whacking them can possibly be a
>> bad thing.  It might not be good _enough_ all by itself, but that
>> doesn't make it bad.
>
> It's bad the way the war on terror is bad.

Stop with the bogus analogies.

>  It becomes an arms race and you can only hope to win by spending
> more than the other guys and suffering the pain during the entire
> struggle.

I think AOL would be willing to spend more than all the spammers in
the world put together if that would stop spam; it would save AOL
money.

But it doesn't take spending more money to win, anyway.

>> It would eliminate a large fraction of the spam I currently get.
> No, like blacklists and the like, it will just cause spam to arrive another
> way.

A lot of the spam I get is bounceback from spam with my address forged
as the sender.  That would be stopped.

>  After all, if I set up an SMTP and send out millions of spams, I can
> just move later.  I can switch ISPs.  I can switch domains and
> switch hosting companies.  The changes will just occur faster and
> faster and there will be no end to figuring out what is legit and
> what is spam.

So why oppose a technique that makes it easier in some cases?

> Spam itself is already illegal.  Why not prosecute spammers?

Who said we shouldn't?  (I prefer Orson Swindle's method, myself,
though.)

>  It's as if the solution you figure for burglary is everyone should
> have cameras positioned on their daily lives and all people should
> have tracking devices that cameras can use to identify people in
> view.

More bogus analogies.

Anyway, some places _do_ put up cameras, to cut down on burglaries.
It hasn't totally eliminated burglary, of course, but clearly the
places that do it think they benefit.

>  Assume all households contain burglars, so we need to id them all.
> Assume all homes will be victims, so check everyone approaching.
> That's a bad policy.

I have the right to identify people seeking to enter my home, and deny
entrance to those who fail to identify themselves to my satisfaction.
The same holds true for my mailserver.

>> Who are those "numerous legitimate users" who desire to forge the
>> email they send?
> Well, just about every employee who has a work email address but
> cannot send out email when at home or on the road.

You mean, the ones whose companies have misconfigured mailservers that
don't accept "submission"?

>  Most ISPs only let you use the email address they assigned, and
> more and more are blocking direct access to port 25 to reach
> external SMTP servers.

That's why the Submit protocol doesn't use port 25.

> I don't think it's that odd for people to have numerous email
> addresses that represent their various identities, including those
> that are considered illicit by some, like people who want to have
> political arguments without fear of reprisals from their governments

I don't either.

But I can access my gmail account, and send email from it (emanating
from gmail) from just about anywhere I can run a browser.

I can emanate email from my Panix account on Panix anywhere I can run
ssh.

So what's the problem if I'm visiting a friend and getting raw Internet
access through her ISP?  I can still send email from my accounts.

>> Nobody said it _solves_ the problem.  It _helps_.
> But it won't.  It will just change the nature of the beast and spam
> won't be reduced.

The blowback spam I get will be reduced.

>> True rubbish, though.
> Untrue rubbish.  You will live and see.

Yes, we will.

For some reason, I'm more inclined to respect the opinions of people
in charge of 50% or so of all the legitimate email on the net than of
others whining about their proposals.

>  Just like Bush will learn that you can't invade a country with
> 100,000 troops and you can't beat Islamic hatred with a big stick.

Stop with the bogus analogies already.

>> He said that something would *reduce spam*.  It will.  You're whining
>> that it won't "solve the spam problem".  Nobody said it would.  That
>> doesn't make it "rubbish".
> First, good spam filters already can reduce a lot of bad email.

Fine.  Nobody is arguing against them.

>  With more intelligent filters, we will be able to not only filter
> out unwanted spam, but perhaps allow desirable spam (some people do
> want the products being sold after all),

Yeah, and some people want millions of dollars from Nigeria, too.

> but we can filter out the noise of newsgroups like this

This is a mailing list.  Don't you know the difference?

> It is really sad when I send a message to AOL and it never arrives
> because their filters deemed my message to be spam when it was not.

So why do you oppose something that will make legitimate email seem
less like spam?

>  When corporations decide what's allowed to be received
> instead of the recipient, we have a real problem.

Run your own mailserver and make your own rules.

Or pay for an ISP that will allow you to make your own rules.

You don't get to require someone else to use the business model you
prefer, you only get to choose whether or not to be their customer.

>> Since you don't believe in SPF or similar sender-verification methods,
>> how are you going to distinguish between the HTML mail from a phisher
>> who claims to be eBay and HTML mail from eBay?  They look a lot alike.
>
> This is actually a great point.  One interesting aside, whenever
> eBay adds a new email server, it had better remember to update its
> SPF records a few days before it goes online lest all email sent by
> that server be rejected as invalid.

Not really; a few hours will suffice (and setting out an entire /24
even if some of it is currently unused isn't a problem, either).

>  DNS caches and such will mean that you cannot count on immediate
> changes to SPF,

Negative responses are not cached for very long, if at all.

> and what will happen when someone goes "oops, I forgot to update the
> TXT DNS record" and thousands of emails were rejected and lost
> forever?

Rejected email isn't "lost forever".  It can be resent.

And when people make mistakes, bad things happen.  But isn't it better
to have less valid email lost over the course of a year, even if
there's more lost for a few hours when somebody goofed?

> But back on point, why is eBay using free email to conduct sensitive
> business?

What do you mean "free email"?  eBay pays for its network.

>  This is where spam originated, and the crybabies like AOL are
> pathetic since they are the root cause of spam

What did they have to do with C&S, or jj?

>  Do you suppose rogue employees will update DNS with false TXT
> records since most people wouldn't notice an addition to SPF that
> allowed another IP address to send out?

Somebody will, and then the rogue employee will be arrested.

>  How much would I have to pay some schmuck at AOL
> to do it -- they already will sell me their customer list.

I bet the price just went way up, what with the felony prosecutions
and all.

> eBay should grow up and stop relying on free email for important
> business communications.  This is why spam arose.  They don't slip
> notes under our door, or talk to me over walkie talkies or CB
> radios.  They should use secure systems that have all of the
> identity and such built-in to protect their interest.

If you have a better business model, why do they have a $58 Billion
market cap and you're worth how much?  (And they earn around $600
Million/year, so it isn't just bubble stock pricing.)

>  Just like they pay for regular mail, they should pay for
> specialized email.

Why?  How much should they spend to make you happy?  Are you worth
that much to them?

> All these big businesses have hijacked our

What made it "ours" in the first place?

> open, free and unencumbered email,

When was it that?  (Do you know how restricted the ARPANET originally
was?)

>  It's time businesses stopped using a lowest common denominator
> solution that works great for casual conversations for business
> communications.

If you can build a better business that way, you should outcompete the
existing ones in the marketplace.  I won't invest.

>  If eBay stopped using email to communicate with its customers and
> used one of the secure alternatives,

instead of making $600 Million it would make maybe $6 because it
wouldn't have any customers.

> nobody who used eBay would be
> tricked by an email that looks like it came from eBay.

Yes, they would.

>> Tell us about those "*LOT* of legitimate users" who desire to forge
>> email again.
> Aside from those with multiple email addresses (like all employees),

I have multiple email addresses, and I don't have to forge.

> there are newslists like this one that send out messages on behalf
> of others.

Mailing lists already mung headers, there's no reason the list headers
can't be checked by SPF.

> Well, this breaks down when SPF goes into play.

It needn't.

>  Same goes for PayPal that
> sends out emails on behalf of its customers,

That email comes from PayPal, and says it does.  (I just got one,
about 10 minutes ago.  It says it came from PayPal, and told me what
transaction I did with whom.)

> as do groupware applications, among others.

So far, I've successfully avoided this "groupware" stuff.

>> Maybe the ISP won't allow dialup lusers to send email on its behalf,
>> but only authorize (per SPF) its own mailservers.  Then the zombie
>> can't send anything directly, and sending through the ISP's servers is
>> subject to filtering, rate-limiting, and other methods of reducing
>> emitted spam.
>
> I'm glad that you like the idea that companies who carry our email
> get to filter our content and decide what we get and what we don't
> get, what we can send and what we can't send.

Their servers, their rules.  (That's one reason I own a box in a colo
center: my server, my rules.)

Anyway, I suspect most will only scan for viruses and record volume.

>> No, it isn't.  It just needs to mung the headers appropriately.
> But that assumes everyone joins the club right away.  Those who
> decide that they don't want others to tell them get screwed

You mean, those that don't want to cooperate are marked as not
cooperating, and then it's up to the recipient how to deal with
non-cooperators.

> and we end up with islands in
> which one group can't communicate with another,

I _want_ the spammers unable to communicate with me.

> breaking the very benefit that the Internet provided.

I don't consider their ability to do so a benefit.

Seth

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
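The thread above argues that an SPF record authorizes only a domain's outgoing mailservers (possibly a whole /24, partly unused) and that a zombie dialup host sending "from" that domain therefore fails the check. Added example, not code from the thread: a minimal SPF evaluator for the ip4/ip6 mechanisms and the terminal "all", run against a constructed record for a hypothetical domain; mechanisms needing DNS lookups (a, mx, include) are deliberately skipped so it runs offline.

```python
import ipaddress

# Constructed sample record for a hypothetical domain: one outgoing host plus a
# /24 reserved for mailservers (some of it unused), and "-all" rejecting the rest.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 -all"


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF TXT record against the connecting sender's IP address.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.  Qualifiers follow
    RFC 7208: '+' (default) pass, '-' fail, '~' softfail, '?' neutral.  Only the
    ip4, ip6 and all terms are handled; a, mx, include and others require DNS
    and are skipped here, so a record relying on them evaluates as if those
    terms were absent.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for the domain
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return results[qualifier]  # terminal: matches every sender
        if name in ("ip4", "ip6"):
            try:
                # strict=False lets a host address stand for a /32 or /128;
                # a v4 address is never contained in a v6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return results[qualifier]
            except ValueError:
                continue  # malformed CIDR: treat the term as a non-match
        # unsupported mechanism (a, mx, include, ...): skipped in this example
    return "neutral"  # RFC 7208 default when no term matched


if __name__ == "__main__":
    # A listed mailserver passes; a random dialup address is rejected outright.
    print("mailserver 198.51.100.77:", evaluate_spf(EXAMPLE_SPF, "198.51.100.77"))
    print("dialup 203.0.113.9:", evaluate_spf(EXAMPLE_SPF, "203.0.113.9"))
```

A receiving mailserver would fetch the TXT record for the MAIL FROM domain and apply this check to the connecting IP; what to do with a "fail" (reject, tag, or quarantine) is the recipient's policy, which is the point made above.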