Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
----- Original Message -----
From: "Markus Stumpf" <maex-lists-spam-ietf-asrg at Space.Net>
To: "George Ou" <george_ou at netzero.com>
Cc: "Markus Stumpf" <maex-lists-spam-ietf-asrg at Space.Net>; <asrg at ietf.org>
Sent: Monday, June 28, 2004 3:23 PM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
> And about collateral damage: this will lead to a cleanup. "colocators"
> with a rented PIII and 100 virtual domains with dumping prices and no
> monitoring or caring or abuse handling will die and leave room for
> responsible people with servers closely maintained and monitored.
> Problem solved.
Well, it just doesn't work that way since there will always be a need for a
small shop to collocate at a cheap price. So long as there is a demand for
that, that will not change.
> Moving a "legal" domain will be a pain, as you would have to update your
> SPF records to have the new IP address listed. Changing ISPs even with
> 100 domains will become a nightmare for resellers.
Ah c'mon, that is a totally bogus argument. Moving a "legal" domain to a
different ISP already entails changing the authoritative DNS server, all the
"A" records such as www, MX records, and a whole bunch of other things in
DNS. So what if you have to change the SenderID records too while you're at
it.
> No they don't. They open a wide new field for post Sender ID and Domain
> Key systems that are needed to accredit the information in the SPF
> records or you will be vulnerable to "throwaway domains". 1000 domains
> for USD 5000 (or even cheaper) leaves a lot of room. Short-TTL *valid*
> SPF records pointing to a network of 150000 abused DSL hosts
> http://www.wired.com/news/business/0,1367,60747,00.html
> http://www.circleid.com/article/162_0_1_0_C/
> that is highly adaptable. For that SPF, Caller-ID, DomainKeys et al.
> will not change a thing without additional accreditation services.
I think we already went through this many times on this group. Those throw
away domains can potentially be blacklisted in near real time just like a
unique piece of spam is blocked based on its pseudo-hash by DCC. However,
using DCC to blacklist a domain is far more reaching than blacklisting a
single message based on its hash. Currently, DCC cannot be used to
blacklist domains because the sender domain can be spoofed. The fact of the
matter is, you can already block 99.9% of spam with almost zero false
positives just using SpamAssassin and DCC (or some expensive appliance that
essentially does the same thing). SenderID would just make DCC that much
more effective.
If that isn't effective enough, then some form of accreditation service
would be needed. Two possible mechanisms for achieving this are some form of
"bonded sender" or tying the owner's biometrics to the domain.
In the "bonded sender" case (which was proposed before domain authentication
was widely known but would have been useless then), you put up say $1000 per
domain in a bond that you promise not to abuse email with your domain. You
lose the $1000 if you do.
In the second example, if I didn't want to put up the $1000 bond then I
could digitally certify my photo and fingerprints (encrypted so only law
enforcement can open them) with my domain name. This would make it very easy to
track me down if I break any spam laws. This second option would probably
work better in a post Domain Keys world because every message I send is
digitally signed by my domain's outbound SMTP server. Any piece of spam
that I send would have my digital fingerprint on it.
George
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg