Re: Motion for a new POST NSF AUP

[John Curran <jcurran () bbnplanet com>]

Tim,
 
  Presume that we've all met, decided a policy, figured out who it takes
  to "officially" make it an Internet policy, and made it happen.  Simply
  amazing progress has occurred, and it's still morning on the Internet...

  Now, let's talk about the hard part:  enforcement.

  Since the sender of a bulk, unsolicited advertisement may not even be 
  affiliated with the beneficiary of such mail, how do you intend catch
  the culprit?   There is nothing in an email message that provides hard
  proof of identity, and there is nothing to stop me from sending all of
  my advertising as "Tim Bass".  Since any host connected to the Internet
  can forge email with very little trail, relying on the purported sender 
  of the message is clearly not possible for enforcement.

  Of course, one could always look towards the beneficiary of the message
  (i.e. the firm which gains the business as the result of this "misuse")
  but that's actually no better than relying on the sender.   It doesn't
  matter whether the enforcement method is loss of Internet service or
  large fines, it will be very difficult for anyone to actually safely 
  invoke such methods without incurring immense liability.  Since anyone
  can send a bulk, unsolicited advertisement with "The Silk Road Group" 
  as the beneficiary, you've now created the ultimate denial of service
  attack.  Don't like a firm?  Send out a massive forged advertisement for
  their latest product and watch them get disconnected from the net... :-)

  Despite postings to the contrary, this is an extremely difficult problem 
  to solve in the absence of authentication.  While the current ad-hoc methods
  of managing such bulk advertising are not perfect, they may be far better 
  than the quick fixes being proposed.

/John

---

At 10:54 AM 10/15/95, Tim Bass wrote:
> Ladies and Gentlemen......
>
> A couple of interesting points have developed as a result of the latest
> 'spam event'.  The first one is debatable, but I would like to comment,
> that my mailbox received 'one spam message' (which I deleted in a few
> milliseconds) that generated hundereds of 'anti-spam messages'.  Causal
> to the 'spam' I would like to refer to the anti-spam messages as
> 'son-of-spam' :-)  
>
> Second, it is somewhat clear that as long as we have 'spam' we will have
> a causal event 'son-of-spam' .  Neither 'spam' nor 'son-of-spam' are welcome
> e-mail in most in-boxes, and I assume by the responses, many people find 
> 'son-of-spam' just as annoying as 'spam'.  Given that both sides of the
> coin are correct (in their own perception space) as we have seen, 
> I would like to put this on the table to the network:
>
> Should we define an new 'postNSF AUP' that addresses what types of messages
> are Acceptable Use of the Internet?  Should transit and end user providers
> require customers to agree to 'the new "agreed upon someday" commercial AUP'?
>
> Could we even agree on what a new AUP would look like?  Most everyone
> agrees that spam and son-on-spam are a waste of precious bandwidth, time,
> and energy; and unacceptable messages detract everyone from more important 
> daily issues and ideas.  
>
> I motion we create a working group to develop a draft POST NSF AUP.
> ------------------------------------------------------------------
>
> We all agree we need to manage what type of messages are acceptable use of
> the net..... Can we make POST NSF AUP a reality?
>
> Any seconds to the motion?
>
> Tim
>
> -- 
> +--------------------------------------------------------------------------+
> | Tim Bass                           | #include<campfire.h>                | 
> | Principal Network Systems Engineer |       for(beer=100;beer>1;beer++){  |
> | The Silk Road Group, Ltd.          |           take_one_down();          |
> |                                    |           pass_it_around();         |
> | http://www.silkroad.com/           |       }                             |
> |                                    |  back_to_work(); /*never reached */ | 
> +--------------------------------------------------------------------------+