Interesting People mailing list archives

IP: well worth reading. spam and forced email servers.....


From: David Farber <dfarber () earthlink net>
Date: Wed, 13 Mar 2002 10:37:23 -0400


-----Original Message-----
From: "Mike O'Dell" <mo () ccr org>
Date: Wed, 13 Mar 2002 09:11:01 
To: dave () farber net
Subject: spam and forced email servers.....


people don't like spam

service providers don't like spam either - trust me on this
anyone who believes a network operator makes money 
on spam is simply out of their mind - covering a headcount
of 50-odd people in a large abuse department is expensive

holding people responsible requires some degree of traceability

the Internet email protocols don't provide any support for this

what to do??
it depends on how much you think is required by the various
spam-fighting extortionist vigilantes

(1) force sending via SMTP servers through a connection which
requires presentation of credentials of some kind - this allows
the prevention of "unauthorized relays" while still allowing
mobile users to send via those SMTP servers

problem: this doesn't prevent a paying user from sending spam
with forged source addresses, thereby still provoking the
vigilantes

so (2) force outgoing email to use traceable FROM addresses.
that way outright forgeries are filtered and miscreants can
be traced

new problem: people with existing domains get hosed

so (3) provide exception lists in the forwarding path to
allow certain domains to get through as authorized

new problems: complex machinery - database to maintain
              forwarding performance in mail servers
              who gets to put domains in the database?
              how do you know they are allowed to do it?
              how do you deal with the inevitable screwups?


Folks, this is a really hard problem.  And it's hard in the
real world in a fundamental way. The problem being posed
here requires identifying the intent of an action *as would
be interpreted by the receiver* BEFORE IT HAPPENS.

THIS IS NONSENSE.

It's hard for another reason - a strong notion of "identity"
is very squishy in the real world, and expecting electronic
surrogates to make good value judgements about these matters
is just silly.  PEOPLE have trouble doing this.

For example - Dave, prove to me that you are indeed the Dave Farber
that i have in mind.  It's very hard.  In fact, when the Government
needs to establish who you really are, they take MONTHS to determine
that you are indeed who you claim to be.  

I submit that nobody would stand for a TS/SCI background investigation
just to get an Internet account somewhere.  However, people assume
that service providers can have the visibility into a customer's
affairs that even government agencies can't always get right with
people who have *agreed* to a regular colonoscopic exam.  They can't
and if you think about it, you don't want them to.

Bad behavior cannot be prevented.  If you know how to do this,
why are you worried about spam and not murder??  This is not
a hyperbole - the ability to foretell intent is required in
both cases.  The instrumentality to commit spam is the same
as required to send perfectly valid email.  the only difference
is the intent of the sender.

TECHNOLOGY CANNOT DETERMINE THIS.

I'm sorry if this is bad news, and i'm certain i'll get yelled at
as some kind of "friend of the spammers".  Anyone who knows how
much of my time i've spent on the problem knows otherwise.

But there are limits to how much can be done.

I'm sorry.

Remember Heiden's First Law:

        When you want it bad,
        You get it bad,
        And most people want it in the worst way.


So everyone get a grip here.  The service providers do not
have a magic bullet and most of the actions are being taken
directly in response to what people have demanded.

        cheers,
        -mo

        Mike O'Dell
        Ex-Chief Scientist
        UUNET Technologies



For archives see:
http://www.interesting-people.org/archives/interesting-people/
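
The three measures listed in the message above (credentials, traceable FROM addresses, per-customer exception lists), sketched as a submission-time policy check. This is an added example, not part of the original message or of any provider's code; the account names, domains and function name are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data: the provider domain and accounts are hypothetical.
PROVIDER_DOMAIN = "isp.example"

@dataclass
class Account:
    username: str
    # Measure (3): extra sender domains this customer is authorized to use.
    allowed_domains: set = field(default_factory=set)

ACCOUNTS = {
    "alice": Account("alice"),
    "bob": Account("bob", {"bobs-hardware.example"}),
}

def check_submission(auth_user, mail_from):
    """Return (accepted, reason) for one SMTP submission attempt."""
    # Measure (1): no credentials, no relay.
    account = ACCOUNTS.get(auth_user) if auth_user else None
    if account is None:
        return False, "authentication required"
    local, sep, domain = mail_from.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed sender address"
    domain = domain.lower()
    # Measure (2): the sender address must trace back to the account.
    if domain == PROVIDER_DOMAIN and local.lower() == account.username:
        return True, "sender matches account"
    # Measure (3): exception list for customers with their own domains.
    if domain in account.allowed_domains:
        return True, "sender domain on exception list"
    return False, "sender not traceable to account"
```

The check takes only an identity and an address as input; it has nothing to say about the content or purpose of an accepted message.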

