So now the FTC is in on the act

[David Farber <dave () farber net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Begin forwarded message:

From: Phil Karn <karn () ka9q net>
Date: May 24, 2005 9:39:31 PM EDT
To: David Farber <dave () farber net>
Subject: So now the FTC is in on the act


(For IP if you want...)


So now the FTC has lent the bully pulpit of the federal government  
toward those advocating ill-advised "anti-spam" practices like port  
25 blocking.

Double sigh.

No doubt the FTC's staff members *think* they're doing the right  
thing. They're probably well-meaning but totally non-technical people  
who only know what a few especially rabid, scorched-earth anti-spam  
zealots have told them. So they simply don't know any better. That's  
apparent from their nonsensical remark that users who need to run  
their own mail servers could use authenticated access to port 587.

So how do we clue them into the fact that there are better ways?

If the FTC wants to do some good, they could start with a vigorous  
legal action against the software vendor whose incompetence,  
arrogance and utter recklessness is directly responsible for the  
hundreds of thousands of spam zombies that we all agree are causing a  
serious problem. I find it inexplicable that they're still unscathed  
by all the damage they have caused and continue to cause. I guess  
most people (including those in government) simply don't know that  
there are better alternatives, and that personal computer software  
simply doesn't *have* to be this wretched.

And when it comes to technical countermeasures, the FTC (and those  
who seem to have its ear) have it totally wrong.

Their first mistake is the belief that it should be an ISP's job to  
police their customer's email for viruses and spam. This raises some  
very serious and fundamental security, privacy and due-process  
issues. These issues are not raised -- or are far less serious --  
when an ISP's abuse department is triggered only by complaints from  
users on the receiving end of malicious traffic.

But even if we were to agree that it's an ISP's job to monitor its  
customers' mail, exactly why does that imply blocking port 25 and  
forcing all outbound mail through an application level gateway? Why  
is it necessary to do so much violence to the Internet end-to-end  
model? Let the users talk directly to port 25 if they want. Just set  
up an automatic packet monitor and passively watch for the  
characteristic signs of massive spamming or a virus infection. When  
it trips, investigate the situation and, if necessary, cut off the  
user's service or limit his connectivity to sites distributing  
patches and anti-virus tools.

Such packet monitoring systems already exist. They're called  
intrusion detection systems, and they're in widespread use. Not only  
can they catch infected hosts using port 25, they can catch viruses  
that spread by other means -- something forced mail relaying won't stop.

I am totally baffled by the fact that so many people (and apparently  
now the FTC) believe that forcing email through an application level  
relay is some sort of magic bullet against spam and viruses. If it  
was that easy to configure a mail relay to block spam and viruses,  
then we'd already be running those very same mechanisms on our own  
incoming mail servers. Oh wait -- we are. To the extent that they  
actually work, of course.

And since all these spam and virus detection mechanisms have their  
problems, I'd much rather give the recipients of an email -- those  
who are most directly affected by blocking and filtering decisions --  
direct policy control over those mechanisms and the appropriate trade  
offs between false positives and false negatives. It is simply wrong  
to put those mechanisms back at the sender's ISP whose staff  
generally couldn't care less if a few (or even a lot) of legitimate  
email is blocked as long as their phone and pagers don't ring as much.

- --Phil




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iQEVAwUBQpRE5Zvsr0LEqlnXAQJaiAf7B4rjXiqeTeWZB6wkURLdfPuXTflp3CWN
cIVQIYPxSc4sJO3M0izGWrrhBMqurWOrbFIboIYvqquSEEHcKe91Yl9IgEcxPHcF
2PQCsNR+0yMMGA/GZxqK5fvWPYMgRmGrIQfT7fgQM1VoLhZ46X+1t+hDpqzONNJe
6v7Oy81SNYnZZoDgkovYpSrT8a3EuisDx66UAMZVrmUdHfyWqAMqeUObZhNUtvkS
F9fEAtM7S9KKGYfVYek1d3HzMaVqbPnMkH+BMnMrhM3svTHw0x98xpJrx79z0XAG
xx1cEtou68VyOTegQ5P/uciTZbPgCxEV98PQ8EpEJ6a1W1X9JD51Eg==
=TRIq
-----END PGP SIGNATURE-----

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/