Re: SPAM, IEMMC, and Caller ID

[Brian Moore <bem () cmc net>]

> If you can positively identify the individual, you can say you don't want 
> to accept mail from that person, regardless of where the account is.  If
> the system I described were in place, you could decide to accept mail based
> on criteria that the certifying authority places on those whose 
> certificates it signed, and you would never have to know the individuals
> or their ISPs ahead of time.  For example, you could say you only wanted
> to accept mail from either people you specifically wanted (your white
> list), or from any unknown people that were certified by having a
> notarized copy of their driver's license (or whatever), which would then
> allow you to specifically exclude particular people you didn't want to
> receive mail from. 

Okay, suppose I bought into this.  CMC.NET is now stamping a PGP-signed
X-Authenticated-User: line on mail.  We'd have to distribute keys for us
somehow.  I guess the obvious solution is to add a resource type to DNS.

Now, suppose you've never gotten mail from CMC.NET.  How would you know just
what our requirements for an account are?  (For the record, we do require a
personally signed contract and current state-issued ID or drivers license.)

We'd have to have yet another signatory to stamp our record as meeting that
qualification and they would have to verify it.

Basically, we'd be moving to a 'virtual' white list, scattered about like DNS
with various authorities overseeing the validity of records.  Who would define
those authorities.  How would they be monitored?  Who watches the Watchmen?

I'll believe such a system will work when something like DNS is more reliable.

Never mind the huge difficulty in getting a 'new improved' standard to be
accepted.  Heck, SMTP sucks in implementation quite often (as I write this, I'm
being deluged with piles of mail from a broken Lotus Notes gateway, and odds
are so are others posting to this list).  It's highly difficult in the chaos
that is the Internet to make new protocols work unless you're the first or
damned lucky.  Again, note how long it's taken IMAP to be noticed by vendors
and how just now they're realizing it's a pretty nifty protocol.

[List owner... please shoot the person on this gateway:
Received: from merit.edu by uprr-internet.notes.up.com
  (PostalUnion/SMTP(tm) v2.1.9c for Windows NT(tm))
  id AA-1997Oct29.204929.1155.1272450; Wed, 29 Oct 1997 20:49:29 -0500]

> In an ideal world we wouldn't have to worry about this, we could just all
> be open and friendly and accept mail from whoever.  However, it is no
> longer that way on the Internet and will never be again.  I agree that
> implementing a scheme digitally signing mail is a vast undertaking that
> would never be entirely complete.  However, I see no alternative in the long
> run.  Your suggestion will always require a large amount of manual effort

What suggestion?  Unplugging spammers is my suggestion.  Do not harbor them, do
not encourage them, do not sell to them.  Cheap and easy.  It has been Mr.
Lawlor's suggestion in the past to just use tcp wrappers or sendmail rules to
deny spammers, but then kept moving around netblocks and refusing to tell
people where their spammers were.  I've only done it because it was effective
in stopping some of their spew.

If you believe Mr. Lawlor, his own system hasn't been effective, since I've
gotten "hundred or thousands" of pieces of spam despite it.

> and you will always be playing catchup with the spammers.  Using schemes
> such as Vixie's blacklist is difficult for an ISP as it presupposes what
> individual customers will want -- some of them certainly do not want to lose
> connectivity to a portion of the Internet, even if it means exposing them to
> spam.  After all, we can all certainly be free of spam by simply unplugging
> the wire, but the cost is obviously too high.

Why is it too high?  It's quite simple to deny service to those that can't be
responsible.  Doing so is quite effective.  A couple examples:

kiki9 () ix netcom com was told to quite spamming "her" website ads or she'd lose
her hosted site.  She'd been spamming from disposable accounts for MONTHS.  The
spam has since stopped from her.

Although Cyberpromo and Pals have been booted from AGIS, they could easily go
get a 28.8k disposable account somewhere and continue their spew.  But they
haven't managed to do that and have been blissfully quiet.  Why?  No
autoresponders.  No web sites.

Mr. Lawlor was right in one point: Spammers do it to make money.  Take away
their ability to make money and the problem ceases.  It -is- something network
operators of various sizes can and do daily, whether it is a dialup customer or
a DS3 connected site.  It has been done for YEARS going back to the days of
people complaining about MUD and IRC traffic on the NSF backbone not being
'eductational'.

This whole talk of digitally signed mail has nothing to do with NANOG (it is an
IETF issue as I pointed out once) and will do nothing to stop spam unless one
is willing to whitelist.