Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

[Paul Vixie <vixie () vix com>]

> > ...and, occasionally, your ISP's "abuse desk."  If this function of
> > your ISP costs less than 1 FTE per 10,000 dialups or 1,000 T1's or 100
> > T3's, then your ISP is a slacker and probably a magnet for professional
> > spammers as well.

> Not to try to undercut the general point, but that would imply that
> Earthlink, AOL, and MSN (for examples) should have a combined abuse
> department of roughly 1500 employees.  Well, perhaps those were poor
> examples then.

as i told patrick, the numbers are round, and a survey is needed.  it's
definitely going to be the case that scale will lead to economy, and AOL
could most likely get by with only 100 full time "abuse desk" staffers
as long as the rest of their service model were optimized to make abuse
difficult to propagate.  i doubt they will comment in detail here, since
the actual numbers are likely to be some kind of internal secret.  i know
i get far less spam from AOL than i used to, and i've assumed that this
is because they decided to address the costs at the front end (in their
service model) rather than the back end (in endless cleanup.)

>  It would be wonderful if it were the case, and while it seems like
> laziness when we talk about the big guys, most middle sized providers
> just don't have the operating budgets to not slack at least a little bit.

whenever you get spammed, it's because some isp somewhere is a slacker,
and is letting you pay the price for their lack of investment in this
critical area.  (spam is not unlike route flaps in this way, i suppose.)

> But this debate (I'm not debating with *you*) keeps coming around full
> circle.  Perhaps the real social problem is convincing whatever standards
> bodies and vendors necessary that it is a technical problem.

i think it's clear that everybody wants it to be somebody else's problem.

> There seems to be far too much apathy (FUD?) rather than just designing a
> partial solution, however imperfect, and implementing it.

as the designer of several partial solutions which have been implemented, i
agree from experience.

spam's assymetric cost:benefit ratio (between a spammer and a victim)
really institutionalizes apathy.  the benefit to one spammer in being able
to outwit a defense is a measurable success in that day's events.  the
benefit to one victim in being able to erect a defense which stops one kind
of spam or spam from one source or what have you is immeasurably small
compared to the deluge of other crap that'll come over the gunwales in the
same diurnal period.

no solution which does not progressively leverage the combined small
efforts of millions of spam victims will ever be measurably effective other
than in some small locality and/or for some brief instant.  see the DCC
for an example (http://dcc.rhyolite.com/) of how to build and apply that
leverage.  (i'm not giving the reference to vipul's razor because i said
"millions.")
-- 
Paul Vixie