
RE: pros and cons of RMX (Re: [Asrg] Declaration to the world)

2003-03-06 19:08:14

I don't have a favorite solution yet.  I think it's too early 
for that.  I personally agree with Brad Templeton and favor 
solutions that require as few changes as necessary to the rest
of the internet infrastructure and SMTP semantics.  

The reason I've been so vocal about the RMX proposal is that
I find it to be really objectionable since it requires a lot
of effort from a lot of people for no particular gain.  It's 
just another step in an arms race that has minimal long term
benefits.

I do agree wholeheartedly with you that there will not be one 
single solution.  It will take a lot of effort from a lot of 
people.  It will take a lot of code, much of which won't work,
but which will bring us closer to understanding what _will_ 
work.  I just think that it's worth discarding certain approaches 
which don't stand up to scrutiny rather than spending a huge 
amount of resources to prove empirically that they don't work.

That's how security research works.  People propose systems.
Then everyone attacks them.  Whatever's left standing wins.
I hope that no one is taking my comments too personally, but
I don't believe in sugar coating technical arguments.  If
something's weak, I believe that everyone should at least be
aware of the weakness.

                                                Jonathan

-----Original Message-----
From: Hallam-Baker, Phillip [mailto:pbaker(_at_)verisign(_dot_)com] 
Sent: Thursday, March 06, 2003 5:26 PM
To: Jonathan Wilkins; Hallam-Baker, Phillip; Chris Lewis; ietf anti-spam research group

No it's not rhetoric.  It's a statement of fact.  DNS alone
doesn't solve this problem.  If you want RMX to work, you need
to do one of the following:
1. patch the DNS protocol
2. patch DNS servers to keep track of multiple bogus responses 
   and inform the SMTP server
   (what you're going to do when this happens is unclear.  Since
   they're UDP and spoofable, surely you're not proposing that 
   all data from that IP be dropped)
   See any IDS list for details on the hazards of automated
   filtering.
3. Add a NIDS that watches for lots of unasked for DNS replies
   and communicates with your SMTP server.

If you're doing this much to compensate for a broken protocol, 
you ought to re-evaluate the cost-benefit equation.

Perhaps we might get further if you just told us all your pet 
theory rather than making us all wait till you have attacked
everything else.

You might find that we don't consider your pet theory to be
incompatible or in competition.


You appear to have the same problem Bruce Schneier had with security
before he wrote Secrets and Lies. The perfect is the enemy of the 
good. Security is risk control, not risk elimination.

Spam is an infestation, we are not going to find a magic bullet.
We are going to have to fight a long war on many fronts. We shall
fight them with filters, we shall fight them with authenticated
mail, we shall fight them in the legislatures and in the court 
room. We shall never surrender but if the Internet shall last a 
thousand years it shall be said of us that this was our finest
hour.

                Phill


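An added illustration of the check behind options 2 and 3 above (keeping track of outstanding DNS queries and noticing replies nobody asked for). This is not code from the thread or from any RMX implementation; the resolver and nameserver addresses, ports, transaction IDs and DNS messages are constructed for the demo, and the name encoder deliberately skips label compression.

```python
# Added example (not from the thread or any RMX implementation): a watcher that
# models options 2 and 3 above, tracking outstanding DNS queries and flagging
# replies nobody asked for, over a constructed stream of UDP DNS messages.
import struct
from collections import Counter

A_RECORD = 1
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; returns (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(txid, qname, qtype=A_RECORD):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(txid, qname, ipv4, qtype=A_RECORD, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 answer
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = (encode_name(qname)
              + struct.pack("!HHIH", qtype, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + question + answer


def parse(msg):
    """Pull out what a reply must echo to be accepted: txid and the question."""
    txid, flags = struct.unpack("!HH", msg[:4])
    qname, off = decode_name(msg, 12)            # question follows the 12-byte header
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype}


class ReplyWatch:
    """Match each DNS reply to an outstanding query; count the ones that don't."""

    def __init__(self, threshold=3):
        self.outstanding = {}         # (client port, txid, qname, qtype) -> server asked
        self.unsolicited = Counter()  # claimed source ip -> unmatched replies seen
        self.threshold = threshold

    def observe(self, src_ip, src_port, dst_ip, dst_port, payload):
        m = parse(payload)
        if not m["is_response"]:
            self.outstanding[(src_port, m["txid"], m["qname"], m["qtype"])] = dst_ip
            return "query"
        key = (dst_port, m["txid"], m["qname"], m["qtype"])
        if self.outstanding.get(key) == src_ip:
            del self.outstanding[key]
            return "matched"
        self.unsolicited[src_ip] += 1           # note: this is the *claimed* source
        return "unsolicited"

    def suspects(self):
        return {ip: n for ip, n in self.unsolicited.items() if n >= self.threshold}


def run_demo():
    """Constructed traffic: one real query, five guessed replies, then the real one."""
    resolver, resolver_port = "10.0.0.2", 40000   # constructed addresses/ports
    nameserver = "192.0.2.53"
    watch = ReplyWatch()
    events = [watch.observe(resolver, resolver_port, nameserver, 53,
                            build_query(0x1234, "example.com."))]
    # The forger writes the nameserver's address as source and guesses txids
    # (the client port is taken as known here; a blind attacker guesses it too).
    for guess in range(0x1000, 0x1005):
        events.append(watch.observe(nameserver, 53, resolver, resolver_port,
                                    build_response(guess, "example.com.", "203.0.113.9")))
    events.append(watch.observe(nameserver, 53, resolver, resolver_port,
                                build_response(0x1234, "example.com.", "93.184.216.34")))
    return events, watch.suspects()
```

Running `run_demo()` reports the five guessed replies as unsolicited and the genuine one as matched, and the only "suspect" address is 192.0.2.53, the real nameserver, because that is the address the forged packets carry. That is the point made above about UDP being spoofable: a watcher of this kind can tell you that someone is throwing bogus answers at your resolver, but acting on the source address would cut off the legitimate server, not the forger.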
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


