ietf-asrg

Re[2]: [Asrg] Email Certification Path Proposal

2003-03-11 15:06:37
Hello Valdis,

Tuesday, March 11, 2003, 6:26:26 PM, you wrote:

VKve> On Tue, 11 Mar 2003 18:03:21 -0300, "Alejandro G. Belluscio"
VKve> <baldusi(_at_)uol(_dot_)com(_dot_)ar> said:
Yes. Because the SMTP manager is the one who has to deal with the
spammer. If he doesn't, he'll have his certificate revoked. A
spamhaus won't get a certificate, or will get revoked quite quickly.
That's also in part why we send the Spam Claim to the signer of
the certificate.

VKve> Of course, if the SMTP manager is on the payroll of the spammer,
VKve> and is the signer of the certificate, they can just drop the Spam
VKve> Claim on the floor.

The signer should be a backbone provider. If we can't count on them for
stopping spam, then we will need a hugely different and quite a bit more
complicated solution. Anyway, losing the possibility of offering SMTP
for a backbone provider and of signing the certs of its ISP
customers is a huge economic deterrent. Unless a backbone provider is
dedicated entirely to spam, in which case it should be easy to block :-)

VKve> "A spamhaus won't get a certificate or get revoked quite quickly".
VKve> Why is there a spam problem, when spamming is against the official
VKve> AUP at most ISPs? After all - nobody would sell bandwidth to a
VKve> spammer, or if they did, they'd revoke it quickly, right?

That's why this is a multi-tiered architecture, with backbone providers
having a very strong business incentive not to let their own
certificate get revoked. Besides, even though it is against the AUP, most
of the administrators are too lazy or unskilled to handle the spam problem.
Just watch how many MS SQL servers got owned months after the patch was
issued, or how many unpatched Apaches are out there.
You have to admit that you have to change the incentives of the ISPs so
they actually block spam. This is a way.

VKve> So let's see - there exist shady ISPs that will sell bandwidth to
VKve> spammers, even though other sites may blackhole their entire AS
VKve> (remember - the MAPS RBL is available as a BGP feed, and used at
VKve> some sites). But you don't expect there to be any shady
VKve> certificate issuers that will issue certs to spammers, even though
VKve> other sites may refuse to honor anything signed by them.

MAPS is not a semi-compulsory standard. I stated very clearly that this
system needs to be implemented "pervasively" to be truly useful. Besides,
remember that there are at least three signers plus the SMTP user, and
it goes up to the RIRs. So if you have a shady RIR that goes along with
spammers... then you have a different set of problems, since I hardly
believe there's a solution that doesn't depend on some authority doing
its job well enough.

VKve> All you're doing is changing the problem from whack-a-mole
VKve> bandwidth to whack-a-mole certs. And that's even worse - the telco
VKve> can take weeks to deliver a DSL or T-1 to a new base of
VKve> operations, but a new cert can be delivered in minutes. Of course,
VKve> the really serious spammers are either not worried because they've
VKve> paid off the ISP, or they've already got replacement
VKve> lines/certs/whatever already in process for the next spamming
VKve> run....

If this system is universal (a big if, I've admitted), then paying off
is not so easy. Especially because if some ISP gets shady, it gets
revoked. So they would have to base their whole business on spamming. If you
make some compulsory rules for backbone providers to be able to provide
service to ISPs, like giving a 30-day certificate for the first six months
and watching very carefully whether they accept spam, then making a new ISP
each time they get whacked is really expensive. I know, you'll say that
backbone providers will be bought off. Let the competition accuse them
and have their cert revoked. I don't think any backbone provider will want
that. And we are depending on the greed of the competition to tip them
off. So the more cutthroat the competition between backbone providers, the
better.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
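Editorial note: the following is an added example, not part of the thread or of the Email Certification Path proposal itself. It models the tiered path the message describes (RIR signs backbone provider, backbone provider signs ISP, ISP signs SMTP server), routes a Spam Claim to the signer of the offending certificate, and shows what revoking a middle tier or issuing a short-lived probationary certificate does to the chain. Tier names, lifetimes and the claim format are assumptions; signatures are stand-ins built with HMAC over a per-signer secret so the block runs on the standard library alone, where a real deployment would use public-key signatures.

```python
"""Toy model of a multi-tier email certification path (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: Optional[str]   # None only for the root tier (the RIR)
    not_after: date
    signature: bytes        # tag over (subject, issuer, not_after)


class CertificationPath:
    """Registry of tiered certificates plus the claim and revocation flows."""

    def __init__(self, root: str, today: date):
        self.today = today
        # Stand-in for each signer's private key (HMAC secret, assumption).
        self.keys: dict[str, bytes] = {root: secrets.token_bytes(32)}
        self.certs: dict[str, Cert] = {
            root: Cert(root, None, today + timedelta(days=3650), b"")
        }
        self.revoked: set[str] = set()
        self.claims: dict[str, list[tuple[str, str]]] = {}

    @staticmethod
    def _tbs(subject: str, issuer: str, not_after: date) -> bytes:
        # "To be signed" bytes: binds subject, issuer and expiry together.
        return f"{subject}|{issuer}|{not_after.isoformat()}".encode()

    def _sign(self, issuer: str, subject: str, not_after: date) -> bytes:
        return hmac.new(self.keys[issuer], self._tbs(subject, issuer, not_after),
                        hashlib.sha256).digest()

    def issue(self, issuer: str, subject: str, days: int) -> Cert:
        """Issuer signs the tier below it; a short lifetime forces early renewal."""
        if issuer not in self.keys:
            raise KeyError(f"unknown issuer {issuer}")
        not_after = self.today + timedelta(days=days)
        cert = Cert(subject, issuer, not_after, self._sign(issuer, subject, not_after))
        self.certs[subject] = cert
        self.keys.setdefault(subject, secrets.token_bytes(32))
        return cert

    def verify(self, subject: str) -> tuple[bool, str]:
        """Walk from the leaf up to the root; any bad tier sinks the whole chain."""
        name: Optional[str] = subject
        chain: list[str] = []
        while name is not None:
            cert = self.certs.get(name)
            if cert is None:
                return False, f"unknown: {name}"
            if name in self.revoked:
                return False, f"revoked: {name}"
            if cert.not_after < self.today:
                return False, f"expired: {name}"
            if cert.issuer is not None:
                expected = self._sign(cert.issuer, cert.subject, cert.not_after)
                if not hmac.compare_digest(expected, cert.signature):
                    return False, f"bad signature: {name}"
            chain.append(name)
            name = cert.issuer
        return True, " <- ".join(chain)

    def file_spam_claim(self, subject: str, evidence: str) -> str:
        """Route the claim to whoever signed the offender's certificate."""
        cert = self.certs.get(subject)
        if cert is None or cert.issuer is None:
            raise ValueError(f"no signer on record for {subject}")
        self.claims.setdefault(cert.issuer, []).append((subject, evidence))
        return cert.issuer

    def revoke(self, subject: str) -> None:
        """Revoking a tier invalidates every certificate chained beneath it."""
        self.revoked.add(subject)


if __name__ == "__main__":
    path = CertificationPath("RIR", date(2003, 3, 11))
    path.issue("RIR", "backbone.net", 365)
    path.issue("backbone.net", "isp.example", 365)
    path.issue("isp.example", "mail.isp.example", 90)
    print(path.verify("mail.isp.example"))
    print("claim routed to", path.file_spam_claim("mail.isp.example", "msg-id-1"))
    path.revoke("isp.example")
    print(path.verify("mail.isp.example"))
```

Revoking `isp.example` leaves `backbone.net` valid but makes every SMTP server the ISP signed fail verification, which is the lever the message relies on; the 30-day probationary certificate is modeled by issuing with a short `days` value and moving `today` forward.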


