Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-08 10:02:07
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>

Okay.  Let me try and say this in less words.

A junk fax or junk pre-recorded phone message can be traced, using 
information provided by a clueless user, in half an hour.

Have you never received a junk fax with a bogus banner, without
a knowable source telephone number, and advertising a web page?
I have.  How would I trace the junk faxer?

How do I trace a junk pre-recorded phone message that asks me to
record my number or push some touch tone keys to be called back?
I received many of those before July, 2002.


A junk email message can be traced, using information provided in a 
timely fashion by a clueful user, over a period of anywhere from half 
an hour to several days, possibly using throwaway email addresses, 
credit cards and court orders.

Accounts of those who have become "clueful" in tracing junk faxes say
they often use the same tactics to get evidence against the big junk
faxers.

Spam that does not carry an IP address of someone complicit in the
crime cannot exist.  You can always identify the IP address of the
SMTP client.  If it's not overseas, you can launch lawyers.  If it's
foreign, you can at least firewall it.


...
Nor did I claim otherwise.  I'm simply taking issue with your claim 
that it is easy to identify who is sending most spam.

I should not claim that it is easy in an absolute sense to identify
spammers.  Instead, I'm trying to say 

 - it is as easy to identify spammers as it is to identify junk faxers
      and pre-recorded phone callers
 - it is sufficiently easy for those who are motivated to spend
     more than half an hour pointing and clicking on the web.
 - it cannot be improved.

...
I agree, it is not usefully identifiable to people who are not motivated
by something more than a single $500-$1500 fee.

For the simple reason that it takes more than $500 to $1500 to track 
down the sender with a sufficient level of proof to receive the 
payment.

Exactly. 
And no matter what is done in the IETF, legislatures, or anywhere,
spammers will use defenses that cost more than $500 to $1500 to
penetrate.  However, those defenses are readily penetrated by anyone
who really cares.  Moreover, because at least in the U.S. ISPs don't
have PTT protections, you can always go after the owner of the IP
address of the SMTP client that sent the spam to your SMTP server.


...
In theory yes.  In practice that does not seem to be the case.  None 
of the cases I've reported to the FCC showed any indication of using 
fake caller-id or somehow hiding the 800 numbers they provided.  I 
don't have a large enough data sample of phone and fax violations, 
but I strongly suspect that majority are not hidden, whereas the 
majority of spam *does* attempt to hide where it comes from.

Oh, whoops.  I just realized where that argument was going.  Okay, 
forget it.  I forgot that you disagree with that.

There is an unsubtle difference between "forged headers" and "using
your main home mail address so the net-nazi anti-comerze net-cop
flamers can get your account terminated."


...
Unfortunately most of my complaints have been for unsolicited 
pre-recorded calls.  Which means manually describing the things. 
(Unless you can point me at a place where I can submit an audio file!)

How do you trace them?  Most that I've received are far less traceable
than any spam, since all spam has an IP address but I often have no
phone number for pre-recorded calls.  How should I trace a pre-recorded
that tells me to stay on the line to record my name and phone number
so that I can be called back?  Still, those who really care do drag
those guys into court.


...
Do they really?  Don't some 1-900 phone system outfits shield their real
customers?

Perhaps.  I've never seen/heard junk faxes/calls with 900 numbers. 
It's all been traceable 800 numbers.

If you're in the U.S., you surely saw 21st Century's "polls" in which
you were supposed to dial one of a pair of 1-900 numbers to "vote."


No one technical (in the TCP/IP or SMTP sense) is needed to follow a
credit card number.  On the other hand, the identification in the 21st
Century junk faxes consisted of a 1-900 phone number.  Could you have
done anything with that?  I couldn't.

No.  But I can give the FCC a 900 number and they can do it.

There is nothing I can give the FCC from a spam message that provides 
a similar level of traceability.  At a minimum it means following the 
links in the spam and actually entering a credit card number. 

No, the FCC can only identify the telephone equivalent of an ISP, or
the outfit that runs the 1-900 or 1-800 phone banks for the junk faxer.
That's like taking the IP address or mail address from spam and
identifying the ISP.  To get past that outfit, the FCC must issue
subpoenas or "follow the money."

What consumer is going to do that?  And if they don't, what are the odds 
that the site will still be there by the time the FCC looks at it. 
Never mind the effort and time required to do it, whether done by the 
consumer or the FCC.

The same applies (or not) to 1-800 and 1-900 phone numbers.  You can
rent a 1-900 or 1-800 phone number and disappear into the night when
you think it's time, with few more traces than renting hosting.

Note also that plenty of spam contains 1-800 numbers.
See http://groups.google.com/groups?as_epq=1+800&as_ugroup=*abuse*


...
So does spam.  Your grandmother could print the whole spam with
headers and treat it as I treated 21st Century's junk faxes.

See all of the above comments.  And add to it that spam reports from 
non-techies seldom have the full headers.

How is that relevant?  Is it more relevant than the fact that many
junk faxes that I sent to the FCC did not have the TCPA required
banner, because the junk faxers violate the law and use forged values?


...
There's another lesson in the TCPA and junk faxes that is waiting to
be learned by those who are not stuck on peddling authentication snake

I'd appreciate it if you'd back off from your vendetta against 
authentication for a second and address the issue at hand.  "Is spam 
identifiable?"  I claim that it is not identifiable at anywhere near 
the level of fax and phone spam, and therefore the laws that work for 
junk faxes (namely, bounties) are not likely to work for spam.  You 
claim otherwise.

That is not my claim.  Please go back and read my words about the
problems with the TCPA and notice that I have not advocated a TCPA
equivalent for spam.  Instead I claim:

 1. laws like the TCPA would reduce the spam problem a little, but
    only a little, and would certainly not solve it.

 2. spammers are already as well identified as junk faxers.  In both
     cases, it often costs more than $500 to find the home of the perp.

 3. contrary to the authentication snake oil, all spam is more identifiable
  than many pre-recorded phone calls, because pre-recordeds often lack
  all ID data but all spam contains an IP address and usually contains
  a phone number, domain name, or other contact information.  All spam
  is more identifiable than many junk faxes, because you always have
  an IP address but many junk faxes lack the sending fax machine.

 4.  It makes no sense to say the contact information in spam, whether
    URL, telephone number, email address, or postal address, is
    untraceable, but the same is traceable in a junk fax.  In fact,
    junk faxes and spam have similarly traceable contact info.

 5. contrary to the authentication snake oil, no laws, protocols,
     terms of service or anything else will force spammers to be more
     identifiable than junk faxers.  Every mechanism that lets TCPA
     violators cost more than $500 to find works on email.

 6. notwithstanding #4-#5, if you are motivated, you can identify
     spammers and TCPA violators.  There are people in anti-spam
     circles who have built large reputations on their skills in
     finding the names, home addresses, birth dates, and anything else
     you might care to know about a given spammer.

My vendetta against authentication snake oil is my main point.  People
have always had the delusion that authentication can somehow solve
the spam problem.  By pointing to the TCPA and junk faxes and
pre-recordeds, I'm trying to prove by example that more authentication
is as good a spam solution as HGH is an elixir of youth.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com