
Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-08 15:24:35
> From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>

> > Have you never received a junk fax with a bogus banner, without
> > a knowable source telephone number, and advertising a web page?
> > I have.  How would I trace the junk faxer?

> > How do I trace a junk pre-recorded phone message that asks me to
> > record my number or push some touch tone keys to be called back?
> > I received many of those before July, 2002.

> No to both.  So we're back to an ascertainable fact that neither of
> us has access to.

I hope you're not saying I'm lying about having received such faxes
or pre-recorded phone calls, but I don't understand what else you mean.


> What's the percentage of those compared to the
> percentage of equivalent obfuscations in email?  Oh well.

Only a small minority of faxes sent to me flogged URLs and not phone 
numbers.  I found them noteworthy for obvious reasons.
About 50% of the telemarketing calls to my phone numbers in 2002 were
pre-recorded and wanted touch tones or to record a voice message
instead of offering a contact address.  I suspect someone was selling
nasty PC software to idiot business owners along the Front Range. 
Generally the businesses identified themselves by name, but were not
in phone books.  Joe The Idiot's Loan Service tends to be missed by
the directories whether it is advertising by spam or pre-recordeds.


> ...
> >  3. contrary to the authentication snake oil, all spam is more identifiable
> >   than many pre-recorded phone calls, because pre-recordeds often lack
> >   all ID data but all spam contains an IP address and usually contains

> I'm going to assert that most pre-recorded calls contain address
> information that allows you to track them down.  After all, they want
> the user to contact them.  Why would they obscure that information?

> Does that argument sound familiar?

> Now I'm going to take it back, and state that while I believe that, I
> have no evidence other than the phone spam I've received to back it
> up.

I don't understand the point you're making.  I agree many pre-recorded
phone calls contain addresses.  Political ads are the most consistent
exception.


> >  4.  It makes no sense to say the contact information in spam, whether
> >     URL, telephone number, email address, or postal address, is
> >     untraceable, but the same is traceable in a junk fax.  In fact,
> >     junk faxes and spam have similarly traceable contact info.

> It does if you assume that it is far easier to create untraceable
> transactions online than it is over the phone.  That is what I am
> assuming. ...

Again, in a sense there is no such thing as untraceable spam.  You
always have the IP address of the SMTP client and you can always go
after its owner, even if the owner is a retail ISP and its clue-free
customer using a proxy.  I agree that for a given amount of effort,
it is easier to make network advertisements harder to trace than
telephone ads.  However, for practical purposes for the vast majority
of people, junk faxes, email spam, and pre-recorded telephone ads are
similarly traceable.

> pre-recorded calls--I've been involved in that business.  I don't
> know what services are available within the States to make that
> untraceable.  I seriously doubt there are too many services doing
> that from outside the States, because of the costs of international
> calls.  However, I don't know.  I could be wrong.  Without sufficient
> evidence I'm not going to argue the point.  Suffice to say that I'm
> not making a nonsensical argument.

I don't understand the thrust of your argument.  If you are saying
that ordinary telephone customers can trace most junk faxes and
pre-recorded phone ads, then you are wrong.  You're also wrong if
you're saying that motivated people cannot trace any given spammer.
I agree if you're saying that experts can trace phone abuse and that
most users cannot trace spam with the least obfuscation.

If your point is something about the relative costs of tracing phone
and email abuse, then it would help if you could quantify it.  I think
that both cost nothing when there is no obfuscation and otherwise
generally more than $500 but usually less than $5000.

    .................


] From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

] > VeriSign demonstrated the low value of affordable authentication when
] > it sold the identity "Microsoft Corporation" for about $350 to an
] > individual who fraudulently claimed to be a Microsoft employee.  
]
] The mistake was discovered by VeriSign and the certificate revoked.
] It has never been used. The procedures have since been changed.

All of which is irrelevant or unverifiable, and slightly wrong.

I doubt the cert was used, but how can anyone know other than by
believing statements from the people in San Diego that the certs were
never used?  According to VeriSign and Microsoft, they are liars.

The error is seen by some people as the biggest scandal.
The certs could not be revoked without installing patched versions
of Microsoft software on all computers in the net.  See
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
and especially the following:

    VeriSign has revoked the certificates, and they are listed in
    VeriSign's current Certificate Revocation List (CRL). However,
    because VeriSign's code-signing certificates do not specify a
    CRL Distribution Point (CDP), it is not possible for any
    browser's CRL-checking mechanism to locate and use the VeriSign
    CRL. Microsoft has developed an update that rectifies this
    problem. The update package includes a CRL containing the two
    certificates, and an installable revocation handler that
    consults the CRL on the local machine, rather than attempting to
    use the CDP mechanism. 


] ...
] > As Phillip Hallam-Baker knows, I have never said "80% of spam comes
] > from free email providers," because we both know that is not true.
] > We both know that rate limiting by free providers is irrelevant.
]
] Your web site states that blocking mail from those addresses cuts out 80%
] of all spam. 

Why do you continue to repeat that obviously false statement?  
http://www.rhyolite.com/anti-spam/ says rejecting "spam CLAIMING to
be from" my list of free providers "currently seems to be effective
against 90% of spam."  It's been perhaps a year since I counted, so
that 90% could be wrong today.  Spam *CLAIMING* to be from the free
providers is not *FROM* the free providers.  It is silly to say anything
like "80% of spam comes from free providers."  I may be crazy, but
I'm not that stupid.


] > If certs were required for mail, then free providers would issue certs
] > along with usernames and passwords, and for the same price and with
] > the same due diligence in checking that the applicant is not really
] > Alan Ralsky that they now exercise.
]
] You have the end-to-end principle on the brain here. No there is no
] point in issuing client certs to such people. Authenticate the
] hosting service, the fact of interest is that they implement velocity
] limits.

Every SMTP message has always arrived with a practically unforgeable
certificate that is owned and usable only by the hosting service of
the immediate source of the spam.  It makes no sense to look for a
commercial certificate saying that mail from a UUNET, Sprint, or
hosting service is from that hosting service, because your SMTP server
already knows that.

Anyone who wants that sort of certs already has them.  You need only
set your SMTP server to accept mail from only the certs that are in
your local list of good guys.  You can even configure your routers to
reject mail from outfits without certs that you consider valid.

If you want to hire a commercial service to decide which hosting
services are good and maintain your list of good-guy certs, you can
contact MAPS.  They sell a real-time service listing trustworthy certs.

Of course, the rub in all of that is that no one cares about a UUNet
cert, because a large fraction of spam comes from UUNet (by virtue of
UUNet's size if nothing else).  Certs from hosting services are too
broad.  You want certs for individual users, but that gets you back
to Hotmail issuing certs along with usernames and passwords.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
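The MS01-017 excerpt above turns on one detail: a certificate with no CRL Distribution Point gives relying parties no way to find the CRL that revokes it. The following check is an added example, not code from the list post or from VeriSign or Microsoft; it uses the `cryptography` package, and the subject name and CRL URL it builds are constructed placeholders.

```python
"""Flag X.509 certificates that carry no CRL Distribution Points
extension, the gap MS01-017 describes (added example, not from the post)."""
import datetime
from typing import List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def crl_distribution_points(cert: x509.Certificate) -> List[str]:
    """Return the CRL URLs a relying party could fetch for this cert.
    An empty list means no CDP is present: a CRL-checking client has
    nowhere to look, which is exactly the MS01-017 situation."""
    try:
        ext = cert.extensions.get_extension_for_oid(
            ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    urls = []
    for dp in ext.value:  # CRLDistributionPoints iterates DistributionPoint
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                urls.append(name.value)
    return urls


def make_test_cert(cdp_url: Optional[str]) -> x509.Certificate:
    """Build a constructed self-signed certificate, with a CDP only when
    cdp_url is given. Name and URL are placeholders, not real identities."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Publisher")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if cdp_url:
        dp = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(cdp_url)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]),
                                        critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for url in (None, "http://crl.example.invalid/code-signing.crl"):
        found = crl_distribution_points(make_test_cert(url))
        print(url, "->", found or "NO CDP: revocation cannot be located")
```

Run against a real certificate by loading it with `x509.load_pem_x509_certificate` instead of `make_test_cert`.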