ietf-asrg
[Top] [All Lists]

Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-08 19:26:09
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>

..
No, not at all.  My apologies.  What I meant was that this comes down 
to a question of whether faxes and calls like that are common or 
rare, and we don't have the necessary information to make that 
decision.  ...

I don't see the importance of deciding whether they are common.  They
were common until recently in my experience, but I'm not claiming my
experience proves more than that they happen.

My claims are elsewhere.  Those faxes and calls are in practice (not
withstanding theoretical telco logs) as obfuscated as the spam of the
shiest spammer, but their perpetrators have felt the sting of the
TCPA.  That shows that the claim that authentication is required to
identify spammers is snake oil.

The TCPA requires all faxes to have a banner identifying and authenticating
the sender.  It outlaws pre-recorded junk calls.  Modern fax machines
can filter on those banners and phones can filter on caller-ID.  Still,
the TCPA helped but did not end those problems.  It has been effective
only as a deterrent, and against major bad guys only when Washington
DC launched major court efforts.  Caller-ID and fax banner filtering
is like per-mail-sender authenticaion.  That filtering can be used by
individuals who don't want to hear from strangers, but they're useless
for people or businesses that need to hear from strangers.


...
Sorry.  Same point as above, except with the added irony that I'm 
basically making the same claim about faxes that you've been making 
about email--that most people don't hide their contact information. 
You think it's equally true of both, I think it's more true of faxes. 
But without information we're pretty much stuck there.

I won't guess which obfuscation is more common, and I don't care. 
I claim only that fax/telemarking obfuscation is sufficiently common
to illuminate the truth (or its lack) in claims about spam obfuscation
and authentication.


...
Again, in a sense there is no such thing as untraceable spam.  You
always have the IP address of the SMTP client and you can always go
after its owner, even if the owner is a retail ISP and its clue-free
customer using a proxy.  I agree that for a given amount of effort,

Am I missing something?  I didn't think there was a traceable 
original IP in open-proxy spam. ...

I meant that you can always go after the owner of the open proxy.

Everyone must be held accountable for every IP packet that comes out
of their networks.  It does not matter whether a packet is part of
legitimate web surfing, good mail, spam, or a DoS attack.  It also
does not matter whether an arbitrary open proxy operator is paid by
Ralsky as long ago Spamford paid his "Bandwidth Partners" for relaying
spam.  It doesn't matter whether the proxy is operated as a charity
to help the Chinese tunnel through the Great Wall or out of ignorance.
The proxy operator is responsible.

When imposing penalties, someone who ignorantly installed an open
proxy should not be punished like Ralsky or Spamford, but that does
not change the responsibility or the need to communicate with the real
threat of punishment to even the most naive and nominally innocent user.

A network operator must be responsible for closing the open proxies
of its customers just as it is responsible for shutting down "owned"
machines used in a denial of service attack.  Failure to do either
should make the operator vulnerable to criminal penalties related to
those imposed on the originator of the attack.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg