ietf-asrg
[Top] [All Lists]

Re: [Asrg] seeking comments on new RMX article

2003-05-05 13:27:17
From: "Alan DeKok" <aland(_at_)freeradius(_dot_)org>

...
  It's really a mind-set issue.  I want to have the ability to use all
of the tools at my disposal to fight spam.  Some people want to
prevent me from using certain tools, because they don't find those
tools useful.  Why that happens is question for psychology, and is
outside of the scope of this group.

If you really think RMX (or anything else) is worthwhile, then you
should already have written and deployed some code.   So please say
how it's working.

In fact, no one is preventing you from using RMX or any other tactic
you like (subject to the terms of service of your ISP).  What you are
not getting are accolades for the silver bullet and volunteers to do
all of the work and then present it on a silver platter.

I think there are some early implementations of RMX, but that they
are not working is not the result of efforts of the "legacy internet
engineers" who prevented the spread of IPv8 and suppressed the discovery
of how to encode more than 4,294,967,296 addresses in 32 bit.

 ......



] From: "Eric D. Williams" <eric(_at_)infobro(_dot_)com>

] ...
] I think the premise is that RMX is about finding a method to give 
] accountability.

] ...
] Part of the 'spam' problem lies in accountability.  ...

How so?  Why do you care who Alan Ralsky is, since you surely won't
be sending him bomb threats or signing him up for junk postal mail.

Who cares who "Bill Zhang" of "Sunshine" in China really is, besides
his ISPs and people who fight spammers instead of spam?  As long as his
ISPs connect his computers and those of his customers, what anti-spam
accountability does RMX or any mail sender tagging scheme give?  If RMX
or some other tagging scheme were universal, and if you could keep "Bill
Zhang" from signing up for as many RMX tags as he has domains, one might
argue that it could have some effect.  (He seems to make create several
new domains/day.  Why don't the ICANN rules against his obviously bogus
WHOS data make him "accountable" or stop him?)  It's trivial to recognize
mail from "Bill Zhang" by checking the whois data on the domain names
in his messages.  What is the difference between using port 53 or port
43 for "accountability" for his large volumes of spam?

What accountability is lacking but would be provided by RMX for the
unsolicited bulk email from Verisign, American Express, Roving Software,
Topica, and the rest of the Fortune 50,000 that would be our topic if
the "Bill Zhangs" were not so productive?  The Fortune 50,000 send
with unforged headers that point directly at themselves.

The immediate purpose of RMX bits is to let SMTP servers compare IP
addresses to sender domain names and so stop what some people call
forgery.  However, the RMX bits for commonly "forged" domains including
Yahoo, AOL, and Microsoft would say "all IP addresses can send from
our domain", because they have significant numbers of users who use
other sending ISPs.

Does SMTP-TLS enforce a valuable anti-spam accountablity?  SMTP-TLS
has been available for years for free in the popular SMTP implementations,
so why it used by less than 1%, not to mention more than 80% of the
net?  Every organization with web pages that can be fetched by HTTPS
has certificates that could be used with SMTP-TLS.  Most of those
certificates are signed by major commercial PKI vendors.  Why isn't
that "accountability" useful?  If it is useful against spam, why isn't
it being used?  Why is the RMX accountability useful but the SMTP-TLS
accountability useless?

The underlying problem is that people who advocate RMX, TOES,
authentication, or content tagging hope that some magic technology
will finger spammers.  They don't want to be bothered with the standard
work of collaring bad guys.  They don't care that counting coup on
spammers by saying "I know who you are" never stops any spam.  Those
who are serious about fighing spammers instead of fighting spam don't
need RMX or any of the other superficial quick fixes.  That's demonstrated
in web pages such as http://www.spamhaus.org/rokso/


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg