ietf-asrg

RE: [Asrg] seeking comments on new RMX article

2003-05-06 09:13:57


On Monday, May 05, 2003 3:40 PM, Vernon Schryver 
[SMTP:vjs(_at_)calcite(_dot_)rhyolite(_dot_)com] wrote:
8<...>8
] From: "Eric D. Williams" <eric(_at_)infobro(_dot_)com>

] ...
] I think the premise is that RMX is about finding a method to give
] accountability.

] ...
] Part of the 'spam' problem lies in accountability.  ...

How so?  Why do you care who Alan Ralsky is, since you surely won't
be sending him bomb threats or signing him up for junk postal mail.

It is my prerogative to act as I stipulate in policy, or not, relative to 
information I can gather.  The point is that appropriate policy can be defined 
at a policy boundary associated with an RMX result (whatever that is) and 
applied to my liking.


Who cares who "Bill Zhang" of "Sunshine" in China really is, besides
his ISPs and people who fight spammers instead of spam?

There is a flaw in this statement.  It pre-supposes what policy I will apply to 
an RMX result.  It remains a sysadmin's responsibility (typically) to establish 
controls at the policy boundary.  That of course could be anything in the 
universe of options available to the sysadmin including rejecting, accepting, 
redirecting, forwarding, etc.

                                                          As long as his
ISPs connect his computers and those of his customers, what anti-spam
accountability does RMX or any mail sender tagging scheme give?

I am not sure why you think of RMX as a tagging scheme, do you consider DNS a 
tagging scheme or a naming scheme?  Do you consider tagging and naming as 
merely a semantic distinction?  In any event my read is that RMX does not make 
a 'sender' accountable; it allows the recipient system/administrator to make 
policy judgements based on objective information and if used by a spammer 
exposes the 'so-called' true authorized origination point for a domain (that's 
accountability).

                                                                  If RMX
or some other tagging scheme were universal, and if you could keep "Bill
Zhang" from signing up for as many RMX tags as he has domains, one might
argue that it could have some effect.  (He seems to create several
new domains/day.  Why don't the ICANN rules against his obviously bogus
WHOIS data make him "accountable" or stop him?)  It's trivial to recognize
mail from "Bill Zhang" by checking the whois data on the domain names
in his messages.  What is the difference between using port 53 or port
43 for "accountability" for his large volumes of spam?

To answer your question which I think is 'what's the difference with using DNS 
vs. WHOIS?' I don't believe there is a difference for domains that are listed 
in "From:" and "Received by:" headers that is accurate however, I think that 
RMX endeavors to address the problem of inaccurate information in that data 
set.  If I can know, for the purpose of establishing policy, that an IP address 
and domain do not match header information (in the context of the SMTP 
transaction) I consider that valuable information, even if it is only for 
post-hoc filter implementation.  As far as ICANN rules, the RMX proposal does 
not address that.

What accountability is lacking but would be provided by RMX for the
unsolicited bulk email from Verisign, American Express, Roving Software,
Topica, and the rest of the Fortune 50,000 that would be our topic if
the "Bill Zhangs" were not so productive?  The Fortune 50,000 send
with unforged headers that point directly at themselves.

I don't think RMX is in effect either a legitimizer or eliminator of spam.  I 
do think that RMX provides a scalable, 'adoption-worthy', un-encumbered,

The immediate purpose of RMX bits is to let SMTP servers compare IP
addresses to sender domain names and so stop what some people call
forgery.  However, the RMX bits for commonly "forged" domains including
Yahoo, AOL, and Microsoft would say "all IP addresses can send from
our domain", because they have significant numbers of users who use
other sending ISPs.

I don't agree.  I think there are other means to establish domain/IP 
associations.  Specifically, modifications or extensions to DHCP or other 
dynamic configuration protocols may be valuable work to look into for this 
group.  In any event the introduction of any proposal, including RMX, does not 
eliminate the viability of other mechanisms e.g. SMTP-AUTH, SMTP-TLS, etc.

Does SMTP-TLS enforce a valuable anti-spam accountability?  SMTP-TLS
has been available for years for free in the popular SMTP implementations,
so why is it used by less than 1%, not to mention more than 80% of the
net?  Every organization with web pages that can be fetched by HTTPS
has certificates that could be used with SMTP-TLS.  Most of those
certificates are signed by major commercial PKI vendors.  Why isn't
that "accountability" useful?  If it is useful against spam, why isn't
it being used?  Why is the RMX accountability useful but the SMTP-TLS
accountability useless?

I don't think measurement of adoption is a viable metric at this point unless 
it is associated with a failed concept or some that don't meet our minimum 
requirements.  Perhaps SMTP-TLS was not 'what the people wanted'.  Any proposal 
that can demonstrably show 'what the people want' does not necessarily have to 
be 'what the people need' or 'what the people asked for'.  Accountability is 
not tied to any specific proposal.  Accountability should, IMHO, be reviewed in 
any proposal as a requirement or goal.

The underlying problem is that people who advocate RMX, TOES,
authentication, or content tagging hope that some magic technology
will finger spammers.  They don't want to be bothered with the standard
work of collaring bad guys.  They don't care that counting coup on
spammers by saying "I know who you are" never stops any spam.

I don't agree.  I think the problem is that we have not truly reviewed any 
approach that is the 'silver bullet' and probably won't ever see one.  As I 
said accountability is an important concept for formulating and establishing 
appropriate policy boundaries, knowing who someone is vs. who they purport to 
be is a valuable bit of information no matter where it comes from.
Establishing an appropriate policy boundary and effective (by some measure) 
enforcement controls is I think a consensus goal.  It is the method and means 
of doing that where we are focusing in this group.

                                                               Those
who are serious about fighting spammers instead of fighting spam don't
need RMX or any of the other superficial quick fixes.  That's demonstrated
in web pages such as http://www.spamhaus.org/rokso/

I understand your point, however I think with work RMX can be evolved into a 
more effective accountability mechanism, I am willing to participate in that 
endeavor.  I don't understand what your premise is for the statement "Those who 
are serious".  I am serious about researching this issue to help formulate a 
set of solutions and approaches that CAN work.  I can not predict adoption or 
non-adoption and I do not attempt to evaluate the motives, resolve or agendas 
of the other participants in this group.  I would like to evaluate proposals 
using objective technical measures.

-e
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
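
An added example, not part of the original message or of the RMX proposal: a receiver-side sketch of the two positions argued above, comparing the connecting IP address with the networks a sender domain authorizes and then mapping the result to a locally chosen policy. The `AUTHORIZED` table, the `POLICY` names and the functions `classify` and `decide` are hypothetical; the table stands in for the result of an RMX-style lookup and is not the RMX record format.

```python
import ipaddress

# Constructed sample data: sender domain -> networks allowed to send for it.
AUTHORIZED = {
    "example.org": ["192.0.2.0/24"],
    # A provider whose users send through many other ISPs and therefore
    # publishes "all IP addresses can send from our domain".
    "bigmail.example": ["0.0.0.0/0"],
}

# Local policy: the receiving site decides what each result means.
POLICY = {
    "match": "accept",
    "mismatch": "reject",
    "open": "accept-and-score",     # authorization covers everything: no signal
    "no-data": "accept-and-score",  # domain publishes nothing
}


def classify(client_ip, sender_domain, authorized=AUTHORIZED):
    """Return 'match', 'mismatch', 'open' or 'no-data' for one SMTP client."""
    nets = authorized.get(sender_domain.lower())
    if not nets:
        return "no-data"
    ip = ipaddress.ip_address(client_ip)
    parsed = [ipaddress.ip_network(n) for n in nets]
    # A domain that authorizes the whole address space tells the receiver nothing.
    if any(n.prefixlen == 0 and n.version == ip.version for n in parsed):
        return "open"
    return "match" if any(ip in n for n in parsed) else "mismatch"


def decide(client_ip, mail_from, policy=POLICY):
    """Apply the site's policy to the envelope sender of one transaction."""
    domain = mail_from.rpartition("@")[2]
    result = classify(client_ip, domain)
    return result, policy[result]


if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "alice@example.org"),
                       ("203.0.113.9", "alice@example.org"),
                       ("203.0.113.9", "bob@bigmail.example")]:
        print(ip, sender, decide(ip, sender))
```
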