Re: [Asrg] 'GIEIS' - The Extended Overview Released

Why not just use a VPN - point to point - and I can reject any 
connection that I don't like! This seems to not require a centralized 
anything.  Am I missing something here?
Chuck Wegrzyn


Mark McCarron wrote:

> GIEIS - Global ISP Email Identity System - The Ultimate Anti-Spam System
> a.k.a. - The Digital Reaper
>
> Copyright, including intellectual copyright, Mark McCarron 2003.
>
>
> Introduction
>
> 'GIEIS' has a global range in its application and is a hybrid 
> consent/force model for prevention of fraudulent email.  'GIEIS' deals 
> with both sender and recipient and acts as a 'gate-keeper' to the 
> networks under its protection.  'GIEIS' is not just a method of 
> eliminating spam but also, virus transmission, worm transmission, 
> trojan transmission, chain-mail, email hoaxes and all non-compliant 
> mail.  The 'GIEIS' system is designed in such a manner that bypassing 
> the system is impossible.
>
> Architecture Overview
>
> 'GIEIS' is a new architecture for email.  It extends the SMTP protocol 
> currently in use and requires the establishment of a centralised 
> structure for email verification.  'GIEIS' utilises the common point 
> in all email transmission from any source, the ISP.  The proposed 
> system will route all email from an ISP's customer base through a 
> special server known as an 'Email Authentication Server' (EAS).  At 
> this point, special encrypted codes are appended to the header that 
> identify the account, the 'EAS' server, and the  ISP from which the 
> email was sent.  A random encrypted ID code is also appended and these 
> details are stored to the 'EAS''s database.  From here, the email is 
> then distributed to the recipients 'EAS'.  The recipient's 'EAS' then 
> contacts the 'GIEIS' central servers and 'GIEIS' confirms the special 
> encrypted codes held in the header of the email.  'GIEIS' achieves 
> this by communicating with the sender's 'EAS', confirming the database 
> entry against codes received, deleting the database entry (or marking 
> confirmed), and relaying the results via encrypted transmission to the 
> recipient's 'EAS'.  This will result in one of two possible actions; 
> either the email is sent to the recipient's email inbox or is deleted.
>
> Encryption
>
> This would most likely be a modified form of OpenPGP.  It would be 
> based on a combination of ciphers rather than just one.  Ciphers being 
> considered are TripleDES, CAST and Twofish.  RSA encryption has been 
> deemed to weak for this purpose.  Codes and encryption passphrases 
> will be changed frequently automatically.  Updates to 'EAS' will also 
> be automated.
>
> Abuse of Domestic Accounts
>
> To prevent such abuses of these accounts several measures will be put 
> in place.  A limit on the amount of recipient's will be imposed per 
> email, any email which exceeds the limit will be automatically spanned 
> as separate emails by the clients software.  The 'EAS' will refuse any 
> non-compliant email.  A limit will be imposed on the amount of emails 
> that may be sent daily from any account.
> There are currently several proposals to limit the rate at which 
> emails can be sent.  The first proposal is to have the sender validate 
> each email by entering text based on a downloaded graphic.  This 
> suggestion has limitations in respect to the visually impaired and 
> blind members of the Internet.  This could be replaced by a simple 
> puzzle, such as a question, for example how many days are there in a 
> week?  This would be very difficult to automate.
> A second proposal, that may include the first proposal, is that a 
> delay of 5 to 10 seconds be imposed for each email sent.  The 'EAS' 
> would control the rate, not the client software.
> The third proposal, which we believe to be the most acceptable, is an 
> incrementing delay based on the volume of emails sent.  Every 3 emails 
> queued would result in an additional one second delay added.  For 
> example, if 33 emails were queued, the first batch of 3 would be sent 
> and a then pause of one second.  The next 3 emails would then be sent 
> and a pause of 2 seconds would occur.  By the time we get to 30 emails 
> there would be a 10 second delay before the next batch of 3 emails 
> were sent.  As you can see this delay would continue to grow in 
> respect to the amount of emails queued.  This would force spammers to 
> have a large amount of accounts and the machines to connect to them.  
> The time of opening new accounts manually and the cost (machines and 
> time) would be prohibitive.
>
> Business Accounts
>
> There has been some concern over how 'GIEIS' will handle business 
> email and large volume traffic.  All businesses will have to register 
> with their ISP and provide company registration details.  These 
> details are then passed to the 'GIEIS' centre where a business code 
> will be issued.  The business' email will then be routed through the 
> ISP's 'EAS'.  The process of sending bulk email will be transparent.  
> The software will compile a list of domains that it will require 
> access bulk access to and the amount of emails to be sent.  This list 
> will be transmitted to the ISP's 'EAS'.  The ISP's 'EAS' will then 
> contact the 'GIEIS' central servers transmitting the encrypted 
> business code and the list of domains. 'GIEIS' will then contact the 
> domains on the list an authorize a bulk reception from the 
> transmitting domain and the amount of emails to be received, again via 
> encrypted message. 'GIEIS' waits until it receives an acknowledgement 
> from each domain and then transmits a ready signal to the ISP's 'EAS' 
> (may also include a list of down servers).  The ISP's 'EAS' then 
> contacts the business' email software and requests a begin of 
> transmission.  Any errors are relayed back to the business.
>
> Mailing Lists and Discussion Groups
>
> Mailing lists must contact 'GIEIS' directly for setup and must be 
> associated with a bonafide website domain.  This domain will be 
> checked by 'GIEIS' representative and the hosting company contacted 
> for further information.  A credit card will be required and a $1 (£1, 
> 1 euro) charge will be made to it.  The card details must match those 
> to which the domain is registered.  Also, a mailing address and 
> telephone contact information would be required.  They will receive a 
> written copy of the 'Terms of Service' which they must sign and send 
> back to 'GIEIS'.  Upon reception 'GIEIS' will implement the account 
> with their ISP.
> The emails then sent by the mailing list will be analyzed by 
> heuristics.  Each message will also be parsed for HTML code, such as 
> IMAGE tags and jpg, bmp images.  As the majority of mailing systems 
> use either ASCII or UNICODE text only, spam can be detected, blocked 
> and the offender's credit card billed with a fine, or the offender 
> prosecuted.  Heuristic analysis will not be a permanent feature, it 
> will most likely be a feature that will only be in place for the first 
> 6 months of any new mailing list request.  On successful completion of 
> this 6 month 'trial period', the account will be deemed 'secure', 
> heuristics will be stopped and the system will then use end-user 
> reports only.
> Technically, the account will operate in a similar manner to business 
> accounts and allow for bulk transmission.
>
> Virus/Worm/Trojan Protection
>
> As 'GIEIS' can trace email sending directly to account level.  Any 
> form of attack launched on remote machines can be minimised and the 
> perpetrator tracked immediately.  Each 'EAS' system will have built-in 
> anti-virus scanning software that will scan all outbound email 
> attachments.  Any infected file will be bounced back to sending system 
> with information of the virus.  This will prevent spread of 'address 
> book' virus' that have become common place within the last few years.  
> The senders 'EAS' will inform the user when their daily limit has been 
> reached, it will also inform them that if they have not sent this 
> volume that their machine may be infected or have been hacked.  There 
> will be information on to take steps to resolve the problem.
> A further extension, under consideration, is the flagging of 
> executable attachments and their spread.  This would assist in rapidly 
> identifying new virus'/worms/trojans and 'GIEIS', upon confirmation of 
> a new infection, would be able to seal those accounts until updated 
> anti-virus patterns were installed to all 'EAS's.
> A further suggestion, is linking a reporting service from 'GIEIS' 
> directly to the computer fraud departments of Police forces globally.  
> This would assist in taking immediate action against offenders.
>
> Period of Introduction
>
> Until a sufficient amount of ISPs are 'GIEIS Compliant' the 'GIEIS' 
> system will be in a test mode.  This will most likely be a period of 6 
> months, to 1 year.  A specific date will be chosen from when the 
> system will become fully operational.  After that date, only 'GIEIS' 
> compliant systems would be able to send email to those domains 
> protected under 'GIEIS'.  This would force a global update, or many 
> would find their customer base rapidly shrinking.
> In order to speed the process.  'GIEIS' would be setup in partnership 
> with the world's largest providers of ISP and email services.  No 
> company could afford to be excluded from their domains and adoption 
> would become rapid.  These companies have the legal right to take all 
> steps necessary to protect their networks and customer base.
>
> Account and Domain Blocking
>
> The 'GIEIS' system will have the ability to suspend email service at 
> account level and domain level.  Any blockage will be in accordance 
> with the 'Terms of Service Agreement'.
>
> Terms of Service Agreement, Guidelines and Dispute mechanisms
>
> These will be determined by the members of the IRTF and IETF and 
> conform to International law.
>
> Charges and Fines
>
> Setup fees will be charged for business users.  Fines can be imposed, 
> as per the 'Terms of Service Agreement' and services restricted until 
> fines are paid in full.
>
> 'GIEIS' Centre's Legal Status
>
> The 'GIEIS' centre will be a non-profit organization.  Its dispute 
> mechanism and complaints procedure will be completely transparent and 
> all disputes will be posted to the centre's website.  There will be no 
> closed door policy.  The 'GIEIS' system will not be accessible by any 
> company and will be completely independent.  It will also not be a 
> government agency of any form, it will be a public body.
>
> Privacy Concerns
>
> 'GIEIS' does not and will not analyze the majority of email 
> transmission, unless specifically requested to do so, or when breaches 
> of the 'Terms of Service Agreement' have been made.  Also, government 
> agencies already have the ability, and the funding, to analyze emails 
> on a global basis.  'GIEIS' would not be able to compare to the 
> supercomputers used by the NSA/CIA (US) and the GCHQ (UK).  'GIEIS' 
> will have a legally binding 'privacy agreement' and will never 
> distribute, share, or sell any personal information.
>
> Opposition to the Proposal
>
> The opposition to this proposal falls into two main categories.  Those 
> who are paranoid about a centralised agency analyzing email 
> transmissions, and software companies that are either based or have 
> products based on 'anti-spam' techniques.  'GIEIS' would make these 
> products and companies completely redundant on a global basis.
> Copyright, including intellectual copyright Mark McCarron, 2003.
>
> _________________________________________________________________
> It's fast, it's easy and it's free. Get MSN Messenger today! 
> http://www.msn.co.uk/messenger
>
> _______________________________________________
> Asrg mailing list
> Asrg(_at_)ietf(_dot_)org
> https://www1.ietf.org/mailman/listinfo/asrg


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg