ietf-asrg
[Top] [All Lists]

Re: [Asrg] 0.General - News Article - NYT Reports Porn Spam Hijacking Network

2003-07-11 15:34:46
At 05:44 PM 7/11/2003 -0400, Barry Shein wrote:

Well, there ya go, the NY Times is technologically ahead of ASRG in
recognizing what the real source of the spam problem is.

Barry, leaving the sarcasm aside, there are problems with looking at the spam problem from this angle. There are specific problems with dealing with the security issue which I mentioned in a prior post: 1. It is easier to deal with the problem on the edge of the network than at the core. "Fixing" the core can take decades. In the short and medium term we would be looking at "edge" solutions. In the long term perhaps a "core" solution might work but would require a very long time to implement. 2. This is something that must be dealt on the infrastructure level of the Internet - it is a general issue of security akin to other things that zombies are used for (DDOS, hosting porn sites, worms, etc.). These are issues that must be looked at as an Internet-wide problem not limited to spam. Once again, this problem stems from the fact that the Internet as a network inherently trusts its users and servers. Unless you will convert the Net into a closed system where every single server and user must have authorization, it will not solve the problem.

If this is a general "security" problem, than we cannot hope to solve the "spam" specifics without solving the general security problem. Thus, it might require a new group to be focused specifically on security issues of the Net. We are dealing with spam only.

I would also like to make another suggestion. It seems that you and Eric Brunner in particular have been advocating this approach. Why don't you two get together and write up a document outlining the spam problem from this point of view, and providing an evaluation checklist for solutions (also see section 3.2 of the "Technical Considerations" document (http://www.ietf.org/internet-drafts/draft-crocker-spam-techconsider-02.txt)). This can provide a concrete framework and a checklist for the group to consider various proposals falling under this angle of things such as replacing SMTP, detecting hijacked computers, DRIP, etc.

Another suggestion which I mentioned before would be setting up an "Email Standards Project" akin to the "Web Standards Project". Get a group of people together and setup a site that will list recommended configurations for popular MTAs and MUAs that can protect user' computers from being hijacked and reduce spam. Things like shutting off open relaying, disabling ActiveX and JavaScript inside mail clients, perhaps disabling HTML email on send, etc. can be documented. User education is very important and something that can be very useful in the long run.

Yakov


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg