
Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?

2003-12-17 13:05:38
On Wed, Dec 17, 2003 at 12:43:58PM -0500, Alan DeKok wrote:
  You do.  Without the existence of MTAMark or LMAP, there is no way
for a recipient of traffic from your network to determine that both
you and your users are accepting responsibility.

And even with the existence of MTAMark or LMAP this is impossible.
So I go ahead and set the "I am responsible" flag (even simpler with
LMAP) and go ahead and spam you to ashes.
I lied ... oh my god, so what? You're in Canada (I assume from the whois
for ox.org) and I am in Germany. What do I care.
And what do courts care? There are no laws that say you have to publish
that information and that you may not lie about that information. And
then there is the standard excuse that currently works for everything
related to computers: I am sorry, it was not on purpose, it was a
misconfiguration.
I own the domain "magazin.de" and about 3-4 years ago I was flooded
with 100s of bounces because of a mailing with a sender address
    meingeld@magazin.de
I was told this was an "accident" done by a temporary employee of the
owner of the domain
    meingeld-magazin.de
and when I tried to sue him all I got were fits of laughter, because
the accountable damage caused was some 10 bucks (btw I get spam to
the address meingeld@magazin.de since then).
Ok, this could have been prevented by LMAP. But it also shows there is
no big willingness from the side of the jurisdiction if it can be
explained as a mistake.

So what did you win? Nothing. You will start to add blocks like "trust
the information provided by x and don't trust the information provided by y".
Big deal and big difference to current practice.
The good guys that publish the correct information are still good guys
that don't spam and the bad guys that publish that information are still
bad guys that lie and spam. And you will still only know after looking
at the message.
LMAP and MTAmark will prevent that resources under my control (hosts,
ip addresses, domains) will be as easily abused by others as it is
possible now, as I have the chance to say "don't accept that" but it
also has the advantage that the receiver may decide what to do.
With a block on port 25 set by a transport agency (ISP) the receiver has
lost the possibility to decide.

  To repeat what I've said multiple times already: To the recipient,
your users are indistinguishable from spammers, unless they accept
responsibility for their actions in ways that spammers do not.
e.g. MTAmark, or LMAP.

And even with MTAmark or LMAP it doesn't change a thing. I did write the
MTAmark draft. You cannot trust a MTA=yes. It still may be a lie and it
will be if it comes in handy to the one sitting at that IP to lie to you.
The only real advantage is a MTA=no as it will make it harder for virus
writers or crackers to (ab)use that host to directly send to you.
That's all.

And my arguments in this thread weren't against LMAP or MTAmark but
against blocks on port 25 outgoing.

  If you published MTAMark or LMAP information *before* the attack
occurred, then I could *automate* my blocking of the spam attack, and
*automate* my notification to your contact address.  You get the
notifications more quickly, and I spend a lot less time dealing with
the problem.  It's that easy.  Everyone wins.

That was my point when I wrote the MTAmark draft.

And customers that abuse our AUP or have 0wned hosts not only get
port 25 blocked but they get pulled the plug.

 To repeat again and again: How do I know?  Making those statements in
a mailing list is useless.  You need to make them in a way that MTAs
can discover and use.  That's my entire reason for having this
discussion.

To publish that kind of information needs a lot more than LMAP or MTAmark.
It would require a system like P3P (http://www.w3c.org/P3P/). And still
there is the problem about trust and responsibility.
If spammers need to lie and abuse this information they will.
    "But you promised ..."
    "I know ..."
    "But you promised!!"
    "So what? Go away."

Just as bad guys can lie to you with P3P.
A quote I saved a long time ago expresses this very well:
    |> ... Is this legal? ... 
    It is not "legal", but the network police will not read you
    your rights and drag you away. It will work fine, as long as ... 

  In the real world, people are forced to accept responsibility
*before* bad things happen.  People are forced to change their
behaviour, and to restrict their actions, to *prevent* bad things from
happening.  That's life, and I don't see why it's so hard to apply
that attitude towards the net.

Exactly, they are /forced/, because it will not work on a voluntary basis.
An ISP /starting/ to block port 25 outgoing will have a lot more costs
maintaining the ACLs and will have fewer contracts as people will go to
one that doesn't have them. Blocking port 25 outgoing is not restricting
others from sending in, but your customers from sending out. So they
gain nothing, but in /their feeling/ they get their freedom restricted.
In a world where customers decide which ISP to use on the basis of a
difference of cents in flat rates you will be a good ISP for some weeks
and then you will be a dead ISP.
Would /you/ change your ISP and pay more money because the new one is
a noble one that is caring for the net and is blocking port 25 outgoing,
while your current cheaper ISP is not? Would you?
How many would change to another ISP that is not blocking port 25 outgoing
and that may be cheaper because of this?
Would blocking port 25 outgoing be a criterion for choosing one ISP over
the other for a CEO? If the fees are identical? Would it be a
criterion pro or contra the blocking ISP?

We've terminated contracts with customers because of spamming and with
the last one we've lost a value of about a monthly salary of one employee.
For an ISP with about 50 employees that's a lot of money. Now we can
feel really noble. And our ex-customer is now with a competitor that
gives a shit and is happily spamming on. As the competitor is fairly
large we can't block the mailserver as other emails in the B2B area
would also be affected. Court decision in Germany is that commercial
email (even unsolicited) to commercial email addresses has to be
tolerated in general. The only way to stop it is that each of our
customers is telling the spammer to stop sending them email.
It's easy to demand such useless actions (in terms of the overall result)
from the outside, but it may be your economical death if you're too noble.
Sometimes, at night, before sleep, it makes me wonder if nobleness isn't
only good for stupid idiots and unacceptable if you have to run a business.

  It's not a MUA to MTA protocol.  So why would people not block
outgoing port 25 from dial-up networks, where no MTAs can exist?  The
only MTA those users should be connecting to is yours, right?

No.
How about field staff using SMTP AUTH to connect to their company's
mailserver from dialins? Their MUA will talk SMTP and use port 25
outgoing. Hundreds of small companies sit behind ADSL/SDSL lines.
They use DYNDNS and they run well configured and maintained MTAs.
I don't know if you'll call this a "dial-up network" but typically on
the same network there also live home users with on demand DSL
connections that are not running their computer 7x24.
Typical dialin customers use the ISP's MTA as a relay anyway, as they pay
per timeframe and trying to deliver email directly is cost intensive
and in case of temporarily unreachable destination MTAs it is highly
ineffective. But nevertheless there are MTAs behind dialin connections
retrieving messages via authenticated ETRN and spooling messages they
received from the otherwise unconnected small company intranet they act
as a gateway for. Probably not exactly the kind of MTA you were thinking
of, but nevertheless legal, existing and useful MTAs.

And SMTP is without any doubt an end-to-end mechanism for most SMTP servers

  Nonsense.  The "end to end" principle is about users, not servers.

Nonsense. The "end to end" principle is about end-to-end. Whether the
end is a user depends on the protocol you apply the principle to.

and without any doubt a large number of companies and organizations that
are customers of ISPs, run their own SMTP speaking MTA in an end-to-end way.
And that is what you want to abolish.

  WTF?  Are you on crack?  That's nonsense.

  Thanks for that last sentence.  You've made it perfectly clear to
me that you can't understand what I'm saying, and that I'm wasting my
time trying to explain my position to you.

I think I understand pretty well what you are saying - most of the time.
But I think your position is rather short sighted and limited.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
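Added illustration, not code from this thread or from the MTAMark draft: a receiving-side policy check that applies the asymmetry argued in the message above (an MTA=no answer is acted on, an MTA=yes answer earns no trust and the message still goes through normal filtering). The owner name `_send._smtp._srv.<reversed-ip>.in-addr.arpa` with TXT values "1"/"0" is assumed from the draft and the zone data is constructed.

```python
import ipaddress
from typing import Callable, Optional

# Constructed TXT answers standing in for real DNS (assumption: MTAMark
# publishes "1" = MTA=yes / "0" = MTA=no under this owner name).
CONSTRUCTED_TXT = {
    "_send._smtp._srv.10.0.0.192.in-addr.arpa": "1",     # claims to be an MTA
    "_send._smtp._srv.5.200.168.192.in-addr.arpa": "0",  # dial-up pool, MTA=no
    "_send._smtp._srv.7.0.0.203.in-addr.arpa": "maybe",  # malformed answer
}


def mtamark_name(ip: str) -> str:
    """Owner name of the (assumed) MTAMark TXT record for an IPv4 client."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "_send._smtp._srv." + ".".join(reversed(octets)) + ".in-addr.arpa"


def lookup_mtamark(ip: str, resolver: Callable[[str], Optional[str]]) -> Optional[bool]:
    """True for MTA=yes, False for MTA=no, None when absent or unparsable."""
    txt = resolver(mtamark_name(ip))
    if txt is None:
        return None
    value = txt.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None  # a broken record is treated like no record at all


def connection_policy(ip: str, resolver=CONSTRUCTED_TXT.get) -> str:
    """Decide what a receiving MTA does with a connecting client IP.

    Only the negative assertion is acted on: an owner saying "this address
    does not send mail" is believed and the session is rejected.  A positive
    assertion can be a lie, so it buys nothing; the session continues into
    the usual filtering exactly as it would with no record at all.
    """
    mark = lookup_mtamark(ip, resolver)
    if mark is False:
        return "reject"
    return "continue"
```

Swap `resolver` for a function that performs a real TXT query to use the same policy against live DNS.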
