ietf-asrg

Re: [Asrg] Usefulness of wholesale blocking of attachments for SMTP?

2004-04-19 19:57:25

On April 19, 2004 at 19:28 research(_at_)solidmatrix(_dot_)com (Yakov Shafranovich) wrote:
> My single concern with e-postage is that in the real world bulk mailers
> do not break into post offices and dump their mail in, nor do they bribe
> people to go to the post office and put mail in for them. Because the

Weaknesses such as these do not necessarily suggest an alternative
solution, other than perhaps doing nothing because nothing was
perfect.

> Internet serves as a pervasive communications medium, it is very easy to
> steal or assume someone else's identity - much easier than any phone or
> real world postal system. Of course stolen phone and credit cards have
> always been an issue, but there are laws in place and sufficient
> disincentive exists to discourage it. That is not true in the digital
> world - stealing accounts is very easy because everyone is connected and
> many people don't know how to secure their computers.

I think one result would be that this sort of thing would become a
commercial crime with actual, measurable value, like toll fraud,
rather than the vagaries of time wasted or hassle/embarrassment/etc.

A widely deployed e-postage system would begin to create an economics
around spam fighting, something it sorely lacks now.

> I am referring to the issue of hijacked computers. With an e-postage
> system nothing stops a spammer from stealing Aunt Mary's computer via a
> virus and sending out spam with her e-postage account. Who is going to
> pay in that case? The usual response to that example is that her
> e-postage account will run out. This is basically the same as rate
> limiting and can be done today without resorting to e-postage. But rate
> limiting is not always possible such as when an ISP rents out the
> underlying connectivity from a third party. There was also a suggestion
> in one of the subgroups to write up a BCP describing how to do rate
> limiting.

Similar answer. Right now if a spammer hijacks Aunt Mary's computer
and uses it to spew spam well, that's too bad, but so what (as far as
Ms Mary is concerned)? Other than some embarrassment etc.

Obviously one would hope that ISPs et al, someone in the loop, would
help and help forgive particularly in the beginning.

But as time goes on perhaps, finally, Aunt Mary will cease to find not
securing her computer just a source of funny stories to tell at work
about how some jerk used it to send 1M spams over the weekend until
she figured out what was the problem.

Yes, you have to assert some sort of appropriate value and tangible
loss, trying to be humane, in order for the public to take it
seriously, which may well be software vendors and ISPs taking it
seriously first (``sorry, we sense your system is not at a sufficient
patch level to send email safely, please contact our customer
support...'')

Who makes things right if Aunt Mary leaves her keys in the ignition of
her car and takes it out for a joy ride?

Well, insurance cos etc a little, but the cost and hassle is
sufficient that, unlike getting your computer hijacked, she's probably
pretty careful with her keys wherever this is even a small
possibility.

Anyhow, my point is, it's push/pull.

If we keep saying it has to be free and painless to be a victim then
interest in avoiding being a victim will be limited accordingly.

> In any case, while I am not a big fan of e-postage, there are people
> including some group members (David Nicol, etc.) who are working on
> e-postage systems. If there is a sufficient interest in the industry and
> the community at large, and workable systems exist that require
> interoperability, the IETF can step in and set standards for that.
> Otherwise, I do not see what the ASRG or the IETF can do for or against
> e-postage - it is simply not within the scope of standards at this point.


Eventually there has to be some agreement on what the most tenable
solution is, or admission of failure to find anything worth anyone's
time pursuing.

-- 
        -Barry Shein

Software Tool & Die    | bzs(_at_)TheWorld(_dot_)com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*
