Re: [Asrg] Usefulness of wholesale blocking of attachments for SMTP?
2004-04-21 18:42:35
On Apr 19, 2004, at 19:28, Yakov Shafranovich wrote:
> My single concern with e-postage is that in the real world bulk
> mailers do not break into post offices and dump their mail in, nor do
> they bribe people to go to the post office and put mail in for them.
They would, if screwing with the USPS wasn't a felony that gets you
jail time.
You'll notice that casual phone phreaking dropped off real fast once
Kevin Mitnick and a bunch of other hackers were sent to federal prison.
> - stealing accounts is very easy because everyone is connected and
> many people don't know how to secure their computers.
If it started costing them a few hundred dollars a month to remain
ignorant, I bet they'd learn real fast or get off the net. And frankly,
I don't care which, because the buffoons we're talking about are the
ones bombarding me with megabytes of spam and viruses.
> I am referring to the issue of hijacked computers. With an e-postage
> system nothing stops a spammer from stealing Aunt Mary's computer via
> a virus and sending out spam with her e-postage account. Who is going
> to pay in that case? The usual response to that example is that her
> e-postage account will run out. This is basically the same as rate
> limiting and can be done today without resorting to e-postage. But
> rate limiting is not always possible such as when an ISP rents out the
> underlying connectivity from a third party. There was also a
> suggestion in one of the subgroups to write up a BCP describing how to
> do rate limiting.
Your logic here seems to be "having a limited supply of funds to be
used for e-postage is a bit like rate limiting, and rate limiting is
sometimes difficult, hence limiting e-postage funds is difficult".
Needless to say, that doesn't follow at all. A dolphin is a bit like a
fish, and fish can't breathe air, therefore dolphins can't breathe air.
People do this kind of money-based spending limiting all the time. They
set up debit accounts they can use on the net with minimal balances, so
that if the account gets hacked the thief can only steal a small
amount. They buy Starbucks cards and phone cards with $20 of coffee or
telephone calls in, so if a thief steals the easily-stolen and
anonymous card, they're only out $20. They get the credit card company
to lower their credit lines.
Hell, if theft via computer hijacking without the user noticing really
turns out to be that much of a problem, we can sell e-postage on $10
plastic cards at the corner store, and computers could be fitted with a
$20 card reader. No need to have an associated account that can be
drained. If you swipe the card and the postage all vanishes, you know
you've been 0wN3d and call the cops. The technology is cheap and easy.
> Otherwise, I do not see what the ASRG or the IETF can do for or
> against e-postage - it is simply not within the scope of standards at
> this point.
Well, it might be useful to set out some requirements. Or is that not
within the IETF's remit? (Serious question.)
> Another issue is convincing people to switch - the unlimited/free
> pricing scheme has been embedded into the psyche of Internet users to
> such an extent that it will be very hard to convince people to switch.
That's why I think one important requirement is that the receiver be
allowed to waive or refund the postage fee at his discretion.
Basically, what I want to see is that if you want to mail me, you have
to offer me a nickel as a show of good faith that your mail isn't
spam. Obviously if your mail isn't spam, I don't have to take the
nickel; and if I'm an ass and take it anyway, you're only out a nickel.
> ISPs also have to be convinced to spend money on supporting and
> participating in the e-postage infrastructure.
There are several options here.
One is that we could let them swipe a fraction of the e-postage; or
rather, add it on to the top. So if I charge 5 cents and my ISP charges
1 cent, you have to risk 6 cents, and will typically have to pay 1
cent--unless you're a spammer, in which case you lose the entire 6
cents.
Sure, some ISPs will price-gouge. The result will be that they'll lose
customers, because nobody will want to e-mail their customers.
Competition should do the rest.
Another option is that the ISP could take a fraction of the cash that
would otherwise be credited to each user's account at the end of the
month. So if a month's worth of e-mail would result in my getting $10
from commercial junk mailers and spending $4 on sending mail myself,
the net would be $6 in my favor, and the ISP would get (say) 5% of
that. Again, market forces would punish ISPs who attempted to gouge.
The end result would work almost exactly like the Amazon tip jar or
eBay, both of which seem to be doing just fine.
And that's without even considering the potential savings from not
having huge quantities of spam flowing through their servers.
As soon as there's an e-postage system like I discuss above (*) running
in parallel with the current e-mail system, I for one will use it and
encourage all my friends to do so. I'll also tell people who have
trouble getting past my spam filters to use it, and if they refuse and
get bitten by the filter, that's their problem and it has a <5 cent
solution.
And after a while I'd probably whitelist all my family and friends, and
tell everyone else to use the e-postage system.
So while I share some of Barry's skepticism about people being willing
to go for e-postage, and about the vitriol and lies we'll hear from the
press about it, ultimately I'm not sure that matters. If it works,
it'll spread virally.
> Would it be viable for all of the parties interested in e-postage to
> get together and start working together including addressing the
> issues raised and testing code, instead of just discussing the idea?
Well, I'd be happy to make suggestions, test stuff, and maybe even help
with documentation, but I only intermittently have spare time. Still,
if there's a list I can join, I'm willing to pull out the outliner and
come up with a first cut at what *I* think some of the requirements
need to be.
> Of course Microsoft is interested in it as per Bill Gates's speech but
> they are also a software provider, so their interest may have a
> different motivation.
I don't think Microsoft is interested in e-postage as we discuss it; I
think they're interested in a system where Microsoft gets a couple of
cents every time you send an e-mail to or from a Windows system. I'll
go without e-mail before I'll pay a penny to Microsoft, and I believe
there are enough like-minded people that a pay-Microsoft-for-email
system would fail as badly as Microsoft Passport has failed.
mathew
[ (*) In particular, with the "refund" functionality. ]
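
The scheme sketched in this message (a prepaid card, a 5-cent stake the recipient may keep or refund, and a 1-cent ISP surcharge on top) can be modelled as a small escrow ledger. This is an added example, not part of the original post; the class, function and account names are hypothetical, and amounts are in whole cents.

```python
from dataclasses import dataclass, field

class InsufficientPostage(Exception):
    """The sender's prepaid balance cannot cover the stake for one message."""

@dataclass
class PostageLedger:
    recipient_fee: int = 5      # cents the recipient may keep or refund
    isp_fee: int = 1            # cents added on top by the ISP, never refunded
    balances: dict = field(default_factory=dict)
    escrow: dict = field(default_factory=dict)   # msg_id -> (sender, recipient)
    isp_revenue: int = 0
    next_id: int = 0

    def load_card(self, user, cents):
        # Prepaid card: the only money at risk is what was loaded.
        self.balances[user] = self.balances.get(user, 0) + cents

    def send(self, sender, recipient):
        stake = self.recipient_fee + self.isp_fee
        if self.balances.get(sender, 0) < stake:
            raise InsufficientPostage(sender)
        self.balances[sender] -= stake
        self.isp_revenue += self.isp_fee
        self.next_id += 1
        self.escrow[self.next_id] = (sender, recipient)
        return self.next_id

    def settle(self, msg_id, keep):
        # pop() raises KeyError if a message is settled twice.
        sender, recipient = self.escrow.pop(msg_id)
        payee = recipient if keep else sender
        self.balances[payee] = self.balances.get(payee, 0) + self.recipient_fee

def hijack_loss(card_cents=1000):
    """Hijacked machine sends until the card is empty; every recipient keeps the fee."""
    ledger = PostageLedger()
    ledger.load_card("aunt_mary", card_cents)
    sent = 0
    try:
        while True:
            ledger.settle(ledger.send("aunt_mary", f"victim{sent}"), keep=True)
            sent += 1
    except InsufficientPostage:
        pass
    return sent, ledger.balances["aunt_mary"], ledger.isp_revenue

def legit_cost():
    """A wanted message: the recipient refunds the stake, only the ISP fee is spent."""
    ledger = PostageLedger()
    ledger.load_card("alice", 100)
    ledger.settle(ledger.send("alice", "bob"), keep=False)
    return 100 - ledger.balances["alice"]
```

With a $10 card the hijacked account stops after 166 messages, while a refunded legitimate message costs its sender one cent.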