Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com> wrote:
On April 22, 2004 at 16:05 tthomson(_at_)neosinteractive(_dot_)com (Tom Thomson) wrote:
First, we still see junk mail on paper. Something like 65% of my paper mail
is junk. So the charge for paper mail hasn't eliminated spam.
So you're saying unless it's zero then it's useless? I think this is
called "making the best the enemy of the good".
No, I'm saying that 65% is far too high. I receive as much email in a day
as I receive paper mail in a month, and that higher volume burden of
tripling the mail volume with junk mail is much greater. Currently I don't
see the proportion of spam in (free) email as being much different from the
proportion of spam in (paid, stamped) paper mail so it's not obvious that
switching to a paid, stamped system will improve things. Other people will
have different experience, for example Alan De Kok seems to see a vastly
higher proportion of spam, whereas some of my colleagues (those who don't
post to ietf lists which publish email addresses of correspondents on a
public web page, for example) see a much lower proportion of spam.
So I would call it "making myself the enemy of something that will cause a
lot of pain and will probably have no useful effect on the problem".
Second, who pays the charge? If a spammer "owns" a bunch of zombie machines
scattered round the world, they pay the email charge - he doesn't. So it's
not much of a deterrent to him. Of course it may encourage people to secure
their machines so that they don't end up paying, but I'm not certain that
That's all, you just answered your own question.
No I didn't. I made the point that the effect of people securing machines
will be marginal at best (unless the providers of Unix and Windows systems
get their acts in order - and I'm not holding my breath for that).
that will produce a big reduction in volume - look at the number of critical
security problems published in the last year (by reliable bodies like CERT)
for *NIX systems, or the rather smaller number for Windows systems - and
look at the delays in availability of fixes. There's plenty of window for
the attackers even if people are sufficiently clued up to keep their
machines "secure". Of course it's possible to build very secure systems and
to use multiple layers of firewalls, but the average guy is not going to do
that because it's both extremely difficult with current platforms and very
expensive.
So I assume you have a foolproof, perfect solution to spam?
No. If I had I would publish it. At the moment the best approaches I can see
are (a) Seth Breidbart's proposal for expensive 1 day certificates with
free renewals for non-spammers, (b) a means of source verification combined
with anti-spam legislation and enforcement of it, (c) getting ISPs to do
outgoing spam filtering in their smart-hosts (to eliminate a lot of zombie
spam), (d) getting ISPs to check stuff at their borders (the envelope From
address for something passing out should be inside the boundary), and (e)
getting ISPs to check that the From addresses in mail pushed through their
servers match the dial-up or ADSL connection it arrived on. Of these, (c),
(d), and (e) have been proposed quite regularly for over a decade, but most
ISPs don't want to know because it solves someone else's problem not theirs,
so I'm not expecting any of those to happen quickly.
Or you're just determined to wait until one comes along and let the
status quo be?
No. I want to see things like LDAP and Seth's proposal embodied in RFCs
(some of which will eventually become standards track RFCs) and things like
items (c), (d), and (e) on my list embedded in BCPs for mail server
operators. I would also like to see more solutions proposed and debated in
groups like this, so that we can get more proposals onto the standards
track. Of course I'd also like to see secure versions of *NIX and Windows,
to kill off zombie spam and zombie relays, but as I said I'm not holding my
breath on that one (thirty-five years ago we knew how to build secure systems
and how to write operating systems in high level languages to avoid the sort
of flaws which we see so often today; then came C and C++ and operating
systems written in those languages, and we've no hope of building a secure
system).
My assertion is that if people are abusing free resources in a big way
then charge for them, set up a charging mechanism that deters the
abusers w/o discouraging the honest!
How hard is that to understand?
No, it's not hard to understand. It would be nice if we could do it. I
haven't seen a proposal that sets out a mechanism for doing it yet, though
(apart from Seth's proposal that I referred to above) - just some claims
that it's achievable by some variant of a stamp system.
Third, there's one born every minute. The spammer can recruit people as
spam-mailers, people who believe they will make money by working for him and
won't stop sending spam on his behalf until they have lost a packet (some
won't even stop until they've gone bankrupt). They make the losses, he
makes the profits.
So?
At least their money, or lack thereof, places an upper-bound on the
damage they can do. When they run out of money, they stop spamming,
what a wonderful result.
Just how much of the human condition are you trying to fix via this
topic?
You miss the point. I don't much care if the idiots lose money. What I
care about is that the spammer (the guy who persuades them to send out his
email for him) still makes money, so he will continue to spam. If there
were few enough idiots in the world that switching some of them off by
bankrupting them would eliminate the spammer's supply of idiots who will
fall for his scam and send his mail for him, I would be supporting your
ideas instead of opposing them. But as I said, there's one born every
minute - there are just too many.
I'd be more concerned about something like child porn on the net, in
general (nothing to do with spam per se), than the possibility that
someone might get conned by a spammer into sending email and lose a
few bucks on the deal. Just as a f'rinstance.
Me too. But it's completely off topic here.
Fourth, we don't know what the value (to the spammer) of spam is. Obviously
different spams generate different returns. The gullibility and greed of
some people is so great that even with a high email price some spams will
remain profitable - and of course this relates to the first point above. So
we don't know how high we have to set the price to get spam down to a
"reasonable" level, and setting the price too high is as bad as the spam -
my email is just as unusable if no-one can afford to email me as it is if I
have to spend too much time filtering out the spam. Maybe over time we can
find the right pricing level, if there is one, but maybe there isn't a right
pricing level to find.
Now you're way out of anything this list could rationally deal with
(unless you're posting from some country with a centralized pricing
board.)
You're now saying that the list can't rationally deal with a pricing level for
email. So are you being irrational when you say that the list should say
that that pricing level should be higher than it is now? I don't think you are
being irrational, and I don't believe that you think you are either, so I
have to conclude that you made that statement without thinking about what it
meant.
You let the market decide.
The market decided about two decades ago. It decided that the marginal cost
of email should be zero, or as close to it as makes no matter. The market
has grown since then, and changed in other ways of course, but it hasn't
changed this decision.
Tom
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg