My view is that without introducing economics into the picture we're
all just hoping someone comes along and expends enormous time and
energy and resources etc to fix the problem.
If done right, it's NOT expensive or difficult. It looks that way MOSTLY
because most people are looking at stupid and ill-conceived 'solutions'.
Or they're dealing with apples and oranges, like the recent post where people
were talking about long distance telephone calls and package delivery services
as examples where billing and cost allocation schemes seem to be effective.
They're totally ignoring the fact that the costs being allocated are like
three,
four, maybe even five orders of magnitude difference in the price of what
you're
accounting for. If the cost of your accounting processes is on the order of
pennies per transaction (and credit card transactions, which are highly
automated and have been tweaked and tuned for years, are at least billed at
MUCH
more than that), that's fine for international package delivery and probably
even for phone calls, but it's hopelesly out of the ballgame for E-mail
transmissions.
In order for a paid postage system to work, ISPs would need to
block/control all mail transactions on their network. The logical way
to do this is to block port 25 and monitor and rate limit transactions
through the authorized servers.
But it seems to me that just blocking port 25 and monitoring and rate
limiting transactions through the authorized servers solves at least 90%
of the problem without charging anyone anything.
If you have 50 million zombies recruited, you can send a billion spam E-mails
daily by sending 20 E-mails per day per zombie.
If the outgoing mail
servers all had anti-virus scanning too, you'd make it very difficult to
spread viruses effectively too.
ALL worms and viruses are at their MOST prolific and MOST dangerous before they
are recognized by ANY antivirus software.
What nearly everybody is missing on the antivirus front is the simple fact that
if clueless, sweet old Aunt Gertrude suddenly starts sending E-mails containing
an ActiveX or a 180Kb .EXE file or 125Kb .PIF file, or with
Javascript-encrypted
message bodies and obscured URLs, that is SO unlike her typical and familiar
behavior that it all by itself is 'a priori' evidence that ought to raise at
least SEVERAL red flags. You don't HAVE to virus-scan the 125Kb .PIF file to
determine that it's bogus... the mere fact that it is THERE (and in an E-mail
from HER) is enough that it ought to be routed straight to the bit bucket (or
at
the VERY least to some kind of quarantine).
Now, some senders ARE legitimate programmers (me, for one) and I might actually
be EXPECTED to send executable files in E-mail, although even there there are
clients I'd be likely to send executable attachments to and other friends or
relatives where I'd be VERY unlikely to send them executables (and in any case,
I certainly wouldn't need to send them to them without warning them about it in
advance!).
So the current widespread dependence on antivirus scanning is really sort of
dumb, because you're racing to lock the doors AFTER the horses have escaped.
It
doesn't matter all that much how long they've been gone!
On the other hand, if you simply block (or quarantine, or whatever) UNEXPECTED
executable (or other 'dangerous') attachments based on a sender-recipient pair,
you can eliminate VIRTUALLY ALL virus/worm E-mail propagation, and without
requiring constant updating of virus signature files (which, even updated
DAILY,
will always lag new threats enough to allow INCREDIBLY wide malware
propagation,
to tens or hundreds of millions of machines, within a matter of minutes or
hours). Even TOTALLY NEW E-mailed viruses and worms don't get a 'free run'
before they're blocked.
Adding smtp-auth on top would make it
more difficult still.
These approaches still generally have the problem that people with personal
domains (and who are blocked from sending through their domain provider's SMTP
servers by these port-25 blocks) have problems sending mail through their
ISP-provided mail servers. Most ISPs (understandably) seem to want their
customers to send their E-mails using the E-mail addresses assigned to the
customer by the ISP. Customers, of course, have JUST as much reason to NOT
want
to tie themselves that hard to a particular ISP.
And instead of fining those that are spewing
viruses, you could just count each failed virus sent as an email attempt
and cut off their email at something like 500 messages as going over
their quota.
So dear aunt Gertrude suddenly finds she can't send legitimate E-mails anymore.
So what does she do? She either gets frustrated and confused and just gets off
the net, or else she calls her ISP and burns through cu$tomer $upport time
while
they try to help her. Neither way is a happy solution, and both cost real
money
to somebody.
That gives the users an incentive to clean up, while still
allowing the ISP a content-neutral mechanism for cutting off the bad apples.
What's wrong with it NOT being content-neutral?
What's wrong with having a filter which blocks strange/inhabitual mail sent by
Gertrude's machine, but lets her own normal E-mails through just fine? To me,
*that* is an intelligent filter... or at least, more of one.
This isn't unlike the active audio noise filter schemes that were popular in
stereo equipment some years back... (since then these have largely become
irrelevant in digital audio...) rather than a brute-force "hiss filter" which
just cuts the high end (and leaving a muddy low-fi mess), it makes more sense
to
look at what ELSE is there, opening the gates (and closing them!) dynamically
based on what you EXPECT to (maybe!) be there, while actively blocking
unexpected, random stuff which is almost certain to be only just unwanted
noise.
High frequency material is most likely to be the result of overtones of
fundamental (or other overtone) sounds one octave lower. If the accompanying
stuff isn't there, then the overtones probably shouldn't be there either.
So why aren't the advocates of email postage at least recommending this
as a first step?
Maybe because charge-per-email schemes (even with these "well, the first
'however many' will be free" (which in practice never seems to last once the
camel's nose is in the tent) are repugnant and offensive to most users, who've
been deceived by such BS too many times already?
(Just to be clear, I would only advocate mandatory port 25 blocking on
consumer-level accounts.)
Consumers have almost as much reason to want permanent, portable personal
domain
names as anybody else.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg