Re: [Asrg] How about we do something about spam?

I don't even know where to start about the mischaracterization of dkim
here, so I won't. Suffice it to say that Doug's take on dkim is nu^H^Hpretty
idiosyncratic.

Douglas Otis wrote:
> On Jan 31, 2007, at 3:32 PM, Barry Shein wrote:
>
> > On January 31, 2007 at 21:52 asrg(_at_)johnlevine(_dot_)com (John Levine) wrote:
> > > > Some confirmation from respected sources might help.
> > > Well, at this moment, I am sitting in a session at MAAWG where the 
> > > FTC's lead spam investigator is telling us about his investigation 
> > > process and he and ISP reps are going over issues like whether they 
> > > notify customers when they get a subpoena.  Also present are the 
> > > Canadian competition bureau, analogous to the FTC, and I believe I 
> > > saw some guys from DOJ.
> > Well that's of course great but some publicized thrust and focus from 
> > the IETF couldn't hurt the thinking of the policymakers who have to 
> > actually allocate budgets and other priorities.
> > Is there any disagreement that if we could just snap our fingers and 
> > make the zombie botnets disappear (or 90% disappear) that "spam" (and 
> > related) wouldn't immediately have all the emotional punch of 
> > "off-topic posting", some odd msg you get and delete?
> > Put another way, zombie botnets are the enabling technology of spam 
> > (phishing, etc.)
> Put another way, legalizing spam enables high infection rates needed 
> to support the existence of Bot-Nets.  Malware content within an email 
> message and websites (required to OPT-OUT) provide bad actors ample 
> opportunity to leverage exploits that exist in email or website 
> browsers.  The completely absurd stipulations of OPT-OUT is satisfied 
> by a link to a web site of all things.  CAN-SPAM mandates victims 
> expose themselves to two very likely modes of infection.  Browsers 
> continuously have new and complex features added, where many flaws 
> exist and can be exploited.  Bulk messaging with embedded links 
> provides a highly dangerous infection vector.
> > Easier said than done I realize, but it's inherently illegal to 
> > create and operate zombie botnets, and I don't mean just in the US, 
> > most anywhere on the planet.
> By making spam illegal, the act of transmitting a high volume of 
> unsolicited messages would then clearly serve as evidence of crime.  
> This would place accountability onto the provider.  The efforts behind 
> SPF and DKIM are aimed at passing blame to a hapless customer.  
> Thousand of domains might share an SPF authorized server which is 
> likely to have only a few IP addresses.  The identity limitations with 
> DKIM ensures providers will also control their customer's private 
> keys.  Who sent and signed the message is _designed_ to remain a 
> mystery.  Some mode of accountability.
> > The law enforcement and regulatory agencies of the planet have a lot 
> > more resources they can muster than we ever could.
> Providers must acknowledge they are primarily responsible for much of 
> the mess that exists.  Providers must be held accountable when any 
> high volume of unsolicited messaging emerges from their networks.
> > Even if we could come up with the FUSSP we'd still probably face 
> > enormous hurdles of deployment.
> The first step would be to make spam illegal.  Illegal for individuals 
> to send, and for providers to ignore.  After all, providers control 
> access.  Allow those damaged to seek relief.  Making spam illegal 
> would make networks many orders of magnitude safer.
> > Vigorous legal pursuit wouldn't preclude technical efforts in 
> > parallel unless of course spam just disappears as a result.
> Twice the technological effort is attempting to pass blame to some 
> likely hapless customer.  Make a law that requires providers sign all 
> public messages with their own keys.  There should even be laws that 
> prohibit signing with a customer's key.  Customers can reference 
> specific keys used on their behalf instead.  There should be laws 
> against the use of highly danger authorization schemes, such as 
> SPF/Sender-ID.  Poisoning or destroying DNS is easily accomplish with 
> this loathsome technology.  A technology also aimed at side stepping 
> accountability.
> > There is no other way we know of to send out on the order of one 
> > billion emails per day for a cost which even approaches the expected 
> > value of those messages and would so successfully evade already 
> > commonplace blocking and filtering methods.
> > Does anyone disagree with that?
> Enforcement must make any spam illegal AND hold providers 
> accountable.  To ensure enforcement, allow anyone damaged to seek 
> legal relief.
> > Can't we say that in some very public way? Does anyone doubt that's 
> > true?
> There are few providers that want to consider their accountability as 
> part of the cost of doing business.  No one can afford to clean up the 
> mess being made.  Just as was done to control the abuse of fax 
> machines, the same must be done with respect to email.  At least with 
> a fax machine, programs were not in jeopardy, just resources.
> > Sometimes I think the problem otherwise insightful technical people 
> > have in thinking about spam is wrapping their heads around what it 
> > takes to send out O(billion) messages a day from a handful of base 
> > sources and we keep retreating to imagining spam as being much like 
> > sending this message other than the content and intent.
> > It's not.
> Content or intent do not need to be considered.  The volume and lack 
> of solicitation provides key differences.  The lack of solicitation 
> allows for rather easy methods of enforcement.  One grows weary 
> logging trespasses that can only be considered privately as bad.  
> Those making these private assessments remain exposed to civil 
> proceeding as a result.  Spam must be illegal to stop it.  There are 
> very few legitimate businesses using spam to promote their products, 
> and yet the US Congress has legalized spam.  OPT-OUT is a dangerous, 
> impractical, and an immoral excuse.
> > It's as if I could make this message appear in 100 million mailboxes 
> > in the next few hours, despite many efforts to the contrary.
> The number of messages does not matter.  The number of unsolicited 
> messages does.
> > I couldn't. You couldn't.
> Not true.  There are some rather large mailing lists where such 
> volumes are possible.  Lists enjoying a large number of subscribers 
> are also typically well managed.
> > It takes a zombie botnet.
> There are many other techniques.  Malware provides many avenues to 
> exploit networks.  Make spam illegal to slow the spread of malware.
> > There are other issues, but I'm focusing on this one as the most 
> > egregious and, I hope, easiest to agree on in terms of contribution 
> > to the problem and legal/moral unambiguity.
> You seem to have the cart before the horse.  In addition to spam, 
> perhaps other rules could be considered regarding system scanning.  
> This again would require that providers take action to block access.  
> Vista comes equipped with what is likely an ideal command and control 
> system for controlling Bot armies.  The system must protect from the 
> spread of infection.  Prevention is worth a pound of cure.
> -Doug
>
>
>
> _______________________________________________
> Asrg mailing list
> Asrg(_at_)ietf(_dot_)org
> https://www1.ietf.org/mailman/listinfo/asrg

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg