Re: [Asrg] How about we do something about spam?
2007-02-01 10:30:26
I don't even know where to start about the mischaracterization of dkim
here, so I won't. Suffice it to say that Doug's take on dkim is nu^H^Hpretty
idiosyncratic.
Douglas Otis wrote:
On Jan 31, 2007, at 3:32 PM, Barry Shein wrote:
On January 31, 2007 at 21:52 asrg(_at_)johnlevine(_dot_)com (John Levine) wrote:
Some confirmation from respected sources might help.
Well, at this moment, I am sitting in a session at MAAWG where the
FTC's lead spam investigator is telling us about his investigation
process and he and ISP reps are going over issues like whether they
notify customers when they get a subpoena. Also present are the
Canadian competition bureau, analogous to the FTC, and I believe I
saw some guys from DOJ.
Well that's of course great but some publicized thrust and focus from
the IETF couldn't hurt the thinking of the policymakers who have to
actually allocate budgets and other priorities.
Is there any disagreement that if we could just snap our fingers and
make the zombie botnets disappear (or 90% disappear) that "spam" (and
related) wouldn't immediately have all the emotional punch of
"off-topic posting", some odd msg you get and delete?
Put another way, zombie botnets are the enabling technology of spam
(phishing, etc.)
Put another way, legalizing spam enables high infection rates needed
to support the existence of Bot-Nets. Malware content within an email
message and websites (required to OPT-OUT) provide bad actors ample
opportunity to leverage exploits that exist in email or website
browsers. The completely absurd stipulations of OPT-OUT is satisfied
by a link to a web site of all things. CAN-SPAM mandates victims
expose themselves to two very likely modes of infection. Browsers
continuously have new and complex features added, where many flaws
exist and can be exploited. Bulk messaging with embedded links
provides a highly dangerous infection vector.
Easier said than done I realize, but it's inherently illegal to
create and operate zombie botnets, and I don't mean just in the US,
most anywhere on the planet.
By making spam illegal, the act of transmitting a high volume of
unsolicited messages would then clearly serve as evidence of crime.
This would place accountability onto the provider. The efforts behind
SPF and DKIM are aimed at passing blame to a hapless customer.
Thousand of domains might share an SPF authorized server which is
likely to have only a few IP addresses. The identity limitations with
DKIM ensures providers will also control their customer's private
keys. Who sent and signed the message is _designed_ to remain a
mystery. Some mode of accountability.
The law enforcement and regulatory agencies of the planet have a lot
more resources they can muster than we ever could.
Providers must acknowledge they are primarily responsible for much of
the mess that exists. Providers must be held accountable when any
high volume of unsolicited messaging emerges from their networks.
Even if we could come up with the FUSSP we'd still probably face
enormous hurdles of deployment.
The first step would be to make spam illegal. Illegal for individuals
to send, and for providers to ignore. After all, providers control
access. Allow those damaged to seek relief. Making spam illegal
would make networks many orders of magnitude safer.
Vigorous legal pursuit wouldn't preclude technical efforts in
parallel unless of course spam just disappears as a result.
Twice the technological effort is attempting to pass blame to some
likely hapless customer. Make a law that requires providers sign all
public messages with their own keys. There should even be laws that
prohibit signing with a customer's key. Customers can reference
specific keys used on their behalf instead. There should be laws
against the use of highly danger authorization schemes, such as
SPF/Sender-ID. Poisoning or destroying DNS is easily accomplish with
this loathsome technology. A technology also aimed at side stepping
accountability.
There is no other way we know of to send out on the order of one
billion emails per day for a cost which even approaches the expected
value of those messages and would so successfully evade already
commonplace blocking and filtering methods.
Does anyone disagree with that?
Enforcement must make any spam illegal AND hold providers
accountable. To ensure enforcement, allow anyone damaged to seek
legal relief.
Can't we say that in some very public way? Does anyone doubt that's
true?
There are few providers that want to consider their accountability as
part of the cost of doing business. No one can afford to clean up the
mess being made. Just as was done to control the abuse of fax
machines, the same must be done with respect to email. At least with
a fax machine, programs were not in jeopardy, just resources.
Sometimes I think the problem otherwise insightful technical people
have in thinking about spam is wrapping their heads around what it
takes to send out O(billion) messages a day from a handful of base
sources and we keep retreating to imagining spam as being much like
sending this message other than the content and intent.
It's not.
Content or intent do not need to be considered. The volume and lack
of solicitation provides key differences. The lack of solicitation
allows for rather easy methods of enforcement. One grows weary
logging trespasses that can only be considered privately as bad.
Those making these private assessments remain exposed to civil
proceeding as a result. Spam must be illegal to stop it. There are
very few legitimate businesses using spam to promote their products,
and yet the US Congress has legalized spam. OPT-OUT is a dangerous,
impractical, and an immoral excuse.
It's as if I could make this message appear in 100 million mailboxes
in the next few hours, despite many efforts to the contrary.
The number of messages does not matter. The number of unsolicited
messages does.
I couldn't. You couldn't.
Not true. There are some rather large mailing lists where such
volumes are possible. Lists enjoying a large number of subscribers
are also typically well managed.
It takes a zombie botnet.
There are many other techniques. Malware provides many avenues to
exploit networks. Make spam illegal to slow the spread of malware.
There are other issues, but I'm focusing on this one as the most
egregious and, I hope, easiest to agree on in terms of contribution
to the problem and legal/moral unambiguity.
You seem to have the cart before the horse. In addition to spam,
perhaps other rules could be considered regarding system scanning.
This again would require that providers take action to block access.
Vista comes equipped with what is likely an ideal command and control
system for controlling Bot armies. The system must protect from the
spread of infection. Prevention is worth a pound of cure.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
|
|