ietf-asrg

Re: [Asrg] Email Postage (was Re: FeedBack loops)

2008-11-17 14:44:52

On November 17, 2008 at 13:44 asrg(_at_)johnlevine(_dot_)com (John Levine) wrote:
> If your grandmother can send mail from her PC, what's to stop the
> spammer who zombied it from sending mail the same way?
>
> Let's say that Grandma picks an ISP, let's call it World, for its
> friendly personal service. Spammer hacks or phishes Grandma and sends
> a bunch of spam from her PC, postage of $43.27 is now due.

Well, this is again a straw man. I suppose I'd have to answer "you're
right, that would be a really dumb way to design such a system! So
let's not do it!" (doctor it hurts when I...)

Let's go to the end here...

> Who pays the postage?  Grandma?  She calls World (or perhaps her
> teenaged granddaughter who set up her PC calls) and tells World to
> forget it.  The spammer?  He's in Estonia.  So does World pay?  If so,
> how can anyone afford to run an ISP?  If not, it's not really
> pay-to-spam, is it?
>
> On the third hand, if we're going to wave our hands and assume that
> all the mail we exchange has strong sender authentication, there's
> some rather powerful sorting and filtering tools we can use that don't
> require inventing payment schemes.

I haven't waved any such strong authentication hands, you just made
that up, right?

The way I conceive it there isn't any sender auth required, or not in
that sense.

Amazon buys cryptographic cookies and puts them in the email header.

These can be verified independently by a receiver (MUA, MTA, whatever,
that's policy.)

Crypto can be made pretty hard.

But since Amazon only pays for the postage it uses then, for example,
the only real downside of a false positive at the receiver end is
you get spammed. But we've made it a lot harder.

But here's a better one: Limits, unless explicitly waived.

Grandma can send, I dunno, pick a number, 1,000 free messages a day
(receiving isn't involved), that'd slow down any spammer. If you
exceed it, then by default you're shut off. Maybe as an ISP I'd up you to
10,000/day free merely for asking; grandma would never ask, and if you're
aware enough to ask you probably aren't that likely to be zombied.

WHATEVER, that's marketing, right?

Every ISP has limits right now so save me any faux hypotheticals.

For example, email boxes are never infinite for these $20/month
accounts. And when you exceed that limit, your mail bounces. But you
can buy more if you like. So make sure the hypothetical you're itching
to type in doesn't also apply just as well to the status quo of
mailbox size limits, or web bandwidth quotas, etc.

See, what's being missed here is what (and color me astonished) most
novices miss when they start thinking about the spam problem.

That is that spammers, in order to be any sort of nuisance at all,
have to send out STAGGERING amounts of email. On the order of a
billion (10^9) per day per each.

If they couldn't you wouldn't see very much of it and it wouldn't be
much of a problem and we could disband and leave it to the methods
already in place (spamassassin, white listing, C/R, etc.)

STAGGERING amounts! Repeat after me...stag-ger-ing...

You should watch my mail logs here. It's an odd day I don't have
SEVERAL simultaneous dictionary attacks (aaa(_at_)theworld(_dot_)com, no such
user, aab(_at_)theworld(_dot_)com, no such user), often coming from big ISPs
like EarthLink, which is kinda frustrating: They shut it down and it pops up
again w/in 24 hrs and they shut it again and again and then they get
sick of shutting it down and we get sick of asking and suggest they
fix their system which raises tension etc...

All day, all night, every day, every night, day in, day out.

And that's just ONE easily log-summarized (I have a script which gives
me a frequency chart of sites generating the most user unknowns) spam
form. Most of the traffic isn't that, it's just being pounded from
lists spammers have. All day, all night...

STAGGERING!

Consequently, I claim we could give grandma a free quota of 1,000
messages a day, maybe 10,000 (A DAY!) and it would still royally screw
the spammers.

Isn't that amazing? Don't ask "what if that's false", ask "what if
that's true?"

I have been running this ISP for almost 20 years, and running large
networked systems almost a decade longer (I put Boston University on
the internet, I was in charge of most of their network in the 80s),
cut me a little slack that maybe I have some well-developed ideas
about all this.

I realize the mind's eye tends to scale the problem down and only
thinks of it in terms of existentiality, of that ONE message in MY
box...if grandma can send 10,000 messages doesn't that mean she can
put 10,000 messages into MY MAILBOX? What sort of progress is that?

But of course that's nonsense, that's not what goes on, not at all.

I'd probably advise something more like rate-limiting rather than
absolute quota. Not so hard.

BUT EVEN ALL THAT BEGS THE ACTUAL PROPOSAL...

See, perhaps I'm a fool to waste so much energy tearing down straw men
which mostly serve to ignore the actual intent of the idea.

The actual intent is to create an economics around bulk commercial
email...EVEN WHAT WE'D CALL "BONA FIDE" BULK EMAIL.

Because with some sort of economics, as we have seen, nothing happens.

While you (and I) were sitting here the last several years trying to
come up with some FUSSP Verizon built out a multi-billion dollar FiOS
network, Apple developed a huge iTunes content site from nothing,
Google became a powerhouse in the IT industry, etc etc etc.

And, to paraphrase the Wizard of Oz in his last scenes, what's the
difference between this effort and theirs? MONEY! ECONOMICS!

You shouldn't be so resistant and keep proposing straw man problems no
rational person would implement and declaring them disproofs.

I only see most of them as reasonable boundary conditions tho many are
in the realm of marketing.

What really is the concern of this group in terms of economic impact
of their proposals? Except to wave them as red flags crying out for
the poor ISPs et al when an idea just doesn't suit them.

Can someone give me the dollar impact of any proposal which has gone
thru here? Or any attempt to calculate it?

Back in the 1970s I worked in occupational epidemiology at the Harvard
School of Public Wealth, er, Health.

We had a full-time phd faculty-level economist on the staff whose job
it was to calculate the economic impact of various things we were
involved in, many of those reports went to congress because many of
our conclusions became legislation (e.g., to limit exposure to a
particular substance.) We also spent a lot of time with unions,
management, and in particular insurance companies who often would be
holding the long-term bag for health costs from exposures. It was
fascinating...anyhow.

How different is this group from an epidemiology group, really?

Yes, grandma needs to be considered, the typical user needs to be
considered, non-profits, non-commercial mailing lists, etc etc etc.

It's not that complicated.

But my fundamental claim is either we inject economics into the
picture or we're doomed. We're doomed to just sit here another 10
years trying to invent a perpetual motion machine to solve the energy
crisis.

-- 
        -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
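The per-sender outbound limit the post sketches (a default free quota of 1,000 messages a day, 10,000 on request, and rate-limiting rather than an absolute cutoff), as an added example that is not part of the original post and not any ISP's actual policy. The token-bucket design, the burst size and the sender names are my assumptions; exact arithmetic is used so the simulated counts are reproducible.

```python
from fractions import Fraction

DEFAULT_DAILY = 1_000     # free outbound quota the post floats for "grandma"
WAIVED_DAILY = 10_000     # what an ISP might grant "merely for asking"
SECONDS_PER_DAY = 86_400

class OutboundLimiter:
    """Per-sender token bucket (hypothetical design). Refill rate is the
    sender's daily quota spread over the day; the bucket holds only
    `burst_hours` worth of it, so a zombied account is throttled within
    minutes instead of only after its whole daily allowance is gone."""

    def __init__(self, burst_hours=Fraction(24, 10)):  # 2.4 h = 100 msgs at 1,000/day
        self.burst_hours = Fraction(burst_hours)
        self.daily = {}     # sender -> messages per day (waived senders only)
        self.level = {}     # sender -> tokens currently in the bucket
        self.last = {}      # sender -> time of last refill, in seconds

    def waive(self, sender, daily=WAIVED_DAILY):
        """Explicit waiver: a higher rate, and proportionally a larger burst."""
        self.daily[sender] = daily

    def _rate(self, sender):
        return Fraction(self.daily.get(sender, DEFAULT_DAILY), SECONDS_PER_DAY)

    def allow(self, sender, now):
        """True if the message may be sent now, False if it must be deferred."""
        now = Fraction(now)
        rate = self._rate(sender)
        capacity = rate * self.burst_hours * 3600
        level = self.level.get(sender, capacity)
        level = min(capacity, level + (now - self.last.get(sender, now)) * rate)
        self.last[sender] = now
        if level >= 1:
            self.level[sender] = level - 1
            return True
        self.level[sender] = level
        return False

def simulate(limiter, sender, count, interval):
    """Submit `count` messages `interval` seconds apart; return (accepted, deferred)."""
    accepted = sum(limiter.allow(sender, i * interval) for i in range(count))
    return accepted, count - accepted

if __name__ == "__main__":
    lim = OutboundLimiter()
    print("zombie, 3600 msgs in an hour:", simulate(lim, "grandma", 3600, 1))
    lim.waive("smallbiz")
    print("waived, same burst:          ", simulate(lim, "smallbiz", 3600, 1))
```

A zombied default account gets about 140 of its 3,600 messages through in the first hour; a sender who mails 50 messages a minute apart is never touched.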
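The "frequency chart of sites generating the most user unknowns" the post mentions, as an added example that is not the author's script. The sendmail-like log format, the relay names, the addresses and the dictionary-attack heuristic (many distinct unknown local parts stepping through the alphabet, as in the aaa/aab pattern the post quotes) are my assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the post), sendmail-like format,
# documentation IP ranges and example hostnames.
SAMPLE_LOG = """\
Nov 17 02:11:03 mx sendmail[1201]: to=<aaa@theworld.com>, relay=dsl-1.isp.example [192.0.2.10], stat=User unknown
Nov 17 02:11:04 mx sendmail[1202]: to=<aab@theworld.com>, relay=dsl-1.isp.example [192.0.2.10], stat=User unknown
Nov 17 02:11:04 mx sendmail[1203]: to=<aac@theworld.com>, relay=dsl-1.isp.example [192.0.2.10], stat=User unknown
Nov 17 02:11:05 mx sendmail[1204]: to=<aad@theworld.com>, relay=dsl-1.isp.example [192.0.2.10], stat=User unknown
Nov 17 02:11:05 mx sendmail[1205]: to=<aae@theworld.com>, relay=dsl-1.isp.example [192.0.2.10], stat=User unknown
Nov 17 02:13:41 mx sendmail[1230]: to=<bzs@theworld.com>, relay=mail.friend.example [198.51.100.7], stat=Sent
Nov 17 02:15:09 mx sendmail[1244]: to=<old-user@theworld.com>, relay=mail.friend.example [198.51.100.7], stat=User unknown
Nov 17 02:15:10 mx sendmail[1245]: to=<sales@theworld.com>, relay=mail.friend.example [198.51.100.7], stat=User unknown
Nov 17 02:15:10 mx sendmail[1246]: to=<old-user@theworld.com>, relay=mail.friend.example [198.51.100.7], stat=User unknown
"""

REJECT_RE = re.compile(
    r"to=<(?P<user>[^@>]+)@[^>]*>, relay=(?P<host>\S+) \[(?P<ip>[^\]]+)\], stat=User unknown"
)

def looks_sequential(names, min_names=5, min_ratio=0.6):
    """Heuristic: many distinct unknown local parts that step through the
    alphabet (aaa, aab, aac, ...) are the signature of a dictionary attack."""
    s = sorted(names)
    if len(s) < min_names:
        return False
    steps = sum(
        1 for a, b in zip(s, s[1:])
        if len(a) == len(b) and a[:-1] == b[:-1] and ord(b[-1]) - ord(a[-1]) == 1
    )
    return steps / (len(s) - 1) >= min_ratio

def summarize_user_unknown(log_text):
    """Return [(host, reject_count, distinct_users, dictionary_attack)]
    sorted by reject_count descending: a frequency chart of 'user unknown' sources."""
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:  # only 'User unknown' rejections count; deliveries are ignored
            rejects[m.group("host")].append(m.group("user"))
    rows = [
        (host, len(users), len(set(users)), looks_sequential(set(users)))
        for host, users in rejects.items()
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for host, n, distinct, attack in summarize_user_unknown(SAMPLE_LOG):
        print(f"{n:5d} {distinct:4d} {'DICT' if attack else '    '} {host}")
```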