ietf-asrg

Re: [Asrg] Email Postage (was Re: FeedBack loops)

2008-11-17 23:08:21

On November 17, 2008 at 22:14 sethb(_at_)panix(_dot_)com (Seth) wrote:
Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com> wrote:

Anyhow, again, based on that logic Amazon oughta start offering free
shipping for all orders and just print their own US postage stamps!

Whaddya think? Is it the trouble to do that which stops them? Or the
fear of getting caught?

You do realize that it's a felony to counterfeit postage stamps.  It's
at most a violation of contract to re-use e-postage, and Amazon
probably has bigger lawyers.

At this point in time, but violation of contract (and maybe criminal
fraud) are a LOT more than we have now.

And why do you imagine Amazon (e.g.) would want to counterfeit email
postage and challenge it in court?

I thought the whole point is that it's in their interest.

It's kinda like Amazon counterfeiting SSL certs, they rely on SSL
certs heavily right? And inserting a CA when they have no permission
to do so???

I guess they could do it and even win in court and kick the stuffing
out of the CA who challenged them but...why? Why would they do that?

Isn't it in their interest to play the game? Isn't it in their
interest to participate in something of minimal cost which might do
damage to spammers?

Isn't spamming to Amazon et al kinda like people being able to fill
your mailbox with tons of unpaid for junk and their stuff which they
paid for gets lost in the mess? Wouldn't they prefer to pay for
postage and that everyone else had to also? Isn't it the postage which
pays for enforcement of the postal rules like (US) it's illegal to put
anything into a mailbox, other than outgoing mail where permitted,
unless it's gone through the post office?

Do we all agree that an accepted characteristic of virtually all spam
is their inability to pay for legitimate advertising channels?

I don't think selling herbal viagra will pay for a billion honest
email messages a day. Even if it was only, I dunno, $1,000/day.

But what Amazon does could probably pay for $1M/day easily, and be
well worth it if it sharply increases their response rate.

Of course that's the hard part.

Spammers? Sure, they can try.

They can buy a stamp and keep on re-using it.

Well, that would be an inferior scheme wouldn't it?

If DKIM was designed so the sender key was always 16 ones then there'd
be real problems there also...phishers could probably tag their
headers with 16 ones also.

BUT that wouldn't be a very good design would it?

Anyhow, there are ecurrency methods which claim to attack this
problem.

And I could imagine social engineering methods, rewards, blacklists,
LEOs, etc.

I hate proposing specific designs at this point but maybe a more
concrete f'rinstance would help:

MTAs can check DNSBLs and similar now. They could, by a similar
mechanism, check a "stamp". Like credit card numbers the stamp could
indicate which authority to check with (the first four digits of a
credit card is the bank identifier.)

Something like that would be enough to detect most duplication, and
we'd even know who handed it off. If it's a crook, unknown, ok, it
just gets discarded, yay, spam defeated!  If it's Amazon, it gets
noted and could be the basis for objection and enforcement.

I'm having trouble imagining any scheme I've ever seen or likely
will see which could possibly stand up to these sort of objections
of bottomless rootkitting,

Real estimates are in the tens of millions of zombies.

I tell people this all the time. They never believe me either.

But I also claim that some of that zombie problem has to be attacked
by other means tho it's good whenever it can be frustrated at this
level.

Economic incentives could accelerate that.

trivial cracking of all cryptographic techniques, unbridled willful
crime and fraud by multi-billion dollar corporations...

You're the one who introduced Amazon.  The rest of us are talking
about Joe Spammer from Estonia.

Yeah, but if you're trying to create an economic incentive for
enforcement etc you start with the Amazons of the world, not the Joe
Spammers.

As I said before: Why have RIAA et al been so effective where
anti-spam measures haven't?

Money.

Isn't that why DKIM is aimed at the banks etc of the world and not Joe
Spammer per se? The banks have an economic incentive to have their
email authenticated. The hope is that the Joe Spammers then drop off
the face of the earth, at least in that realm.

Thus far, however, we don't know if DKIM will work. Not
technologically, on paper, but to solve any actual problems. As I said
there's all that sticky stuff about reputation systems etc.

-- 
        -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
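
Added example, not part of the original message or of any ASRG proposal: a sketch of the stamp check the message outlines, where the first four digits of a stamp select the issuing authority and a second presentation of the same serial is flagged along with who handed it off. The stamp layout ("NNNN-serial"), the names StampAuthority and check_stamp, and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class StampAuthority:
    """Hypothetical issuer; a real MTA would query it remotely, much like a DNSBL."""
    name: str
    issued: set                                     # serials this authority sold
    spent: dict = field(default_factory=dict)       # serial -> first presenter
    reuse_log: list = field(default_factory=list)   # (serial, presenter) per re-use

    def redeem(self, serial, presenter):
        if serial not in self.issued:
            return "reject", "serial never issued"
        if serial in self.spent:
            # Duplicate: keep who handed it off, as a basis for enforcement.
            self.reuse_log.append((serial, presenter))
            return "duplicate", "first used by " + self.spent[serial]
        self.spent[serial] = presenter
        return "accept", "first use"

def check_stamp(stamp, presenter, authorities):
    """Route a stamp to its authority by its first four digits, then redeem it."""
    prefix, sep, serial = stamp.partition("-")
    if not (sep and len(prefix) == 4 and prefix.isdigit() and serial):
        return "reject", "malformed stamp"
    authority = authorities.get(prefix)
    if authority is None:
        return "reject", "unknown authority"
    return authority.redeem(serial, presenter)

def demo():
    # Constructed sample data: one authority, two stamps it issued.
    auth = StampAuthority("example-authority", issued={"A1", "A2"})
    authorities = {"1000": auth}
    results = [
        check_stamp("1000-A1", "mta.sender.example", authorities),
        check_stamp("1000-A1", "mta.other.example", authorities),   # re-used stamp
        check_stamp("9999-A1", "mta.other.example", authorities),   # no such issuer
        check_stamp("1000-ZZ", "mta.other.example", authorities),   # forged serial
    ]
    return results, auth.reuse_log

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The reuse_log is what separates the two outcomes the message describes: an unknown presenter's duplicate is simply discarded, while a duplicate from an identifiable sender leaves a record to object to.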