On Dec 1, 2008, at 5:42 PM, Barry Shein wrote:
> On December 1, 2008 at 11:04 dotis(_at_)mail-abuse(_dot_)org (Douglas Otis)
> wrote:
> > It is not hard to imagine why large providers wish to ignore
> > accounts using compromised systems, as these represent extremely
> > expensive support issues.
> At the risk of being flip, it is not my responsibility to design
> optimized business models for them.
There is no Internet related revenue stream being made available to
compensate providers who deal with bot-nets. Nor is there an
International Internet police force, men in black helicopters, that
might impose fines to generate the needed revenues. If there was some
way to establish a revenue stream that could be directed toward
providing corrective incentives, it might help create a much needed
market force.
As a naive view, perhaps to offset support costs, individuals could
be offered Internet access discounts when they acquire a support and
insurance package that protects them from being 0wned. Support and
insurance premiums might be offset with reduced fees required by
providers who are able to assign support and monitoring duties to this
support and insurance agency. By allowing this agency to also monitor
their networks, they might be able to increase profits by judiciously
black-hole routing potential threats as needed.
> It costs me a lot to deal with the spam from their business model
> optimizations, and earns me nothing.
Which is also why the current Authentication-Results header is
wrong-headed. It excludes the SMTP client IP address when assessing path
registration authorization. This header portrays the domain as an
"authenticated" message source, and makes it appear as if the provider
plays no role.
> > Once IPv6 opens the door to 340,000 decillion (10^33) IP
> > addresses, the granularity of evidence collection and blocking
> > cannot be retained at the IP address.
> Oh please. There won't be 10^33 IP addresses involved. There are
> only about O(nx10^9), n<10, people on the planet etc etc.
The concern is being misunderstood. The number of IP addresses
involved has little to do with the number of bad actors. For every
address range listed, collected evidence will be needed. Not only
does the size of the zone file supported by various DNS servers become
a concern, so are storage requirements for the evidence. The process
of establishing negative reputation assertions is not by the access
provider permitting abusive traffic. It is likely funded by list
subscribers. These list subscribers will not want to pay a fee
increased by the resources needed to support the additional monitored
space.
This might scale when done based upon registration and positive
reputation. One then needs some way to identify those registered, and
hope registration fees are not required, or there may be conflicts of
interest. Even checking receipt of a postcard becomes expensive when
abused. What transaction system would be efficient at collecting the
minor cost of mailing a postcard?
> Put another way:
> IF THEY CAN BILL THEM FOR A SERVICE THEY CAN MONITOR THEM.
> Ok?
Not okay. Traditional list providers will be unable to bill those who
are obtaining large numbers of IPv6 addresses. :^(
> The rest follows from the above so no point in my responding.
> But gack if I could just get back the many sleepless nights I spent
> because AOL, and others, chose to not verify credit cards or other
> info before automatically enabling accounts (something we did) and
> the attack after attack from those accounts being created at script
> speed and the sanctimonious "you don't understand what marketeers
> call friction, checking credit cards before enabling would
> constitute unreasonable marketing friction, go read a marketing book".
Larger providers are not surrounding themselves in virtue, and neither
are some of the various standards proponents. :^(
> Until, I guess, those acts started attacking their own systems, then
> it was "damn the market friction and full steam ahead!"
It was not an attack by their own network responsible for the
change. Black-hole listing abusive services helped provide the
needed market incentive.
-Doug
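An added illustration, not part of either author's mail, of the scaling point made above about per-address listing versus listing by prefix: it builds RFC 5782-style DNSBL query names (reversed octets for IPv4, reversed nibbles for IPv6), optionally truncated to an assumed listing granularity, and counts how many zone entries a listed range would need. The zone name bl.example and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional


def dnsbl_query_name(addr: str, zone: str, prefix_len: Optional[int] = None) -> str:
    """Build the DNSBL lookup name for addr under zone.

    IPv4 uses reversed dotted octets and IPv6 reversed hex nibbles, as in
    RFC 5782. prefix_len is an assumed listing granularity (e.g. 64 for IPv6):
    when given, the name is truncated so that every address inside that prefix
    maps to the same zone entry instead of one entry per address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = ip.exploded.split(".")          # 4 octets
        if prefix_len is not None:
            labels = labels[: prefix_len // 8]   # keep whole octets only
    else:
        labels = list(ip.exploded.replace(":", ""))  # 32 hex nibbles
        if prefix_len is not None:
            labels = labels[: prefix_len // 4]   # keep whole nibbles only
    return ".".join(reversed(labels)) + "." + zone


def zone_entries_needed(network: str, prefix_len: int) -> int:
    """Zone entries required to cover `network` when listing per prefix_len.

    Listing per individual address (prefix_len 32 or 128) is the case the
    thread argues does not scale; coarser prefixes collapse the count.
    """
    net = ipaddress.ip_network(network, strict=False)
    if prefix_len <= net.prefixlen:
        return 1                                # one entry covers the range
    return 2 ** (prefix_len - net.prefixlen)


if __name__ == "__main__":
    # Constructed sample values; bl.example is a placeholder zone.
    print(dnsbl_query_name("192.0.2.10", "bl.example"))
    print(dnsbl_query_name("2001:db8::1", "bl.example"))
    print(dnsbl_query_name("2001:db8::1", "bl.example", prefix_len=64))
    # Per-address listing of one /32 needs 2**96 entries; per-/64 needs 2**32.
    print(zone_entries_needed("2001:db8::/32", 128))
    print(zone_entries_needed("2001:db8::/32", 64))
    print(zone_entries_needed("192.0.2.0/24", 32))
```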
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg