On Mon, 2 Aug 2004, Hallam-Baker, Phillip wrote:
But if we were in that business then a perl script is simply the cost of
doing business. Not a big deal.
I'll remember that quote next time I have something for Verisign to
change. In fact, next time someone wants me to pay support for anything,
unless of course, it's support I need to provide free of charge. Then it's
different. Kind of reminds me of uucp days when people wanted to do
dial-back: Only one site can dial-back. If both insist, either one changes
their policy or they don't connect. Neither society nor networks can work
that way.
Some say otherwise. Some say it takes six months now to renumber IP
addresses, and we are going to add even more work to that task.
Argument by reference to anonymous source is not very credible.
Give a specific example.
I think you follow Nanog, and the recent lawsuit filed over renumbering.
Plaintiff claimed they didn't have enough time to renumber. Also, UUnet
gives 6 months standard to return address space--personal experience.
Specific enough?
We can't accept "I don't know what the problem is going to turn out to
be with this protocol so let's just put it into large scale universal
deployment in 8 months and see what happens.
Why not?
If you don't or can't understand why not, then we don't have enough in
common to communicate on the subject. People depend on the internet. We
can't just break it. But there are some irresponsible people who disagree.
Fortunately, the responsible people are starting to look over their
shoulder, in case they really don't understand.
But here are some pointers from the code of conduct to help you:
2 # Take all reasonable steps to minimise waste of natural resources,
damage to the environment, and damage to products of human skill and
industry.
4 # Avoid deploying technologies that defeat generally accepted
technical principles of the Internet, as documented primarily by the
Internet Engineering Task Force (IETF). In particular, avoid
technologies that tend to subdivide access to the Internet rather than
preserving its universal, unique, and international nature, except as
required by security mechanisms mentioned in the next paragraph.
The next paragraph, just in case anyone wants to add "frivolous,
gratuitous but really neato change" to the definition of "security
mechanisms":
5 # Pay particular attention to the protection of Internet services
against disaster and against a physical or electronic attack, and to the
protection of the integrity and privacy of stored or transmitted
information.
I am sure that whatever problems found will have to be solved by
others and my time is too valuable to bother looking for it now".
Well if you think there might be a problem one assumes that you
will have bothered to read the drafts and tell us about it.
Otherwise it sounds as if you are arguing to do nothing in case
we might break the net.
I'm not saying do nothing. I'm saying make sure it works, and works in more
than just trivial cases. I'm also saying it had better deliver on ending
abuse because 1) we've had enough of these gratuitous changes which have
never delivered on their promises in the past, and 2) I'm saying that
information theory says that it is impossible to make a protocol that
can't be abused, so you probably should have an award winning paper ready
explaining why information theory is violated.
So far, you haven't come close to meeting these standards.
If the IETF does nothing then Sender-ID will happen anyway and
all you will have achieved is breaking the IETF. The end-users
and the sysops are utterly fed up with waiting while nothing is
done.
Excuse me? If the IETF cancels or doesn't approve Sender-ID it will
happen anyway so we better work on it or else? Sure thing, Osama. I'll get
right on it.
I think the sysops and end-users are totally fed-up with being fed
promises that if they do this one thing, that spam will end. I think they
are fed up with being taken for a ride.
I have a better metaphor:
Witch doctors shouldn't have promised the sysops and end users that
something _could_ be done that can't be done. (a common enough mistake
frequently made by marketing in modern times) The witch doctors said that
if we stand on our heads it will stop the flooding, and by that they
technically mean that it will keep our feet dry. Now it had better stop
raining and the flood waters had better recede. And we had better not
drown while we are standing on our proverbial heads.
I'm the scientist who said that standing on your head will not affect the
rainfall nor the drainage. And I say that standing on your head in a flood
might keep your feet dry but you'll drown faster. I say it's better to
spend your time building rain ditches, dikes and levees, and that this
standing on your head business is just so much hooey.
But the witch doctors have said other things in the past:
Run Cancel bots, that'll get 'em
Use this blacklist
Kill the IEMCC, (it came back in CAN-SPAM)
Use Pop before SMTP
Use SMTP AUTH
Use this other blacklist
Use this whitelist
Try this DCC thing
None of that worked. We are getting fed up with stuff that doesn't work.
Doesn't seem like outsourcing is going to work at all. I already gave
as an example scenario of real Av8 Internet customers who send email
from: ...
This is not what I understand by the term 'outsourcing'
If the users are using an earthlink address they better use a
method of authenticating their mail that is approved by
earthlink. It probably means that they relay their outgoing
email through earthlink.
It doesn't, contrary to the assumptions of some, but not the actual
experience of others.
If they want to do different then they should get their own
domain name. They can still receive on the earthlink address.
In some cases, they did this, and in some cases earthlink hosts part of
that domain. No difference.
In an ideal world the IAB or IESG would be providing a priority list
of things to fix. Since they have not, others have decided priorities
instead. If you feel that other priorities should be attended to
then submit a proposal.
Then get back to me when you have a system of changes that
will solve the problem.
Since when did your opinion matter?
Silly me. Why would anyone be interested in a working system, rather than
a really neato, but non-working system.
I don't want to do a bunch of stuff that won't solve the problem.
Been down that road far too many times in the last 8-10 years.
You make it sound as if the IESG had been issuing directives to solve
spam on a daily basis during that time.
The IESG, technically, no. Other witch doctors? yes.
Fact is that you have not been asked to do one thing to solve this
problem by the IETF *EVER*.
I'd say SMTP AUTH was an IETF proposal to replace Pop-before-SMTP. And
while the IETF carefully removed "spam control" from its official goal,
that was in fact the goal of Pop-before-SMTP. So the IETF has had the
opportunity to address spam, and is clearly not ignorant of the problem,
as you know very well from participation in the DNSEXT namedroppers list
where "spam control" was used to abuse some participants over the last
several years.
Instead you have had self-appointed vigilantes taking over that
role.
Some of those vigilantes have rather close associations with the IETF.
But I've always been against vigilantism. Control of abuse involves
limiting the rights and privileges of people, and that quickly becomes a
government activity. It is never a technical activity, other than to
provide evidence of the activity and who did it.
Anyway, in compliance with the ISOC code of conduct rule 3:
3 # If his or her professional advice is not accepted, take all
reasonable steps to ensure that all persons neglecting or over-ruling
this advice are aware of the possible danger or damage which may result.
I don't think many on _this_ forum agree with me to wait with large scale
deployment until more positive results are known. Though enough did on
DNSEXT to kill RMX.
Yes. It is not a problem finding the people who do things when the
incentive to find them exists. It is not a matter of "can't find
them", it is a matter frequently of "No significant cost damage so
Feds won't bother to even look for them".
I am in regular contact with the Secret Service, Mail Inspectorate
and the FBI. Catching the authors of MyDoom and the various gangs who
launched it is a major priority. MyDoom has been used to steal rather
a large amount of money.
We agree on something. Always good to agree on _something_.
--Dean