[Top] [All Lists]

Re: New incompatible Tricks promotes change

2007-12-06 12:08:33

On Dec 6, 2007, at 2:06 AM, Hector Santos wrote:

Change promotes chaos which strives for equilibrium which instigates a new round of survival of the fittest, deviation and imperfection, thus the cycle begins again.

Trick XYZ requires change like any other trick. If change is what we want, IMO your particular trick no longer applies - there are by far more simpler solutions.

SMTP v3.0 needs registration and enforcement ideas. Thats all - two fundamental ideas that we are very careful not to revisit again.


Even when everything is authenticated, some type of temporal, opaque identifier is needed to deal with repeatedly abusive sources. Registration serves as a means to rate-limit abuser access, but that is not a complete solution.

TBR allows offering "questionable" transmitters a choice -

1) Receive a temp error, or

2) Provide a nonspoofable, content immutable, and opaque source reference

The TBR reference does not require receivers to expend resources associated with obtaining keys, cryptographic analysis, obtaining extensive address list of all hosts used on behalf of a domain, or investigating all permissions at every hop. Bot nets are making receiver resource intensive analysis impractical, to say the least.

Expect registration and enforcement to be the role of different parties. Don't expect email providers to proactively play the role of enforcer. They naturally have conflicted interests with a desire is to attract as many users as possible. A large number of users in itself, allows, and may invite, lax enforcement. Those offering access to services often operate at thin margins where customer support represents a substantial component of their overhead. Dealing with a compromised system often requires hours of labor and a high level of interaction.

There are lucrative business models for either party, however SMTP currently and significantly lacks a means for fine grain enforcement. The interests of those offering registration are significantly different from those attempting to keep lines of communication clear. Those offering email services and those blocking abuse should not be seen as being adversaries. The latter is more prone to DDoS attack where it is very much in their interest to keep the number of compromised systems in check. As such, they offer notification with a place to go for resolution, many such companies even offer free remdiation.

TBR is not a trick defeated by changing a message's format. TBR can not be defeated by lying about some header within the message. TBR does not depend upon _anything_ that would give the transmitter an advantage over that of the receiver. In that sense, TBR can remain a long term solution unlike most other efforts or proposed solutions. By not having any identifier with a granularity smaller than the domain or the client's IP address, too often those providing enforcement have created problems for the providers. This tends to put them at odds. Levels of abuse can be expected to rise unless finer grain enforcement becomes possible. After all, we all want to get along. Sounding a bit like Jerry McGuire, help us to help you.

TBR offers a fine grain, opaque, identifier at an extremely low resource cost from the perspective of the receiver. TBR is NOT about conserving the Internet. TBR is about providing an effective and scalable mean of enforcement which acknowledges the different roles of transmitter and receiver, or email and anti-abuse provider. TBR is not a clever trick. It is dead simple and can be very effective.