
Re: IAB policy on anti-spam mechanisms?

2003-02-27 11:01:44
From: "Mike O'Dell" <mo(_at_)ccr(_dot_)org>

> i think you'll find that port 25 is blocked going anywhere except
> the operator's outgoing MTA

Only by the slumlord ISPs.


> this is to require authentication to send email, exercise rate
> limiting, and other anti-spam-sending strategies

Or so they say.

> if the ISP is going to be held responsible for the behavior of
> their clients, then the ISPs are going to take some action to
> police that behavior
> ...

Blocking port 25 is equivalent to replacing glass windows with Lexan
and putting razor wire fences around your tenement in order to control
bad tenants instead of policing them.  Both are a lot cheaper than
enforcing good behavior including making enough examples to deter it.

UUNet in particular has demonstrated this sad syndrome.  For years,
instead of ejecting its spamming and spam-friendly resellers, it lied.
Then it lied for years about installing port 25 filtering.  Finally,
it got port 25 filtering working, and reduced the amount of dial-up
spam it was spewing.  All of that was instead of enforcing an anti-spam
AUP and genuinely cracking down on spammers.  (By "lies" I mean official
public statements in news.admin.net-abuse.email and to individuals that
the UUnet spokesmen could not possibly have failed to know were false.)

Of course, UUNet is far from the only example.  Another good one is
Sprint, which had the audacity to claim to not know how to use ANI to
find spammers running up 5-figure bills on stolen credit numbers or
how to interest law enforcement agencies....this from a telco!


> there is a huge disconnect here.  one camp claims that mail sending
> should not be allowed by just "anyone", since that ability is
> instantly abused by Bad Guys.  another camp claims that forcing email
> through alien MTAs is a violation of the end-to-end principle,
> privacy, assorted other good ideas.
>
> both are right at some level

That first is how it is seen by spam-friendly ISPs, ISPs that want to
cram the Internet back into the ancient AOL/Genie/etc users-with-dumb-
terminals model, and assorted people who like to fight with spammers.
All three groups have reasons for ignoring the fact that outgoing spam
is not a major problem among ISPs that honestly enforce anti-spam AUPs.


> ...
> this means that actions on the Internet are inherently anonymous, or
> at least unaccountable because the only "identity" arises from a
> contractual business relationship between a person and an access
> provider.  the access provider is therefore held to be a proxy for
> the individual since he does (or at least should, at some level)
> have a role in allowing that individual to take various actions.

And it is cheaper for service providers to prohibit SMTP than to break
some financial kneecaps to convince spammers to use spam-friendly ISPs.


> ...
> so if a Bad Guy acquires access, he can do a lot in the amount of
> time required for the business feedback loop to deny access and
> cancel the account.  in the meantime, the Bad Guy has acquired
> numerous other accounts and when one fails, he just starts using
> a new one.

Yes, and if the ISP does no more than cancel the account, we have
examples such as Netcom's special spam-for-a-day rates.  Of course,
Netcom was not the first and certainly won't be the last to cater to
the spam-for-a-day business.

> This is essentially a "disposable identity". The identity is the
> binding inherent in the business relationship with an access provider,
> and when it becomes worthless, it is discarded and a new one is used.

That's what the slumlord ISPs claim, but we all know it's false.
Except for stolen credit cards, the identities associated with credit
cards are not that disposable or anonymous.


> A consequence of the ease with which credentials can be acquired is
> the ease with which new accounts, and hence new identities, can
> be acquired.
>
> To fix this at the "source", so to speak, it would require
> making access *much* harder to get.  simply matching credit cards,
> etc, is insufficient (credit cards are easy to get), so this leads
> to a world where some kind of background check would be required.
> ...

If that were true, then credit card purchases of merchandise would
be hopeless.   Even "bricks-and-mortar" credit card transactions would
involve too much fraud to be tolerable.

There's no reason ISPs cannot use the same sort of fraud prevention
mechanisms used by other online merchants.  For example, there are
equivalents to matching credit card shipping and billing addresses, such
as requiring a new customer to sign a contract and return it by paper
mail (including terms of service that impose significant penalties
for abuse).  The problem with such measures is that they are not free.
It's cheaper to put up the razor wire fences around the tenements.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com