
Re: spam

2003-05-26 11:00:44
On Sat, 24 May 2003, Bill Cunningham wrote:

http://story.news.yahoo.com/news?tmpl=story&u=/nm/20030524/wr_nm/tech_spam_dc_3

    Is this what we want? The legal system taking over something that should
be done by IETF. This new legislation isn't supposed to stop e-mail
marketing, but stop deception. Will it work? :-s

There are 3 types of email that we generally call spam:

Type 1: Bona fide messaging with a real commercial or non-profit (i.e.
political) purpose.  This includes people selling contraband (e.g. drugs)
illegally, so long as they intend to deliver the illegal goods.

Type 2: Bona fide fraudulent activity. Someone is really trying to get your
money, but has no intention of honoring their obligations to the purchase
contract.  This includes bona fide attempts at identity theft.

Type 3: Annoyance activity. This has no bona fide intention of getting
money or even personal information, even though at a casual glance it may
appear so.  Type 3 is broken into 2 subtypes:

Type 3A is a relatively harmless disgruntled person, who is not terribly
sophisticated in their abuse, or in hiding their tracks. This type can be
handled by warnings or account termination. Besides spam, this type is
also involved in small DOS attacks and other unsophisticated abuse.

Type 3B is a career criminal using viruses and rooted machines to conduct
annoyance, which is frequently just another type of DOS attack, but
targeted perhaps at an email address, or perhaps at a domain. This type of
attacker is already a career criminal, having broken into many, often
hundreds of computers, illegally. This type cannot be dealt with
effectively by ISPs, because they are reasonably adept at hiding their
tracks. Usually, the ISP only detects the infected computer, but does not
identify or catch the cracker.
Of these types of spam, Type 1 and Type 2 can be dealt with by law, and
through the actions of the FTC and other regulatory agencies. Once
something has been determined to be contraband, then the appropriate
enforcement agency is called in.  Type 3A can be handled by the ISP or
their employer. Type 3B is much more difficult to handle.

What is unclear is how much of the total spam is due to each of these
types.  A lot of the spam that I receive, and I have kept all this for
some time now, appears to be from type 3B. It is possible that my previous
conflicts with radical anti-spammers may affect the type and proportion of
spam that I get.  My testing and logging of a large block of IP address
space over a period of years has indicated that much abuse is supported
and promoted by certain open relay blacklists which scan for, and then
advertise, open relays and open proxies to abuse.  Relays scanned by such
organizations have shown up on commercial sites selling this information,
such as helllabs.com.ua. The question of whether this activity is merely
exploited or done with active participation seems to be prejudicially
answered by the fact that the "blacklists" advertise input addresses even
though these have no utility to "normal" users of the blacklist.  This
type of abuse (Type 3B) is often done with their ISPs ignoring both their
illegal scanning and their solicitation of abuse, false advertising, and
other issues. It is becoming more common for such activities to try to
operate completely anonymously, or to use false out-of-country addresses
to avoid prosecution[1].  It is unclear how much this type of abuse
contributes to the total spam volume.

I note that helllabs.com.ua makes false and misleading claims that relays
and proxies are free.  The anonymity claimed by a customer's product
(www.ghostsender.com) is also false.  And of course, if the spam is of
Type 1 or Type 2, there is no anonymity at all.  Frauds (Type 2) that
obtain money are easy to track via mail fraud or wire fraud.  Only abuse
of Type 3 is hard to track, and requires law enforcement powers to obtain
the required information.

Legislation of the type we have seen is not going to have any effect on Type
3B, as this type is already committing federal felonies, and the
equivalent in many countries.  But we don't need additional legislation
for this activity since it is already a federal felony with a 5 year jail
term.  The problem is catching the culprit.  This is partly an issue of
law enforcement interest in catching these "harmless" criminals.

Whether the legislation has any effect on total spam will depend on the
proportion of the various types of spam.


With that in mind, we can consider what the IETF can do: The IETF can
specify protocols. But what protocols can be specified to reduce or
eliminate spam?

Dr. Claude Shannon, one of the founders of the science of Information
Theory, proved that it is impossible to prove the non-existence of a
covert channel. In terms of spam, this means that it is impossible to
construct a protocol that cannot be abused, since one cannot prove that it
is impossible (the channel can't exist) to send abuse (a covert channel).
No protocol can ever be constructed that is spam-free.  Radical
anti-spammers often try to couch their arguments as though the spammers
are "outsiders" who have been let in. This isn't true. All abusers are the
customer of some ISP, somewhere. There are no outsiders.  The spammers are
in fact authorized users of some ISP that are authorized to send email.
They remain authorized to send email until they lose service with that
ISP.  Once this is understood, it is completely obvious even without the
formality of Shannon's theorem that protocols such as SMTP AUTH will have
no effect whatsoever.

So IETF efforts in this area are limited to finding means of identifying
the abuser, once the abuser has been detected. There is also the technical
task of detecting abuse.

Once law enforcement becomes involved to make the appropriate requests of
different ISPs, it has not been a technically difficult matter to track
down abusers. Though the technical know-how seems to elude the Law
Enforcement Authorities (e.g. Kevin Mitnick) until a technically
knowledgeable person becomes involved (Shimomura)[2]. There are many
examples of persons who have been arrested for using the internet to make
bomb threats, as well as persons who have released particularly dangerous
viruses, and persons who have cracked computers belonging to financial
institutions.  Once there is a law enforcement interest in finding the
identity of the people involved, there seems to be little technical
obstacle other than technical competence to finding the people. So I think
there is little to be done technically so far as identification goes.

The issue of detecting abuse was the focus of the MIT anti-spam
conference.  There are many paths presently being pursued: Blacklists,
header analysis, and various kinds of content analysis.  I think the
general consensus was that content analysis offers the most promising
means of detecting and blocking abuse.  I think it is too early to tell
how protocols can be helpful in this area, or if new protocols are
necessary. One scheme, used by MSN, gives the user a button to submit a
message as spam. Their system then tracks the number of complaints
involving characteristics of the message, and blocks messages accordingly,
and on per-user control. Of course, this requires no change to any
protocols, just to applications.

                --Dean


[1] SPEWS has attempted to avoid prosecution and legal responsibility by
remaining completely anonymous. ORBZ.ORG was criminally investigated for
crashing the City of Battle Creek's computer system. The City dropped the
investigation after ORBZ announced it would end operations.  However,
simultaneously or before the City's announcement, ORBZ operator Ian
Gulliver registered DSBL.ORG with a Brazilian address. Quite obviously, he
had no intention of halting operations, but merely to disguise their
jurisdiction.

[2] Even though Kevin Mitnick was on the FBI's most wanted list, the FBI
was unable to track him down. Only after one of his victims became
involved, was Mitnick finally located and arrested.
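The complaint-button scheme sketched in the message above (users flag a message as spam, complaints are tallied against characteristics of the message, and blocking is applied per user), as an added example that is not part of the original post and is not MSN's code. The characteristics counted (sender domain, whitespace-normalized subject, URL hosts in the body, a fingerprint of the normalized body), the one-vote-per-user rule, the default threshold of 3 and the sample messages are all assumptions for illustration.

```python
"""Complaint-driven spam blocking in the style of a 'report as spam' button.
Added example, not MSN's implementation: the features counted, the
one-vote-per-user rule and the default threshold are assumptions."""
import hashlib
import re
from collections import Counter
from email.parser import Parser

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def features(raw):
    """Characteristics of a message that complaints are counted against.
    A later message sharing any of them with a heavily reported one is
    blocked even if the sender address or exact wording has changed."""
    msg = Parser().parsestr(raw)
    body = msg.get_payload() or ""
    feats = set()
    sender = msg.get("From", "").lower().strip("<> ")
    if "@" in sender:
        feats.add("from-domain:" + sender.rsplit("@", 1)[1])
    subject = re.sub(r"\s+", " ", msg.get("Subject", "")).strip().lower()
    if subject:
        feats.add("subject:" + subject)
    for host in URL_HOST.findall(body):
        feats.add("url-host:" + host.lower())
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    digest = hashlib.sha256(normalized.encode("utf-8")).hexdigest()[:16]
    feats.add("body-sha256:" + digest)
    return feats


class ComplaintFilter:
    """Counts distinct-user complaints per feature; blocks per recipient."""

    DEFAULT_THRESHOLD = 3  # assumption: complaints needed before blocking

    def __init__(self):
        self.complaints = Counter()  # feature -> number of distinct reporters
        self.reporters = {}          # feature -> set of users who reported it
        self.thresholds = {}         # user -> personal block threshold

    def set_threshold(self, user, count):
        self.thresholds[user] = count

    def report_spam(self, user, raw):
        """The 'this is spam' button: one vote per user per feature, so one
        user clicking repeatedly cannot block a sender for everyone."""
        for feat in features(raw):
            seen = self.reporters.setdefault(feat, set())
            if user not in seen:
                seen.add(user)
                self.complaints[feat] += 1

    def blocked_reasons(self, user, raw):
        """Features of this message whose complaint count meets the limit."""
        limit = self.thresholds.get(user, self.DEFAULT_THRESHOLD)
        return sorted(f for f in features(raw) if self.complaints[f] >= limit)

    def is_blocked(self, user, raw):
        return bool(self.blocked_reasons(user, raw))


# Constructed sample messages (not real spam); .test is a reserved TLD.
SPAM_1 = """From: deals@example-offers.test
To: alice@example.test
Subject: Cheap meds, no prescription

Order now at http://pills.example-offers.test/buy and save.
"""
SPAM_2 = """From: promo@another-sender.test
To: bob@example.test
Subject: CHEAP MEDS,   no prescription

Visit http://pills.example-offers.test/buy today!
"""
HAM = """From: colleague@example.test
To: alice@example.test
Subject: Meeting notes

Notes from today's call are at http://intranet.example.test/notes
"""


def demo():
    """Two distinct users report SPAM_1; alice (threshold 2) then rejects
    SPAM_2, which shares its URL host and subject, while bob (threshold 5)
    still receives it. Returns the decisions so they can be inspected."""
    flt = ComplaintFilter()
    flt.set_threshold("alice", 2)
    flt.set_threshold("bob", 5)
    flt.report_spam("user1", SPAM_1)
    flt.report_spam("user1", SPAM_1)  # duplicate click, ignored
    flt.report_spam("user2", SPAM_1)
    return {
        "alice_spam2": flt.blocked_reasons("alice", SPAM_2),
        "bob_spam2": flt.blocked_reasons("bob", SPAM_2),
        "alice_ham": flt.blocked_reasons("alice", HAM),
        "url_complaints": flt.complaints["url-host:pills.example-offers.test"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Counting one vote per user per feature, rather than raw clicks, is what keeps a single disgruntled reporter (Type 3A in the message's terms) from turning the complaint button itself into a denial-of-service tool against a legitimate sender; the per-user threshold is what the message calls "per-user control".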