Re: The utilitiy of IP is at stake here

Dean,

Since this is a response to a note I wrote, I'm going to try torespond to it. Then I'm going to go back to deleting your mailwithout reading it, because it doesn't appear to me as if youreally intend to participate in this discussion, rather thanreciting your set of canards over and over again. The opinionof others may differ, of course but, as far as I am concerned,you are succeeding in losing all credibility.

--On Tuesday, 27 May, 2003 20:15 -0400 Dean Anderson<dean(_at_)av8(_dot_)com> wrote:

Good try, but no cigar.  This would be entirely reasonable if
open relays were the only way to accomplish what you are
after.


They are the only way to accomplish some things, like offering
RFC 821 SMTP service to customers outside our your address
space.

Time to start checking either your facts or your explanations.People offer SMTP service to others (customers or otherwise)"outside their address space" all the time. Even I do it, as acourtesy to colleagues who have gotten stuck behind some ofthose ISP "use only our SMTP server, no outgoing SMTPconnections get past our boundaries" arrangements (I won'tdignify them by calling them "services") I detest. Few of us doit with open relays -- we do it with the two options Imentioned, with selective address filtering (a poor option, IMO,but it is often adequate), with "send after POP" (ditto), andother techniques that involve at least rudimentaryauthentication and authorization.

But, if open relays were used this way, the spam flow through
those open relays are such that "aol/roadrunner/etc" would
start blocking the IP addresses of those relays.  Back to
square one, with no gain.

Type 1 spammers don't abuse open relays.

That is a fairly strong universal assertion. I trust that youhave carefully interviewed and polled all of them, and that allof them told you the truth. I've had evidence to the contraryfrom time to time but, unless Paul Vixie's superhuman, and, IMO,helpful, efforts to collect statistics and categorize the stuff,I just get rid of it as quickly and efficiently as possible (anexpensive process by any measure, unless you believe my time asa value of zero, as you apparently do).

In my experience,
Type 3 abusers (anti-spammers in some cases), do this.  For
example, about a year ago, I got into an argument with two
radical antispammers. Suddenly, 2400 hundred different IP
addresses started trying to abuse our relays. This continued
for about 10 days, and then abated.  Fortunately, our relay
monitoring software blocked this, but it still involved
sorting through (no exaggeration) millions of messages.  After
that, (and still continuing aperiodically), someone began
trying to send viruses through a relay address advertised by a
European open relay blacklist, forging my address.

Coincidence? I don't think so.  Not given other more overt
threats and abuse by antispammers, such as Chris Neill and
others.

Even if you have been unreasonably abused, it doesn't make yourpoint valid. Wrt regard to the legitimacy of spam, or spammerbehavior, the technical term for your discussion above is "redherring".

Instead, there are at least two options available for that
host on a "residential" network (both in heavy use today):

        (i) The host uses a relay supplied by its ISP, one that
        is not blocked by "aol/roadrunner/etc".  This is more or
        less satisfactory depending on what additional
        restrictions the ISP imposes on that relay, but the
        typical restrictions (much as I think they are
        unreasonable) have very little impact on the typical
        residential user who corresponds actively with
        "aol/roadrunner/etc users".

        (ii) The host uses a relay with which its owners have
        established some sort of business relationship and which
        relay is in a position to authenticate the host (via SSL
        certificates, SMTP AUTH, or some combination of a tunnel
        and authentication).


(ii) isn't an option.

Here's a short answer:

1) This is not a standard. It is optional, even if eventually
standardized.

Gee. I am co-author of some odd RFC whose status seems to be"proposed standard". Something like RFC 2195. There is alsoRFC 2554, also a proposed standard, which is, I think, whereSSL/TLS tunnels are covered (this isn't worth the energy for myto go back and check). And virtually all Internet standards, atall maturity levels, are "optional" in the sense that no onerequires anyone to implement them. If they are useful andneeded, they get implemented. If not, they don't. You are,IMO, just wasting time here -- yours and, more important,everyone else's.

2) There are only about 15 mail clients that support it.

And I'd guess the first half-dozen of those represent the _vast_majority of non-AOL email senders on the Internet. And userswho _need_ these capabilities tend to find clients that supportthem. So your point was?

3) It doesn't scale for non-dialup ISPs

And you base this on...? Technologically, several of thosetechniques (note that I mentioned a series of techniques, so I'mnot quite sure what "it" refers to) is easier to support withhardwired, semi-permanent, connections than it is with dialup.

4) Time Warner called it "unsuitable for business".

And Ken Olsen couldn't imagine anyone really wanting a"personal", desktop, computer. Your point is?

5) It doesn't reduce spam. Spammers are not outsiders. It
fails to violate Shannon's theorem.

You keep repeating your dubious reference to Shannon'sobservation about disproof of a covert channel. Nice try, butit is largely irrelevant. That theorem is the informationtheory version of the observation in traditional logic that onecan't prove a universal negative and a relative of Goedel's workon the limits of set theory and mathematical logic systems. Allthree are nicely proveable, but our day-to-day world is moreempirical and statistical: no one I know of is asking for aproof that there are no covert channels out there or that allspam can be stopped. Most of us would be quite happy to justnot see any of it in a given month. And you are wasting time --yours and everyone else's. I suppose that, since you value thattime at zero (based on your claims about the cost of spam) thatis ok from your perspective. But you are, I suspect, beingrapidly added to a lot of filters.

6) about a thousand other mail clients don't support it, and
have no plans to.

So? Either their users don't need it, or they are headed forfailure in whatever marketplace in which they exist. That ishow both standards and products play themselves out.

I was a big fan of open relays a decade ago, but am no longer
convinced that they are the required solution to any problem
we need to solve.

There were no "open relays" a decade ago. There were
"anonymous relays" back then. This "anonymous relay" problem
had nothing to do with SMTP, but was a problem with reverse
DNS, and lack of a numeric IP address in the Received: header.

Thank you for the lecture on SMTP and its predecessors, whoseoperation and history you obviously know more about than I do.

Traditionally --although obviously not in the circles in whichyou travel-- the term "open relay" has been used to describe anSMTP server that would accept traffic for relaying from anysource, without attempting to either authenticate that source orapply authorization rules to it. That has a great deal to dowith the way SMTP works in relay mode, and nothing at all to dowith either reverse DNS or issues about what information is, oris not, copied into Received headers.

This problem was been fixed around 1993.. It is not possible
to send anonymous email through an open relay. (you still hear
this from radical antispammers, though).

If sufficient logging information is maintained, it is notpossible to send mail through a relay (open or not) withoutidentifying the IP address of the sender (that statement wastrue before and after the changes you identify as "around1993"). Getting from that IP address to identification of theindividual sender --which is what you presumably mean by "notanonymous"-- is more or less difficult and more or lessexpensive, depending on a number of other circumstances. Insome cases --and, again, if one believes that people's time hasany value-- the practical costs of identifying an individual farexceed any possible value in doing so. In some others, it maybe nearly impossible. For example, there is a well-known Asiancountry in which most of the dialup services appear to befreenets, with widely-available dialup numbers and passwordsshared among, I believe, literally millions of people. The mailrelays on those systems have no way to determine which user isoriginating a piece of mail, the user's IP address is of nohelp, and a system receiving mail from one of those relays canonly identify the relay host. That is a pretty goodapproximation to anonymity in my book.

And, no, I don't believe that either of the measures above
will significantly reduce the volume of spam.


Then why bother at all?

First, because I was trying to respond factually to a messagethread that appeared to assert that the only way to obtaincertain classes of service was to have open relays. My note waswritten simply to refute that claim.

Second, because, where it is possible and doesn't cause otherproblems, having sufficient authentication that mail servers canbe held responsible for traffic originating on them or relayedthrough them may have technical and social advantagesindependent of their relationship to spam (and your observationsabout "anonymous relays", as discussed above, just don't holdwater).

And finally, believing that a particular technique will not beespecially effective --in statistical or absolute terms--against some behavior I don't approve of does not give me theobligation to make things any easier for the offender.


          john