Re: The utilitiy of IP is at stake here
2003-05-27 19:18:34
Dean,
Since this is a response to a note I wrote, I'm going to try to
respond to it. Then I'm going to go back to deleting your mail
without reading it, because it doesn't appear to me as if you
really intend to participate in this discussion, rather than
reciting your set of canards over and over again. The opinion
of others may differ, of course but, as far as I am concerned,
you are succeeding in losing all credibility.
--On Tuesday, 27 May, 2003 20:15 -0400 Dean Anderson
<dean(_at_)av8(_dot_)com> wrote:
Good try, but no cigar. This would be entirely reasonable if
open relays were the only way to accomplish what you are
after.
They are the only way to accomplish some things, like offering
RFC 821 SMTP service to customers outside our your address
space.
Time to start checking either your facts or your explanations.
People offer SMTP service to others (customers or otherwise)
"outside their address space" all the time. Even I do it, as a
courtesy to colleagues who have gotten stuck behind some of
those ISP "use only our SMTP server, no outgoing SMTP
connections get past our boundaries" arrangements (I won't
dignify them by calling them "services") I detest. Few of us do
it with open relays -- we do it with the two options I
mentioned, with selective address filtering (a poor option, IMO,
but it is often adequate), with "send after POP" (ditto), and
other techniques that involve at least rudimentary
authentication and authorization.
But, if open relays were used this way, the spam flow through
those open relays are such that "aol/roadrunner/etc" would
start blocking the IP addresses of those relays. Back to
square one, with no gain.
Type 1 spammers don't abuse open relays.
That is a fairly strong universal assertion. I trust that you
have carefully interviewed and polled all of them, and that all
of them told you the truth. I've had evidence to the contrary
from time to time but, unless Paul Vixie's superhuman, and, IMO,
helpful, efforts to collect statistics and categorize the stuff,
I just get rid of it as quickly and efficiently as possible (an
expensive process by any measure, unless you believe my time as
a value of zero, as you apparently do).
In my experience,
Type 3 abusers (anti-spammers in some cases), do this. For
example, about a year ago, I got into an argument with two
radical antispammers. Suddenly, 2400 hundred different IP
addresses started trying to abuse our relays. This continued
for about 10 days, and then abated. Fortunately, our relay
monitoring software blocked this, but it still involved
sorting through (no exaggeration) millions of messages. After
that, (and still continuing aperiodically), someone began
trying to send viruses through a relay address advertised by a
European open relay blacklist, forging my address.
Coincidence? I don't think so. Not given other more overt
threats and abuse by antispammers, such as Chris Neill and
others.
Even if you have been unreasonably abused, it doesn't make your
point valid. Wrt regard to the legitimacy of spam, or spammer
behavior, the technical term for your discussion above is "red
herring".
Instead, there are at least two options available for that
host on a "residential" network (both in heavy use today):
(i) The host uses a relay supplied by its ISP, one that
is not blocked by "aol/roadrunner/etc". This is more or
less satisfactory depending on what additional
restrictions the ISP imposes on that relay, but the
typical restrictions (much as I think they are
unreasonable) have very little impact on the typical
residential user who corresponds actively with
"aol/roadrunner/etc users".
(ii) The host uses a relay with which its owners have
established some sort of business relationship and which
relay is in a position to authenticate the host (via SSL
certificates, SMTP AUTH, or some combination of a tunnel
and authentication).
(ii) isn't an option.
Here's a short answer:
1) This is not a standard. It is optional, even if eventually
standardized.
Gee. I am co-author of some odd RFC whose status seems to be
"proposed standard". Something like RFC 2195. There is also
RFC 2554, also a proposed standard, which is, I think, where
SSL/TLS tunnels are covered (this isn't worth the energy for my
to go back and check). And virtually all Internet standards, at
all maturity levels, are "optional" in the sense that no one
requires anyone to implement them. If they are useful and
needed, they get implemented. If not, they don't. You are,
IMO, just wasting time here -- yours and, more important,
everyone else's.
2) There are only about 15 mail clients that support it.
And I'd guess the first half-dozen of those represent the _vast_
majority of non-AOL email senders on the Internet. And users
who _need_ these capabilities tend to find clients that support
them. So your point was?
3) It doesn't scale for non-dialup ISPs
And you base this on...? Technologically, several of those
techniques (note that I mentioned a series of techniques, so I'm
not quite sure what "it" refers to) is easier to support with
hardwired, semi-permanent, connections than it is with dialup.
4) Time Warner called it "unsuitable for business".
And Ken Olsen couldn't imagine anyone really wanting a
"personal", desktop, computer. Your point is?
5) It doesn't reduce spam. Spammers are not outsiders. It
fails to violate Shannon's theorem.
You keep repeating your dubious reference to Shannon's
observation about disproof of a covert channel. Nice try, but
it is largely irrelevant. That theorem is the information
theory version of the observation in traditional logic that one
can't prove a universal negative and a relative of Goedel's work
on the limits of set theory and mathematical logic systems. All
three are nicely proveable, but our day-to-day world is more
empirical and statistical: no one I know of is asking for a
proof that there are no covert channels out there or that all
spam can be stopped. Most of us would be quite happy to just
not see any of it in a given month. And you are wasting time --
yours and everyone else's. I suppose that, since you value that
time at zero (based on your claims about the cost of spam) that
is ok from your perspective. But you are, I suspect, being
rapidly added to a lot of filters.
6) about a thousand other mail clients don't support it, and
have no plans to.
So? Either their users don't need it, or they are headed for
failure in whatever marketplace in which they exist. That is
how both standards and products play themselves out.
I was a big fan of open relays a decade ago, but am no longer
convinced that they are the required solution to any problem
we need to solve.
There were no "open relays" a decade ago. There were
"anonymous relays" back then. This "anonymous relay" problem
had nothing to do with SMTP, but was a problem with reverse
DNS, and lack of a numeric IP address in the Received: header.
Thank you for the lecture on SMTP and its predecessors, whose
operation and history you obviously know more about than I do.
Traditionally --although obviously not in the circles in which
you travel-- the term "open relay" has been used to describe an
SMTP server that would accept traffic for relaying from any
source, without attempting to either authenticate that source or
apply authorization rules to it. That has a great deal to do
with the way SMTP works in relay mode, and nothing at all to do
with either reverse DNS or issues about what information is, or
is not, copied into Received headers.
This problem was been fixed around 1993.. It is not possible
to send anonymous email through an open relay. (you still hear
this from radical antispammers, though).
If sufficient logging information is maintained, it is not
possible to send mail through a relay (open or not) without
identifying the IP address of the sender (that statement was
true before and after the changes you identify as "around
1993"). Getting from that IP address to identification of the
individual sender --which is what you presumably mean by "not
anonymous"-- is more or less difficult and more or less
expensive, depending on a number of other circumstances. In
some cases --and, again, if one believes that people's time has
any value-- the practical costs of identifying an individual far
exceed any possible value in doing so. In some others, it may
be nearly impossible. For example, there is a well-known Asian
country in which most of the dialup services appear to be
freenets, with widely-available dialup numbers and passwords
shared among, I believe, literally millions of people. The mail
relays on those systems have no way to determine which user is
originating a piece of mail, the user's IP address is of no
help, and a system receiving mail from one of those relays can
only identify the relay host. That is a pretty good
approximation to anonymity in my book.
And, no, I don't believe that either of the measures above
will significantly reduce the volume of spam.
Then why bother at all?
First, because I was trying to respond factually to a message
thread that appeared to assert that the only way to obtain
certain classes of service was to have open relays. My note was
written simply to refute that claim.
Second, because, where it is possible and doesn't cause other
problems, having sufficient authentication that mail servers can
be held responsible for traffic originating on them or relayed
through them may have technical and social advantages
independent of their relationship to spam (and your observations
about "anonymous relays", as discussed above, just don't hold
water).
And finally, believing that a particular technique will not be
especially effective --in statistical or absolute terms--
against some behavior I don't approve of does not give me the
obligation to make things any easier for the offender.
john
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- major ISP spam count, (continued)
- Message not available
- Re: spam, Anthony Atkielski
- Re: spam, S Woodside
- Re: spam, Anthony Atkielski
- The utilitiy of IP is at stake here, Tony Hain
- Re: The utilitiy of IP is at stake here, shogunx
- Re: The utilitiy of IP is at stake here, John C Klensin
- Re: The utilitiy of IP is at stake here, Dean Anderson
- Re: The utilitiy of IP is at stake here,
John C Klensin <=
- Re: The utilitiy of IP is at stake here, Dean Anderson
- RE: The utilitiy of IP is at stake here, Tomson Eric \(Yahoo.fr\)
- RE: The utilitiy of IP is at stake here, Dean Anderson
- Re: The utilitiy of IP is at stake here, Anthony Atkielski
- RE: The utilitiy of IP is at stake here, Tomson Eric \(Yahoo.fr\)
- RE: The utilitiy of IP is at stake here, Dean Anderson
- RE: The utilitiy of IP is at stake here, John C Klensin
- RE: The utilitiy of IP is at stake here, Dean Anderson
- Answering questions and defamation (was: RE: The utilitiy of IP is at stake here), John C Klensin
- Re: Answering questions and defamation (was: RE: The utilitiy of IP is at stake here), Dean Anderson
|
|
|