on 5/30/2003 8:57 AM Vernon Schryver wrote:
Why are do many spam "solutions" address only forgery? I think there
are two main reasons. Stopping forgery seems far easier than stopping
spam. More important is that admitting forgery is not part of a
significant fraction of spam (your other 50%) and not a required part
of spam in general requires admitting that the spam problem exists only
because many of our own ISPs do not care enough about spam to punish
our fellow spamming customers. Many ISPs are like UUNET/MCI, which
always dealt with spam with more wishful thinking and even bald faced
lies than its finances. (People here may have missed the years of
obviously false statements from the UUnet abuse department spokesmen in
news.admin.net-abuse.email. I hope bland claims of the impossibility
of examining RADIUS logs to find a reseller to hold responsible or the
technical impossibility of packet sniffers on fiber would have been
laughed out of the IETF.)
Accountability features would (hopefully) prove useful for preventing base
forgeries, but I don't think anybody has said that would be its only
benefit. Although some spammers might stop spamming if they lose their
artificial anonymity, the real strength comes from the improved ability to
enforce rules against a known identity (the meaning of the word).
The first step in that means weakening the ability to use forgery
techniques as a shield, but that's just a start. It should also help
against some of the prevarication you describe above, since there would be
less room for waffling if recipients were able to "prove" by verifiable
transfer-path analysis that a particular node had absolutely sent some
piece of spam. This ~provability would also be useful in whatever legal
enforcement options might be available (even if it's just one of the
state-specific laws, or a private lawsuit on the part of AOL/whoever).
Another benefit would come from the ability to have better pre-transfer
filters wherever the identity information made itself available.
These are all examples of how accountability can be used as a tool to help
fight spam. Forgeries are just a part of that particular fight.
Secondarily, there is another class of user where forgeries are
problematic in their own right, which is outright impersonation and/or
fraud, and in that context the anti-forgery capabilities would stand as a
unique benefit. However, the enforcement options which were made available
to those users as a result of the accountability features would be no less
compelling to those users if forgery were attempted and caught.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/