ietf
[Top] [All Lists]

Re: Principles of Spam-abatement

2004-03-01 13:53:24
On Mon, 1 Mar 2004, Robert G. Brown wrote:

On Mon, 1 Mar 2004, Paul Vixie wrote:

And everyone else needs to move from the generic reference to
"consent" on to something that is more concrete, as well as being
integrated into a full range of human uses for email.

i'm pretty comfortable with www.dictionary.com's definition of "consent".

Ah, are we about to develop psmtp (psychic simple mail transport
protocol)?  The first mail protocol that can read my mind and see if I
"consent" to a particular communication before I (or rather, my mail
agent, since that's where one part of the abuse occurs) receive it?

That's a neat trick...

It seems that many of the people who consider themselves to be sitting at
the "grownup-table" really have a child-like ignorance of causality
constraints in their schemes.

I am always amused when people naively critcize SMTP for permitting spam,
as though changing the protocol would make people not want break the
rules.  I am also impressed by the people who think that people just
aren't taking the problem very seriously.

The list of the "Principles of Spam-abatement" is itself very naive. It
assumes that spammers are people who make money selling products.  
Certainly, there are some who would prefer people believed this.
Unfortunately, the (January) results coming back from the CAN-SPAM show
that 56% of the 95 top spammers are _fully_ compliant with the CAN-SPAM
act.  Yet few messages in my inbox are even partially compliant. This
gives one some idea of how much spam is being sent by viruses and "fake"
spammers: Quite a lot.  The genuine spammers are permission based, and
have honest opt-out facilities and aren't annoying anyone except the
radicals who can't abide their existance.

Any "solution" to spam has to stop the viruses that have no genuine
products or services to sell, no interest in finding out if they reach
real addresses, no concern for taxes, nor any regard for civil or criminal
law.

<extract>
*** Anonymous Bulk Email Software

*** is a super fast bulk email software that sends out at speeds greater
than 1,000,000 emails per hour* on a dedicated mailing server.

*** has the capability to use Proxies and Relays and also to send
directly.

Some of the features include:
Anonymous Mailing using Proxies
Message Randomization to bypass Spam Filters
Speeds over 850-950K emails per hour on Turbo Mode
Up to 1000 Threads
Unlimited Email List Size (up to 100 Million per file)
HTML and Plain Text Emails
Tag Macros to personalize and randomize emails
Custom Headers ....... more on
</extract>

The above description is for a product that violates the CAN-SPAM act,
which prohibits deceptive practices. But wait, it also claims to advertise
proxies and relays--that's something I know about:  Analysis of our logs
over a long period have only found anti-spammers scanning for relays.  We
know this because for one to scan for a relay, they have to include an
email address that recieves email. Setting up an "unused" mailserver
allows easy collection of the email addresses of those scanning relays.  
So far, all such scanning has been by anti-spam sites. So, this "spamware"
is not a truly genuine product--it is either a complete fraud (no
product), or a deception sold by "anti-spammers" to identify potential
spammers, or it is a group of people (anti-spammers) helping spammers
spam--presumably hoping to annoy people into helping their cause.

While it is harder to identify the people scanning for proxies, it is
still easy to detect such scanning, and stop the scanning. After stopping
the scanning, we are left with the technique of having the virus-infected
computer "phone home". However, this can also be used to identify the
operator.

Clearly, there are people out there trying to make the spam problem worse.
Paul Vixie told me (in email)  back in 1997 that it was his "goal to make
things worse", that anything that makes the spam problem worse, makes it
more likely that spam will be banned.  Undoubtedly, there are people who
have taken that goal too literally.  He's also said recently that he's
been in contact with the "script kiddies"  (who operate viruses) and that
they are mostly anti-spam. Yet almost all viruses send spam.  Any
realistic measure needs to consider how to stop those radical antispammers
and script kiddies who just want to annoy people until they "take spam
seriously".

Someone else wrote:
Something along the lines of 'Know your enemy' comes to mind; get hold
of such a product, reverse engineer it, find its weaknesses and nullify
it.

People have been doing this for many years. Probably since 1994, but
certainly in earnest since 1996 or 1997.  No luck for a permanent
solution. It is just a whack-a-mole operation.

Someone else wrote:
I am thinking that spam is and will remain a long-term battleground
and it needs serious effort to counter, perhaps a Cert-like
organisation, and we are just not putting in enough serious effort yet;
perhaps the cost to us is not yet high enough to stir us to action.

Well, there have been very serious efforts, for a very long time, by very
smart people. These efforts are just not enough, and as information theory
shows, will never be "enough".

It is interesting that the same people who promised a technical solution
many years ago, and have failed after 7 or 8 years of trying to create a
permanent technical solution to spam, are still saying things like "we
need to change the protocol", or (essentially) "we need to have time
travel to block spam."

It is also interesting that the IEMCC proposal made in 1997, and now
basically implemented in the CAN-SPAM act, has shown that commercial
spammers are not the abusers. This is more than the radicals have come up
with in the intervening 7 or 8 years.

Its also apparent that we could have had the IEMCC proposal implemented 7
years earlier, were it not for a group of radical anti-spammers that
attacked AGIS and Cyberpromo with Distributed Denial of Service attacks.  
Had we done that, we would be focused on stopping the criminals operating
viruses and conducting abuse for the sake of abuse. If we had spent the
last 7 years doing that, then we would have far less junk that we call
spam.  Those radicals did "make it worse".  We have them to thank for our
spam.  The radicals were wrong years ago, are wrong now, and have been
making the problem worse, not better.  The first "Spam Abatement
Principle" needs to acknowledge that radical anti-spammers are a source of
the problem, and that these radicals shouldn't be "at the grownup table".

                --Dean