Race's BCP/blacklist Proposal (was Re: Principles of Spam-abatement)
2004-03-02 22:37:34
The problem with this kind of proposal is that it punishes too many of
the wrong people. I myself was the victim of a blacklist for most of
last year; my ISP was blacklisted by another ISP, and they spent 6
months arguing about it, during which time all my email to users of the
other ISP was blocked (although they kept helpfully telling me that I
could always switch to using *them* as my ISP).
In essence, a blacklist cuts users off from some subset of the Internet
based on the conclusions of some ISP or other "authority" with which
the user has no relationship at all. At best, this says that users are
guilty until their ISP is proven innocent. At worst, it is -- as I
suspect it was in my example last year -- a weapon for nasty
competition among ISPs, with one ISP using blacklists to try to lure
customers away from another by denying them services and blaming their
ISP.
An analogy: Imagine you live in a town with two newspapers A and B, and
you subscribe to newspaper A. Newspaper B announces that newspaper A
is doing something really bad (say, murdering children to use their
blood as ink) and starts going around town picking up all of A's
newspapers as soon as they are delivered, on the grounds that they are
"bad communications" and deserve to be blocked. Newspaper A denies all
charges, and you believe them, but you still can't receive newspaper A,
and you're not very amused by newspaper B's attempts to get you to
subscribe to their paper as a replacement.
I understand that part of the motivation of this approach is precisely
to enlist a rogue ISP's own users to convince it to clean up its act.
As the draft says, "some abusive managements listen attentively to
their own customers while serenely ignoring the shrieks of their
victims." But any scheme that distributes judgment and enforcement
(the "who is a rogue" question) to each individual ISP so lacks
accountability as to empower each ISP to act as a vigilante, denying
due process to the allegedly-offending ISP while punishing the
certainly-innocent users of that ISP.
One man's blacklist is another's denial-of-service attack. Denial of
service is not the answer in a world where it's so hard to assure that
the correct people are being punished.
-- Nathaniel
On Mar 2, 2004, at 11:30 PM, Dr. Jeffrey Race wrote:
John, your summary distils a lot of hard work but is deeply troubling,
because it is constructed entirely on a "make the victims pay"
foundation. As long as that is your stance, then sure it is so that
"Spam . . . will remain a long-term battleground". However it is
just NOT so if the community will change its stance to that which
society uses (successfully) in every other area of human interaction
beside the internet: make the perpetrator pay. A number of us have
given this a lot of thought to come up with a practical solution which
requires no new technology and no new legislation. It has been
proven to work within hours.
Those interested may view an interim document (comments welcome) at
<http://www.camblab.com/misc/univ_std.txt>
based on
<http://www.camblab.com/nugget/spam_03.pdf>
I grind my teeth every time I read a summary like yours because while
the lemmas are true, the conclusions are contrary to reality and
contrary to everything known about human behavior.
Jeffrey Race
On Tue, 2 Mar 2004 19:32:00 -0500, John Leslie wrote:
I'm planning to post a summary to the MARID-planning list mentioned
elsewhere in this thread -- hopefully before 5:00 pm Korea time.
I expect there will be a proto-WG mailing list declared by the close of
the MARID BoF at 11:30 Thursday (Korea time). I recommend the discussion
continue there.
The current draft of what I will post follows:
=============================== cut here ===============================
On the <ietf(_at_)ietf(_dot_)org> mailing list there has been discussion of
Principles of Spam Abatement. This is a brief summary of principles
which _may_ have consensus of that list. I accept full responsibility
for editing errors and misunderstandings.
- All communications must be by mutual consent.
- The spam problem starts with freely accepting mail from strangers.
- Spam is and will remain a long-term battleground and it needs serious
effort to counter.
- Every mail message carries a practically unforgeable token: the IP
address of the SMTP client.
- It is pointless to erect some expensive Maginot Line and pretend it
will solve the problem.
- There is not and can never be a hoop low enough to pass all human
strangers but exclude spammers' computers.
- If you want more of something, subsidize it; if you want less, tax it.
- Spammers need scale because they get a very low return. Therefore,
part of the solution should be to deny scalability to spammers.
- If we can communicate to the sender (without adverse side effects)
that a message is discarded, then occasional false positives aren't
as much of a problem.
- If you reject the message during the SMTP session you don't need to
generate a bounce message, the other side will do this.
- Errors returned after the close of the SMTP transaction are likely
to go to an innocent party; and should be deprecated for any email
identified as spam.
I also recommend perusing the summary of principles expressed on the
Next-Generation Mail <mail-ng(_at_)imc(_dot_)org> list at:
http://www.cs.utk.edu/~moore/opinions/user-visible-email-ng-goals.html
--
John Leslie <john(_at_)jlc(_dot_)net>
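
The last two principles in the quoted summary (rejecting during the SMTP session versus returning an error after it closes) can be seen in a toy receiver. This is an added example, not part of the original thread; the keyword filter, addresses and reply texts are constructed assumptions.

```python
# Added example (not from the thread): toy SMTP receiver on constructed input.
def looks_like_spam(body):
    # Stand-in for a real content filter; the keyword is an assumption.
    return "buy now" in body.lower()

def receive(lines, reject_in_session):
    """Run one SMTP transaction over the client's lines.

    Returns (replies, notices): replies go back on the open connection to
    the connecting client; notices are (recipient, text) bounces that are
    mailed after the connection has closed.
    """
    replies, notices = [], []
    mail_from, body, in_data = "", [], False
    for line in lines:
        if in_data:
            if line != ".":
                body.append(line)
                continue
            in_data = False
            spam = looks_like_spam("\n".join(body))
            if spam and reject_in_session:
                # Refuse before accepting responsibility: no bounce is owed.
                replies.append("550 5.7.1 refused as spam")
            else:
                replies.append("250 2.0.0 accepted")
                if spam:
                    # Late error: the only return path is the envelope
                    # sender, which the client chose and may have forged.
                    notices.append((mail_from, "undeliverable: spam"))
        elif line.upper().startswith("MAIL FROM:"):
            mail_from = line[len("MAIL FROM:"):].strip(" <>")
            replies.append("250 2.1.0 ok")
        elif line.upper().startswith("RCPT TO:"):
            replies.append("250 2.1.5 ok")
        elif line.upper() == "DATA":
            in_data = True
            replies.append("354 end with .")
        elif line.upper() == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("250 ok")
    return replies, notices

# Constructed session: the client names an uninvolved third party
# as the envelope sender.
SESSION = ["HELO mailer.example", "MAIL FROM:<bystander@example.org>",
           "RCPT TO:<user@example.net>", "DATA",
           "Subject: offer", "", "Buy now!", ".", "QUIT"]

def compare():
    return receive(SESSION, True), receive(SESSION, False)
```

With in-session rejection the 550 reaches only the connecting client and no notice is generated; with accept-then-bounce the notice is addressed to the bystander named in MAIL FROM.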