On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> On Tue, Dec 09, 2003 at 01:56:00 +0000, Dan Boresjo wrote:
> > On Tuesday 09 December 2003 12:17 am, Meng Weng Wong wrote:
> > > Validation implies revocation --- if a VeriSign customer turns out to be
> > > a spammer, what's the punishment? Do you refuse to renew them? If the
> > > renewal period is 1 year, they could spam for the rest of that year with
> > > impunity.
> >
> > It depends on what is being asserted by the CA. If it's simply a matter of
> > identity, 'Joe Spammer' remains 'Joe Spammer' regardless of what crimes he
> > may have committed.
>
> True - no matter if he changes the IP or any DNS records....

The context was with respect to PKI certificates as actor identification. It's
axiomatic for any identity system though - if you are treating IP addresses
as identification then a different IP is a different identity.

On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> On Tue, Dec 09, 2003 at 01:56:00 +0000, Dan Boresjo wrote:
> > To assert that 'this person will not send spam' is impossible without (a)
> > applying prior restraint (active censorship), and (b) defining spam
> > precisely.
>
> I fear my English can't cope with your "a" statement - but "b" is rather
> easy:
> ANY mail, that is unwanted by me - (and I don't mean flames or error
> messages or the latest joke some friend tries to send me - I mean mail
> from someone I haven't asked to send me mail regarding a topic or
> something that is not personally related to me (anyone of this list might
> send me comments to SPF, but please keep your Windows-problems off me)

Anyone can invent their own definition, and not all will be the same. For
example some people might exclude political parties and charities. Their
reputations will hence differ according to different criteria.

What about probation/redemption policies? Do spammers get a life sentence?
"Once a spammer always a spammer" reminds me too much of Victor Hugo's "Les
Miserables" for comfort.

What is the conviction/appeals process? A court of law or private star
chamber? Some kind of automatic aggregation/voting system? Who operates it?
How can it be gamed?

Each of these details will result in reputation differences appearing. One
system might hear a successful appeal whilst another may have no appeals
process at all.

On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> On Tue, Dec 09, 2003 at 01:56:00 +0000, Dan Boresjo wrote:
> > To assert that 'this person is not known to have sent spam before' is
> > implementable because it is paradigmatically 'one or more blacklist
> > checks'.
> > However defining what constitutes spam remains a value judgement and myriad
> > policies will be required in order to suit different cultures.
>
> well, I don't know the RFC by heart - but I heard rumors of something
> called netiquette... or said otherwise - those that make this net going
> are well aware what SPAM is...

I heard those rumours too. I also heard rumours that netiquette is dead.
No doubt both have been greatly exaggerated.

On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> IMHO "Cyberspace" in its definition is not a place where someone can
> say "hey I'm from culture A - I am allowed to SPAM and to ignore RFCs" -
> if you connect yourself to the Internet you have to abide by its
> rules... BCPs, RFCs and other Documents - they all apply to every device
> connected to the net, regardless of the user's belief or culture or what
> else.

Absolutely wrong. Nobody is _required_ to follow RFC's. It is common for hosts
to fail to comply with them just by ignorance. The point is that the system
can no longer operate on the assumption that every reachable host is
trustworthy. Competing companies and warring countries are all intended to be
reachable within the internet's 'universal medium'. You may hate Joe Spammer,
but the manufacturers of penis enlargement devices presumably do not.

By running an SMTP server you are choosing to participate in a protocol that
permits anyone to send you mail anonymously. This is not what you really want
to do. You only really want to receive mail from actors which fulfil certain
arbitrary criteria - like (for instance) not being spammers according to your
adopted definition of a 'spammer'.

An alternative criterion might be to allow only mail from persons within reach of
a legal jurisdiction that will punish spammers 'a posteriori', to your
satisfaction.

On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> On Tue, Dec 09, 2003 at 01:56:00 +0000, Dan Boresjo wrote:
> > Thus an identity system should simply say "this is joe" and not "this is joe,
> > who has not been convicted of spamming in Brazil". Then a separate reputation
> > system should say "joe has not been convicted of spamming in Brazil".
>
> Well, I should say, "Joe's spam threshold is 4 spams per minute" - so
> if you can accept that then it's fine.... if you only accept one spam
> per hour he's out of business....

Good for you. Now wouldn't it be nice if there was a common, value-neutral
authentication framework you could build on and use to find out that it is
Joe who sent it? Like SPF perhaps?

On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> On Tue, Dec 09, 2003 at 01:56:00 +0000, Dan Boresjo wrote:
> > In any case all reputation systems have the failing that new people are
> > constantly being born (or just getting wired) at a rate sufficient to drown
> > us in spam no matter how complete our history-based blacklist is. Furthermore
>
> Well, I don't blame the users - as I give the mailserver of lazyisp.com
> a bad ratio, not a single user... thus if a provider takes care of its
> userbase then the ISP will not get in trouble, but if he is the sort of,
> "hey, we have cheap mailing (because we don't maintain our
> infrastructure)" then that is one of the candidates who lose their
> credibility - face it, spam is only possible because of poorly
> maintained infrastructure! And I don't take it as an excuse if someone
> says "Oh, we are aol.com, we have 17 Million users, we can't afford
> to maintain our infrastructure, that costs too much."

Are you saying that ISP's should exercise prior restraint on their users? No
outbound port 25? Apply a single uniform standard of what is acceptable mail
to all users? Maybe review and censor?

I'd like to look at this scenario from two angles:

(1) An ISP with 'perfect monopoly'. This would apply a uniform standard to all
communities. All speech will be censored according to the criteria
established for 'spam' by the directors of 'Global ISP'. Failure to comply
results in the loss of all internet access.

(2) Many ISP's in 'perfect competition'. People pick and choose their ISP
according to exactly the qualities they want. They can in effect write their
own 'acceptable mail policy' which just happens to not prohibit whatever they
wish to send.

Other ISP's in this system consequently block mail from those ISP's that are
unacceptable to them. But this results in a problem - some mail is not
getting through because people from widely different ISP's sometimes need to
communicate. This being perfect competition, people start selecting ISP's for
their receipt policies as well as sending policies. After a while sending
ISP's will realise that the best sending policy is to check the receiver's
policy instead. Hence the sending policy itself becomes redundant.

This means that the most realistic design that best emulates perfect
competition is:

(3) Zero restraint
Few ISP's in imperfect competition, but none restrain their users' speech in
any way. Receivers each have their own policy for what is acceptable.

On Tuesday 09 December 2003 7:14 pm, Philipp Morger wrote:
> On Tue, Dec 09, 2003 at 01:56:00 +0000, Dan Boresjo wrote:
> > a lot of starving people may decide that their online reputation is less
> > important than food they can buy with Joe's bribe.
>
> no offense meant, but this is BS.

It's an extreme example. Ever noticed how crime tends to cluster in poorer
neighbourhoods and poorer parts of the world?

- Dan
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt