spf-discuss

Alias/Real Email Accounts [Re: "Stripping Wars!" [Re: SPF is not usable as legal measure against spammers.]]

2004-07-16 02:34:43

----- Original Message ----- 
From: "Matt Burleigh" <matt(_dot_)burleigh(_at_)eiisolutions(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, July 16, 2004 4:23 AM
Subject: Re: "Stripping Wars!" [Re: [spf-discuss] SPF is not usable as legal measure against spammers.]


>> I developed the first Offline Mail System for the FidoNet called Opus
>> Xpress.  I wrote it in 2 weeks for the Opus BBS.  :-)

> Wow! I remember a lot of this stuff happening and I do remember Opus,
> QWK, Silver Express, Galaticomm and the debates well.  It's really
> awesome to hear some of the details this many years later.  It's awesome
> to meet you after all this time!!!

Glad to meet you too :-)

Here is how I saw the SPAM problem evolve over time.  I can say this because
of my support for nearly all the mail systems and BBS systems.

In your generic BBS system, there was no such concept as anonymous logins.
You had a strong user/password login concept.  I will use a user record and
mail record outline to illustrate the evolution of relaxed provisions and spam.

Version 1: Strong Authentication Real Name Login Accounts

User Structure:

        Username  (RealName)
        Password
        Phone Number
        Address Info

I enclosed RealName because most of the early systems enforced having your
real name.  Of course, what is in a "name"?  The user could provide anything,
but what was important is that the sysop "knew his users."  The BBS market
offered subscription and expiration concepts, so for billing, real names were
required.

The typical mail structure was defined from a local standpoint, called
conferences or forums.  What is important to understand is that the mail
structure and integrity were very important in molding the laws to come - the
1986 US ECPA.    The typical mail conference options were:

        (_) Private Only (_) Public Only  (_) Both
        [_] Recipient Must Exist

Version 2: Strong Authentication, Real and/or Alias Login Accounts

Then one of the first and still among the biggest markets started - The Porn
Market!  In fact, nearly all of the porn systems got their start using BBS
systems.  We have about 3-5 of the largest systems using Wildcat!

But what the Porn Market did was forever change the behavior of the
User/Host Online experience!  It was one of the "key reasons" that
started the Anonymous Sender and spam problem of today!

User Structure:

        Username  (RealName)
        Password
        Phone Number
        Address Info
        AliasName

Conference Options:

        (_) Use Real name (_) Use Alias  (_) User Select
        (_) Private Only (_) Public Only  (_) User Select
        [_] Recipient Must Exist

Because "Daddy" was now calling the BBS to peek at porn, market pressure
forced the BBS authors to add the Alias Name concept.  There was still a
strong link with the user account, so you always knew who the alias user
was, but this was the beginning of what we call today "Display Names", which
became popular on the "BIG BBS" systems like CompuServe and AOL.

Some systems allowed login using the real name or alias, or just the real
name, and allowed the user to switch to the display name for "Who Is Online"
listings and/or creating mail.    So new conference options were added to
allow the user to use the real name or the alias, or to select which one he
wanted to use when creating mail.

So this was the first form of relaxation.

Version 2: Strong Authentication, Real and/or Alias Login Accounts, P2P
Network.

Now P2P networking started with BBS systems sharing conferences and offering
netmail (email).  To make this work, the mail network used a common network
tag for the conference, like PORN_XXXX.  This is akin to the newsgroups.  In
fact, if the BBS had an NNTP Gateway, the Network Tag was the Newsgroup name.

Conference Options:

        (_) Use Real name (_) Use Alias  (_) User Select
        (_) Private Only (_) Public Only  (_) User Select
        [_] Recipient Must Exist
        Network Tag Name: PORN_XXX

So now the Gateway software had to make sure that it followed the mail
integrity of the system, respecting the Sysop Conference Settings.

However, the FROM name in the message was not verifiable any more.  The only
thing you had was tracking, since Fidonet tracked each message using SeenBy
and Path network control lines.  You knew exactly which BBS on the network
got a copy of the message and where it originated from.

So you did not 100% lose the identity, because the original site was still an
alias system and the user was traceable.

If the message was from a UUNET newsgroup, that is when you started to lose
identity.  You did have some low level of spam, but most of the concern was
PORN more than anything else.

Version 3: Strong Authentication, Real, Alias, Anonymous Login Accounts, P2P
Network.

Now "Daddy" wanted to hide his name; he wanted the option to change his name
at any time.  So the BBS systems still required strong authentication by
logging in with the Real name or Alias, but the conference options changed:

Conference Options:

        (_) Use Real name (_) Use Alias  (_)  Any Name/User Select
        (_) Private Only (_) Public Only  (_) User Select
        [_] Recipient Must Exist
        Network Tag Name: PORN_XXX

Now the user could hide his name in the From: field in a conference that
allowed user selection.  The message was still traceable in Fidonet, but
again UUNET was now getting worse.  A user could now really behave STUPID in
an anonymous networked mail forum.

Version 4: No Authentication Required, Real, Alias, Anonymous Login
Accounts, P2P Network.

Now newer BBS systems offered complete anonymous login ideas.  Lots of new
legal challenges across the board.

Version 5: No Authentication Required, Real, Alias, Anonymous Login
Accounts, P2P Network. Internet

Finally, with the integration of the internet and many systems offering free
email accounts just by signing up, you really started to see the beginning
of abuse.

Most of the users still needed to dial up directly, but with a growing base
of PPP users, they could now go out and find that "true anonymous" system and
blast it with mail.

So in summary, we began to lose the battle after version 2.

And what are we trying to do now with PRA, PUA and ESMTP AUTH, SUBMITTER and
SPF?

Get back to version 2 at least! <g>   You still want the user to be able to
use an alias (alternative email address), but he must be traceable to an
account somewhere.

PS: Wildcat! is still at level 2.  It never allowed true anonymous logins
and never will!

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
