On Wed, Aug 18, 2004 at 03:23:47PM -0700, Dobes Vandermeer wrote:
For a long time I've had the thought that most of the spam I receive is
from people who do NOT have deep pockets, and who are conducting illegal
activities. This is inspired by the way they do not use their own mail
servers to send the spam, and often forge sender and other contact
information. Thus, any system which allows receivers to correctly and
accurately identify a spammer will also allow prosecution against
spammers. If prosecution against spammers were possible, then spamming
could be eliminated through prosecution (by ISP's more often than users, I
imagine).
I think another and maybe more important reason for not using their own mail
servers is that these servers would get blacklisted very soon, rendering them
useless. To prevent this, they have to use an ever changing set of sending mail
ervers (such as zombied machines and previously open relays).
In a sender-paid service, it seems likely that spammers have to identify
themselves in some way in order to pay and send email, and thus they
become trackable and prosecutable. It seems unlikely to me that the
purveyors of penis-enlargment products, pornography, and viruses are going
to finance, pay for, or otherwise invest in this service. Collectively
these markets are large, but they are also fragmented (maybe this is just
an illusion?). I find it more likely they would continue to act outside
the system and continue hijack sender-identities and so forth in order to
have their junk mail delivered by illegitimate means.
Of course, it's naive indeed to think these spammers will comply and pay the
money for an accredited domain. They will of course try to find a way out of
it. Stealing third-party accredition is one option, the other is to just not
participate. The next thing receivers will do is blacklist anything that is not
accredited, and the extortion scheme is in effect: pay or be blocked.
If SPF is adopted by yahoo, msn, and other popular domains then spammers
will be driven to use email addresses from small domains who have not
implemented SPF. Whether the spam fighters talking people into adding SPF
to their DNS will be able to keep pace with the spammers finding new
non-spf-protected domains remains to be seen, but there should be at least
a noticable reduction in spam messages delivered. Or so I imagine.
As more and more domains implement spf the reason to do so will be more
apparent since by not doing your domain is more probable to be mis-used. Of
course, this is a same kind of extortion as I described above: at a certain
point it might be possible that you have to have spf records for your mail to
be accepted. I somehow find this less like extortion than the 'pay or be
blocked' scheme above.
Sender-ID is another technology that (assuming I'm connecting the name to
the concept) tries to ensure that you can connect an email to a live
person, and this creates the paper trail necessary to prosecute spammers.
Yet again we face the fact the spammers are willing to work around the
system - stolen identities, viruses, etc. and this isn't going to
completely stop spam either. Instead, it may just allow us to prosecute
innocent dupes of spammers.
Furthermore, on what basis do you want to prosecute spammers? Unless they sell
illegal products, if they comply with the rules and don't steal domains or
identities, what law are they violating ? Or, perhaps more importantly, which
countries laws are applicable and which countries judicial apparatus applies to
the spammers operations?
I don't think prosecution is of any help at all.
Koen
--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/