Interesting People mailing list archives
IP: well worth reading. spam and forced email servers.....
From: David Farber <dfarber () earthlink net>
Date: Wed, 13 Mar 2002 10:37:23 -0400
-----Original Message-----
From: "Mike O'Dell" <mo () ccr org>
Date: Wed, 13 Mar 2002 09:11:01
To: dave () farber net
Subject: spam and forced email servers.....

people don't like spam

service providers don't like spam either - trust me on this

anyone who believes a network operator makes money on spam is simply out of their mind - covering a headcount of 50-odd people in a large abuse department is expensive

holding people responsible requires some degree of traceability

the Internet email protocols don't provide any support for this

what to do??

it depends on how much you think is required by the various spam-fighting extortionist vigilantes

(1) force sending via SMTP servers through a connection which requires presentation of credentials of some kind - this allows the prevention of "unauthorized relays" while still allowing mobile users to send via those SMTP servers

problem: this doesn't prevent a paying user from sending spam with forged source addresses, thereby still provoking the vigilantes

so

(2) force outgoing email to use traceable FROM addresses. that way outright forgeries are filtered and miscreants can be traced

new problem: people with existing domains get hosed

so

(3) provide exception lists in the forwarding path to allow certain domains to get through as authorized

new problems:
complex machinery - database to maintain forwarding performance in mail servers
who gets to put domains in the database?
how do you know they are allowed to do it?
how do you deal with the inevitable screwups?

Folks, this is a really hard problem. And it's hard in the real world in a fundamental way.

The problem being posed here requires identifying the intent of an action *as would be interpreted by the receiver* BEFORE IT HAPPENS.

THIS IS NONSENSE.

It's hard for another reason - a strong notion of "identity" is very squishy in the real world, and expecting electronic surrogates to make good value judgements about these matters is just silly. PEOPLE have trouble doing this.

For example - Dave, prove to me that you are indeed the Dave Farber that i have in mind. It's very hard. In fact, when the Government needs to establish who you really are, they take MONTHS to determine that you are indeed who you claim to be. I submit that nobody would stand for a TS/SCI background investigation just to get an Internet account somewhere.

However, people assume that service providers can have the visibility into a customer's affairs that even government agencies can't always get right with people who have *agreed* to a regular colonoscopic exam. They can't and if you think about it, you don't want them to.

Bad behavior cannot be prevented. If you know how to do this, why are you worried about spam and not murder?? This is not a hyperbole - the ability to foretell intent is required in both cases.

The instrumentality to commit spam is the same as required to send perfectly valid email. the only difference is the intent of the sender.

TECHNOLOGY CANNOT DETERMINE THIS.

I'm sorry if this is bad news, and i'm certain i'll get yelled at as some kind of "friend of the spammers". Anyone who knows how much of my time i've spent on the problem knows otherwise. But there are limits to how much can be done. I'm sorry.

Remember Heiden's First Law:

When you want it bad,
You get it bad,
And most people want it in the worst way.

So everyone get a grip here. The service providers do not have a magic bullet and most of the actions are being taken directly in response to what people have demanded.

cheers,
-mo

Mike O'Dell
Ex-Chief Scientist
UUNET Technologies

For archives see: http://www.interesting-people.org/archives/interesting-people/
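An added example, not part of the message above: a minimal Python sketch of the three-stage submission check the message enumerates (credentials, traceable sender address, exception list), showing where each stage's problem appears. The class name, logins and `.example` domains are constructed for illustration and do not come from any real mail server.

```python
from dataclasses import dataclass, field


@dataclass
class SubmissionPolicy:
    issued: dict = field(default_factory=dict)      # login -> addresses the provider issued
    exceptions: dict = field(default_factory=dict)  # login -> extra domains vouched for

    def check(self, login, mail_from):
        """Return (accepted, reason) for one envelope sender on the submission port."""
        # Step (1): credentials required, which stops unauthorized relaying.
        if login is None or login not in self.issued:
            return False, "auth required"
        addr = mail_from.strip().lower()
        if addr.count("@") != 1:
            return False, "malformed sender"
        # Step (2): the sender must be an address traceable to this account.
        if addr in self.issued[login]:
            return True, "issued address"
        # Step (3): exception list for customers who bring their own domain.
        domain = addr.rsplit("@", 1)[1]
        if domain in self.exceptions.get(login, set()):
            return True, "exception list"
        return False, "sender not authorized for login"


# Constructed sample data: one paying customer with one provider-issued
# address and one personal domain somebody had to enter in the database.
POLICY = SubmissionPolicy(
    issued={"alice": {"alice@isp.example"}},
    exceptions={"alice": {"alice-consulting.example"}},
)

if __name__ == "__main__":
    for login, sender in [
        (None, "alice@isp.example"),             # no credentials: relay refused
        ("alice", "ceo@bank.example"),           # paying user forging a source address
        ("alice", "me@alice-consulting.example"),  # own domain, passes only via step (3)
        ("alice", "alice@isp.example"),          # accepted; content and intent never inspected
    ]:
        print(login, sender, POLICY.check(login, sender))
```

Every accepted case is decided on identity alone; nothing in the check can tell a wanted message from an unwanted one, and the `exceptions` table is exactly the database whose maintenance and authorization the message asks about.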