The Wrong Way to Stop Spam: Dictatorship by ISPs

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 30 Oct 2003 09:56:36 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The Wrong Way to Stop Spam: Dictatorship by ISPs
To: dave () farber net
Cc: lauren () pfir org, neumann () pfir org

Dave,

It's worth noting that "Project Lumos" (as mentioned below in your earlier
mailing) appears to represent the very sort of draconian, ISP-based control
that PFIR's Tripoli proposal ( http://www.pfir.org/tripoli-overview ) works
very hard to avoid.  Under the Lumos model, users are passive receipients of
rules that are dictated to them.  E.g., send more than 100 e-mails/day and
you have to be certified (get your credit card ready!) whether your
receipients want to enforce this regime or not.  Interesting-People would
apparently be treated just like a large business spammer, er, excuse me,
advertiser in many respects.

Let's be clear about what's going on.  The primary purpose behind projects
like Lumos is to ensure that the large "legit" bulk mailers can get their
messages through.  By creating an ISP-enforced environment where the "big
boys" can try assure their messages won't be stopped, they avoid having
their materials pulled into the same black holes as the more salacious or
otherwise obvious spams, even though most recipients still consider
them all worthy of being lumped together and trashed en masse.

Tripoli, on the other hand, specifically gives these choices to the
*individual recipients* of e-mail, including the determination of what levels
of certification, registration, or what sort of certifying entities (if any)
would be deemed acceptable in any given case.  In fact, a motivated
individual could act as a certifier, just as easily as VeriSign, under the
Tripoli model.  Tripoli also specifically provides for mechanisms to ensure
that ISPs cannot interfere in any way with users sending e-mail on a direct,
end-to-end basis as desired, and also would provide intrinsic e-mail
security via encryption.

I know there are many who pine away for the "good old days" of e-mail and
wish there was no need for Tripoli.  But I urge you to imagine the
ramifications of the oppressive, dictatorial alternative of centralized,
ISP-based control over fundamental e-mail decisions as represented by Lumos
and its ilk.  There are some things even worse than spam.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () privacyforum org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
                     Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy



 - - - -


>
> E-Mail Providers Devising Ways to Stop Spam
>
> By Jonathan Krim
> Washington Post Staff Writer
> Thursday, October 30, 2003; Page E01
>
> Congress recently edged closer to passing the nation's first law to curb
> e-mail spam, but those who work under the Internet's hood are attacking the
> problem from another angle.
>
> Rather than trying to flag and prohibit unsavory messages, as a Senate bill
> that passed last week would attempt, they are tinkering with the technical
> architecture of e-mail so that computers will be able to recognize good 
mail.
>
> Then, the theory goes, it is a relatively simple matter to block all other
> e-mail from getting through.
>
> For the past nine months, several separate initiatives by technologists at
> e-mail and Internet provider companies have sought to crack the problem,
> but solutions have been elusive. A major hurdle is that spammers exploit
> the very attributes of e-mail that help make it popular: Anyone can send
> mail directly to anyone else and can do so anonymously if they choose.
>
> The result is that it can be difficult to sort good from bad. Not only can
> spammers devise fictitious Internet addresses to mask their locations, but
> increasingly they are forging the addresses of legitimate individuals and
> companies.
>
> Now, efforts to make such identity "spoofing" more difficult are beginning
> to yield results. The software code for one such approach, put forth by a
> small e-mail account company in Philadelphia, was made available this week.
> > Meanwhile, a trade group of direct e-mailers issued a blueprint for its
> system last month.
>
> And Microsoft Corp., America Online, Yahoo Inc. and EarthLink Inc. -- the
> top Internet provider and e-mail account companies that joined together to
> work on the problem last spring -- are close to an announcement on a
> "trusted sender" system.
>
> "We have to allow legitimate senders of e-mails to distinguish themselves
> from spammers," said Harry Katz, a program manager at Microsoft.
>
> The approaches by the different groups vary, but they all hinge on
> retooling e-mail so that servers -- the computers that power networks of
> other computers -- can mark mail that is sent as trusted and identify those
> same characteristics when the e-mail is received.
>
> "The impunity of anonymity" for bulk mailing must be stopped, said J.
> Trevor Hughes, executive director of the Network Advertising Initiative, a
> consortium of companies that do bulk e-mailing for firms marketing products
> and services.
>
> Last month, the group unveiled the first outlines of a plan, dubbed Project
> Lumos, to certify e-mail and to electronically measure the reputations of
> bulk mailers.
>
> Like other initiatives, the plan relies on bulk e-mailers voluntarily
> adopting a set of technical standards for adding information to the
> "header" portion of a message, which provides routing information for the
> Internet's e-mail system.
>
> Internet account providers such as AOL, Yahoo, Microsoft and EarthLink
> would adjust their incoming mail servers to recognize the new information
> and block mail sent in bulk that does not include the information.
>
> To be certified, bulk mailers would have to agree to abide by rules that
> would require them to take certain actions, such as providing easy ways for
> consumers to stop getting messages. The system also creates an electronic
> scoring system that rates mailers based on the number of complaints they
> receive for failing to comply with the rules, and incoming mail servers
> could block mail from mailers with low compliance.
>
> The proposal and other such efforts are being followed closely by a loose
> federation of organizations that govern the Internet's plumbing.
>
> "Project Lumos is a well-thought-out proposal," said Paul Q. Judge, chief
> technology officer for CipherTrust Inc., a Georgia-based e-mail security
> firm. He also is co-chairman of the Anti-Spam Research Group, one of many
> such groups under the umbrella of the Internet architecture board.
>
> Another system, known as SPF, for senders permitted from, simply seeks to
> stop spammers from hiding behind fictitious Internet addresses or forging
> the addresses of others, a tactic known as "Joe-jobbing."
>
> "People get Joe-jobbed every day," said Meng Wong, chief technology officer
> and founder of Pobox.com, a Philadelphia-based e-mail account provider.
> "Spammers forge their e-mail address and then send huge spams. The only
> thing their [Internet provider] can do is to shut off their mail."
>
> Under Wong's system, companies that operate outgoing mail servers would
> electronically "publish" the numeric Internet addresses of all confirmed
> machines that send mail from its domain.
>
> Every Internet-connected computer is assigned such an address by its
> Internet account provider.
>
> When an e-mail arrives that purports to be from an aol.com address, for
> example, the incoming mail server could check to see whether it is indeed
> coming from a numeric Internet location that AOL has assigned. If not, the
> AOL address has been spoofed, and the mail would be rejected.
>
> If AOL account holders are spamming, they can be easily found.
>
> Wong acknowledged that his system would not work if a spammer is exploiting
> a worm that allows him to actually commandeer another computer and launch
> spam from that machine. In that case, the spam is coming from a legitimate
> source, even though the owner has nothing to do with it.
>
> Wong said that Internet providers have expressed interest in his system and
> that one spam-blocking software company, SpamAssassin, will include it in
> its next version.
>
> Katz of Microsoft said that the working group of top Internet providers
> plan to have an announcement of its system in the coming weeks.
>
> Katz said that to be effective, any of these new initiatives will require a
> "tipping point," or a threshold of participants after which a firm that did
> not join in would be at risk of losing business.
>
> A spokesman for America Online said that identifying good mail is "an
> elixir, not a panacea." He added that his company remains committed to its
> filtering system as well as to collaborative research on other approaches.
>
> Hans Peter Brondmo, one of the technical architects of the Project Lumos
> initiative and a senior vice president at bulk mailer Digital Impact Inc.,
> said he does not know whose initiative will prevail, but he thinks the
> first step will be an Internet address check along the lines of Wong's plan
> by the end of this year.
>
> But a broader solution is at least a year away, he said.
>
> "I'm reasonably good with crystal balls, but not so good with timing,"
> Brondmo said.
>
>
> -------------------------------------
> You are subscribed as lauren () pfir org
> To manage your subscription, go to
>   http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting-people/ 

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/