Re: why IPv6 isn't ready for prime time, SMTP edition

[Owen DeLong <owen () delong com>]

On Mar 27, 2014, at 10:31 PM, Barry Shein <bzs () world std com> wrote:

> On March 27, 2014 at 12:14 owen () delong com (Owen DeLong) wrote:
> > On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs () world std com> wrote:
> >
> > > On March 26, 2014 at 22:25 owen () delong com (Owen DeLong) wrote:
> > > > Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has 
> > > > previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, 
> > > > then your postage is put into the recipients e-postage account to offset the cost of their emails.
> > > >
> > > > Thoughts?
> > >
> > > It's a fine idea but too complicated.
> > >
> > > Look, the (paper) post office doesn't say "oh, you WANTED that mail,
> > > ok, then we'll return the cost of postage to the sender!"
> > >
> > > Why? Because if they did that people would game the system, THEY'D
> > > SPAM!
> >
> > How would they benefit from that?
>
> > From what, being able to send free paper mail? I think that would be
> considered a benefit by most junk mail advertisers. But see next...
>
> > SPAM — Pay, say $0.10/message.
> > Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself.
> > Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the
> > original provider keeps the other $0.05.
> >
> > > And it would take way too much bookkeeping and fraud identification etc.
> >
> > Please explain in detail where the fraud potential comes in.
> >
> > By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to 
> > profit from sending SPAM this way.
>
> Well, it's advertising, so they do.
>
> Advertising is a valuable commodity.  Free advertising is particularly
> valuable, ROI with I close to zero.

But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t 
want it isn’t free.

> So offering to not charge you because you wanted that mail makes no
> sense, right?

But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the 
mail and transporting it and the sender sending it is pretty much sunk by some arguments.

This is an effort to provide a financial disincentive for spamming.

> > > Let's take a deep breath and re-examine the assumptions:
> > >
> > > Full scale spammers send on the order of one billion msgs per day.
> > >
> > > Which means if I gave your account 1M free msgs/day and could
> > > reasonably assure that you can't set up 1,000 such accts then you
> > > could not operate as a spammer.
> >
> > Not sure how you enforce these user account requirements or how you avoid duplicative accounts.
>
> If you want to attach e-postage you have to go get some and that can
> be a contract which says you don't do that, if you have multiple
> accounts you split it among your accounts or buy more. And if you do
> what you describe you understand that it is criminal fraud. Click
> Agree [ ] before proceeding, or similar.

Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?

> > > Who can't operate with 1M msgs/day?
> > >
> > > Well, maybe Amazon or similar.
> > >
> > > But as I said earlier MAYBE THEY SHOULD PAY ALSO!
> >
> > I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email 
> > communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to 
> > their list of problems.
>
> That assumes that spam is free for them, and you. Including "free" as
> in "stealing your time”.

No, it assumes that most of the messages I get from Amazon are NOT SPAM.

The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related 
to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them 
forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.

> > > We really need to get over the moral component of spam content (and
> > > senders' intentions) and see it for what it is: A free ride anyone
> > > would take if available.
> >
> > I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
>
> How can it be a theft of service if we're not charging anything?

I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my 
authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I 
would gladly do so.

> Well, if they use others' resources it's a theft of those resources,
> such as botnets, is that what you mean?

Botnets, my mail server, my disk storage, my network, etc. where my mail is processed… All of the above.

> But by morality I mean that we tend to define spam in terms of
> generally agreed to be undesirable email content such as questionable
> herbal cures or other apparent fraud or near-fraud -- I dunno, maybe
> someone hiring a spammer really believes their herbal hair re-growth
> tonic works.

I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If 
the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, 
it’s SPAM.

> I assert that the line is getting fuzzier all the time.

Yep. If you try to define it on content, the fuzz grows out of control.

> Even if the product is completely legitimate and maybe there's some
> business relationship someone can draw it doesn't mean I like being
> pummeled with hundreds of ads per day (some of that is projection,
> remember.)

If you ask the sender to stop and they don’t, then their further messages are SPAM.

If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.

> But, just as importantly, the people who want to send me an ad would
> like to see me pummeled with less junk so maybe I pay attention to
> their ad or communication.

The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is 
in your definition of “junk” vs. their definition of “junk”.

> Heck, I alreadly almost never read email from what appears to be my
> bank because it's just too much time and effort to verify that it's
> legitimate.

I just bank with banks that don’t have enough customers to be attractive to spammers… Saves a lot of effort. Also makes 
for a nicer relationship with the bank. The tellers mostly know who I am and I’m treated like a customer instead of an 
inconvenience.

> It'd be just as much effort under this, perhaps, but at least maybe I
> won't feel like I'm desperately trying to sort through 300 msgs that
> came in while I was asleep.

I wish I could get it down to 300.
> > So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that 
> > problem by charging them more for those services that they are stealing (and, by the way, also charging some 
> > legitimate users as well).
> >
> > My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to 
> > be free are going to object.
>
> I think you're skipping the point about how they'd have to
> successfully attach e-postage to every piece of email they sent from
> your system.

Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?

> So it's not the resources, it's the authorization which we're trying
> to control.
>
> Right now every piece of email they send from your botted system is
> the same as any email you'd send.

I’m not really seeing how this would make a difference in that.

> If there were some sort of e-postage system with some basic security
> and tracking that becomes much more difficult for the spammer.

Given how most bots become bots, I tend to doubt it. They just have to
keystroke log your MUA in a two-step process instead of the one-step
process of days of yore.

Further, since they’re sending lots and lots of the same spam with identical
envelope contents and the only differences are in the SMTP exchange, not the
internal contents of the envelope, a replay attack against the same postage
would seem pretty trivial.

> Or they can use your system to send out a million msgs with no
> e-postage which, one hopes, will be rejected by receiving systems
> without delivery, much like fraudulent DKIM or SPF credentials.
>
> Which, one hopes, won't be profitable for them any more.
>
> > > P.S. And in my vision accepting only email with valid e-postage would
> > > be voluntary though I suppose that might be "voluntary" at the
> > > provider level. For example someone like gmail at some point (of
> > > successful implementation of this scheme) might decide to just block
> > > invalid e-postage because hey your gmail acct is free! Let someone
> > > else sell you rules you prefer like controlling acceptance of invalid
> > > e-postage yourself.
> >
> > Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the 
> > implementation of such a scheme and I think the devil is prevalent among them.
>
> I agree, but I hope my efforts indicate it's not entirely half-baked
> or off the cuff.

Intrigued, but not convinced.

Owen