Re: increase in spam and what to do about it



In article <4ssd5nF110jjhU1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <1164427612.373176.124490@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
davidc@xxxxxxxxxxxx writes:
Bill Gunshannon wrote:

And I guess I'm still not sure exactly how your method is to actually
work, and how all these agreements are executed and enforced.

The agreements are executed by you asking me to exchange email
with you and my agreeing to do so. Enforced? It can be as
formal or as informal as the two parties want it to be. If it
were me and you I would likely opt for a gentleman's agreement.
Same for other places like SLAC or Island. For people I don't
know well or have any reason to trust, I would likely opt for
a formal signed contract. That can be enforced in the courts
just like any other contract. Of course, depending on the
agreement, the other side has the choice of either deciding to
go ahead or not. How is USENET News done today? I had feeds
from people like UPenn and an ISP in Belgium. No paperwork,
just a gentleman's agreement. I also had a feed from Cidera.
Required a signed legally binding contract. There is nothing
really new or innovative in what I am proposing, only in the way
I see it being implemented.


Then the social solution (valid or not) is socially unaccepted.

My social solution has not yet been tried, so we don't know that it
is socially unaccepted.

I would at least venture that it hasn't been accepted yet, then?

Well, being as it's still just an idea and hasn't been proposed yet...


Unless you charge per e-mail, there's nothing removing the conduit or
preventing its abuse. But then you penalize good people just for the
sake of banning the bad people.

Metered service has been looked at and it is unacceptable. Plus, it
doesn't stop spam but is very likely to make the innocent pay for it.

Agreed, even AOL has had lots of complaints about its plans to
implement something like this. How do you punish the abusers without
inflicting punishment or worse on the vast majority of people who don't
abuse it?

By making the users (at least the ones you don't trust) sign a legally
binding contract that has the ability to impose real penalties on those
who violate it.

Two problems

1) One-to-one agreements aren't scalable with the modern internet unless you
severely restrict who you want to talk to which would be unacceptable for
most organisations.

(
note. Usenet News is not a one-to-one agreement between your organisation
and the senders. You have one-to-one agreements with your Usenet feeds but
they just pass along ALL those newsgroups you have agreed to accept which
in turn have been passed along from their feeds etc
Any particular Usenet posting will have passed through a large number of
Usenet systems, which you have no direct agreement with, before reaching
your systems. Usenet is also a broadcast system, unlike email, which makes
such a structure feasible.

Also, of course, Usenet has its own problems with
inappropriate postings/SPAM.

)


2) Getting organisations to sign legally binding contracts with respect to
their emission of SPAM is likely to be difficult.


It looks like there was an attempt to set something like this up which overcame
the first problem via the use of a whitelist.
If you look on

http://shopping.declude.com/Articles.asp?ID=97

you'll find a fairly good list of anti-spam lists

at the bottom it mentions


BONDEDSENDER - A whitelist of E-mail senders that have
posted a bond to help prove that their
E-mail is legitimate.


Sadly, if not particularly unexpectedly, when you go to the url listed
http://www.bondedsender.org/ you find
that the service has been renamed "Sender Score Certified" and no longer
seems to mention anything about posting bonds.



How do you stop it at the source? Which is the spammer, himself?

True. You stop it by not giving the spammer a venue from which to send
his spam. The sysadmins all agree (by contract) to not allow spam to be
sent from their systems. Penalty: ostracism. The sysadmins of the local
mailsystems have AUP's that carry penalties (which depend on the type of
organization, ie. ISP - include hefty fines in your customer contract,
business - employee can be fired, school - expulsion or other academic
sanctions, etc.) Thus, the spammer has no place where he is welcome on
the new email network.

Back in the mid '90's, such things were done. Erols and other networks
had fines and such for spammers. It didn't work. This again refers
to the "whack-a-mole" game of spammer termination. Also, often the
spammers would sign up with accounts using credit cards of the clients,
or even stolen credit cards.

Ummm.... That's a crime, probably federal.

So you end up not billing or punishing
the spammer, anyway. You kill one spammer account, and they have 10
more waiting to abuse when needed.

If you make the users identify themselves and sign a legally binding
contract you know who they are and they can't have 10 more accounts
waiting.


Of course, now much spam is from zombied Windows boxes. The spam can't
be traced back past the zombied PC. So, do you fine and terminate the
account of the person with the infected PC? That's going to sit well
with customers. What about the Wingate proxy exploitation of several
years ago? The proxy would allow SOCKS4-like remote access, making the
Wingate proxy appear to be the source, but no way to determine who
initiated the connection. And the wide variety of formmail.pl web form
abuse that occurred (and actually, I STILL had several dozen attempts by
some spammer to test my form mail web script on the Hobby Site:
dinotto2@xxxxxxx and topcopl2@xxxxxxx are their test accounts - may the
harvesters get them)? And there are still open SOCKS4 proxies, open
SMTP relays, and any number of other methods people are spamming
without using mail servers they are authorized to use.

And, because my proposal doesn't use SMTP at all, none of the above
pose a threat.


If you're not using SMTP then what are you using (UUCP)?


http://www.rhyolite.com/anti-spam/you-might-be.html

programmer-11
The FUSSP involves replacing SMTP.



They are already not using email networks where they are not welcome,
so why does your solution work?

How are they "not using email networks where they are not welcome"?
Right now, except for private networks, there is only one network
and everyone who is exchanging email is using it. Any Email host
(and many non-legitimate ones like zombied PC's) can contact any
other and 90% of them will accept the connection and the email from
any other.


Also, how do you require uniform AUP's across ISP of various countries?

It is all based on agreements between individuals. Regardless of where
one is I can require whatever I want or refuse to let them play in my
sandbox.

You're free to set up your own agreements with whatever companies you wish
to accept their mail and reject all other mail. It's easy enough to do with
most mailservers (no need to switch to UUCP just set up your mailserver to only
accept mail from specific IP addresses). However such a solution isn't
acceptable to most companies who want complete strangers (otherwise known as
customers) to be able to contact them.


Read what I said up above. The customers of the ISP all sign a contract
(I know I had to!) You put serious penalties in the contract.


Yes, but they really have no teeth, the spammers are often using
fraudulent information,

If I don't know/trust the individual, I require them to prove who they
are. How is that any different than when someone walks into a store and
plops a credit card down? Fraud is illegal. As near as I know, that
applies in pretty much every civilized country.

or on ISP which don't have strong AUP,

I don't let them join the network until they agree to institute an AUP
that meets the requirements of my network.

or the
spammers are using network which they are not authorized.

Won't be able to use mine. I will know who is allowed to access my mail
server and no one else will be able to.


You are assuming the spammers are Law Abiding Honest Citizens. That
may be true of Usenet back in the day, not anymore.

In order to join the network, they will have to positively identify
themselves. If they choose to violate the law after they have
positively identified themselves, well, that's what the courts are
for. :-)


Sorry your system will only work if you can impose such rules on all the
ISPs and your only weapon against those who don't comply is to stop them
sending you mail. Until the majority of internet sites adopt those rules
it is simpler for the ISPs to just ignore your rules and let you isolate
yourself.

http://www.rhyolite.com/anti-spam/you-might-be.html

senior-IETF-member-5
The FUSSP won't be effective until it has been deployed at more than 60% of
SMTP servers and that's not a problem.



David Webb
Security team leader
CCSS
Middlesex University


Years ago panix, epoch,
and many other ISP's played constant whack-a-mole against spammers
creating accounts on their networks.

But they have never instituted serious (and enforced) penalties against
the people who violate their AUP.

Sure they did. It just didn't stop the spammers. Because they don't
care.

You can't possibly tell me that a spammer is going to continue to spam
if he has been positively identified and faces penalties of hundreds
of thousands (or more) dollars for his violation.

The reason they don't care now is because in most cases they can't be
identified. This anonymity would be the first thing to go in my network.


So, how do you get everyone that wants to send email to sign an AUP,

You don't need everyone, only those who want to return email to the
useful form it had 20 years ago.

But how does that help when there are those that don't?

It helps me and those who do. Those who don't are free to continue
along the path they are on until Email becomes totally useless.


After all, who would the enforcing body
be?

If the users sign a contract, that would be the courts. :-) Especially
if the contract includes serious financial penalties.

What if you get hit with a fine because your PC got trojaned?

You keep missing one big point. There are no PC's sending email on my
network. It isn't using SMTP and all the current attacks won't work.
Or, perhaps you mean hit with a fine by your ISP, well, that's between
you and your ISP. It will be in the best interests of the ISP to take
a more proactive role in keeping their customers PC's clean. Right
now, they don't care because there is no penalty.

Are you
going to quietly pay the fine, or are you going to fight it because you weren't
the one sending the spam?

Umm... If it's your PC, you are the one sending the spam. If you sign
a contract and then violate it, I really think the courts are not going
to have much pity. That might make PC users more careful. But the main
thing to remember, is that it is not really the unwashed masses that will
be interested in this. It is people like you and me that actually want
email to be usable for serious communications. The majority of today's
users will stay on the standard INTERNET Email system and continue to
send their chain-letters and jokes. And those who take Email seriously
can exchange their serious email on the new network with others of the
same ilk while aggressively filtering and blocking the INTERNET email
system.


We have ISP's and providers with AUP's today.

Name one ISP that has an AUP that includes a serious fine for spamming!

Been there, done that, didn't work. You end up punishing the wrong
people, like in the case above.

Can't. If the PC sent the spam because the PC user is an idiot, then it
is totally his fault. ISP's can stop this. Right now, they have absolutely
no incentive to do so. Some will continue. I (personally, not my mail
server) have not accepted email from any AOL account in several years.
I also do not accept any email from any domain that ends in ".br" and
others. You know what. I have yet to miss anything. Or are you going
to tell me I missed that announcement that I won the $10,000,000 Brazilian
Lottery?


Usenet news isn't a good example, since it's been rampant with spam even
before e-mail (remember the Breidbart Index and Cancelmoose? Canter
and Siegel?).

I didn't mean it as an example of a system that works perfectly, I meant
it as an example of a system that only works between "trusted hosts".
Try setting up a news server on your own. It won't go very far until you
find at least one other News site willing to exchange with you. There is
really nothing to stop these "trusted hosts" from having stricter AUP's
so that none of the above existed. As a matter of fact, I believe that
was the intent of USENET-II (I haven't looked lately to see how this has
worked out.)

Yes, but peering news isn't that difficult. I used to when I was on
Sprint as an ISP. My current provider doesn't carry a feed, but there
are places that I can get a feed if I need it. Even still, spam is
still a big problem on Usenet, even today.

Actually, it is much less of a problem than it is on email. I see very
little spam on my newsfeed. Probably less than 10 messages a month in
all the groups I actively read. One of the reasons is that the limited
number of connections between peers makes filtering much easier to do.
And, how is peering news any easier than peering email would be? Usenet
News is a private network of peers who exchange information they consider
to be of value. I think the same can be applied to Email.


True, but those ISP's can be (and likely are) RBL'd against.

If they were, I wouldn't be getting the spam. :-)

Then either you are using the wrong RBL's, or you are not RBL-ing the
entire offending ISP's address space.

But wait, one of your original problems with my proposed solution was
the likelihood of cutting off customers or potential customers. Aren't
you doing that when you RBL an entire ISP's address space? If you are
not going to accept email from them, then you won't hear from that
potential customer. The big difference is the current method is reactive
and I think it is time for a much more proactive solution.


Sometimes it's not the money, but the expense. Chasing and terminating
spammers takes time and effort. Then they just get a new account or
you end up with a new batch. Eventually, it just costs less to ignore
it.

Unless you made them sign a contract in the first place that had severe
financial penalties.

But that didn't work. Unless you require ALL ISP's to do that, and
again that's a "social contract" you're not going to get all ISP's to
adhere to.

Then they stay on the current network and risk having their email not get
delivered due to very aggressive filtering.

However, you can RBL their address space until they do. Or
whitelist (which helps but doesn't eliminate the issue due to
Joe-jobbing).

Which is still an option. As long as you're going to use the term anyway,
think of my proposal as very aggressive white-listing. You have a network
of machines that are white-listed and because the method used to exchange
email is different, there is no way for someone not on the white-list
to break into it.


But how do you reject it at the source? You get a customer to sign an
AUP? As I mentioned, we've already gone through that whack-a-mole
tactic of dealing with spammers years ago.

But the AUP's they signed in most cases included no penalty beyond
losing your account. They need to carry serious financial penalties
as money is all anyone understands today.

You seem to honestly think that will work, since you continue to come
back to that. It doesn't work because you are either not punishing the
actual spammer,

You keep coming back to the supposedly "innocent" PC owner. Because my
network isn't open to the usual PC attacks, this isn't a problem. (Actually,
a PC could join the network, but the PC user would have to agree to the
same terms as any other mailhost and, he would have to be more knowledgeable
than the average PC user and thus is not likely to be a threat.)

or the spammer just moves somewhere else or hides their
activities via other tactics.

That only works today because they can get anonymous connections. In
order to join my proposed network, they would have to give up that
anonymity. Being as it is unlikely any of them would, they will not
show up on my network. They are free to continue their activities
on the INTERNET Email system which I am free to aggressively filter.


Exactly - if a spammer spams through your mail server, and it gets
blocked (i.e. you socially disagree to accept their email traffic), all
your customers are punished. Not good for your business. You can't
stay in business when you treat all your customers like crooks.

Under my system, one would assume that the peers would not need to be
so draconian as to cut someone off on the first incident. Of course,
it would likely depend on how the originating site handled the incident.
If they had in their AUP (agreed to as a contract so that the courts are
an arbiter) something along the lines of a $1000 fine for each incident
of SPAM sent by the customer and they enforced it, it would be very
un-profitable to send spam and there would be little if any chance of
not getting caught. Thus removing the greatest incentive to spamming.

Okay, your zombied PC is involved in a spam run. Are you going to pay
the $1,000 fine? A 0-day exploit is found in your system, and
overnight you send out 1,000,000 spams. You get the bill. Do you pay
it?

If you signed a contract, do you have a choice? Of course, you are
free to seek redress from the person who infected your PC, but it
doesn't excuse you from your contractual obligations. To be honest,
I don't see it happening. The entire architecture of my proposed
network would stand in the way. All of these attacks you keep bringing
up rely on one thing in particular and that is the fact that under the
current email architecture on the INTERNET any machine can send email
to any other machine. Some of them blindly accept email from any of
these random machines. That is the major flaw in the system and one
that is the first thing my proposal gets rid of.


No, it has to be. There is just too much damage via phishing, identity
theft, DDoS, and more to allow hundreds of thousands of Billy boxes on
the network. The cost is too high, and currently Microsoft does not
have the pressure to substantially fix it, despite the financial
loss caused by zombied machines. Either they need to be hardened or
more isolated. Maybe Microsoft can't do it, but eventually some
government or business is going to take a huge loss (probably a
lawsuit) due to damage caused by one or more Windows boxes.

Sorry, but I don't believe this will happen until MS runs its course
and is supplanted by something better.

I can only hope. Maybe Linux, since there seems to be much more
security and less abuse of Linux systems out there. I've only had two
times ever where a Linux box on my network has been exploited (and even
then, the exposure was limited) - one by an XML PHP script on a friend's
web server (for which the fixes are readily available) and an SSL V2 flaw many
years ago.

But, regardless of the OS involved, the major flaw still exists. Any
machine can send email to any other machine. And, add to that how easy
it is to spoof identity under SMTP and the problem still exists. It is
these two fatal flaws that I eliminate first.


Like I said, perhaps when companies and people start dropping MS after
that potential huge Multi-Mil-$ class-action lawsuit, we'll see some
REALLY serious action from MS on "Trusted Computing".

Eventually, someone is going to get an identity theft class-action
lawsuit against a company, and will win because they can demonstrate
that the data on their Windows boxes was exploited because they either
didn't update their virus definitions enough, or missed a service pack.

But you just gave the best defense. The user "didn't update their virus
definitions enough, or missed a service pack" and thus, it was their own
fault.

You don't see it, do you? The COMPANY missed a service pack/virus
update. The USERS' data was on the COMPANY's computer. Jury will
probably award large damages. Company will review putting critical
data on MS software, as will others.

MS has been in court before. The courts chose to punish them by extending
their reach. All of these problems are already well known. HIPAA is
probably the biggest data protection responsibility with the biggest
teeth. And yet, hospitals are rushing headlong into putting more and
more of their infrastructure on PC's running MS software. Go figure.


And frankly, I was around in the old Usenet days, too, but I never
signed an AUP to prevent me from spamming or any such thing.

What's your point? Back in those days there were machines on the DARPANET
that didn't even have passwords. Society in general was different and
among the computer community in particular. Draconian AUP's weren't
needed. Of course, people also used to leave their cars and even their
houses unlocked, too. I can't think of many who still do.

Exactly. Pandora's box has been opened. Things that worked in the
good old days just don't apply anymore and/or don't scale well. After
all, that's why DNS was born, since even in the early DARPA days,
propagating a /etc/hosts wasn't feasible anymore.

Which doesn't change under my proposal. We still run DNS. We still
connect across the INTERNET. We just don't use SMTP for our serious
email. Many people today agree that while it may have been nice when
it first came out it was not a well designed protocol and doesn't do
the job well. So then, why are we still using it? Inertia? Why not
start a different system in parallel and let things continue to develop?
Maybe after seeing what happens between the two systems we might find
that there is a third, as yet un-designed, system that is the long-term
winner.


Email was
just a poor medium to spam, so it wasn't used that way. Your
"original Usenet days" weren't socially or technically better than
before, just not viewed as a target of abuse.

I disagree. I think they were better socially. The lack of Spam was
probably more due to the limited social coverage nature of the medium.

Society has scammers, cons, thieves, and more. D/ARPANET wasn't a
target since there wasn't enough volume to be worth it. Now instead of
thousands of people, it's millions of people. Not just research
scientists and Computer Science students. It's kids, grandmas,
executives, homeless - and the best and worst of all of them.

Yeah, it's kind of like the difference between city life and country life.
Now, there's a social difference. And there are many people who choose
to give up that urban paradise and go back to the rural existence. So,
from a social standpoint is a good example of going backwards. Of course,
there are people going the other way. I am sure there are people who will
find my system too restrictive. And, they are free to move into the city.
But those of us who prefer a simpler existence should have that option too.


Usenet News was where
the spamming problem started due to its more "broadcast" nature.
E-mail didn't become prevalent until the middle 1990's once the
Internet started to gain mindshare and more people had e-mail
(Compuserve, Prodigy, AOL).

There were lots of different Email systems in the past, USENET, FIDO,
Bitnet, etc. And then there were the commercial services like you
mention, although Prodigy and AOL were latecomers. There was TELENET
and TYMNET. But what was lacking technically was the computing resources
and the conduit to handle the volume needed for spamming.

Not just the volume, but the target-rich environment. How many people
used to have e-mail 20 years ago? FAXes were the big thing back then.
But they had a "spamming" problem of their own, didn't they?
Something the Telecommunication Protection Act of 1991 had to help
solve. Well, it didn't so much, since the FCC had many forfeitures
even as lately as a few years ago with fax.com and American Blast
Fax.

Same scum, just adapting to newer technology.

Granted, but I am not willing to just throw up my hands and say, "OK, the
spammers win!"


Your sysadmin choice of social "trusts" have been implemented by public
and private RBL lists, SpamAssassin, Bayesian and other filtering
methods, but most can't just whitelist the rest of the world, either,
since many people NEED to be contacted by previously unknown places
(i.e. me). And until you get that first spam (or subscribe to an RBL
or other service to look at it for you), you really can't tell if it's
spam yet.

As I said, RBL's is not a trusted host relationship it is trying to
put the responsibility on a third party and after the fact. That is
a system destined to fail. It must be stopped at the point of origin
and before the fact. It must be proactive and not reactive in order
to work. If it is reactive, there are just too many potential spammers
to deal with.

Sure it's a trust relationship. You trust the RBL to help you validate
the sender is not a likely spammer. Much like 3-rd party
authentication is commonly done with SSL/TLS.

But it's reactive and it is strictly a one-way trust relationship. That's
not what a society is all about. The trust has to be in both directions or
it isn't a society.


But as I've mentioned, you can't stop the "point of origin" due to much
of the fraud and unauthorized use of zombied PC's, open proxies, and
various software exploits currently in use.

But, again, those attacks all rely on the two fatal flaws of SMTP. The
ability of any machine to connect to any other machine for the exchange
of mail (this one coupled to the willingness of most machines to blindly
accept it) and the ability under SMTP to spoof your identity. Neither
of which will be possible under my proposed system.

Since often, the Received
header you track either is fraudulent, or only gets you back to the
exploited system - not back to the actual spammer in control.

Actually, I have yet to receive any email message that I could not
identify the actual IP Address of the real sender. And, there can
be no doubt about where any particular message enters my proposed
network.


The problem is oh-so-much bigger than just getting Ma Kettle to sign an
AUP saying she won't spam. She won't, but that doesn't mean her PC
won't be an unwitting accomplice to the act.

One: That is between her and her ISP. If the ISP cares they will take
a more proactive role in preventing it. (Hint: I run lots of PC's
that are open to all our students. While the University constantly has
dozens of infected PC's in its labs, I have not had an infected PC in
any of my labs since the Windows98 days.)
Two: If the ISP is not interested, fine, they don't join my network and
are free to stay out there on the INTERNET with an email to spam ratio
of 2%/98%.


But as the whack-a-moles at ISP's worked (socially terminating their
connectivity for AUP violations),

More aggressive penalties are needed in the AUP!!

But you can't require that, nor can you be assured that the penalties
actually punish the spammer in control.

Of course I can. If you won't play by my rules, you don't play in my
sandbox. Ever hear of INTERNET-2?


spammers just used different tricks,
like third party SMTP relays,

You don't relay. Oh, and did I mention that my proposal doesn't use
SMTP. :-)

No, you didn't mention that. So how do you get the whole world to
switch to your protocol,

Actually, I have mentioned it numerous times. I don't give a rat's
patootie about the whole world, only those who are interested in
making Email useful again. It's not my protocol. It's been around
for a couple decades and is supported by lots of boxes as well. (Pretty
much any UNIX system and there used to be versions for VMS as well,
but like much other software, I can't really say that the VMS version
kept up.) It's called UUCP.

and why is it unable to be exploited any
differently than SMTP has?

Because, it lacks two of the basic flaws of SMTP. The ability of random
machines to connect to anyone else and the ability to spoof who you are.


exploitation of WinGate firewalls,

Not sure what that means, but I'll bet it relies on SMTP to send the
mail from the attacked machine. See above.

exploitation of formmail.pl scripts

Well, I won't even go into the potential security problems with any
PERL or PHP scripts, but I can tell you that I was able to win the
battle here to not allow the mail function on our web server.

(which I have a spammer attempting
to do that off the Hobbyist web form for the past few days -
topcopl2@xxxxxxx), abuse of SOCKS4 proxies, and the growing tide of
bot-nets.

I'll bet all of these depend on SMTP as the underlying protocol and they
also don't care who connects.

And forget just e-mail, IM spamming and web forum/blog
spamming is on the increase, too.

They were never truly useful anyway, so I really don't care. I am trying
to salvage Email, let someone who cares fix the others.

The problem is whatever the social
contracts are, the spammers will violate them and bypass them, as they
have for years. Spammers have been fined, sued, terminated, blocked,
and more (which is about as strong of a social solution statement you
can make), yet they still persist.

Sorry, I have never heard of any spammer who has been held financially
liable for his actions. Please provide some real examples.

Read the news. An owner of a bot-net recently got some jail time.

What did he go to jail for? I'll bet it wasn't spamming but probably
something like fraud.

Even back in the mid-90's Sanford Wallace lost a lawsuit to AOL for
spamming. Several states (Washington State for one) have also
prosecuted and won, too. You honestly haven't heard about any of
these? Just read Slashdot or The Register on occasion. Or read some
archives of news.admin.net-abuse.email.

I stopped reading most of that because people were only interested in
trying to find a way to fix the old system and seemed unwilling to accept
that the system might be flawed beyond the ability to fix it.

Those cases must not have been very groundshaking because there
are still an awful lot of spammers out there and they sure don't see
what happened to these two as a threat to their way of doing
business.


There is no one solution. There may not be a solution. But you also
can't turn back the clock to the good ole days, either. Profiteers
will try anything they can to exploit the system for a measly buck.

Or we can just sit here and let the bastards win. Sorry, I would rather
try to convince people in a position to do something that the time is
ripe for fixing things.

So, apparently you don't use SMTP, and you have to sign an agreement
with someone somewhere. Well, I guess it's a start, but how many
people do you have buy in on this so far?

Haven't started it yet. I'm a small fish. I work at a little school
in the middle of nowhere. I am currently trying to write a paper on
it which I will likely try to get someone like The ACM to publish.
Other than that, I just try to discuss it, both to get other people's
ideas and to try and sow the seeds of thought.

And exactly how does my
email get from my server to your server when whatever paper work you
require is done? And how is it not subject to abuse?

Across the INTERNET the same way it does now. Only using UUCP instead
of SMTP. It might surprise you to find out that most of the existing
MTA's can still deal with UUCP. :-)


Part of the problem of your solution is that it requires cooperation
from a rather large number of ISP's and admins,

No, only those who want to see Email become useful for their users
again. The rest are free to stay with what they currently have.
When USENET first came into existence it was just AT&T machines
exchanging email. It had a number of serious limitations. It
used the phone system as its transport. That meant it was expensive.
More so depending on distance. So it had to do most of its moving at
night. This meant time. A message could take several days to get from
source to destination. And still it grew. Eventually, hubs showed up.
Machines like seismo and others and eventually, UUNET. This sped things
up a bit but it still required mostly waiting until nighttime to move
messages. And still, it grew. This was probably its biggest drawback
and the one it no longer has as it can use the INTERNET for its transport
medium.

It is not necessary for there to be a mass movement right up front. It
can easily co-exist with the current system and be allowed to grow on its
own. Let's look at one possibility.

We here in c.o.v are a rather well-knit community. So, we set up a
network that involves us. Most of us would likely trust each other
making the agreement between us much easier. Now, we can all agree
to exchange email with everyone else, or we can have a couple of
people (like Island and Montagar just for example) volunteer to be
hubs. The hubs set up their UUCP to accept email from the mailservers
of the other members of the c.o.v community. So, emails between any of
us goes to one of the hubs and then to the destination mailhost. Two
hops and probably gets there just as fast as it would under the current
system. Now, I'm a University. Because of academic interests I start
getting agreements with other schools. Some of the big ones might opt
to be hubs (heck even I can do that!!). Same thing as we had in the
c.o.v community. But wait, now the c.o.v community also has a cleaner
way to exchange email with all the Universities that sign on. And so
it grows. At least in my dream. :-)


several software
developers,

What software developers?

deployment across hundreds of thousands of servers.

I doubt it, but thousands or tens of thousands I would hope.
I don't think there are a hundred thousand servers worth talking to.
I have Verizon at home. I don't use their email. Never have, likely
never will. Of course, I can see if this were to take off that I
might move some of my less serious stuff (like Ebay, if I ever decide
to try it again) over to my Verizon account and leave my UofS account
for serious endeavors.

And
that's going to take some big doing and demonstration that what you
propose WILL work.

Thus my example above. It is small serious communities that would
need to be convinced of its utility first. I am sure once the first
couple communities got started it would rapidly become apparent that
the system had advantages. An even better way to do this would be to
create a new email account specifically for use on the new network
which would make the difference even more apparent. After all, in
just the time I have been typing this I have received 6 emails. All
spam. So far this weekend (counting since Thanksgiving) I have received
over 60 emails. All of them spam. There comes a time when you have to
just throw up the window, stick your head out and scream, "I'm mad as
hell and I am not going to take it anymore!"

So I think I might need to hear a little more than
"Oh, and did I mention that my proposal doesn't use SMTP. :-)".

Well, I appreciate your comments. Believe it or not, based on what
objections you offered, I am more convinced that the proposal is doable.
Part of getting this together is having people try to shoot holes in my
idea. But then, that's what academia is all about. I only hope that I
can take this beyond the level of academics and into the real world
where it counts.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
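
The hub arrangement and "very aggressive white-listing" discussed in this thread can be modelled as a graph of bilateral agreements in which a host accepts mail only from a contracted peer. This is an added example, not code from any poster in the thread; it models the policy only (no UUCP or SMTP is spoken), and every host name in it is constructed.

```python
from collections import deque


class PeerNetwork:
    """Mail hosts that accept traffic only from peers they have an agreement with."""

    def __init__(self):
        # host -> set of hosts it has a bilateral agreement with
        self.peers = {}

    def agree(self, a, b):
        """Record a two-way agreement (contract or gentleman's agreement)."""
        self.peers.setdefault(a, set()).add(b)
        self.peers.setdefault(b, set()).add(a)

    def revoke(self, host):
        """Ostracism: every peer drops its agreement with `host`."""
        for other in self.peers.pop(host, set()):
            self.peers[other].discard(host)

    def accepts(self, receiver, sender):
        """Hop-level check: a connection is refused unless the sender is a peer."""
        return sender in self.peers.get(receiver, set())

    def route(self, src, dst):
        """Shortest chain of agreed peers from src to dst, or None if there is none."""
        if src not in self.peers or dst not in self.peers:
            return None
        if src == dst:
            return [src]
        prev = {src: None}
        queue = deque([src])
        while queue:
            here = queue.popleft()
            for nxt in sorted(self.peers[here]):
                if nxt in prev:
                    continue
                prev[nxt] = here
                if nxt == dst:
                    # Walk the predecessor chain back to the source.
                    path = [dst]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def deliver(self, src, dst):
        """Attempt delivery; report the path and the accountable entry host."""
        path = self.route(src, dst)
        if path is None:
            return {"delivered": False, "path": None, "entry": None}
        return {"delivered": True, "path": path, "entry": path[0],
                "hops": len(path) - 1}


def build_demo():
    """Constructed topology: two hubs, three community sites, two universities."""
    net = PeerNetwork()
    for site in ("site1", "site2", "site3"):
        net.agree(site, "hub-a")
    for univ in ("univ1", "univ2"):
        net.agree(univ, "hub-b")
    net.agree("hub-a", "hub-b")  # hubs peer, joining the two communities
    return net


if __name__ == "__main__":
    net = build_demo()
    print(net.deliver("site1", "site2"))      # two hops through hub-a
    print(net.deliver("site1", "univ1"))      # crosses both hubs
    print(net.deliver("zombie-pc", "site1"))  # no agreement anywhere: refused
    print(net.deliver("new-customer", "site1"))  # an honest stranger is refused too
    net.revoke("site3")
    print(net.deliver("site3", "site1"))      # ostracised member can no longer send
```

The refused `new-customer` case is the objection raised in the thread: the same rule that keeps an unknown sender out also keeps out a legitimate stranger.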