Re: increase in spam and what to do about it



In article <ekc29h$41a$1@xxxxxxxxxxxxxxxxx>,
david20@xxxxxxxxxxxxxxxx writes:
In article <4ssd5nF110jjhU1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <1164427612.373176.124490@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
davidc@xxxxxxxxxxxx writes:
Bill Gunshannon wrote:

And I guess I'm still not sure exactly how your method is to actually
work, and how all these agreements are executed and enforced.

The agreements are executed by you asking me to exchange email
with you and my agreeing to do so. Enforced? It can be as
formal or as informal as the two parties want it to be. If it
were me and you I would likely opt for a gentleman's agreement.
Same for other places like SLAC or Island. For people I don't
know well or have any reason to trust, I would likely opt for
a formal signed contract. That can be enforced in the courts
just like any other contract. Of course, depending on the
agreement, the other side has the choice of either deciding to
go ahead or not. How is USENET News done today? I had feeds
from people like UPenn and an ISP in Belgium. No paperwork,
just a gentleman's agreement. I also had a feed from Cidera.
Required a signed legally binding contract. There is nothing
really new or innovative in what I am proposing, only in the way
I see it being implemented.


Then the social solution (valid or not) is socially unaccepted.

My social solution has not yet been tried, so we don't know that it
is socially unaccepted.

I would at least venture that it hasn't been accepted yet, then?

Well, being as it's still just an idea and hasn't been proposed yet...


Unless you charge per e-mail, there's nothing removing the conduit or
preventing its abuse. But then you penalize good people just for the
sake of banning the bad people.

Metered service has been looked at and it is unacceptable. Plus, it
doesn't stop spam but is very likely to make the innocent pay for it.

Agreed, even AOL has had lots of complaints about its plans to
implement something like this. How do you punish the abusers without
inflicting punishment or worse on the vast majority of people who don't
abuse it?

By making the users (at least the ones you don't trust) sign a legally
binding contract that has the ability to impose real penalties on those
who violate it.

Two problems

1) One-to-one agreements aren't scalable with the modern internet unless you
severely restrict who you want to talk to which would be unacceptable for
most organisations.

Actually, among the more serious users, it is probably a lot more
acceptable than you think. Many places don't allow the use of their
email system for anything but official communications both in and
outside of their own house. (ie. Procter & Gamble). .mil and .gov
severely restrict what can be accessed from their networks. I would
think that places like this would very much like to have a clean
network from which they could contact and conduct business with
their contractors. As would many other serious .coms. The only
ones who seem to be likely to prefer being on the outside are the ISPs
with their grandmas and their 9 year old users. I don't know about
you, but I really have no need to contact or to be contacted by them.


(
note. Usenet News is not a one-to-one agreement between your organisation
and the senders. You have one-to-one agreements with your Usenet feeds but
they just pass along ALL those newsgroups you have agreed to accept which
in turn have been passed along from their feeds etc
Any particular Usenet posting will have passed through a large number of
Usenet systems, which you have no direct agreement with, before reaching
your systems. Usenet is also a broadcast system, unlike email, which makes
such a structure feasible.

Which is why I used Usenet only as an example of how halfway measures
helped. Considering the volume, Usenet has considerably less spam by
percentage than most emails today. I saw no spam messages on Usenet
over the weekend while even with moderate filtering at the server and
aggressive filtering at the personal mailbox I still had a real/spam
ratio of 2/183 just over the last 4 days. This is handled by spam
filtering and the UDP. Not much, but it works. Peering agreements
with the email system can do it too, but they would require a system
that eliminates the three primary flaws I have already mentioned.
Three flaws that NNTP does not have, by the way.


Also, of course, Usenet has its own problems with
inappropriate postings/SPAM.

See above, not even close to the level found in email today.


)


2) Getting organisations to sign legally binding contracts with respect to
their emission of SPAM is likely to be difficult.

Again, what the agreement ends up being is left as an exercise for
the reader. If you deal with someone whose AUP you are already
aware of and you know they enforce it draconianly (ie. .mil) then
you might not require any kind of formal agreement. I have said
the same thing about "communities" like c.o.v. Strongly worded
binding contracts are more likely going to be for those you don't
trust. They might show you how determined to work within the rules
they are. If they don't want to agree to play by the rules, send
'em packin'.



It looks like there was an attempt to set something like this up which overcame
the first problem via the use of a whitelist.
If you look on

http://shopping.declude.com/Articles.asp?ID=97

you'll find a fairly good list of anti-spam lists

at the bottom it mentions


BONDEDSENDER - A whitelist of E-mail senders that have
posted a bond to help prove that their
E-mail is legitimate.


Sadly, if not particularly unexpectedly, when you go to the url listed
http://www.bondedsender.org/ you find
that the service has been renamed "Sender Score Certified" and no longer
seems to mention anything about posting bonds.

But, by not eliminating the three flaws I have already mentioned, it
was doomed from the beginning. The current system can not be fixed.
We can try an already existing method that eliminates these flaws,
we can create a whole new protocol that eliminates these flaws or we
can stay with the status quo. Putting a bandaid and some neosporin
on a wound isn't going to help if the wound is already gangrenous.




How do you stop it at the source? Which is the spammer, himself?

True. You stop it by not giving the spammer a venue from which to send
his spam. The sysadmins all agree (by contract) to not allow spam to be
sent from their systems. Penalty: ostracism. The sysadmins of the local
mailsystems have AUPs that carry penalties (which depend on the type of
organization, ie. ISP - include hefty fines in your customer contract,
business - employee can be fired, school - expulsion or other academic
sanctions, etc.) Thus, the spammer has no place where he is welcome on
the new email network.

Back in the mid '90's, such things were done. Erols and other networks
had fines and such for spammers. It didn't work. This again refers
to the "whack-a-mole" game of spammer termination. Also, often the
spammers would sign up with accounts using credit cards of the clients,
or even stolen credit cards.

Ummm.... That's a crime, probably federal.

So you end up not billing or punishing
the spammer, anyway. You kill one spammer account, and they have 10
more waiting to abuse when needed.

If you make the users identify themselves and sign a legally binding
contract you know who they are and they can't have 10 more accounts
waiting.


Of course, now much spam is from zombied Windows boxes. The spam can't
be traced back past the zombied PC. So, do you fine and terminate the
account of the person with the infected PC? That's going to sit well
with customers. What about the Wingate proxy exploitation of several
years ago? The proxy would allow SOCKS4-like remote access, making the
Wingate proxy appear to be the source, but no way to determine who
initiated the connection. And the wide variety of formmail.pl web form
abuse that occurred (and actually, I STILL had several dozen attempts by
some spammer to test my form mail web script on the Hobby Site:
dinotto2@xxxxxxx and topcopl2@xxxxxxx are their test accounts - may the
harvesters get them)? And there are still open SOCKS4 proxies, open
SMTP relays, and any number of other methods people are spamming
without using mail servers they are authorized to use.

And, because my proposal doesn't use SMTP at all, none of the above
pose a threat.


If you're not using SMTP then what are you using (UUCP)?


http://www.rhyolite.com/anti-spam/you-might-be.html

programmer-11
The FUSSP involves replacing SMTP.

I'll visit the site, but I got the idea from other comments I have
seen that they post mostly humorous stuff. Maybe I have them confused
with someone else. Of course, the last line looks like they agree with
me on at least one point.




They are already not using email networks where they are not welcome,
so why does your solution work?

How are they "not using email networks where they are not welcome"?
Right now, except for private networks, there is only one network
and everyone who is exchanging email is using it. Any Email host
(and many non-legitimate ones like zombied PCs) can contact any
other and 90% of them will accept the connection and the email from
any other.


Also, how do you require uniform AUPs across ISPs of various countries?

It is all based on agreements between individuals. Regardless of where
one is I can require whatever I want or refuse to let them play in my
sandbox.

You're free to set up your own agreements with whatever companies you wish
to accept their mail and reject all other mail. It's easy enough to do with
most mailservers (no need to switch to UUCP just set up your mailserver to only
accept mail from specific IP addresses). However such a solution isn't
acceptable to most companies who want complete strangers (otherwise known as
customers) to be able to contact them.

Which is why my proposal is to run both simultaneously and let the serious
user migrate as they see the value of it until eventually all of your
serious users (read real customers) are on the clean system and you can
pay much less attention to the garbage. Let me throw one more example out.
We have all been spammed by someone who got our address from c.o.v. Many
people have been forced into munging their address (which poses a burden on
anyone who wishes to talk to them because they can no longer just use the
reply option!) or having other mail accounts on other machines specifically
for use in Usenet postings, which is certainly a burden on the user.
What if the address you used in your Usenet postings couldn't be reached
by people outside the group, but could be by those within the group?
Wouldn't that offer an advantage?



Read what I said up above. The customers of the ISP all sign a contract
(I know I had to!) You put serious penalties in the contract.


Yes, but they really have no teeth, the spammers are often using
fraudulent information,

If I don't know/trust the individual, I require them to prove who they
are. How is that any different than when someone walks into a store and
plops a credit card down? Fraud is illegal. As near as I know, that
applies in pretty much every civilized country.

or on ISPs which don't have a strong AUP,

I don't let them join the network until they agree to institute an AUP
that meets the requirements of my network.

or the
spammers are using networks which they are not authorized to use.

Won't be able to use mine. I will know who is allowed to access my mail
server and no one else will be able to.


You are assuming the spammers are Law Abiding Honest Citizens. That
may be true of Usenet back in the day, not anymore.

In order to join the network, they will have to positively identify
themselves. If they choose to violate the law after they have
positively identified themselves, well, that's what the courts are
for. :-)


Sorry your system will only work if you can impose such rules on all the
ISPs and your only weapon against those who don't comply is to stop them
sending you mail. Until the majority of internet sites adopt those rules
it is simpler for the ISPs to just ignore your rules and let you isolate
yourself.

But as long as I continue to accept other emails as well, I am not isolated.
And, as the users I want to communicate with begin to migrate (assuming my
idea takes hold, of course) I can slowly begin to more and more aggressively
filter their garbage and it is eventually they that will be isolated, in a
sea of spam. I don't care about that 98% of garbage that makes up most of
the INTERNET. I am sure that most real businesses and academics doing real
research and people like c.o.v who share a common interest are the same.
Let those who really want to get all that spam stay with their ISP and
take it all in. I don't want it.


http://www.rhyolite.com/anti-spam/you-might-be.html

senior-IETF-member-5
The FUSSP won't be effective until it has been deployed at more than 60% of
SMTP servers and that's not a problem.

Mine takes some point at which it attains critical mass as well. I will look
at this FUSSP stuff, but unless it eliminates the three flaws in SMTP it is
doomed to failure. And, if it is yet to be implemented in any usable form,
my proposal still has the advantage. Given some number of interested email
system admins I can have the first stages of my network up and running in
less than 24 hours. The software is already there and the hardware needed
to run it (especially in the earlier stages) can be found in most people's
junk box.

And, to add even more fuel to the fire, ever hear of HECnet? It's there
and I understand it works. And it really offers much less utility than
what I offer.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>