Re: increase in spam and what to do about it



In article <4t0o6hF11i1kvU1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <ekc29h$41a$1@xxxxxxxxxxxxxxxxx>,
david20@xxxxxxxxxxxxxxxx writes:
In article <4ssd5nF110jjhU1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <1164427612.373176.124490@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
davidc@xxxxxxxxxxxx writes:
Bill Gunshannon wrote:

And I guess I'm still not sure exactly how your method is to actually
work, and how all these agreements are executed and enforced.

By making the users (at least the ones you don't trust) sign a legally
binding contract that has the ability to impose real penalties on those
who violate it.

Two problems

1) One-to-one agreements aren't scalable with the modern internet unless you
severely restrict who you want to talk to which would be unacceptable for
most organisations.

Actually, among the more serious users, it is probably a lot more
acceptable than you think. Many places don't allow the use of their
email system for anything but official communications both in and
outside of their own house. (ie. Procter & Gamble). .mil and .gov
severely restrict what can be accessed from their networks.

Any company that has customers (or in the case of education institutions wishes
to recruit students ) needs to expect to receive mail from perfect strangers.



I would
think that places like this would very much like to have a clean
network from which they could contact and conduct business with
their contractors. As would many other serious .coms. The only
one who seems to be likely to prefer being on the outside are the ISPs
with their grandmas and their 9 year old users. I don't know about
you, but I really have no need to contact or to be contacted by them.


(
note. Usenet News is not a one-to-one agreement between your organisation
and the senders. You have one-to-one agreements with your Usenet feeds but
they just pass along ALL those newsgroups you have agreed to accept which
in turn have been passed along from their feeds etc
Any particular Usenet posting will have passed through a large number of
Usenet systems, which you have no direct agreement with, before reaching
your systems. Usenet is also a broadcast system, unlike email, which makes
such a structure feasible.

Which is why I used Usenet only as an example of how halfway measures
helped. Considering the volume, Usenet has considerably less spam by
percentage than most emails today. I saw no spam messages on Usenet
over the weekend while even with moderate filtering at the server and
aggressive filtering at the personal mailbox I still had a real/spam
ratio of 2/183 just over the last 4 days. This is handled by spam
filtering and the UDP. Not much, but it works. Peering agreements
with the email system can do it too, but they would require a system
that eliminates the three primary flaws I have already mentioned.
Three flaws that NNTP does not have, by the way.

If by the three flaws you mean


1) Anonymous access is allowed
2) Protocol allows anyone, anywhere to connect to anyone, anywhere
3) Protocol allows for easy address spoofing which adds to 1)

then they are totally irrelevant if you want to restrict which systems
can send to you via one-to-one agreements.

Just use SMTP but set your mail system up so that it just accepts mail from the
IP addresses of the mailservers of the people you have agreements with.
Reject all other connections.

(Such a setup wouldn't as I indicated above be acceptable to most companies
but there is nothing to stop you setting that up. No need to get rid of SMTP).

(
Of course NNTP does in fact have at least flaws 1) and 3) since you
have no control over what the systems you peer to have peered with and what
systems those have peered with etc
)



Also, of course, Usenet has its own problems with
inappropriate postings/SPAM.

See above, not even close to the level found in email today.

Depends on the groups and when you look. A while back a number of the vmsnet
groups were almost impossible to use because of binary postings of warez.


)


2) Getting organisations to sign legally binding contracts with respect to
their emission of SPAM is likely to be difficult.

Again, what the agreement ends out being is left as an exercise for
the reader. If you deal with someone whose AUP you are already
aware of and you know they enforce it draconianly (ie. .mil) then
you might not require any kind of formal agreement. I have said
the same thing about "communities" like c.o.v. Strongly worded
binding contracts are more likely going to be for those you don't
trust. They might show you how determined to work within the rules
they are. If they don't want to agree to play by the rules, send
'em packin'.



It looks like there was an attempt to set something like this up which overcame
the first problem via the use of a whitelist.
If you look on

http://shopping.declude.com/Articles.asp?ID=97

you'll find a fairly good list of anti-spam lists

at the bottom it mentions


BONDEDSENDER - A whitelist of E-mail senders that have
posted a bond to help prove that their
E-mail is legitimate.


Sadly, if not particularly unexpectedly, when you go to the url listed
http://www.bondedsender.org/ you find
that the service has been renamed "Sender Score Certified" and no longer
seems to mention anything about posting bonds.

But, by not eliminating the three flaws I have already mentioned, it
was doomed from the beginning. The current system can not be fixed.
We can try an already existing method that eliminates these flaws,
we can create a whole new protocol that eliminates these flaws or we
can stay with the status quo. Putting a bandaid and some neosporin
on a wound isn't going to help if the wound is already gangrenous.

More likely the participants found themselves hosting zombied
systems despite their best efforts and that persuaded them that agreeing to
pay out lots of money when they couldn't guarantee that they could stop it
happening again was not a good idea.





How do you stop it at the source? Which is the spammer, himself?

True. You stop it by not giving the spammer a venue from which to send
his spam. The sysadmins all agree (by contract) to not allow spam to be
sent from their systems. Penalty: ostracism. The sysadmins of the local
mailsystems have AUP's that carry penalties (which depend on the type of
organization, ie. ISP - include hefty fines in your customer contract,
business - employee can be fired, school - expulsion or other academic
sanctions, etc.) Thus, the spammer has no place where he is welcome on
the new email network.

Back in the mid '90's, such things were done. Erols and other networks
had fines and such for spammers. It didn't work. This again refers
to the "whack-a-mole" game of spammer termination. Also, often the
spammers would sign up with accounts using credit cards of the clients,
or even stolen credit cards.

Ummm.... That's a crime, probably federal.

So you end up not billing or punishing
the spammer, anyway. You kill one spammer account, and they have 10
more waiting to abuse when needed.

If you make the users identify themselves and sign a legally binding
contract you know who they are and they can't have 10 more accounts
waiting.


Of course, now much spam is from zombied Windows boxes. The spam can't
be traced back past the zombied PC. So, do you fine and terminate the
account of the person with the infected PC? That's going to sit well
with customers. What about the Wingate proxy exploitation of several
years ago? The proxy would allow SOCK4-like remote access, making the
Wingate proxy appear to be the source, but no way to determine who
initiated the connection. And the wide variety of formmail.pl web form
abuse that occurred (and actually, I STILL had several dozen attempts by
some spammer to test my form mail web script on the Hobby Site:
dinotto2@xxxxxxx and topcopl2@xxxxxxx are their test accounts - may the
harvesters get them)? And there are still open SOCK4 proxies, open
SMTP relays, and any number of other methods people are spamming
without using mail servers they are authorized to use.

And, because my proposal doesn't use SMTP at all, none of the above
pose a threat.


If you're not using SMTP then what are you using (UUCP)?


http://www.rhyolite.com/anti-spam/you-might-be.html

programmer-11
The FUSSP involves replacing SMTP.

I'll visit the site, but I got the idea from other comments I have
seen that they post mostly humorous stuff. Maybe I have them confused
with someone else. Of course, the last line looks like they agree with
me on at least one point.




They are already not using email networks where they are not welcome,
so why does your solution work?

How are they "not using email networks where they are not welcome"?
Right now, except for private networks, there is only one network
and everyone who is exchanging email is using it. Any Email host
(and many non-legitimate ones like zombied PC's) can contact any
other and 90% of them will accept the connection and the email from
any other.


Also, how do you require uniform AUP's across ISP of various countries?

It is all based on agreements between individuals. Regardless of where
one is I can require whatever I want or refuse to let them play in my
sandbox.

You're free to set up your own agreements with whatever companies you wish
to accept their mail and reject all other mail. It's easy enough to do with
most mailservers (no need to switch to UUCP just set up your mailserver to only
accept mail from specific IP addresses). However such a solution isn't
acceptable to most companies who want complete strangers (otherwise known as
customers) to be able to contact them.

Which is why my proposal is to run both simultaneously and let the serious
user migrate as they see the value of it until eventually all of your
serious users (read real customers) are on the clean system and you can
pay much less attention to the garbage. Let me throw one more example out.
We have all been spammed by someone who got our address from c.o.v. Many
people have been forced into munging their address (which poses a burden on
anyone who wishes to talk to them because they can no longer just use the
reply option!) or having other mail accounts on other machines specifically
for use in Usenet postings, which is certainly a burden on the user.
What if the address you used in your Usenet postings couldn't be reached
by people outside the group, but could be by those within the group?
Wouldn't that offer an advantage?



Read what I said up above. The customers of the ISP all sign a contract
(I know I had to!) You put serious penalties in the contract.


Yes, but they really have no teeth, the spammers are often using
fraudulent information,

If I don't know/trust the individual, I require them to prove who they
are. How is that any different than when someone walks into a store and
plops a credit card down? Fraud is illegal. As near as I know, that
applies in pretty much every civilized country.

or on ISP which don't have strong AUP,

I don't let them join the network until they agree to institute an AUP
that meets the requirements of my network.

or the
spammers are using network which they are not authorized.

Won't be able to use mine. I will know who is allowed to access my mail
server and no one else will be able to.


You are assuming the spammers are Law Abiding Honest Citizens. That
may be true of Usenet back in the day, not anymore.

In order to join the network, they will have to positively identify
themselves. If they choose to violate the law after they have
positively identified themselves, well, that's what the courts are
for. :-)


Sorry your system will only work if you can impose such rules on all the
ISPs and your only weapon against those who don't comply is to stop them
sending you mail. Until the majority of internet sites adopt those rules
it is simpler for the ISPs to just ignore your rules and let you isolate
yourself.

But as long as I continue to accept other emails as well, I am not isolated.
And, as the users I want to communicate with begin to migrate (assuming my
idea takes hold, of course) I can slowly begin to more and more aggressively
filter their garbage and it is eventually they that will be isolated, in a
sea of spam. I don't care about that 98% of garbage that makes up most of
the INTERNET. I am sure that most real businesses and academics doing real
research and people like c.o.v who share a common interest are the same.
Let those who really want to get all that spam stay with their ISP and
take it all in. I don't want it.


http://www.rhyolite.com/anti-spam/you-might-be.html

senior-IETF-member-5
The FUSSP won't be effective until it has been deployed at more than 60% of
SMTP servers and that's not a problem.

Mine takes some point at which it attains critical mass as well. I will look
at this FUSSP stuff, but unless it eliminates the three flaws in SMTP it is
doomed to failure. And, if it is yet to be implemented in any usable form,
my proposal still has the advantage. Given some number of interested email
system admins I can have the first stages of my network up and running in
less than 24 hours. The software is already there and the hardware needed
to run it (especially in the earlier stages) can be found in most people's
junk box.


I think you are misunderstanding. The FUSSP (Final Ultimate Solution to the
Spam Problem) is a general description of solutions such as yours to SPAM.
The full title of the webpage is
"You Might be an Anti-Spam Kook If ..."

David Webb
Security team leader
CCSS
Middlesex University




And, to add even more fuel to the fire, ever hear of HECnet? It's there
and I understand it works. And it really offers much less utility than
what I offer.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
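
The restriction discussed in the thread above (keep SMTP, accept connections only from the IP addresses of the mail servers of parties you have agreements with, reject everything else), sketched as an added example that is not part of any poster's message. The peer names, address ranges and reply texts are constructed for illustration.

```python
import ipaddress

# Constructed peer table: organisation -> networks of its outbound mail servers.
# Addresses are taken from the documentation ranges (RFC 5737 / RFC 3849).
PEERS = {
    "partner-a.example": ["192.0.2.10/32", "192.0.2.11/32"],
    "partner-b.example": ["198.51.100.0/28", "2001:db8:25::/64"],
}

def build_allowlist(peers):
    """Parse the table once; strict=True rejects entries with host bits set."""
    table = []
    for name, nets in peers.items():
        for net in nets:
            table.append((ipaddress.ip_network(net, strict=True), name))
    return table

def normalise(addr):
    """Return an ip_address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), which
    dual-stack listeners report for IPv4 clients."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def connect_policy(addr, table):
    """Decide at TCP connect time, before any SMTP command is read.
    The source address of the established TCP session is the only input;
    HELO names and envelope senders are client-supplied and not consulted."""
    try:
        ip = normalise(addr)
    except ValueError:
        return (554, "5.7.1 unparseable client address", None)
    for net, name in table:
        if ip.version == net.version and ip in net:
            return (220, "mail.example ESMTP ready", name)
    return (554, "5.7.1 no peering agreement for this host", None)

ALLOW = build_allowlist(PEERS)

if __name__ == "__main__":
    for client in ["192.0.2.10", "::ffff:198.51.100.7", "2001:db8:25::25",
                   "203.0.113.99", "198.51.100.16"]:
        code, text, peer = connect_policy(client, ALLOW)
        print(f"{client:22} -> {code} {text} ({peer or 'no peer'})")
```

A compromised machine inside a listed peer range still passes this check, which is the zombie problem raised earlier in the thread.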