[Brad makes some very good points. Previous Politech message: http://www.politechbot.com/p-04741.html --Declan] --- Date: Sat, 10 May 2003 23:05:39 -0700 From: Brad Templeton <bradat_private> To: Declan McCullagh <declanat_private> Cc: politechat_private Subject: Re: FC: Rich Kulawiec's Draconian idea to rid the Net of spam, forever In-Reply-To: <5.2.1.1.0.20030510194520.02730000at_private> Organization: http://www.templetons.com/brad Declan, I would normally not want to include the entire text of an earlier article in a posting, but that's because I want people who agreed with this to re-read it and substitute, for spammer, some internet activity that some forces don't like but which the reader likes. People seem ready to say "blame the ISP, force them to act against the user, cut them off if they won't" as a technique against spam. But aren't they often the same people who would scream if you advocated blaming the ISP, and pressuring them to cut off any users who: a) Run Gnutella or other P2P software b) Have a NAT box c) Have an open wireless lan d) Host a web site with indecent material e) Host a web site with unpleasant political views f) Host a file which is allegedly a copyright infringement g) Post messages allegedly violating the copyrights of the Church of Scientology And many other things? Don't most of us here cry foul when people try to blame the ISP for actions of users like these, try to pressure the ISPs to cut off these users? Yet with spam, do we reverse that philosophy? These are not idle examples. We've seen ISPs try to ban users from doing all these things, and legal and other pressures put on ISPs to cut off users who do them. (except B, which mostly the ISPs themselves try to impede.) Do we believe in the end to end principle? Under the E2E principle, the ISP's job is to provide an efficient bit pipe, not to pass judgement and restrictions on the nature of the traffic flowing over it. I see the attraction of the approach of punishing the ISP for the actions of its users. But it also means punishing the innocent users of the ISP for the actions of the guilty. Do we advocate doing that? As I've stood up so many times to stop people from blaming the ISPs for what users are doing, I can't stand up in support of principles like this. Take your favourite banned action and insert it in the essay below in place of spam. On Sat, May 10, 2003 at 08:07:43PM -0400, Declan McCullagh wrote: > > --- > > Date: Fri, 9 May 2003 11:52:05 -0400 > From: Rich Kulawiec <rskat_private> > To: declanat_private > Subject: Re-engineering mail: a nice idea, but won't stop spam > > [ Declan: for politech, if you deem fit/appropriate/etc. ---Rsk ] > > I have now seen at least half a dozen different proposals on how the > entire Internet's mail system should be changed in order to stop spam and > (as a secondary goal) stop malware like worms and viruses. [1] > > I *do* think that the mail system is due for an overhaul. Maybe even > overdue. We know lots of things about how mail works or doesn't work > that we didn't know two decades ago; we should apply that knowledge. > > But I don't think we should allow the nature and schedule of that overhaul > to be dictated by spammers. It's certainly not the most desirable option > and it WON'T stop spamming, regardless of the many claims that it will. > > Why not? Because (some) spammers have already demonstrated great > ingenuity. They will find a way to abuse whatever's put in place, and/or > they'll shift to other protocols and spam using those -- so at *best*, > and even this is quite a bit to hope for, it will force them off SMTP > and onto something else. It will not solve the problem. It will only > move it around. [2] > > The only way to stop spamming is remove spammers from the Internet, > permanently. And to make it clear that anyone allowing them to connect > again will be quickly and completely shunned by the rest of the 'net. [3] > > But none of these re-engineering efforts do that. And so they miss > the point: if the spammers are made to go away, the problem goes away. > And nothing BUT making the spammers go away will make the problem go away. > > This doesn't happen by inventing challenge-response mail systems or > trusted authorities or bureaucracy or HTML (spit) mail or crypto certs > or any of the other ideas that have been suggested as part of a new and > better way of moving mail around. Yes, it's all very nice, and some of > it may be a darn good idea, but it only treats the SYMPTOMS of spam and > not the DISEASE. > > The DISEASE is treatable only at its source; and it's treatable only by > disconnecting spammers from the Internet. Permanently. > > There is no technical reason why this can't be made to (mostly) happen. > > What is missing here is not something technical [4], which is why > technical solutions won't work. What's missing here is the WILL to > solve the problem and, along with it, the WILL to endure the fallout: > the complaints, the loss of revenue, the revenge attacks, the frivolous > lawsuits, etc. > > That will can't be supplied just by changing the way mail works. > > It either has to come from within -- as it does in people who know that > nuking spammers on sight is the Right Thing to do -- or without -- as in > people who don't know that, but who are being dragged to the realization > that hosting spamers -> getting blacklisted -> Bad Thing. > > I think we would all prefer to live in a world where ISPs are run by > the first group of people. Luckily, there are some of them and their > efforts go largely under-appreciated because they don't bring themselves > to our attention. To them, I say: you rock. May your mallet always > hit its target and may your BOFH badge never tarnish. > > However, as we know, there are a lot of ISPs run by the second group of > people, and they need to have it explained to them (via DNSBLs and the > like) that their conduct, specifically their continued provision of spam > support services, is unacceptable to the Internet community > > But "what we have here...is a failure to communicate." We have, to this > point, made it somewhat clear that some of our networks will not accept > SMTP traffic from some parts of spam-friendly networks. This message > is fine, as far as it goes, but it is not the message that spam-friendly > networks need to hear. > > What they need to hear is "Your know that AUP/TOS you have? The one > you never enforce? Well, here is our AUP/TOS: a LOT of us are going > to drop every packet you send on the floor until you demonstrate that > you are worthy to participate in the Internet community by removing ALL > your spammers. Meanwhile, enjoy your intranet. Do let us know when > you're done cleaning it up. Goodbye. <click>" > > *Should* this be necessary? Of course not. It's draconian even by > my standards. But I think that delivering an ultimatum to a couple of > select ISPs -- as in "remove your spammers or face the Internet Death > Penalty" -- is probably the only way to get through to some of them. > This is because it is a message written in a language they understand > (maybe the ONLY language they understand): money. > > I think it will work. If nothing else it'll herd the spammers into a > successively smaller number of networks. (We have already seen some > of this happening because of DNBSLs.) And thanks to the wonderful > documentation which has already been compiled by folks like ROKSO and > and CluelessMailers, we already know who most of the major spammers are > and where to find them. > > If it works, it will return mail to the nicely usable state that it > was in, say, ten years ago. We will no doubt all enjoy the relative > peace and quiet -- and we will be able to debate a new mail architecture > for the Internet without being distracted so badly by the spam issue. > > It it doesn't work, fine, I was wrong. > > But I think it's a much more effective avenue to pursue -- and > it's certainly much faster [5] than trying to get through all the > wrangling over a new mail protocol/architecture, the development of > production-quality code, the deployment and migration [6] , etc. > > ---Rsk > > [1] As to worms and viruses: breaking the addiction to M$ solves most > of that. Oh, no doubt if M$ were wiped off the face of the earth (oh > happy day! may I live to see it) malware authors would turn to MacOS > and OpenBSD and Linux and whatnot, but they will find far less fertile > ground there. This doesn't require re-engineering mail either: it only > requires getting people to switch to professional-quality operating > systems, of which there are now quite a few to suit every need, budget, > and hardware platform. > > [2] This has already happened. Spammers moved en masse off NNTP and onto > SMTP when the web made it possible for them to spam using protocol A and > deliver their payload via protocol B. They bought themselves years of > uninterrupted service by doing it, too, until it finally became clear > that the ISP providing service via B was just as culpable as the one > providing service via A. > > [3] That will probably require much more severe blacklisting that has been > used so far: think SPEWS++: blocking all IP traffic and with mandatory > penalty periods equal to the length of time spammers were allowed > to connect. Or something like that. So far, out of everything I've > seen -- from ROKSO to Wirehub!, from SpamCop to monkeys.com, THE single > most effective tool in getting spammers removed -- even temporarily -- > has been SPEWS. This doesn't mean that I like everything about SPEWS. > I simply recognize that it seems to work better than anything else at > getting spam-friendly ISPs to remove their spammers. > > [4] Nor will legal solutions, for the most part. Two of many reasons > why are (a) this problem crosses jurisdictions and (b) spam is not yet > correctly recognized as a distributed denial-of-service attack. > > [5] Even if The Perfect Mail Architecture were proposed tomorrow, > it would still take time -- a lot of time -- to develop code and get > it widely deployed. Meanwhile, spam is getting exponentially worse. > These are not compatible situations. > > [6] Those of you who recall the Usenet migration of the mid-80's know > what a massive effort that was. And it had the advantages of a somewhat > centralized authority (the "backbone"), a much less-used system, a much > more clueful administrative community, and a much smaller network. ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. ------------------------------------------------------------------------- To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ Like Politech? Make a donation here: http://www.politechbot.com/donate/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun May 11 2003 - 06:27:35 PDT