[170494] in North American Network Operators' Group


Re: why IPv6 isn't ready for prime time, SMTP edition

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Mar 28 03:08:30 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <21301.2324.18376.209669@world.std.com>
Date: Fri, 28 Mar 2014 00:06:49 -0700
To: Barry Shein <bzs@world.std.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 27, 2014, at 10:31 PM, Barry Shein <bzs@world.std.com> wrote:

>
> On March 27, 2014 at 12:14 owen@delong.com (Owen DeLong) wrote:
>>
>> On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
>>
>>>
>>> On March 26, 2014 at 22:25 owen@delong.com (Owen DeLong) wrote:
>>>>
>>>> Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipient’s e-postage account to offset the cost of their emails.
>>>>
>>>> Thoughts?
>>>
>>> It's a fine idea but too complicated.
>>>
>>> Look, the (paper) post office doesn't say "oh, you WANTED that mail,
>>> ok, then we'll return the cost of postage to the sender!"
>>>
>>> Why? Because if they did that people would game the system, THEY'D
>>> SPAM!
>>
>> How would they benefit from that?
>
> From what, being able to send free paper mail? I think that would be
> considered a benefit by most junk mail advertisers. But see next...
>
>> SPAM — Pay, say $0.10/message.
>> Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself.
>> Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the
>> original provider keeps the other $0.05.
>>
>>> And it would take way too much bookkeeping and fraud identification etc.
>>
>> Please explain in detail where the fraud potential comes in.
>>
>> By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way.
>
> Well, it's advertising, so they do.
>
> Advertising is a valuable commodity.  Free advertising is particularly
> valuable, ROI with I close to zero.

But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free.

> So offering to not charge you because you wanted that mail makes no
> sense, right?

But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.

This is an effort to provide a financial disincentive for spamming.

>
>>> Let's take a deep breath and re-examine the assumptions:
>>>
>>> Full scale spammers send on the order of one billion msgs per day.
>>>
>>> Which means if I gave your account 1M free msgs/day and could
>>> reasonably assure that you can't set up 1,000 such accts then you
>>> could not operate as a spammer.
>>
>> Not sure how you enforce these user account requirements or how you avoid duplicative accounts.
>
> If you want to attach e-postage you have to go get some and that can
> be a contract which says you don't do that, if you have multiple
> accounts you split it among your accounts or buy more. And if you do
> what you describe you understand that it is criminal fraud. Click
> Agree [ ] before proceeding, or similar.

Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?

>>> Who can't operate with 1M msgs/day?
>>>
>>> Well, maybe Amazon or similar.
>>>
>>> But as I said earlier MAYBE THEY SHOULD PAY ALSO!
>>
>> I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
>
> That assumes that spam is free for them, and you. Including "free" as
> in "stealing your time".

No, it assumes that most of the messages I get from Amazon are NOT SPAM.

The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.

>>> We really need to get over the moral component of spam content (and
>>> senders' intentions) and see it for what it is: A free ride anyone
>>> would take if available.
>>
>> I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
>
> How can it be a theft of service if we're not charging anything?

I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.

> Well, if they use others' resources it's a theft of those resources,
> such as botnets, is that what you mean?

Botnets, my mail server, my disk storage, my network, etc. where my mail is processed… All of the above.

> But by morality I mean that we tend to define spam in terms of
> generally agreed to be undesirable email content such as questionable
> herbal cures or other apparent fraud or near-fraud -- I dunno, maybe
> someone hiring a spammer really believes their herbal hair re-growth
> tonic works.

I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.

> I assert that the line is getting fuzzier all the time.

Yep. If you try to define it on content, the fuzz grows out of control.

> Even if the product is completely legitimate and maybe there's some
> business relationship someone can draw it doesn't mean I like being
> pummeled with hundreds of ads per day (some of that is projection,
> remember.)

If you ask the sender to stop and they don’t, then their further messages are SPAM.

If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.

> But, just as importantly, the people who want to send me an ad would
> like to see me pummeled with less junk so maybe I pay attention to
> their ad or communication.

The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is in your definition of “junk” vs. their definition of “junk”.

> Heck, I already almost never read email from what appears to be my
> bank because it's just too much time and effort to verify that it's
> legitimate.

I just bank with banks that don’t have enough customers to be attractive to spammers… Saves a lot of effort. Also makes for a nicer relationship with the bank. The tellers mostly know who I am and I’m treated like a customer instead of an inconvenience.

> It'd be just as much effort under this, perhaps, but at least maybe I
> won't feel like I'm desperately trying to sort through 300 msgs that
> came in while I was asleep.

I wish I could get it down to 300.
>>
>> So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
>>
>> My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
>
> I think you're skipping the point about how they'd have to
> successfully attach e-postage to every piece of email they sent from
> your system.

Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?

>
> So it's not the resources, it's the authorization which we're trying
> to control.
>
> Right now every piece of email they send from your botted system is
> the same as any email you'd send.

I’m not really seeing how this would make a difference in that.

>
> If there were some sort of e-postage system with some basic security
> and tracking that becomes much more difficult for the spammer.

Given how most bots become bots, I tend to doubt it. They just have to
keystroke log your MUA in a two-step process instead of the one-step
process of days of yore.

Further, since they’re sending lots and lots of the same spam with identical
envelope contents and the only differences are in the SMTP exchange, not the
internal contents of the envelope, a replay attack against the same postage
would seem pretty trivial.

>
> Or they can use your system to send out a million msgs with no
> e-postage which, one hopes, will be rejected by receiving systems
> without delivery, much like fraudulent DKIM or SPF credentials.
>
> Which, one hopes, won't be profitable for them any more.
>
>>
>>> P.S. And in my vision accepting only email with valid e-postage would
>>> be voluntary though I suppose that might be "voluntary" at the
>>> provider level. For example someone like gmail at some point (of
>>> successful implementation of this scheme) might decide to just block
>>> invalid e-postage because hey your gmail acct is free! Let someone
>>> else sell you rules you prefer like controlling acceptance of invalid
>>> e-postage yourself.
>>
>> Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.
>
> I agree, but I hope my efforts indicate it's not entirely half-baked
> or off the cuff.

Intrigued, but not convinced.

Owen
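
The replay concern raised in the message above, as an added example that is not part of the original post or of any real e-postage system: the thread defines no concrete stamp format, so the HMAC-based stamp, the issuer key, the serial numbers and every function name here are assumptions. It contrasts a stamp computed only over the message content, which verifies for every recipient of the same bulk message, with one bound to the recipient and a single-use serial that the receiving side records as spent.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held by a hypothetical postage issuer

def _mac(*fields: bytes) -> str:
    # Length-prefix every field so the MAC input is unambiguous.
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()

def _digest(body: bytes) -> bytes:
    return hashlib.sha256(body).digest()

# Weak design: the stamp covers only the message content.
def issue_weak(body: bytes) -> str:
    return _mac(_digest(body))

def verify_weak(stamp: str, rcpt: str, body: bytes) -> bool:
    # rcpt is never checked, so one paid stamp verifies for every recipient.
    return hmac.compare_digest(stamp, _mac(_digest(body)))

# Hardened design: the stamp covers a serial number and the recipient as well.
def issue_bound(serial: str, rcpt: str, body: bytes) -> dict:
    mac = _mac(serial.encode(), rcpt.lower().encode(), _digest(body))
    return {"serial": serial, "mac": mac}

class Verifier:
    """Receiving side: checks the binding and keeps a spent-serial ledger."""
    def __init__(self):
        self.spent = set()

    def verify(self, stamp: dict, rcpt: str, body: bytes) -> str:
        want = _mac(stamp["serial"].encode(), rcpt.lower().encode(), _digest(body))
        if not hmac.compare_digest(stamp["mac"], want):
            return "reject: stamp not issued for this recipient/message"
        if stamp["serial"] in self.spent:
            return "reject: stamp already spent"
        self.spent.add(stamp["serial"])
        return "accept"

def demo():
    body = b"constructed bulk message body"  # constructed sample input
    rcpts = ["a@example.net", "b@example.net", "c@example.net"]
    weak = issue_weak(body)
    weak_accepted = sum(verify_weak(weak, r, body) for r in rcpts)
    v = Verifier()
    bound = issue_bound("S-0001", rcpts[0], body)
    results = [v.verify(bound, r, body) for r in rcpts + [rcpts[0]]]
    return weak_accepted, results
```

HMAC with a key shared between issuer and verifier stands in for an issuer signature to keep the sketch short; because each bound stamp names its recipient, the spent-serial ledger only has to live on that recipient's own mail system.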


