[170537] in North American Network Operators' Group


Re: why IPv6 isn't ready for prime time, SMTP edition

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Mar 29 11:34:10 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <21301.58989.363630.385662@world.std.com>
Date: Sat, 29 Mar 2014 08:28:32 -0700
To: Barry Shein <bzs@world.std.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 28, 2014, at 2:15 PM, Barry Shein <bzs@world.std.com> wrote:

>
> On March 28, 2014 at 00:06 owen@delong.com (Owen DeLong) wrote:
>>> Advertising is a valuable commodity.  Free advertising is particularly
>>> valuable, ROI with I close to zero.
>>
>> But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free.
>
> I thought the suggestion was that a recipient (email, or by analogy
> postal) could indicate they wanted an email which would cancel the
> postage attached, that is, no charge to sender if they wanted it.

Yes, but you’d have to say “I wanted this” effectively after receiving and opening the mail, knowing what was inside, not before.

> So if a spammer or junk mailer could, say, trick you into accepting
> mail in those schemes then they get free advertising, no postage
> anyhow.

Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising.

> We're getting lost in the metaphors methinks.

I don’t think so, I think we’re having differing visions of how it would work in detail.

>>> So offering to not charge you because you wanted that mail makes no
>>> sense, right?
>>
>> But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
>
> FIRST: There's a typo/thinko in my sentence!
>
> Should be:
>
>  So offering to not charge THE SENDER because THE RECIPIENT wanted
>  that mail makes no sense, right?
>
> SECOND:
>
> In response, someone has to scale resources to match volume.
>
> But maybe my typo/thinko confused this because you know that, sorry.

Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.

>> This is an effort to provide a financial disincentive for spamming.
>
> Did I say that or you? I agree!
>
> Possibly with myself. Which judging by my just previous comments is
> not always a given.

I said it, but I’m glad we are in agreement.

>>> If you want to attach e-postage you have to go get some and that can
>>> be a contract which says you don't do that, if you have multiple
>>> accounts you split it among your accounts or buy more. And if you do
>>> what you describe you understand that it is criminal fraud. Click
>>> Agree [ ] before proceeding, or similar.
>>
>> Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?
>
> I'm trying to create an economics around enforcement.
>=20
> But it's helpful to convince the relatively honest public that what
> you describe is a serious crime tantamount to counterfeiting.

Yes, that would be very helpful.

> And we don't want to be in a situation like we were in 1996 where we
> were debating whether Spam is even a crime.

Sadly, we seem to be in a situation where we have no good legal definition of the crime and where the criminal definition of SPAM has been so badly watered down by regulators as to neuter any attempts to regulate it out of existence or prosecute it criminally.

Worse, even if it is a crime in jurisdiction A, it becomes very difficult to prosecute a spammer in jurisdiction B for sending SPAM to a recipient in jurisdiction A.

> Enforcement is your usual avoidance, detection, recovery, sort of
> affair. But there has to be an economics pushing it or it gets mostly
> ignored (except for people complaining about spam.)

Yep.

> Compare and contrast for example spamming vs RIAA style enforcement of
> copyright violations.

I would not say that RIAA is the shining example to emulate, but, yes for this particular concept, I think you have the right idea.

>> No, it assumes that most of the messages I get from Amazon are NOT SPAM.
>
> And I'm arguing we need to change our attitudes on this.
>=20
> This whole idea that because the recipient wants it it isn't "spam" is
> wearing thin.

Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.

> Just like my analogy with the post office, they wouldn't deliver mail
> for free just because the recipient wanted it.

That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.

>> The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
>
> The vast majority of paper mail I get from my bank accounts is useful
> and informative and often legally important.
>=20
> But every one of them has postage attached.

Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don’t want to start double-paying for spam (or legitimate email for that matter).

Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.

>> I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
>
> Do you mean sending (making you a bot) or receiving spam?

Receiving.

> I'm saying the notion of who you did authorize to send you email is
> getting fuzzier and fuzzier and may no longer be a completely useful
> distinction.

How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record.
If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record.
If I checked the box to receive other emails from you, then you have that permission on record.
If you don’t have my permission on record, then you don’t have my permission. Seems pretty simple and clear and predictable to me.

Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your “permission fee” is refunded. OTOH, if I say “no”, then you don’t get your money back.

> That should have been predictable. Create a fuzzy hurdle and it will
> get hurdled.

I’m not seeing the fuzziness you claim is present.

> Accept that "it's not spam if I have a business relationship with the
> sender" and that "business relationship" definition will get
> stretched.

See above. I have a _MUCH_ narrower definition of what should be accepted.

> For example, Buy an auto insurance policy from Liberty Mutual and you
> just gave permission for every Liberty Mutual insurance agent in the
> world to hawk you life insurance, home owner's insurance, etc etc etc.
> over email.

No, I didn’t.  See above.

>> I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.
>
> Yeah, well, if you ever get an unexpected email (truly) from Bank of
> America for example offering great CD rates and can't imagine why they
> sent it have a ball calling the FTC and filing a CAN-SPAM violation.

If such a thing happened and it actually came from BofA, then, yes, it would.

However, BofA is smart enough to keep such SPAMvertising at arm’s length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.

>
> Maybe something would happen, I can't say for sure.
>=20
> But I suspect they'd round file it because hey that's BANK OF AMERICA
> not SPAMMERS and you're just a KOOK!

No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.

> Extrapolate to any company the FTC has heard of and respects.

Really more a matter of how those companies keep their SPAM at arm’s length and circumvent the intent of the law than their reputation with the FTC.

> That's what I mean by a moralistic component.
>
> But if BoA was fudging their postal meters and the post office noticed
> it'd be Book 'Em Dan-O before the next commercial break.

Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can’t really avoid that.

But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn’t.

>
>>
>>> I assert that the line is getting fuzzier all the time.
>>
>> Yep. If you try to define it on content, the fuzz grows out of control.
>>
>>> Even if the product is completely legitimate and maybe there's some
>>> business relationship someone can draw it doesn't mean I like being
>>> pummeled with hundreds of ads per day (some of that is projection,
>>> remember.)
>>
>> If you ask the sender to stop and they don’t, then their further messages are SPAM.
>
> In theory.
>
> Ever try to enforce that if you got a subsequent email?
>
> Particularly against a well known company?
>
> No. Because no one has even tried (oh there must be one I suppose.)

See above.

>> If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.
>
> I've read CAN-SPAM.

I wasn’t specifically talking about CAN-SPAM, but it does include provisions like this, yes.

>>> But, just as importantly, the people who want to send me an ad would
>>> like to see me pummeled with less junk so maybe I pay attention to
>>> their ad or communication.
>>
>> The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is in your definition of “junk” vs. their definition of “junk”.
>
> Well, the difference I'm advocating is that Amazon (e.g.) can pay real
> do-re-mi for postage, the spammers can’t.

I think you underestimate the available budget for SPAMming.

> Beyond that I don't really need a definition of "spam" per se, at
> least that's what's hoped.
>
> We the people just have to make sure that anyone sending me an email
> follows the e-postage rules.

Now you need to ask, am I going to pay a fee to participate actively in the IETF or the policy development process at ARIN for each and every message I send?

> No spammer can afford to pay even minimal e-postage.

You are dreaming.

> The best they can hope for is to fraud any e-postage system.

More than likely they will be able to do so, yes.

> Voilà, it removes the moral judgement component of whether or not I
> really wanted this email.

True, but it also creates many negative unintended consequences.

> Or reduces the issue probably into the noise.

Unlikely to reduce any issue, IMHO.

>> Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?
>
> I think we can make that too difficult.
>=20
> But at least we'd have a trail in that case, like when the user's
> e-postage meter runs out and they can't send any more email this month
> and might pursue that if unexpected.

Not sure how that constitutes a trail so much as an increased workload for the users and their ISPs.

Might help reduce the bots, but I tend to doubt it.

>>> So it's not the resources, it's the authorization which we're trying
>>> to control.
>>>
>>> Right now every piece of email they send from your botted system is
>>> the same as any email you'd send.
>>
>> I’m not really seeing how this would make a difference in that.
>
> Make it difficult to use your e-postage meter even if they get some
> (virus) software on to your system.

>
> For example, maybe you have to enter a passphrase to enable the
> e-postage meter with an idle-timeout, or any similar method, we've all
> seen many.

That’s what key loggers are for. You can’t protect a booted system from itself.
Dreaming that you can is kind of amusing.

> Heck you could use a USB or similar dongle which has to be plugged in
> to send email.

That might work, but how long before those are compromised?

> Sure, people would leave them in, until their e-postage meter was run
> out unexpectedly and they can't send any more email for the rest of
> the month, or actually would have to buy further allocation for real
> $$$.

Actually, rolling code dongles that simulate keyboards for authentication codes might be a good choice here… Hit the button each time you need to enter postage.
That might actually be a secure solution.

But you’re still left with the chilling effect on voluntary participation in governance and other activities through email.

>
>>
>>>
>>> If there were some sort of e-postage system with some basic security
>>> and tracking that becomes much more difficult for the spammer.
>>=20
>> Given how most bots become bots, I tend to doubt it. They just have to
>> keystroke log your MUA in a two-step process instead of the one-step
>> process of days of yore.
>>
>> Further, since they’re sending lots and lots of the same spam with identical
>> envelope contents and the only differences are in the SMTP exchange, not the
>> internal contents of the envelope, a replay attack against the same postage
>> would seem pretty trivial.
>
> But now it's running down your e-postage meter.

How so? I’m just replaying the original e-postage. Reusing the same stamp over and over again as it were.

> And it's positively id'd on the receiving end, it has your e-postage
> meter id on it.

Yes, the spammer is able to use one of my stamps a few million times and then what?

> It does add a lot of hoops to jump through and evade.

Not really, no.

> That's progress!
>
> And I thank you! Many in this community hear the word "e-postage" and
> just mentally shut down.

Meh… I try to keep an open mind.

Owen
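
The replay objection in the message above, as an added example that is not part of the original post or of any real e-postage system: a stamp that covers only the meter id and the message body verifies on every re-send, while one bound to a serial number and a recipient, checked against a per-receiver spent list, does not. The shared key, the field layout and the names (`weak_stamp`, `bound_stamp`, `Receiver`) are assumptions made for illustration.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # assumption: key known to issuer and receiving ISPs

def _mac(*fields):
    return hmac.new(ISSUER_KEY, "\x00".join(fields).encode(), hashlib.sha256).hexdigest()

def _digest(body):
    return hashlib.sha256(body.encode()).hexdigest()

def weak_stamp(meter, body):
    # Weak design: the stamp covers only the meter id and the message body.
    return {"meter": meter, "mac": _mac(meter, _digest(body))}

def weak_accept(stamp, body):
    # Identical body => the same stamp verifies for any recipient, any number of times.
    return hmac.compare_digest(stamp["mac"], _mac(stamp["meter"], _digest(body)))

def bound_stamp(meter, serial, rcpt, body):
    # Bound design: one serial number, one recipient, one body per stamp.
    return {"meter": meter, "serial": str(serial),
            "mac": _mac(meter, str(serial), rcpt, _digest(body))}

class Receiver:
    """One receiving ISP; remembers the (meter, serial) pairs it has already honoured."""
    def __init__(self):
        self.spent = set()

    def accept(self, stamp, rcpt, body):
        # Recompute the MAC with the recipient actually being delivered to.
        expected = _mac(stamp["meter"], stamp["serial"], rcpt, _digest(body))
        if not hmac.compare_digest(stamp["mac"], expected):
            return "rejected: stamp not valid for this recipient/body"
        if (stamp["meter"], stamp["serial"]) in self.spent:
            return "rejected: replay"
        self.spent.add((stamp["meter"], stamp["serial"]))
        return "accepted"

def demo():
    body = "constructed sample message body"
    w = weak_stamp("meter-1", body)
    weak = [weak_accept(w, body) for _ in range(3)]   # same stamp, three deliveries
    s = bound_stamp("meter-1", 1, "alice@a.example", body)
    a, b = Receiver(), Receiver()                       # two ISPs that share no state
    bound = [a.accept(s, "alice@a.example", body),      # first use
             a.accept(s, "alice@a.example", body),      # replay to the same recipient
             b.accept(s, "bob@b.example", body)]        # replay at a different ISP
    return weak, bound
```

The spent list alone only stops replays at the ISP that saw the first copy; it is the recipient binding that stops the same stamp being honoured at a second ISP with no shared state.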


