[170552] in North American Network Operators' Group


Re: why IPv6 isn't ready for prime time, SMTP edition

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Mar 30 02:28:11 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <21303.11694.671771.160140@world.std.com>
Date: Sat, 29 Mar 2014 23:26:25 -0700
To: Barry Shein <bzs@world.std.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs@world.std.com> wrote:

>
> On March 29, 2014 at 08:28 owen@delong.com (Owen DeLong) wrote:
>>> So if a spammer or junk mailer could, say, trick you into accepting
>>> mail in those schemes then they get free advertising, no postage
>>> anyhow.
>>
>> Sure, but how would they trick you into saying "I wanted this advertising" once you've actually seen that it is advertising.
>
> I dunno, but they trick people all the time, isn't that what the
> entire phishing industry is based on?
>
> I guess the real point is that this idea that one would be sorting
> through their email saying don't charge for this one I want it, charge
> for this one, I don't, etc is not a good idea.

I was envisioning a system more where you white-listed your known contacts up front, then only needed to say "refund this one and add to white-list" or "refund this one" when confronted with one that wasn't already white-listed that you didn't feel was spam.

>>> We're getting lost in the metaphors methinks.
>>
>> I don't think so, I think we're having differing visions of how it would work in detail.
>
> Well, that's always the problem at some point. Lacking a specific,
> detailed proposal one tries to work out how it might work, look for
> inherent flaws in the idea, show stoppers.
>
> This is basically brainstorming.

Yep... Wasn't a criticism, merely an effort to home in on a more accurate problem description for the communications failures so we weren't trying to solve the incorrect cause.

>>>>> So offering to not charge you because you wanted that mail makes no
>>>>> sense, right?
>>>>
>>>> But this isn't a charge for the post office and by the time you're connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
>>>
>>> FIRST: There's a typo/thinko in my sentence!
>>>
>>> Should be:
>>>
>>> So offering to not charge THE SENDER because THE RECIPIENT wanted
>>> that mail makes no sense, right?
>>>
>>> SECOND:
>>>
>>> In response, someone has to scale resources to match volume.
>>>
>>> But maybe my typo/thinko confused this because you know that, sorry.
>>
>> Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn't be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.
>
> What about the costs of anti-spam technology? And all the other
> problems spam incurs? I thought that's why we were here.

Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?

>> Please present your definition of SPAM. I don't see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
>
> My whole point is I don't WANT to have a definition of spam, except as
> a bad memory.
>
> I'm trying to figure out how to change the ecology/economics so spam
> is difficult, a minor problem.

I get what you want, but I don't see it as a solution due to the negative consequences described elsewhere in the thread.

>>> Just like my analogy with the post office, they wouldn't deliver mail
>>> for free just because the recipient wanted it.
>>
>> That postage is already being paid for email... You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.
>
> Again, we're talking about spam and the harm it does, the costs it
> incurs. And phishing etc.
>
> That's sort of like saying my car can drive down the road perfectly
> well with some gasoline etc, why do I need to pay taxes for police?

I often find myself wondering exactly that... Usually after trying to get some service or other that the police are supposed to be providing.

Nonetheless, I get your point. OTOH, the city council, as a body, doesn't pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the "tax exempt organization"?

>>>> The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn't mind seeing them forced to pay me for those messages, but I certainly don't want to see them paying for every message they send.
>>>
>>> The vast majority of paper mail I get from my bank accounts is useful
>>> and informative and often legally important.
>>>
>>> But every one of them has postage attached.
>>
>> Yes, but you aren't paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don't want to start double-paying for spam (or legitimate email for that matter).
>
> Recipients wouldn't pay in my scheme.

OK, turn it around and you aren't paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either.

> If you mean that legitimate senders have to pay and somehow recover
> that cost, well, we all pay for police and other security. Security is
> often like that. When you pay for a prison you pay to house prisoners,
> any benefit to you is at best abstract (they're not on the streets
> etc.)

I don't pay the USPS any separate taxes to support the postal inspectors. That's rolled up into the postage.

>> Further, if someone sends me something I don't want, I can mark it "refused, return to sender" and the post office is obliged to do so and I don't pay anything for it.
>
> This is probably getting off-track, but are you sure about that with
> the USPS?

Yes. For most mail, you can. Third Class and Bulk, not so much, they'll tell you to throw it away. I don't pay anything for that, either.

If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply mechanisms), I'll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, etc. can also be effective candidates). I've only used this tactic a few times, but it's never taken more than two heavy replies to get the flow of crap to stop abruptly.

> You can mark it NSA (no such addressee) or NFA (no forwarding address)
> or NSA/NFA or even put a forwarding address which may or may not do
> anything since the recipient is supposed to set that up with the post
> office (e.g., when they move.)

Yep. They'll take it back and either forward it if they can or send it to the dead letter office.

> But I never heard of taking all my junk mail for example and handing
> it back to a letter carrier saying "Here, I don't want this!" I think
> they'd say "throw it in the trash!"

Specifically doesn't work with third-class and bulk. They are the only exceptions.

>>>> I didn't authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
>>>
>>> Do you mean sending (making you a bot) or receiving spam?
>>
>> Receiving.
>
> Well, truth be told you didn't really authorize many people who send
> you email to use your resources.

If I wanted the email, then I retroactively authorize(d) them, authorized them by implication, or authorized them through other mechanisms.

> So we're back to the definition of spam problem.

Again, I don't see that as a hard problem.

> Which is exactly what I'm trying to get away from.

I'm aware of that. However, I don't see you getting around several rather nasty unintended consequences that way.

>>> I'm saying the notion of who you did authorize to send you email is
>>> getting fuzzier and fuzzier and may no longer be a completely useful
>>> distinction.
>>
>> How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record.
>> If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record.
>> If I checked the box to receive other emails from you, then you have that permission on record.
>> If you don't have my permission on record, then you don't have my permission. Seems pretty simple and clear and predictable to me.
>>
>> Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your "permission fee" is refunded. OTOH, if I say "no", then you don't get your money back.
>
> "Related to that transaction"? Is that in CAN-SPAM? Where did that
> limitation come from? How is that defined?

Forget current law. I'm talking about the criteria I would want to set if we were to overhaul the system and do this right.

> You mean when Network Solutions bombards me with email about each new
> TLD they're violating CAN-SPAM? I never asked for that. I do have some
> domains with them, I think they're using that for a "legitimate
> business relationship".

No, I never brought CAN-SPAM into this, that's your idea. I'm talking about the criteria that could easily be used to define SPAM consistently in a way that isn't fuzzy, doesn't have the problems currently created by CAN-SPAM (a law written by spammers for spammers), etc.

> Legitimate businesses (perhaps other than NetSol :-) do tend to
> restrain themselves and know recipients might get annoyed if they
> overdo their welcome and opt-out or even block them entirely.
>
> An example of the line getting fuzzy is when my frequent flyer sources
> (airlines etc) constantly hawk credit cards at me under the excuse
> that I'll get 50,000 free miles or some such. So it sort of sounds
> related to the frequent flyer program.

And by allowing the user to do one of:

	Whitelist the airline
	Accept each message they want (refunded, others airline pays)
	Decline all messages (airline pays)

You could decide for yourself which messages from the airline you don't consider SPAM, with the added benefit that you get a small amount of money for each message you don't actively claim isn't SPAM.

> But I think they're just hawking Amex cards and getting a commission
> for each one they sell.

Of course they are, and I would not mark any of those messages as "accepted" and it would cost them for each one they sent.

>>> That should have been predictable. Create a fuzzy hurdle and it will
>>> get hurdled.
>>
>> I'm not seeing the fuzziness you claim is present.
>>
>>> Accept that "it's not spam if I have a business relationship with the
>>> sender" and that "business relationship" definition will get
>>> stretched.
>>
>> See above. I have a _MUCH_ narrower definition of what should be accepted.
>
> Wait. Are we talking about what you think should be ok, or what the
> current law (as it were, but CAN-SPAM for example) thinks is ok, or
> what common practice seems to think is ok, or how it should work under
> the regime I'm describing?

How it should work under the alternative regime I am describing.

> As I said, I'm trying to come up with a spam-definition-neutral
> approach.

I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I believe could be more functional.

>>> For example, Buy an auto insurance policy from Liberty Mutual and you
>>> just gave permission for every Liberty Mutual insurance agent in the
>>> world to hawk you life insurance, home owner's insurance, etc etc etc.
>>> over email.
>>
>> No, I didn't.  See above.
>
> Again, I think CAN-SPAM etc would agree with my description within
> reason.

I'm sure it would, but I'm not talking about CAN-SPAM and I'm not sure why you brought it into the discussion.

>>>> I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn't want to receive the sender's message, then in most cases, it's SPAM.
>>>
>>> Yeah, well, if you ever get an unexpected email (truly) from Bank of
>>> America for example offering great CD rates and can't imagine why they
>>> sent it have a ball calling the FTC and filing a CAN-SPAM violation.
>>
>> If such a thing happened and it actually came from BofA, then, yes, it would.
>
> And I'm saying good luck getting whoever it is enforces CAN-SPAM to
> agree, unless it just happens to be on their radar for some reason.

CAN-SPAM is a rathole. Please drop it. It's not furthering our discussion.

>> However, BofA is smart enough to keep such SPAMvertising at arm's length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.
>
> There are limits to Agency Law. You can't hire someone to break the
> law and then say it's entirely their problem.

Ah, but BofA didn't hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn't have any liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after them for a refund or avoid using their services in the future.

> Well, there are all sorts of hard cases, but laying it out sometimes
> surprises people (like, yes you can be held responsible for the
> actions of a hired bodyguard, even if their behavior was way out of
> line. They sell insurance for that kind of thing.)

Sure, but the spammers happily cover BofA's ass contractually and then say "oops" or "we lied" or whatever they have to in order to get BofA off the hook. Then, nobody gets punished and business as usual.

>>> Maybe something would happen, I can't say for sure.
>>>
>>> But I suspect they'd round file it because hey that's BANK OF AMERICA
>>> not SPAMMERS and you're just a KOOK!
>>
>> No, more likely they'd review the headers and point out to me that there's no evidence it was actually sent BY BofA, because most likely it wasn't sent by BofA, but by someone they may or may not have contracted.
>
> Well, now we're really just moving the goalpost and changing the
> scenario.

No, I'm pointing out how organizations like BofA actually do this and you're talking about some fictitious scenario that doesn't happen in real life.

Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that's also why most telco-contracted backhoe operating companies have numbers in their name... Ho-Co #1 cut someone's fiber, so they sold their substantial assets to Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.

>>> Extrapolate to any company the FTC has heard of and respects.
>>
>> Really more a matter of how those companies keep their SPAM at arm's length and circumvent the intent of the law than their reputation with the FTC.
>>
>>> That's what I mean by a moralistic component.
>>>
>>> But if BoA was fudging their postal meters and the post office noticed
>>> it'd be Book 'Em Dan-O before the next commercial break.
>>
>> Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can't really avoid that.
>>
>> But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn't.
>
> Of course it is. If your email won't be accepted without proper
> postage attached then that's the cost of having your email delivered.

No, that's a protection racket/extortion scheme.

I'm talking about the cost of moving the mail from point A to point B. You're talking about the cost of not having my nice email meet with an accident on the information superhighway.

> Just because the work can't be expressed in Newtons over Distance
> doesn't mean it's not valuable.

See above.

> Ok, I think a lot of the rest of this could be answered by:
>
> It would be interesting to ask a spammer or ex-spammer what they
> thought about the scheme.

LoL

> Beyond that we're just guessing as to whether what's proposed would
> alter their behavior.

True, but first we have to get past "would the community accept it generally" and I think your proposal (and probably mine) fail the smell test there. If it can't get implemented, it doesn't matter how much the spammers would hate it.

> And I gotta go eat some lunch!

Bon appétit.

Owen



