[170557] in North American Network Operators' Group
Re: why IPv6 isn't ready for prime time, SMTP edition
daemon@ATHENA.MIT.EDU (Barry Shein)
Sun Mar 30 14:00:26 2014
From: Barry Shein <bzs@world.std.com>
Date: Sun, 30 Mar 2014 13:59:35 -0400
To: Owen DeLong <owen@delong.com>
In-Reply-To: <FAF2580E-6D92-4352-B675-0407ED756D4A@delong.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On March 29, 2014 at 23:26 owen@delong.com (Owen DeLong) wrote:
>
> On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs@world.std.com> wrote:
>
> >
> > On March 29, 2014 at 08:28 owen@delong.com (Owen DeLong) wrote:
> >>> So if a spammer or junk mailer could, say, trick you into accepting
> >>> mail in those schemes then they get free advertising, no postage
> >>> anyhow.
> >>
> >> Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising.
> >
> > I dunno, but they trick people all the time, isn't that what the
> > entire phishing industry is based on?
> >
> > I guess the real point is that this idea that one would be sorting
> > through their email saying don't charge for this one I want it, charge
> > for this one, I don't, etc is not a good idea.
>
> I was envisioning a system more where you white-listed your known contacts up front,
> then only needed to say “refund this one and add to white-list” or “refund this one” when
> confronted with one that wasn’t already white-listed that you didn’t feel was spam.
Introducing a refunding system adds a lot of complexity for not much
advantage.
Think through the mechanics of this whitelisting system, i.e., the
bookkeeping and msgs back and forth.
(eliding some stuff we mostly agree on)
> >
> > What about the costs of anti-spam technology? And all the other
> > problems spam incurs? I thought that's why we were here.
>
> Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?
What about the "attention" costs, when nobody for example looks at an
Amazon mail or even a useful msg from their bank because they're too
busy deleting everything that isn't absolute top-priority (like from a
relative or lover.) They're just swamped.
Anyhow, I guess either spam is a big problem or it isn't.
Everything I say is based on the premise that spam is a big problem.
If it isn't then we are truly wasting our time here.
>
> >> Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
> >
> > My whole point is I don't WANT to have a definition of spam, except as
> > a bad memory.
> >
> > I'm trying to figure out how to change the ecology/economics so spam
> > is difficult, a minor problem.
>
> I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread.
Well, if you don't see spam as much of a problem then surely most
anti-spam proposals are going to seem too costly, right?
> >
> > That's sort of like saying my car can drive down the road perfectly
> > well with some gasoline etc, why do I need to pay taxes for police?
>
> I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing.
>
> Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”?
Maybe I haven't had enough coffee yet but I truly don't understand
what you're asking here.
> >
> > Recipients wouldn't pay in my scheme.
>
> OK, turn it around and you aren’t paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either.
You must live in some low-density population area, here in Boston the
letter carriers won't take outgoing mail. I tried one day and the guy
just sneered "put it in a box, that's all I'd do with it!"
Obviously there are people emptying those mailboxes but it's...where
are we going with this?
>
> > If you mean that legitimate senders have to pay and somehow recover
> > that cost, well, we all pay for police and other security. Security is
> > often like that. When you pay for a prison you pay to house prisoners,
> > any benefit to you is at best abstract (they're not on the streets
> > etc.)
>
> I don’t pay the USPS any separate taxes to support the postal inspectors. That’s rolled up into the postage.
>
> >> Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.
> >
> > This is probably getting off-track, but are you sure about that with
> > the USPS?
>
> Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell you to throw it away. I don’t pay anything for that, either.
Ok, nothing stops you in this scheme from returning an email to the
sender. Maybe it could even be made free, probably just like any
Mailer-Daemon bounce.
What I don't think is a good idea is the sender getting their postage
back. That's a lot of bookkeeping and I don't see any reason to
bother.
>
> If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply mechanisms), I’ll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, etc. can also be effective candidates). I’ve only used this tactic a few times, but it’s never taken more than two heavy replies to get the flow of crap to stop abruptly.
I believe the USPS now throws those away. The return postage only
covers a first-class letter or whatever.
>
> > You can mark it NSA (no such addressee) or NFA (no forwarding address)
> > or NSA/NFA or even put a forwarding address which may or may not do
> > anything since the recipient is supposed to set that up with the post
> > office (e.g., when they move.)
>
> Yep. They’ll take it back and either forward it if they can or send it to the dead letter office.
If it's first-class mail, that's one reason first-class costs more.
>
> > But I never heard of taking all my junk mail for example and handing
> > it back to a letter carrier saying "Here, I don't want this!" I think
> > they'd say "throw it in the trash!”
>
> Specifically doesn’t work with third-class and bulk. They are the only exceptions.
Big exception since that's almost all of what bulk paper mailers use!
> > "Related to that transaction"? Is that in CAN-SPAM? Where did that
> > limitation come from? How is that defined?
>
> Forget current law. I’m talking about the criteria I would want to set if we were to overhaul the system and do this right.
I think it's very important to eliminate any definition of spam from
the system. That's just a rat hole.
You stop spam by making it too expensive for spammers to operate in
any effective manner.
True story:
I remember when I was about 16 years old I went into this place in
Greenwich Village, still there I believe, "The Cafe Wha?". They didn't
serve alcohol so it was someplace a 16 year old could get out of the
rain and hear some live music.
At the door was a guy with a coffee can, "Cover Charge: 25c"
Even way back then 25c wasn't much money, about the price of a couple
of packs of gum.
I asked the guy: Why a 25c cover charge?
He said: It keeps out the riff-raff.
It keeps out the RIFF-RAFF???? 25 CENTS?
He yelled back: YOU'D BE SURPRISED!
Well, surely he knew his business.
We're trying to keep out the riff-raff while not overburdening the
honest.
Maybe I should dub this the "Cafe Wha? Proposal" in their honor.
>
> > You mean when Network Solutions bombards me with email about each new
> > TLD they're violating CAN-SPAM? I never asked for that. I do have some
> > domains with them, I think they're using that for a "legitimate
> > business relationship”.
>
> No, I never brought CAN-SPAM into this, that’s your idea. I’m talking about the criteria that could easily be used to define SPAM consistently in a way that isn’t fuzzy, doesn’t have the problems currently created by CAN-SPAM (a law written by spammers for spammers), etc.
Permission to speak frankly:
You want a moral component, you want this to identify the good from
the bad. You keep coming back to that.
I LONG AGO STOPPED CARING!
I just want the spam to stop.
And I think when you make that leap and let go of the moral or
judgemental aspect solutions start to appear.
I don't want to make better people out of spammers.
I don't want to put them behind bars.
I don't want to punish them.
I don't want to reward the righteous (except by default, less spam!)
I just want to put spammers out of business!
I want to change the ecology so it makes it impossible for them to
operate in any effective manner.
I keep saying "effective" because sure you might get the occasional
spam anyhow, particularly in the beginning as they try to save their
business model, but I want to run them out of town.
>
> > Legitimate businesses (perhaps other than NetSol :-) do tend to
> > restrain themselves and know recipients might get annoyed if they
> > overdo their welcome and opt-out or even block them entirely.
> >
> > An example of the line getting fuzzy is when my frequent flyer sources
> > (airlines etc) constantly hawk credit cards at me under the excuse
> > that I'll get 50,000 free miles or some such. So it sort of sounds
> > related to the frequent flyer program.
>
> And by allowing the user to do one of:
>
>     Whitelist the airline
>     Accept each message they want (refunded, others airline pays)
>     Decline all messages (airline pays)
Whitelist shmitelist.
You're turning this into a two-way system with active feedback which
is EXACTLY what I say is to be avoided.
> You could decide for yourself which messages from the airline you don’t consider SPAM, with the added benefit that you get a small amount of money for each message you don’t actively claim isn’t SPAM.
Easier to just toss the ones you don't want.
Think this thru, you really want to look at each msg and decide if
it's spam or not and if so perform some function...?
Sure, some people do that sometimes, report spam, but really life is
too short.
I say put the spammers out of business.
>
> > But I think they're just hawking Amex cards and getting a commission
> > for each one they sell.
>
> Of course they are, and I would not mark any of those messages as “accepted” and it would cost them for each one they sent.
Active feedback, bookkeeping, unnecessary.
>
> > As I said, I'm trying to come up with a spam-definition-neutral
> > approach.
>
> I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I believe could be more functional.
Ya know, I can't go thru these supposed fundamental flaws one by one,
show they arise from misunderstandings etc, and then come back to "I
believe your approach to be fundamentally flawed".
Doesn't leave me much to respond to.
>
> Ah, but BofA didn’t hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn’t have any liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after them for a refund or avoid using their services in the future.
Actually, that's not true, speak to someone who understands agency law.
BoA might be able to in turn sue them for breaching a contract but BoA
can still be held liable. Those aren't mutually exclusive.
Really, that's agency law 101.
I realize people think about it for a minute and say "that's
ridiculous!" but that's exactly how it works. And why business
liability insurance covers events like that, or should.
Intent is not a factor which tends to be the source of a lot of "folk"
law beliefs like this.
> > Well, there are all sorts of hard cases, but laying it out sometimes
> > surprises people (like, yes you can be held responsible for the
> > actions of a hired bodyguard, even if their behavior was way out of
> > line. They sell insurance for that kind of thing.)
>
> Sure, but the spammers happily cover BofA’s ass contractually and then say “oops” or “we lied” or whatever they have to in order to get BofA off the hook. Then, nobody gets punished and business as usual.
Review agency law.
BoA can be held liable. BoA can in turn sue the spammer, if they like,
to recover.
That avoids precisely what you're suggesting, transferring liability
to a judgement-proof entity.
Yes that can still be done in many cases but not as you describe.
But why are we here exactly?
>
> >>> Maybe something would happen, I can't say for sure.
> >>>
> >>> But I suspect they'd round file it because hey that's BANK OF AMERICA
> >>> not SPAMMERS and you're just a KOOK!
> >>
> >> No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.
> >
> > Well, now we're really just moving the goalpost and changing the
> > scenario.
>
> No, I’m pointing out how organizations like BofA actually do this and you’re talking about some fictitious scenario that doesn’t happen in real life.
>
> Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that’s also why most telco-contracted backhoe operating companies have numbers in their name… Ho-Co #1 cut someone’s fiber, so they sold their substantial assets to Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.
Chapter 13 is personal bankruptcy.
> >
> > Of course it is. If your email won't be accepted without proper
> > postage attached then that's the cost of having your email delivered.
>
> No, that’s a protection racket/extortion scheme.
Oh c'mon, then so is every other situation where you have to pay for
something, including credentials.
Are SSL certs a protection racket/extortion scheme?
>
> > Ok, I think a lot of the rest of this could be answered by:
> >
> > It would be interesting to ask a spammer or ex-spammer what they
> > thought about the scheme.
>
> LoL
I'm serious!
I wouldn't consider investing a dime without talking to some spammers
or ex-spammers of note.
There're a few of them who'd probably be glad to talk for some prison
canteen credits.
--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*