Date:      Tue, 28 Sep 1999 21:23:19 -0500 (CDT)
From:      Jay Nelson <jdn@acp.qiv.com>
To:        Terry Lambert <tlambert@primenet.com>
Cc:        chat@FreeBSD.ORG
Subject:   Re: On hub.freebsd.org refusing to talk to dialups
Message-ID:  <Pine.BSF.4.05.9909282012440.769-100000@acp.qiv.com>
In-Reply-To: <199909290043.RAA15943@usr07.primenet.com>

On Wed, 29 Sep 1999, Terry Lambert wrote:

[snip]

>Granted, and you have the right to not listen to illegitimate traffic.
>
>I think it's stupid to say that traffic from a dialup server is
>definitionally illegitimate.

That's a valid point. I generally block entire domains, if the abuse
continues.

>I think it's much more reasonable to say that traffic from a dialup
>server with a valid, current certificate is legitimate.

I still don't see how this type of certification accomplishes anything
except validating that the address isn't spoofed.

[snip]

>Non-"fancy" technology (are you aware when X.509 was standardized?)
>tends to tar everyone with the same brush.  It's indiscriminate between
>diabolical offenders and legitimate users.

Well... there are good ideas and bad;)

>Only an idiot shoots people to prevent them from drinking untreated
>water "for their own protection".

True -- but we're not talking about protecting the spammers. With
intruders, you shoot first and ask later.

>Dynamic IP addresses are a legitimate cost control technology.  In
>some areas of the world, i.e. Europe, they are mandatory, or close
>enough that it doesn't matter.

Also true. This is, I think, where IPv6 will improve things, but it
also allows more spammers to spam more than ever before with some
rather serious security implications.

>> If that is what you consider "balkanization", then so be it. I see no
>> reason to be "unified" with _any_ source of spam. In fact, I would
>> submit that the spammers and skript kiddies have reasonably well
>> corrupted whatever the original design goals may have been.
>
>Actually, the implementation of technically inferior approaches
>to "solving" the problem is what has corrupted the original
>design goals, to wit: to be able to survive a national or global
>catastrophe, and continue to function (i.e. the mail gets delivered).

That presupposes that the world will end if email doesn't get through.
In such a catastrophe, I doubt people will be checking their email.
The more relevant problem now is stopping abuse. As technology gets
more sophisticated, so do the abusers. We use what we have now to stop
the abuse we have now.

>> The question now is: what do we do about it?
>
>We implement appropriate technology, and we speak up in public
>forums when "script kiddies" use "scripts" that are supposedly
>somehow morally superior due to their stopping abuse, while at
>the same time damaging the Internet.

Terry, speaking out on topics accomplishes nothing but give idle women
things to do. In my experience, most ISPs have trouble standing up and
talking at the same time (no flames, please -- my experience only;). I
respectfully submit that if you cut off a domain and increase the
level of complaint, you get a more willing response from whomever is
responsible.

>We get technical people who actually _know what the hell they
>are doing_ to implement technological solutions that are designed
>to prevent perversion from their intended purpose.

At an ISP? They'll have to pay more than $2.00/Hr. for staff;)

[snip]

>> Besides -- how is your credential notion any different than the RBL in
>> preventing abuse? If I've identified the machine responsible for
>> sending the abuse and can easily block it, what's the value of
>> verifying that the name I'm blocking is, in fact, the name that
>> I'm blocking?
>
>Because that name could move to a different IP address and SPAM
>you again.  If you block by IP, then you have to do technologically
>stupid things, like assume the guilt of an entire class of IP
>addresses merely because they _might_ be abused without you
>knowing the true identity of the sender (something you didn't
>know because you implemented a technically inferior solution
>based on an assumption of guilt).

You're right -- but how do I increase the pain for the responsible
domain to stop? It appears that that is the only thing that will have
much effect. If enough subscribers complain, good things seem to
happen -- if the subscribers don't complain, the status quo stays
in place.

>If, on the other hand, you have a certificate on hand, you can
>say "please revoke this certificate, and cost this SPAM'mer real
>money".  This also makes it so you don't have to do stupid things
>like complain to an ISP, and have the complaint "handled" with "all
>due process", all the time the SPAM'mer is continuing to SPAM
>other people.

This would only work if it were universally implemented. But, you're
right about the ISP droids. Talking to them seems to be nothing more
than verbal masturbation. I'm not sure what's worse -- the spammers or
the ISPs;)

>Putting the control in the hands of a central authority (or
>authorities; you could choose to respect multiple certificate
>signatories; try to do an exclusion list with ORBS, the DUL,
>or the RBL) negates this latency, and negates the possibility of
>a "rogue ISP" requiring multiple latencies to clean up after a
>SPAM.

Ah... but who is the central authority? Life on the streets has taught
me to not trust a "central authority." There's good that can come of
it -- but also abuse. Specifically, when will "business reasons"
compel a "change" in policy and we suddenly find previously blocked
domains back on-line? I think that spam control is ultimately left to
each of us to decide as we see fit. I think that's the way it should
be.

>> >If the government wants this information, it can run "nslookup"
>> >against the RBL database, using any of the millions of machines the
>> >government owns, after doing a "getpeername()".
>> 
>> Hmm... again, you've missed the point. I doubt the govt cares about
>> the spammers;)
>
>Your point was that somehow, a certificate scheme requires an
>equation with personal identity, rather than merely DNS identity.

No -- the point was that it provides one more trackable datum. One
that develops a "profile" and one adds one more "legal" proof of
whatever. True, there is little difference between your authentication
suggestions and what is currently available for such tracking, but why
add to it when there appears to be so little gained?

I'm not an ISP -- I'm an end-point. My ISP is useless as tits on a boar
hog in protecting me from the abuse of the net -- and ultimately,
that's the way it should be. I pay for a connection -- not protection.
If I pay for the freedom to manage my net the way I choose, then I
expect to have the freedom to do that, DUL or not.

MHO only.

-- Jay


