Date: Wed, 29 Sep 1999 18:39:58 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: jdn@acp.qiv.com (Jay Nelson) Cc: tlambert@primenet.com, chat@FreeBSD.ORG Subject: Re: On hub.freebsd.org refusing to talk to dialups Message-ID: <199909291839.LAA19783@usr06.primenet.com> In-Reply-To: <Pine.BSF.4.05.9909282012440.769-100000@acp.qiv.com> from "Jay Nelson" at Sep 28, 99 09:23:19 pm
next in thread | previous in thread | raw e-mail | index | archive | help
> >I think it's much more reasonable to say that traffic from a dialup
> >server with a valid, current certificate is legitimate.
>
> I still don't see how this type of certification accomplishes anything
> except validating that the address isn't spoofed.
It operates by incorporating a field:
"UCE:" <token>
Where <token> can be:
token = "yes" / "no"
One potential rule would be:
IF the certificate has not expired && "UCE:" == "no" THEN
accept
ELSE
reject
Pretty simple.
> >Only an idiot shoots people to prevent them from drinking untreated
> >water "for their own protection".
>
> True -- but we're not talking about protecting the spammers. With
> intruders, you shoot first and ask later.
Is "bob593@aol.com" sending mail to "fred@example.com" an intruder
on "example.com"'s server, or is he a legitimate sender of email?
On that note, since all of AOL is dialup, why aren't all AOL
source addresses blocked by the DUL?
I think that it's probably not because they didn't "opt in", but
because AOL has bought a large number of the infrastructure
companies, and owns a majority (22 million) of all Internet users.
> >Dynamic IP addresses are a legitimate cost control technology. In
> >some areas of the world, i.e. Europe, they are mandatory, or close
> >enough that it doesn't matter.
>
> Also true. This is, I think where IPV6 will improve things, but it
> also allows more spammers to spm more than ever before with some
> rather serious security implications.
Which is why a technological soloution which can survive the IPv6
transition needs to be deployed _now_.
> >Actually, the implementation of technically inferior approaches
> >to "solving" the problem is what has corrupted the original
> >design goals, to with: to be able to survive a national or global
> >catastrophe, and continue to function (i.e. the mail gets delivered).
>
> That presupposes that the world will end if email doesn't get through.
You mean like the formula for an antidote to a nervegas, or an
antidote for a bioweapon?
> In such a catastrophe, I doubt people will be checking their email.
You mean like when the Internet worm was stopped by people who
collaborated using email?
> The more relevant problem now is stopping abuse. As technology gets
> more sophisticated, so do the abusers. We use what we have now to stop
> the abuse we have now.
And preclude future abuse. The DUL fails to do that.
> >> The question now is: what do we do about it?
> >
> >We implement apropriate technology, and we speak up in public
> >forums when "script kiddies" use "scripts" that are supposedly
> >somehow morally superior due to their stopping abuse, while at
> >the same time damaging the Internet.
>
> Terry, speaking out on topics accomplishes nothing but give idle women
> things to do. In my experience, most ISPs have trouble standing up and
> talking at the same time (no flames, please -- my experience only;). I
> respectfully submit that if you cut off a domain and increase the
> level of complaint, you get a more willing response from whomever is
> responisble.
You mean "from the ISP of whomever is responsible".
If you really mean "whomever is responsible", then I submit that
tying the ability to send email without a relay to a requirement
that you have a registered domain name is more likely to do what
you intend than attacking the ISP of an abusive user.
This conversation reminds me of the scene in "Trinity is Still My
Name", where the banditos rode in and started beating up the Mormon
settlers. When the bandit leader got to "Bambino" ("Trinity"'s
brother), and belted him in the mouth, it had no effect except to
make him mad, and he belted the bandit leader back, _hard_. So
the bandit leader ordered one of his men to hit "Bambino". The
man afraid for his life, slapped "Bambino", not too hard. "Bambino"
reacted by belting the bandit leader again. The bandit leader got
the point.
The whole issue of using an IP address as a key for SPAM control,
or threating an ISP with the RBL, should they not implement and
enforce an AUP, is analogous to the actual bandit leader (SPAM'mer)
ordering one of his men (throw-away ISP account) to hit you (send
SPAM).
The effective defense is not to hit the man "ordered" to do the
dirty work, but to belt the bandit leader in the mouth, _hard_.
The RBL and the DUL do not effectively do this.
> >We get technical people who actually _know what the hell they
> >are doing_ to implement technological soloutions that are designed
> >to prevent pervision from their intended purpose.
>
> At an ISP? They'll have to pay more than $2.00/Hr. for staff;)
No. To build the software systems that ISPs then use.
> >> Besides -- how is your credential notion any different than the RBL in
> >> preventing abuse?
[ ... ]
> >Because that name could move to a different IP address and SPAM
> >you again. If you block by IP, then you have to do technologically
> >stupid things, like assume the guilt of an entire class of IP
> >addresses merely because they _might_ be abused without you
> >knowing the true identity of the sender (something you didn't
> >know because you implemented a technically inferior soloution
> >based on an assumption of guilt).
>
> You're right -- but how do I increase the pain for the responsible
> domain to stop. It appears that, that is the only thing that will have
> much effect. If enough subscribers complain, good things seem to
> happen -- if the subscribers don't complain, the status quo stays
> inplace.
You charge them $70 an instance for their efforts, by invalidating
the ability of their domain to send email.
When the ROI drops below $70, or when they find themselves unable
to register new domains, the SPAM stops.
What are you charging people who SPAM you now?
Do you think they have a net zero or net negative ROI now, or do you
think that they are being positively reinforced to send SPAM by a
net positive ROI?
> >If, on the other hand, you have a certificate on hand, you can
> >say "please revoke this certificate, and cost this SPAM'mer real
> >money". This also makes it so you don't have to do stupid things
> >like complain to an ISP, and have the complaint "handled" with "all
> >due process", all the time the SPAM'mer is continuing to SPAM
> >other people.
>
> This would only work if it were universally implemented. But, your
> right about the ISP droids. Talking to them seems to be nothing more
> than verbal masturbation. I'm not sure what's worse -- the spammers or
> the ISPs;)
The same is true of the RBL and the DUL. They can not be effective
in eliminating SPAM unless they are universally implemented. It's
like swimming in contaminated water, but having a strong immune
system; you don't get rid of the germs that way.
> >Putting the control in the hands of a central authority (or
> >authorities; you could choose to respect multiple certificate
> >signatories; try to do an exclusion list with ORBS, the DUL,
> >or the RBL) negates this latency, and negates the possiblity of
> >a "rogue ISP" requiring multiple latencies to clean up after a
> >SPAM.
>
> Ah... but who is the central authority? Life on the streets has taught
> me to not trust a "central authority." There's good that can come of
> it -- but also abuse. Specifically, when will "business reasons"
> compel a "change" in policy and we suddenly find previously blocked
> domains back on-line? I think that spam control is ultimately left to
> each of us to decide as we see fit. I think that's the way it should
> be.
This is why you can intentionally pick the authorities who you
respect in my system, and can respect multiple authorities idea
as to who is a valid sender, or insist that multiple authorities
vet the message before you accept it.
You want to accept certificates from "The Christian Coalitiion",
fine; you get ads, but you don't get porno SPAM.
You want to accept certificates from "The Responsible UCE Group",
hey, you can do that too.
> >> >If the government wants this information, it can run "nslookup"
> >> >against the RBL database, using any of the millions of machines the
> >> >governemnt owns, after doing a "getpeername()".
> >>
> >> Hmm... again, you've missed the point. I doubt the govt cares about
> >> the spammers;)
> >
> >Your point was that somehow, a certificate scheme requires an
> >equation with personal identity, rather than merely DNS identity.
>
> No -- the point was that it provides one more trackable datum. One
> that develops a "profile" and one adds one more "legal" proof of
> whatever. True, there is little difference between your authentication
> suggestions and what is currently available for such tracking, but why
> add to it when there appears to be so little gained?
It doesn't add to it. I fail to see the addtional data point.
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909291839.LAA19783>