--On Tuesday, 13 August, 2002 23:11 -0400 Bill Sommerfeld
<sommerfeld@orchard.arlington.ma.us> wrote:

> One possibly harebrained half-technical idea which I haven't
> seen suggested elsewhere..
>
> Define a SMTP connect banner token which is the moral
> equivalent of a "no soliciting" sign. It indicates
> "unsolicited commercial email not welcome at this server".
>
> Now, lobby for the creation of laws which subject someone who
> sends spam despite the "no soliciting" sign to a significant
> fine ($1000.00/message?), payable to the recipient.
>
> I suspect that anti-spam organizations would quickly evolve
> into collection agents (for a cut of the fine, of course).

Just to demonstrate that, as others have pointed out, this isn't
an easy problem...

Suppose I'm an ISP or some other entity running an SMTP server
for some large number of users. Just to make it really
complicated, suppose I've got a de facto monopoly for those
users given other business or technical constraints (think about
an IP-over-cable modem operator as one example). Now suppose I
have one user who, perhaps in the pay of some spammer, insists
that he wants to receive the stuff. What do you propose I put
in the SMTP banner?

   "220 big-isp.net SMTP service, no spam here unless it is
   addressed to joe.ninny" ??

Ok, forget the SMTP banner and look at the RCPT commands, at
which point the server knows which users the message is being
addressed to? At that stage, it is certainly possible to verify
the user, do a database lookup for preferences, and then return

   250 ok recipient mary.jones but no spam
   250 ok recipient joe.ninny send anything you like
or
   550 no recipient foo.bar and we don't accept spam

as appropriate. But the mind boggles at the processing
involved, especially if the SMTP server is really some sort of
firewall/proxy who doesn't have a clue about "internal" user
names.

And, if there is any real relaying going on (with permission or
not), the spam-originator can claim that _he_ didn't see a "no
spam" message, so the fault for delivering the bad stuff rests
with the unlucky operator of the open relay. As others have
suggested, if that operator is in Korea or China, good luck
getting contact information (with apparently-perfectly-good
Whois information down to the ISP level and fairly small blocks,
I have _never_ gotten a response from an ISP or registry in
either country when I have asked for help in tracking down an
abuser or apparent would-be cracker), much less collecting that
$1000.

It seems to me, as several others have suggested, that better
tracking and identification tools of one flavor or another would
be useful, but that the real remedies involve making it illegal
to send UCE, to cause UCE to be sent, and to lie about whether
something was "requested" or "opted in" to... and then putting
serious, criminal-law, teeth into whatever statutes are enacted.
If provisions like that were supplemented with some meaningful
inter-governmental agreements such that a spammer in country X
would be prosecuted in country X even if all of his or her
victims/targets were in country Y, I think the problem would
disappear fairly quickly. But that requires much more political
will than I'm seeing (anywhere!), and technical quick fixes
aren't going to help a whole lot other than with tracing, IMO.

    john