> From: "Mike O'Dell" <mo@ccr.org>

> i think you'll find that port 25 is blocked going anywhere except
> the operator's outgoing MTA

Only by the slumlord ISPs.

> this is to require authentication to send email, exercise rate
> limiting, and other anti-spam-sending strategies

Or so they say.

> if the ISP is going to be held responsible for the behavior of
> their clients, then the ISPs are going to take some action to
> police that behavior
> ...

Blocking port 25 is equivalent to replacing glass windows with Lexan
and putting razor wire fences around your tenement in order to control
bad tenants instead of policing them. Both are a lot cheaper than
enforcing good behavior, including making enough examples to deter it.

UUNet in particular has demonstrated this sad syndrome. For years,
instead of ejecting its spamming and spam-friendly resellers, it lied.
Then it lied for years about installing port 25 filtering. Finally,
it got port 25 filtering working, and reduced the amount of dial-up
spam it was spewing. All of that was instead of enforcing an anti-spam
AUP and genuinely cracking down on spammers. (By "lies" I mean
official public statements in news.admin.net-abuse.email and to
individuals that the UUnet spokesmen could not possibly have failed
to know were false.)

Of course, UUNet is far from the only example. Another good one is
Sprint, which had the audacity to claim to not know how to use ANI
to find spammers running up 5-figure bills on stolen credit numbers
or how to interest law enforcement agencies....this from a telco!

> there is a huge disconnect here. one camp claims that mail sending
> should not be allowed by just "anyone", since that ability is
> instantly abused by Bad Guys. another camp claims that forcing email
> through alien MTAs is a violation of the end-to-end principle,
> privacy, assorted other good ideas.
>
> both are right at some level

That first is how it is seen by spam-friendly ISPs, ISPs that want to
cram the Internet back into the ancient AOL/Genie/etc
users-with-dumb-terminals model, and assorted people who like to fight
with spammers. All three groups have reasons for ignoring the fact
that outgoing spam is not a major problem among ISPs that honestly
enforce anti-spam AUPs.

> ...
> this means that actions on the Internet are inherently anonymous, or
> at least unaccountable because the only "identity" arises from a
> contractual business relationship between a person and an access
> provider. the access provider is therefore held to be a proxy for
> the individual since he does (or at least should, at some level)
> have a role in allowing that individual to take various actions.

And it is cheaper for service providers to prohibit SMTP than to
break some financial kneecaps to convince spammers to use
spam-friendly ISPs.

> ...
> so if a Bad Guy acquires access, he can do a lot in the amount of
> time required for the business feedback loop to deny access and
> cancel the account. in the meantime, the Bad Guy has acquired
> numerous other accounts and when one fails, he just starts using
> a new one.

Yes, and if the ISP does no more than cancel the account, we have
examples such as Netcom's special spam-for-a-day rates. Of course,
Netcom was not the first and certainly won't be the last to cater to
the spam-for-a-day business.

> This is essentially a "disposable identity". The identity is the
> binding inherent in the business relationship with an access provider,
> and when it becomes worthless, it is discarded and a new one is used.

That's what the slumlord ISPs claim, but we all know it's false.
Except for stolen credit cards, the identities associated with credit
cards are not that disposable or anonymous.

> A consequence of the ease with which credentials can be acquired is
> the ease with which new accounts, and hence new identities, can
> be acquired.
>
> To fix this at the "source", so to speak, it would require
> making access *much* harder to get. simply matching credit cards,
> etc, is insufficient (credit cards are easy to get), so this leads
> to a world where some kind of background check would be required.
> ...

If that were true, then credit card purchases of merchandise would be
hopeless. Even "bricks-and-mortar" credit card transactions would
involve too much fraud to be tolerable.

There's no reason ISPs cannot use the same sort of fraud prevention
mechanisms used by other online merchants. For example, there are
equivalents to matching credit card shipping and billing addresses,
such as requiring a new customer to sign a contract and return it by
paper mail (including terms of service that impose significant
penalties for abuse).

The problem with such measures is that they are not free. It's cheaper
to put up the razor wire fences around the tenements.

Vernon Schryver    vjs@rhyolite.com