On Sat, 24 May 2003, Bill Cunningham wrote:

> http://story.news.yahoo.com/news?tmpl=story&u=/nm/20030524/wr_nm/tech_spam_dc_3
>
> Is this what we want? The legal system taking over something that should
> be done by IETF. This new legislation isn't supposed to stop e-mail
> marketing, but stop deception. Will it work? :-s

There are 3 types of email that we generally call spam:

Type 1: Bona fide messaging with a real commercial or non-profit (i.e. political) purpose. This includes people selling contraband (e.g. drugs) illegally, so long as they intend to deliver the illegal goods.

Type 2: Bona fide fraudulent activity. Someone is really trying to get your money, but has no intention of honoring their obligations to the purchase contract. This includes bona fide attempts at identity theft.

Type 3: Annoyance activity. This has no bona fide intention of getting money or even personal information, even though at a casual glance it may appear so.

Type 3 is broken into 2 subtypes:

Type 3A is a relatively harmless disgruntled person, who is not terribly sophisticated in their abuse, or in hiding their tracks. This type can be handled by warnings or account termination. Besides spam, this type is also involved in small DOS attacks and other unsophisticated abuse.

Type 3B is a career criminal using viruses and rooted machines to conduct annoyance, which is frequently just another type of DOS attack, but targeted perhaps at an email address, or perhaps at a domain. This type of attacker is already a career criminal, having broken into many, often hundreds of, computers illegally. This type cannot be dealt with effectively by ISPs, because they are reasonably adept at hiding their tracks. Usually, the ISP only detects the infected computer, but does not identify or catch the cracker.

Of these types of spam, Type 1 and Type 2 can be dealt with by law, and through the actions of the FTC and other regulatory agencies. Once something has been determined to be contraband, then the appropriate enforcement agency is called in. Type 3A can be handled by the ISP or their employer. Type 3B is much more difficult to handle.

What is unclear is how much of the total spam is due to each of these types. A lot of the spam that I receive, and I have kept all this for some time now, appears to be from type 3B. It is possible that my previous conflicts with radical anti-spammers may affect the type and proportion of spam that I get.

My testing and logging of a large block of IP address space over a period of years has indicated that much abuse is supported and promoted by certain open relay blacklists which scan for, and then advertise, open relays and open proxies to abuse. Relays scanned by such organizations have shown up on commercial sites selling this information, such as helllabs.com.ua. The question of whether this activity is merely exploited or done with active participation seems to be prejudicially answered by the fact that the "blacklists" advertise input addresses even though these have no utility to "normal" users of the blacklist. This type of abuse (Type 3B) is often done with their ISPs ignoring both their illegal scanning and their solicitation of abuse, false advertising, and other issues. It is becoming more common for such activities to try to operate completely anonymously, or to use false out-of-country addresses to avoid prosecution [1]. It is unclear how much this type of abuse contributes to the total spam volume.

I note that helllabs.com.ua makes false and misleading claims that relays and proxies are free. The anonymity claimed by a customer's product (www.ghostsender.com) is also false. And of course, if the spam is of Type 1 or Type 2, there is no anonymity at all. Frauds (Type 2) that obtain money are easy to track via mail fraud or wire fraud. Only abuse of Type 3 is hard to track, and requires law enforcement powers to obtain the required information.

Legislation of the type we have seen is not going to have any effect on Type 3B, as this type is already committing federal felonies, and the equivalent in many countries. But we don't need additional legislation for this activity since it is already a federal felony with a 5 year jail term. The problem is catching the culprit. This is partly an issue of law enforcement interest in catching these "harmless" criminals. Whether the legislation has any effect on total spam will depend on the proportion of the various types of spam.

With that in mind, we can consider what the IETF can do: The IETF can specify protocols. But what protocols can be specified to reduce or eliminate spam?

Dr. Claude Shannon, one of the founders of the science of Information Theory, proved that it is impossible to prove the non-existence of a covert channel. In terms of spam, this means that it is impossible to construct a protocol that cannot be abused, since one cannot prove that it is impossible (the channel can't exist) to send abuse (a covert channel). No protocol can ever be constructed that is spam-free.

Radical anti-spammers often try to couch their arguments as though the spammers are "outsiders" who have been let in. This isn't true. All abusers are the customer of some ISP, somewhere. There are no outsiders. The spammers are in fact authorized users of some ISP that are authorized to send email. They remain authorized to send email until they lose service with that ISP. Once this is understood, it is completely obvious even without the formality of Shannon's theorem that protocols such as SMTP AUTH will have no effect whatsoever.

So IETF efforts in this area are limited to finding means of identifying the abuser, once the abuser has been detected. There is also the technical task of detecting abuse.

Once law enforcement becomes involved to make the appropriate requests of different ISPs, it has not been a technically difficult matter to track down abusers, though the technical know-how seems to elude the Law Enforcement Authorities (e.g. Kevin Mitnick) until a technically knowledgeable person becomes involved (Shimomura) [2]. There are many examples of persons who have been arrested for using the internet to make bomb threats, as well as persons who have released particularly dangerous viruses, and persons who have cracked computers belonging to financial institutions. Once there is a law enforcement interest in finding the identity of the people involved, there seems to be little technical obstacle other than technical competence to finding the people. So I think there is little to be done technically so far as identification goes.

The issue of detecting abuse was the focus of the MIT anti-spam conference. There are many paths presently being pursued: blacklists, header analysis, and various kinds of content analysis. I think the general consensus was that content analysis offers the most promising means of detecting and blocking abuse. I think it is too early to tell how protocols can be helpful in this area, or if new protocols are necessary. One scheme, used by MSN, gives the user a button to submit a message as spam. Their system then tracks the number of complaints involving characteristics of the message, and blocks messages accordingly, and on per-user control. Of course, this requires no change to any protocols, just to applications.

--Dean

[1] SPEWS has attempted to avoid prosecution and legal responsibility by remaining completely anonymous. ORBZ.ORG was criminally investigated for crashing the City of Battle Creek's computer system. The City dropped the investigation after ORBZ announced it would end operations. However, simultaneously or before the City's announcement, ORBZ operator Ian Gulliver registered DSBL.ORG with a Brazilian address. Quite obviously, he had no intention of halting operations, but merely to disguise their jurisdiction.

[2] Even though Kevin Mitnick was on the FBI's most wanted list, the FBI was unable to track him down. Only after one of his victims became involved was Mitnick finally located and arrested.
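The complaint-counting scheme the post attributes to MSN (a "this is spam" button, complaints tallied per message characteristic, blocking under per-user control), sketched as an added example; this is constructed code, not MSN's or any ISP's implementation. It assumes the "characteristics" are the sender domain, a normalised subject and a hash of the normalised body, and counts distinct reporting users so one person clicking repeatedly does not block a message for everyone.

```python
# Added illustration of a complaint-driven spam filter of the kind described
# in the post. Constructed example; not MSN's code. The choice of features
# (sender domain, normalised subject, normalised-body hash) is an assumption.
import hashlib
import re
from collections import defaultdict


def message_features(sender, subject, body):
    """Characteristics a complaint is attributed to. Digits, punctuation and
    whitespace are stripped so per-recipient variations of one mailing
    (serial numbers in the subject, different quantities) still collide."""
    domain = sender.rsplit("@", 1)[-1].lower()
    norm_subject = re.sub(r"[\W\d_]+", " ", subject.lower()).strip()
    norm_body = re.sub(r"[\d\s]+", "", body.lower())
    body_hash = hashlib.sha256(norm_body.encode()).hexdigest()[:16]
    return {f"domain:{domain}", f"subject:{norm_subject}", f"body:{body_hash}"}


class ComplaintFilter:
    def __init__(self, default_threshold=3):
        # feature -> set of users who reported a message carrying it;
        # a set of users, so one user reporting repeatedly counts once
        self.reporters = defaultdict(set)
        self.default_threshold = default_threshold
        self.user_threshold = {}  # per-user override; None means never block

    def report(self, user, sender, subject, body):
        """The 'submit as spam' button: record a complaint per feature."""
        for feat in message_features(sender, subject, body):
            self.reporters[feat].add(user)

    def set_user_threshold(self, user, threshold):
        """Per-user control: stricter, looser, or None to opt out of blocking."""
        self.user_threshold[user] = threshold

    def score(self, sender, subject, body):
        """Distinct complainants behind the most-complained-about feature."""
        feats = message_features(sender, subject, body)
        return max((len(self.reporters.get(f, ())) for f in feats), default=0)

    def should_block(self, user, sender, subject, body):
        """Block for this user when the score reaches their threshold."""
        threshold = self.user_threshold.get(user, self.default_threshold)
        if threshold is None:
            return False
        return self.score(sender, subject, body) >= threshold
```

Because a shared sender domain is itself a feature, legitimate mail from a domain that also emits spam inherits that domain's complaint count; a deployment would weight or drop the domain feature for large shared providers.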