On Mon, 1 Mar 2004, Robert G. Brown wrote:

> On Mon, 1 Mar 2004, Paul Vixie wrote:
>
> > > And everyone else needs to move from the generic reference to
> > > "consent" on to something that is more concrete, as well as being
> > > integrated into a full range of human uses for email.
> >
> > i'm pretty comfortable with www.dictionary.com's definition of "consent".
>
> Ah, are we about to develop psmtp (psychic simple mail transport
> protocol)? The first mail protocol that can read my mind and see if I
> "consent" to a particular communication before I (or rather, my mail
> agent, since that's where one part of the abuse occurs) receive it?
>
> That's a neat trick...

It seems that many of the people who consider themselves to be sitting
at the "grownup-table" really have a child-like ignorance of causality
constraints in their schemes. I am always amused when people naively
criticize SMTP for permitting spam, as though changing the protocol
would make people not want to break the rules. I am also impressed by
the people who think that people just aren't taking the problem very
seriously.

The list of the "Principles of Spam-abatement" is itself very naive. It
assumes that spammers are people who make money selling products.
Certainly, there are some who would prefer people believed this.
Unfortunately, the (January) results coming back from the CAN-SPAM show
that 56% of the 95 top spammers are _fully_ compliant with the CAN-SPAM
act. Yet few messages in my inbox are even partially compliant. This
gives one some idea of how much spam is being sent by viruses and "fake"
spammers: Quite a lot. The genuine spammers are permission based, and
have honest opt-out facilities and aren't annoying anyone except the
radicals who can't abide their existence.

Any "solution" to spam has to stop the viruses that have no genuine
products or services to sell, no interest in finding out if they reach
real addresses, no concern for taxes, nor any regard for civil or
criminal law.

> <extract>
> *** Anonymous Bulk Email Software
>
> *** is a super fast bulk email software that sends out at speeds greater
> than 1,000,000 emails per hour* on a dedicated mailing server.
>
> *** has the capability to use Proxies and Relays and also to send
> directly.
>
> Some of the features include:
> Anonymous Mailing using Proxies
> Message Randomization to bypass Spam Filters
> Speeds over 850-950K emails per hour on Turbo Mode
> Up to 1000 Threads
> Unlimited Email List Size (up to 100 Million per file)
> HTML and Plain Text Emails
> Tag Macros to personalize and randomize emails
> Custom Headers ....... more on
> </extract>

The above description is for a product that violates the CAN-SPAM act,
which prohibits deceptive practices. But wait, it also claims to
advertise proxies and relays--that's something I know about:

Analysis of our logs over a long period has only found anti-spammers
scanning for relays. We know this because for one to scan for a relay,
they have to include an email address that receives email. Setting up an
"unused" mailserver allows easy collection of the email addresses of
those scanning relays. So far, all such scanning has been by anti-spam
sites.

So, this "spamware" is not a truly genuine product--it is either a
complete fraud (no product), or a deception sold by "anti-spammers" to
identify potential spammers, or it is a group of people (anti-spammers)
helping spammers spam--presumably hoping to annoy people into helping
their cause.

While it is harder to identify the people scanning for proxies, it is
still easy to detect such scanning, and stop the scanning. After
stopping the scanning, we are left with the technique of having the
virus-infected computer "phone home". However, this can also be used to
identify the operator.

Clearly, there are people out there trying to make the spam problem
worse.

Paul Vixie told me (in email) back in 1997 that it was his "goal to make
things worse", that anything that makes the spam problem worse, makes it
more likely that spam will be banned. Undoubtedly, there are people who
have taken that goal too literally. He's also said recently that he's
been in contact with the "script kiddies" (who operate viruses) and that
they are mostly anti-spam. Yet almost all viruses send spam.

Any realistic measure needs to consider how to stop those radical
antispammers and script kiddies who just want to annoy people until they
"take spam seriously".

Someone else wrote:

> Something along the lines of 'Know your enemy' comes to mind; get hold
> of such a product, reverse engineer it, find its weaknesses and nullify
> it.

People have been doing this for many years. Probably since 1994, but
certainly in earnest since 1996 or 1997. No luck for a permanent
solution. It is just a whack-a-mole operation.

Someone else wrote:

> I am thinking that spam is and will remain a long-term battleground
> and it needs serious effort to counter, perhaps a Cert-like
> organisation, and we are just not putting in enough serious effort yet;
> perhaps the cost to us is not yet high enough to stir us to action.

Well, there have been very serious efforts, for a very long time, by
very smart people. These efforts are just not enough, and as information
theory shows, will never be "enough".

It is interesting that the same people who promised a technical solution
many years ago, and have failed after 7 or 8 years of trying to create a
permanent technical solution to spam, are still saying things like "we
need to change the protocol", or (essentially) "we need to have time
travel to block spam."

It is also interesting that the IEMCC proposal made in 1997, and now
basically implemented in the CAN-SPAM act, has shown that commercial
spammers are not the abusers. This is more than the radicals have come
up with in the intervening 7 or 8 years.

It's also apparent that we could have had the IEMCC proposal implemented
7 years earlier, were it not for a group of radical anti-spammers that
attacked AGIS and Cyberpromo with Distributed Denial of Service attacks.
Had we done that, we would be focused on stopping the criminals
operating viruses and conducting abuse for the sake of abuse. If we had
spent the last 7 years doing that, then we would have far less junk that
we call spam.

Those radicals did "make it worse". We have them to thank for our spam.
The radicals were wrong years ago, are wrong now, and have been making
the problem worse, not better.

The first "Spam Abatement Principle" needs to acknowledge that radical
anti-spammers are a source of the problem, and that these radicals
shouldn't be "at the grownup table".

--Dean
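
The relay-scan collection described in the message above (an "unused" mail server whose logs reveal the address each relay test must deliver to), sketched as an added example that is not part of the original message. The log format, the `decoy.example` domain and all function names are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumption: domains the decoy ("unused") mail server claims to serve.
LOCAL_DOMAINS = {"decoy.example"}

# Constructed sample log, hypothetical format: "<time> <client-ip> <SMTP command>"
SAMPLE_LOG = """\
2004-03-01T10:00:02 192.0.2.10 MAIL FROM:<test@probe.example>
2004-03-01T10:00:03 192.0.2.10 RCPT TO:<relaycheck@scanner.example>
2004-03-01T10:05:02 198.51.100.7 RCPT TO:<postmaster@decoy.example>
2004-03-01T11:00:02 192.0.2.44 rcpt to:<relaycheck%Scanner.Example@decoy.example>
2004-03-01T12:30:09 203.0.113.5 RCPT TO: <drop2@other.example>
2004-03-01T12:30:10 203.0.113.5 QUIT
"""

RCPT = re.compile(r"^\S+\s+(\S+)\s+RCPT TO:\s*<([^>]*)>", re.IGNORECASE)

def final_destination(addr):
    """Return (local part, domain) the message would finally be delivered to."""
    local, sep, domain = addr.rpartition("@")
    if not sep:                      # bare local name, no domain given
        return addr, ""
    domain = domain.lower()
    # "Percent hack": user%other.example@decoy.example asks us to relay onward.
    if domain in LOCAL_DOMAINS and "%" in local:
        local, _, domain = local.rpartition("%")
        domain = domain.lower()
    return local, domain

def relay_probes(log_text):
    """Map each off-site recipient (the scanner's drop address) to source IPs."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = RCPT.match(line)
        if not m:
            continue
        ip, addr = m.groups()
        local, domain = final_destination(addr)
        if domain and domain not in LOCAL_DOMAINS:
            probes[f"{local}@{domain}"].add(ip)
    return {drop: sorted(ips) for drop, ips in probes.items()}

if __name__ == "__main__":
    for drop, ips in relay_probes(SAMPLE_LOG).items():
        print(drop, ips)
```
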