Re: Yahoo breaks every mailing list in the world including the IETF's

Several people have replied to the tone of your email. Let me reply with a bit of somewhat-technical commentary.

In their defense, Microsoft has taken a pretty strong approach to software quality over the past decade plus. Frankly, poor software quality has hurt them. It is in their interest to fix it for several reasons, not just this one. That is perhaps one of the best arguments for their current campaign to move their users from Windows XP-and-older to their latest operating systems - it reduces their support costs and improves the quality of their brand.

You may be interested in the outcome of a research project run by Stefan Savage of UCSD. In 2007, he broke into the Storm Botnet, and learned a bit about it, which he published in a paper in 2009. In 2010, he put a small quantum of money on a disposable credit card and started responding to spam (“yes, please sell me your little blue pills”), and published a paper about that in 2011. That enabled him to follow the money flow - fourth level attribution, if you will. His work came to the attention of US DOJ, which is now recommending it as an approach to investigating spam-related crime, and to the Microsoft Digital Crimes Unit, which has been using legal proceedings against the folks who pay botmasters for their craft, with deadly effectiveness.

I think it’s fair to say, from Microsoft’s actions, that they agree that getting their old software off the net would be a good thing. They want their customers to upgrade to their new-and-presumably-improved software, and are proactively dealing with the business side of spam.

On May 18, 2014, at 10:30 PM, Eric Dynamic <ecsd@xxxxxxxxxxxx> wrote:

Meanwhile I notice that hundreds of IT professionals spin their wheels over
standards and practices for dealing with spam, which is otherwise preventable,
namely, let's cut the crap and go to first causes: why there is spam/crime to
the extent that there is: bad software running user PCs worldwide.

Get rid of Microsoft software connected to the Internet and the worldwide
"bot-net" problem will go away in a few months, as the criminal bots are
tracked down and eliminated but NOT replaced.

Do not even begin to bother the issue of whether Unix/Linux can or cannot be
invaded/compromised. Yes, it can, but to at most four orders of magnitude a
lesser extent. Microsoft's mean time to the next exploit is 15 days (two weeks.)
Unix's mean time to the next exploit is 2700 days (7.5 years.)
Microsoft users are just recovering from any given virus when the next one hits.

There is just no excuse to keep using such awful software and then have to
pretend that all the extra attendant nonsense ("anti-spamscience") is meaningful
and necessary. I suggest we worldwide quit wasting man-hours and intelligence
doing scutwork on an arms-race basis to keep Bill Gates's company looking
at best adequate. The spam is their fault and they can't fix the reasons why.

So put their code in the garbage where it belongs and retire Microsoft into
the Dustbin of History where it belonged 20 years ago.

This will free an enormous amount of now-wasted manpower to start doing more
useful things. This would also greatly benefit the economy and the development
of new PC technology, by the way, without regard to spam/crime.

===

S Moonesamy wrote:
Hi Phillip,
At 10:04 17-05-2014, Phillip Hallam-Baker wrote:
Yet more special pleading.

[snip]

A legitimate argument against DMARC would be 'Here is a research study
based on empirical evidence that shows DMARC does not help', it might
not be persuasive but it would be a valid argument to have. I am

Yes.

I find the arguments that IETF should ignore the impact of DMARC
unpersuasive. We have changed email repeatedly in response to non
standards compliant actions taken by the spam senders. So there is a
precedent for responding to malicious actions, why would we treat
non-malicious actions differently?

The significant change I can think of is the MSA/MTA split.  That was in 1998.  There is a specification violation in response to a DMARC policy as implementers do have to decide whether to provide a fix or ignore the issue.  There are also operational issues, e.g. http://www.it.cornell.edu/services/guides/email/issues.cfm  Should the IETF ignore the impact of all this?  Frankly, I don't know.  It is a significant amount of work to assess how much of a problem this is.

Regards,
S. Moonesamy

