On Wed, Oct 28, 2015 at 08:34:50AM -0700, Dave Crocker wrote: > Yet I'm pretty sure that that kind of transition from simplicity to > complexity that requires staffing and expertise is the hallmark of many > (all?) infrastructure services in all technologically developed cultures. > > Few consumers operate their own telephone exchange or their own air > traffic control center or their own water purification center or... And how many of those other services are "free", subsidized by a surveillance opt-in? Almost all my spam is of the 419 variety, It is economical for the scammer in large part because account creation at the large providers has no cost, and because the 419 scammers don't use those accounts to send email, rather the gmail, yahoo, ... mailboxes are often just "Reply-To" mailboxes, and it is exceedingly difficult to report that type of abuse to the very same reply mailbox providers. (The abuse reporting web forms are atrocious and too tedious to bother). So, from where I site, the real problem is that mailboxes are cost free, and the large providers have it uneconomical to run a mail service that is accountable for abuse by its users, and yet are "too large to block". So the similarity to other services that require specialized skills is real, but does not tell the whole story. The email ecosystem has rather peculiar economic externalities. Imposing the costs on the sources of the costs might only be possible with disruptive regulation that I don't see happening any time soon. (Crazy rules like mandatory account creation fees for publically provided email? Mandatory abuse desk SLAs? ...) There are of course other abuse vectors, the above is not the whole story, but it should be clear that the problems are very far removed from protocols, they are mostly problems of economic externalities. Should the makers of products hawked by affiliate marketing networks be liable for spam? Should banks be in part liable for the losses of customers scammed by 419 victims (which might quickly lead to banks requiring branch manager risk approvals to wire large sums of money to Lagos). The financial system resorts to "hacks" to contain the costs of fraud, because the costs of fraud management are lower than the costs of imposing tighter controls. Why should we expect the email network to be more secure than the credit card networks, the cheque clearing networks, ... Many large networks have externalities, fraud and abuse. Radical redesigns to address the externalities are rare, in most cases once the network is established, it responds to attacks with workarounds, not disruptive fundamental design changes. -- Viktor.