Discussion:
This research group will fail
Hadmut Danisch
2003-03-19 17:33:29 UTC
Hi,

I meanwhile came to the conclusion that this
working/research group will certainly fail.

I see strong interests to spoil any success of this group
to find a technical solution. This group is under a
certain kind of attack: The commercial attack.

Spam is a business with growing revenue. The small business
is sending spam. The big business is selling anti-spam-solutions.
Obviously those whose business is either one of these try to prevent
a simple and effective solution.

The situation is similar to the virus/worm threat: Some parties make
huge revenues with selling anti-virus-solutions. It would be their
sudden death if application software and operating systems became
virus proof. Some of the anti-virus-software manufacturers are
suspected to viruses themselves in order to keep their business
alive.

I am under the impression that there is the very same situation with
Spam: It's business, it's revenue, it's profits, and thus it must not be
spoiled. Anti-spam efforts are welcome as long as they strengthen the
public awareness of spam and make people purchase
anti-spam-solutions. But a solution which effectively prevents spam
at zero costs is deprecated. Zero costs means zero revenue.
Similar to the situation of viruses/worms, some of the spam messages
might be faked spam, not made to sell penis enlargement devices, but
to sell anti-spam-software.

Why are so many people strictly against anything that could prevent
spam at the sender side? Because the sender wouldn't pay for a
solution. Why do so many people insist on the freedom of the sender
to send whatever the sender wishes to send with a sender address the
sender can randomly choose? Simple answer: That's the only way to make
the recipient buy anti-spam-software or anti-spam-services.


Spam doesn't sell significant numbers of penis enlargement devices.
Spam sells Anti-Spam-software. That's the business.

I wouldn't be surprised at all if most of the spammers turned out
to be the same people selling anti-spam-software and services, and
trying to put through recipient-only solutions.

And maybe that's why the mailing list is flooded with so much
rubbish and babble. That's some kind of denial of service attack.


Hadmut
V***@vt.edu
2003-03-19 18:13:11 UTC
On Wed, 19 Mar 2003 09:33:29 PST, Hadmut Danisch <***@danisch.de> said:

> I see strong interests to spoil any success of this group
> to find a technical solution. This group is under a
> certain kind of attack: The commercial attack.

Hmm.. I can't speak for the commercial people, I'm about as non-commercial
as it gets, being both civil service *AND* academia. A big chunk of
the "spoil the success" is really just those of us who have tried the same
things before pointing out the problems that were encountered the last time.
(For instance, I don't think I've come out and said "this can't possibly work"
too often - though I'll admit I've tossed my share of "but first you have to
fix this...")

> Why are so many people strictly against anything that could prevent
> spam at the sender side? Because the sender wouldn't pay for a
> solution. Why do so many people insist on the freedom of the sender
> to send whatever the sender wishes to send with a sender address the
> sender can randomly choose? Simple answer: That's the only way to make
> the recipient buy anti-spam-software or anti-spam-services.

Actually, the problem is that there are *3* places we can stop the
problem: the several hundred spammers, 100K ISPs, or 400M end users.

Anybody who's tried to deploy software to end users (especially software
that involves retraining) knows 400M is the wrong place to attack. And
even a well-hidden Proof-Of-Work doesn't help here - your phone WILL ring
when people ask why it's taking 3 minutes to send mail.

I've never said I'm *STRICTLY* against a sender-side solution. My generic
criteria for a sender-side solution is: It has to be something that my
mother the Hotmail user can deploy without me or my brother having to
make a trip home to install for her. Windows 98 on a several-year-old PC.

And this is a very real constraint, and imposes significant barriers to
entire classes of solutions.

> I wouldn't be surprised at all if most of the spammers turned out
> to be the same people selling anti-spam-software and services, and
> trying to put through recipient-only solutions.

The interesting thing is that this list seems to contain neither spammers
nor people who make a living selling anti-spam solutions. It is however
full of people who have an interest in protecting their systems from spam.

> And maybe that's why the mailing list is flooded with so much
> rubbish and babble. That's some kind of denial of service attack.

Actually, I was attributing that to the well-known fact that the effective
IQ of a committee is given by "minimum IQ on the committee, divided by the
number of heads". ;)
a***@bobf.frankston.com
2003-03-19 18:32:52 UTC
One paragraph gives a hint of the answer: "The interesting thing is that
this list seems to contain neither spammers nor people who make a living
selling anti-spam solutions. It is however full of people who have an
interest in protecting their systems from spam."

We are those 400M and are the real target because we care. Solutions
that work at the edges get embraced. It's called the marketplace. MIME
is a great example -- some people at the edges built tools and then some
vendors adopted it so it made it easier for the rest of us (not them,
us) to take advantage of it.

OK, not all of you on the list but some of us like typography and can
avail ourselves of it. An ISP wouldn't give us that kind of choice and I
can decide if I want to bother writing messages in a down-level format
(though MIME tries to make dual messaging the default). Of course a
Unicode Mime message with binhex/uuencode (or whatever) gets huge. Why,
I remember when a message of a 100 lines got a flag "LARGE MESSAGE", now
a few megabytes flits by unnoticed.

I do vary my email address and do quench messages reaped send to that
address and my web site generates unique addresses for each visit. It's
a weak version of what I want but it has helped me prescreen a lot of
messages on my site. I still get a 100:1 ratio of spam to real messages
and hope that going further to using crypto-capabilities will give me
much more control.

The key is that focus on people who care and those are the people at the
end points.

Oh, there are others who care a lot -- those are the IT gatekeepers and
they tend to care about their gateways and often frustrate those of us
being protected. I remember trying to argue for more than 5MB of email
storage space in the mid 90's and was turned down. Even as my PC's were
getting gigabytes of storage.

There are also the ISPs who want to pander to the user's misperceptions
and sell them protection -- such as MSN's promise that your child will
never learn that there is no Santa Claus. They should have the
opportunity to sell what the users are asking for but that's a product
and not fundamental and not a solution. It's like the post office doing
you a favor and protecting you from junk mail such as that silly geek
magazine that is too heavy.


Hallam-Baker, Phillip
2003-03-19 19:09:48 UTC
> Spam is a business with growing revenue. The small business
> is sending spam. The big business is selling anti-spam-solutions.
> Obviously those whose business is either one of these try to prevent
> a simple and effective solution.

So every fireman is an arsonist and every policeman a thief.

A ubiquitous and pervasive authentication mechanism has value even if there
is no more spam.

Spam provides a means to get to critical mass, once a critical mass is
established it will have value in its own right.

Phill
Frank de Lange
2003-03-19 19:17:49 UTC
Hadmut Danisch wrote:

>Hi,
>
>I meanwhile came to the conclusion that this
>working/research group will certainly fail.
>
>I see strong interests to spoil any success of this group
>to find a technical solution. This group is under a
>certain kind of attack: The commercial attack
>

Ah, but we are here now (on the list, in SF, whatever), and there is a
real problem to solve. Like usual in the internet as we know it, there
are people/businesses who will try to commercialize the problem, provide
boxed and shrink-wrapped 'solutions', etc. This is nothing new, it has
been happening for years. Fortunately, these people and businesses do
not run the IETF (and related organizations). If we want to reach a
consensus on how to solve the spam-problem, the IETF is the place to do
that. We will just have to make sure that we do not get lured into
someone's business plan, just like all research/working groups. RFC2026
is one tool to keep proprietary "solutions" out of the standards
process. People who are vigilant against attempts to decommoditize
protocols and infrastructure are another guard against this.

It was to be expected that those who stand to gain by spam (either by
spamming themselves or by selling anti/spam-related services) would try
to secure their interests. This should not keep us from attempting to
solve the problem in the 'traditional' way (rough consensus, running
code, at least two interoperable implementations). It is premature to
spell the demise of this initiative IMHO.

To paraphrase Churchill, 'we shall go on to the end... we shall fight
them... we shall never surrender...'

Frank
David F. Skoll
2003-03-19 20:01:20 UTC
From: Hadmut Danisch <***@danisch.de>

> I wouldn't be surprised at all if most of the spammers turned out
> to be the same people selling anti-spam-software and services, and
> trying to put through recipient-only solutions.

Full-disclosure: I make a living selling anti-spam software.

Nevertheless, I am not a spammer. I also give away the core of my
product for free under the GPL. And I offer for free anti-spam ideas
that anyone (including my competitors) can use or not as they see fit---
I don't go for dumb patents or stupid trade secret protection.

The bottom line is that I also think this research group will fail,
if by "fail" you mean "find an effective standard solution that stops
almost all spam, and is implementable within the next decade."

I think my business model is realistic: I don't expect a real
solution to spam without massive reworking of Internet protocols, and
I don't expect that reworking to take place in under a decade. In the
meantime, I see an opportunity.

If you do not like my business model, don't buy my products, or else
just use the GPL'd subset.

--
David.
Matt Sergeant
2003-03-19 20:17:39 UTC
On Wed, 19 Mar 2003, Hadmut Danisch wrote:

> Spam is a business with growing revenue. The small business
> is sending spam. The big business is selling anti-spam-solutions.
> Obviously those whose business is either one of these try to prevent
> a simple and effective solution.
>
> The situation is similar to the virus/worm threat: Some parties make
> huge revenues with selling anti-virus-solutions. It would be their
> sudden death if application software and operating systems became
> virus proof. Some of the anti-virus-software manufacturers are
> suspected to viruses themselves in order to keep their business
> alive.
>
> I am under the impression that there is the very same situation with
> Spam: It's business, it's revenue, it's profits, and thus it must not be
> spoiled. Anti-spam efforts are welcome as long as they strengthen the
> public awareness of spam and make people purchase
> anti-spam-solutions.

I take real offense to this tone. As someone who works at a successful
anti-virus company (we named Klez) I can tell you quite clearly - there is
no attempt or motivation here to put out viruses or even keep virus
writers working. To suggest otherwise is insulting to those who work in
this business.

Yesterday I told a customer I was trying to get involved in the IETF's
efforts to "fix" the spam problem, however that may turn out. He was
surprised we would work to put ourselves out of business. But at the end
of the day this is going to happen whether we're involved or not, so
better to be involved than not. And any solution is going to involve a
long transition period for our customers, and we can hopefully be there to
ease that transition.

I want to see an end to spam as much as the next guy. I'm shit scared of
striker, and I'm an email user too. But the solution has to be practical,
and it has to have tangible benefits or my boss and my boss's boss are not
going to buy into it. And if they don't buy into it they won't sell it to
our customers, and you get a large section of the internet not interested
in using your scheme.

The last thing *I* want to do is prevent an answer to the spam problem
happening.
Kee Hinckley
2003-03-19 21:38:55 UTC
At 8:17 PM +0000 3/19/03, Matt Sergeant wrote:
>The last thing *I* want to do is prevent an answer to the spam problem
>happening.

Ditto. I got into this business because I had a serious problem that
I needed to solve. Everyone else was looking at the tip of the
iceberg, and somewhere.com was somewhere down in the middle (I used
to think we were at the bottom, but striker clearly gets that award).
In my experience, companies do best when they are building things for
people like themselves. So getting into this business made sense.
But I would absolutely love to live in a world where the business
didn't need to exist.

I will agree that most of my comments on this list (over 100 so far)
have been negative. Breaking things is what I'm good at. I
specialize in using things in ways their creators never intended.
And despite twenty+plus years of hacking, I still use that
anthropology degree every day--everything we do needs to take into
account how organizations and people work--software doesn't operate
in a vacuum.

I actually think this forum has been very productive so far. We have
a good grasp of the proposed scope of different solutions. We have a
start on classifying them. We have an idea of what a requirements
list might look like (and every requirements list starts with an
impossible set--life is full of tradeoffs).

I don't think we'll see a new protocol come out of this--although
those people who are gungho about solutions like that are certainly
welcome to try them out in the marketplace.

I would hope, however, that we come out with a good list of the
different classes of solutions and what their benefits and drawbacks
are. A document of that sort can be a great aid to people who are
looking to deploy solutions. I think we may also be able to come up
with a set of best practices that, when implemented together, have
the effect of limiting the amount of spam people receive. That is a
stop gap measure, but in addition I hope we can come up with a list
of potential additions to existing protocols (that will have value
even if not implemented 100%) that will help drive spammers into
certain behaviors that can more easily be blocked.

It's going to be an incremental process. We have too much invested
in the existing infrastructure to just toss it. And nobody wants to
throw the baby out with the bath-water. The time to fix the problem
wholesale is long gone. So like many systems out there, this one's
going to end up with a lot of string and baling wire on it.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
Steve Schear
2003-03-19 20:29:53 UTC
At 01:13 PM 3/19/2003 -0500, you wrote:
>Anybody who's tried to deploy software to end users (especially software
>that involves retraining) knows 400M is the wrong place to attack. And
>even a well-hidden Proof-Of-Work doesn't help here - your phone WILL ring
>when people ask why it's taking 3 minutes to send mail.

Not if they don't have my phone number. Which they probably don't if they
haven't contacted me before.


>I've never said I'm *STRICTLY* against a sender-side solution. My generic
>criteria for a sender-side solution is: It has to be something that my
>mother the Hotmail user can deploy without me or my brother having to
>make a trip home to install for her. Windows 98 on a several-year-old PC.

This is not necessary for initial deployment. After all the web didn't
seem like it was ready for my grandmother 10 years ago.

steve
V***@vt.edu
2003-03-19 21:10:09 UTC
On Wed, 19 Mar 2003 12:29:53 PST, Steve Schear said:
> At 01:13 PM 3/19/2003 -0500, you wrote:
> >Anybody who's tried to deploy software to end users (especially software
> >that involves retraining) knows 400M is the wrong place to attack. And
> >even a well-hidden Proof-Of-Work doesn't help here - your phone WILL ring
> >when people ask why it's taking 3 minutes to send mail.
>
> Not if they don't have my phone number. Which they probably don't if they
> haven't contacted me before.

Hmm.. your user community doesn't have the help desk phone number? Umm,
www.bofh.org is over *THAT* way====>> ;)

(my point was that if network operations at FooISP.com deploys something,
and it changes ANYTHING, they better be ready for their help desk phone to ring)

> This is not necessary for initial deployment. After all the web didn't
> seem like it was ready for my grandmother 10 years ago.

The major difference was that the web had demonstrable perceived benefits
to early adopters - the first thousand users got something. And I've seen
many a case made that the average site designed today for IE 6 and Flash doesn't
actually convey information any more effectively than the first sites
tailored for Mosaic 0.9....

Even if you have a really great anti-spam scheme that all the propellerheads
install because it's cutting edge and cool, that will only get about 2% of
the users at most. At that point, you better have reached critical mass
(enough people use it that it matters) *AND* have it easy enough to use that
the other 98% (the unwashed masses) can deal with it.
Steve Schear
2003-03-19 22:02:23 UTC
At 04:10 PM 3/19/2003 -0500, ***@vt.edu wrote:
>On Wed, 19 Mar 2003 12:29:53 PST, Steve Schear said:
> > At 01:13 PM 3/19/2003 -0500, ***@vt.edu wrote:
> > This is not necessary for initial deployment. After all the web didn't
> > seem like it was ready for my grandmother 10 years ago.
>
>Even if you have a really great anti-spam scheme that all the propellerheads
>install because it's cutting edge and cool, that will only get about 2% of
>the users at most. At that point, you better have reached critical mass
>(enough people use it that it matters) *AND* have it easy enough to use that
>the other 98% (the unwashed masses) can deal with it.

A PoW system could be deployed almost immediately at a web-based email
system. The only 'special' tool is that the user would be required to
accept a small PoW calculation applet or install it to manufacture the
stamp using client CPU cycles.

For people wishing to contact me for the first time that don't use such a
service my bounce mail reply would provide them with a link to an applet
downloader web page. They would only have to create the stamp and append
it or include it in-line in their email.

Past that I really don't care if they can or cannot contact me. I can live
with that.

steve
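
The stamp idea in the message above can be illustrated with a hashcash-style stamp. This is an added example, not code from the thread or from any poster; the stamp format, the use of SHA-256, the 12-bit difficulty and the names `mint_stamp` and `StampChecker` are assumptions made here.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def stamp_bits(stamp: str) -> int:
    """Work actually embodied in a stamp: one hash, cheap for the recipient."""
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())


def mint_stamp(recipient: str, date: str, bits: int) -> str:
    """Sender side: burn CPU until the stamp hashes to `bits` leading zeros.

    Expected cost is about 2**bits hashes, so the difficulty setting decides
    whether sending takes milliseconds or minutes on an old PC.
    """
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp


class StampChecker:
    """Recipient side: accept a stamp once, only for this address and date window."""

    def __init__(self, my_address: str, min_bits: int, accepted_dates: set):
        self.my_address = my_address
        self.min_bits = min_bits
        self.accepted_dates = accepted_dates
        self.seen = set()  # spent stamps; a real deployment would expire these

    def check(self, stamp: str) -> str:
        parts = stamp.split(":")
        if len(parts) != 4:
            return "malformed"
        claimed_bits, date, recipient, _counter = parts
        if not claimed_bits.isdigit() or int(claimed_bits) < self.min_bits:
            return "too cheap"
        # Binding the stamp to one recipient stops a bulk sender from
        # paying once and attaching the same stamp to every message.
        if recipient != self.my_address:
            return "wrong recipient"
        if date not in self.accepted_dates:
            return "expired"
        if stamp_bits(stamp) < int(claimed_bits):
            return "no work"
        if stamp in self.seen:
            return "replayed"
        self.seen.add(stamp)
        return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    stamp = mint_stamp("steve@example.org", "20030319", 12)
    checker = StampChecker("steve@example.org", 12, {"20030319"})
    print(stamp, checker.check(stamp), checker.check(stamp))
```
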
Steve Schear
2003-03-19 22:42:46 UTC
At 05:27 PM 3/19/2003 -0500, you wrote:
>At 2:02 PM -0800 3/19/03, Steve Schear wrote:
>>Past that I really don't care if they can or cannot contact me. I can
>>live with that.
>
>Which pretty much sums out why this works for you, but won't ever meet the
>needs of this discussion group.

Perhaps not, and perhaps the group's objectives are too grand to meet in
one or even a few steps. The net and much of its infrastructure were built
by 'selfish' people trying to solve their problems and made available to
others to use as they saw fit. I'm just following this time-honored and
proven method. Instead of trying from the outset to solve the spam problem
w/o disadvantaging any existing users I'm trying to experiment to see if I
can solve my spam problem and make it available to others to use if it
helps them. The first filter systems were just that.

No one has deployed a sender-pays so no one knows what will or will not
work. All I'm saying is let's deploy and see what happens.

steve
Ian Wilson
2003-03-19 23:02:50 UTC
> Instead of trying from the outset to solve the spam problem
> w/o disadvantaging any existing users I'm trying to experiment to see if I
> can solve my spam problem and make it available to others to use if it
> helps them. The first filter systems were just that.


Once again I am new to this, and clearly out of my league, but what level
are you talking about filtering on? Is it at my *Inbox*, or at the Server.
My biggest problem with Electronic Junk Mail is that in the end I pay for
it, and I gain nothing positive for it. At least with Junk Snail Mail there
is a bonus. The people sending the stuff pay for it, and I suppose that
keeps the price I pay to send a piece of mail at a reasonable level. With
SPAM, as I see it, it just costs me. When I first got on the Internet I
surfed the net a great deal, I don't now. I've met many interesting people,
but I now use email almost exclusively. I am virtually forced to opt for
the *Unlimited Usage* plan from my ISP, but if I was only down loading
email I wanted, My Internet access wouldn't cost me more than $7-8 dollars a
month. My ISP now charges me $29.95 for unlimited usage. So while
filtering this stuff to my Delete Bin might give me some measure of
satisfaction, I still down load it.


> No one has deployed a sender-pays so no one knows what will or will not
> work. All I'm saying is let's deploy and see what happens.

I'm not a subscriber to conspiracy theories, and I don't think there was a
second shooter on a grassy knoll, but isn't there a symbiotic relationship
between SPAMMERS and ISP's. While NBTel isn't paid when a SPAMMER sends me
a message, those messages are a big reason why I have an Unlimited Usage
Plan. I think there are a lot of folks in my position who use email almost
exclusively. If it wasn't for SPAM we could log on, down load email, log
off, deal with the email, and log on send and replies I might have. It
would take me seconds, except for the fact that 90% of the mail I get is
SPAM.

Also is the fact that my email address is straightforward
****@nbntel.nb.ca* make me an easy target. It seems to me that in some
SPAM that I have looked at it appears that the sender just took the name
*wilson* and used a database of ISP's to send it. ie: there might be 40
addresses in the message, ***@nbnet.nb.ca, ***@hotmail.com,
***@yahoo.com, ***@hks.com, etc., etc.

Also I might have used the wrong term when I talked about *forged* while I
understand where there is reason to change the return address. I guess a
better word would have been a *bogus* return address. An address that
doesn't exist. ie somebody sends me a SPAM message and the address provided
would just bounce. Can that be detected at the Server.

I think a good place to start for SPAMMERS in a legal sense would be that
each message must contain a valid return address, and a way the person
receiving the message can reply and be removed without being directed to a
spot on the Internet that asks you to enter your email address, which I am
sure just subscribes you to several more lists. The approach I am taking is
to have my ISP provide me with a form letter that in essence states if the
sender fails to remove my name in a timely manner that my ISP has agreed to
ban that sender from its Mail Server.

ian wilson
Kee Hinckley
2003-03-20 01:18:01 UTC
At 7:02 PM -0400 3/19/03, Ian Wilson wrote:
>second shooter on a grassy knoll, but isn't there a symbiotic relationship
>between SPAMMERS and ISP's. While NBTel isn't paid when a SPAMMER sends me
>a message, those messages are a big reason why I have an Unlimited Usage
>Plan. I think there are a lot of folks in my position who use email almost

They lose far more in time and support costs than they would gain.
Spam is a bigger headache for ISPs at this point than for end users.
You can just delete it--they have to deliver it, reject the ones they
can't deliver, deal with the complaints from the people who get it,
deal with the spammers who buy throwaway accounts, set up new systems
for blocking spam, get complaints from people because they blocked
the wrong email, set up systems for blocking outbound spammers, get
complaints from people who can't connect to their business email
anymore... the list goes on and on. I'd believe the "anti-spam
companies like spammers" conspiracy theory before I believed the
"ISPs like spammers" one. And I *work* for an anti-spam company :-).

>****@nbntel.nb.ca* make me an easy target. It seems to me that in some
>SPAM that I have looked at it appears that the sender just took the name
>*wilson* and used a database of ISP's to send it. ie: there might be 40
>addresses in the message, ***@nbnet.nb.ca, ***@hotmail.com,
>***@yahoo.com, ***@hks.com, etc., etc.

They might have, or they may just be sending to the list in sorted
order. Both happen.

>doesn't exist. ie somebody sends me a SPAM message and the address provided
>would just bounce. Can that be detected at the Server.

Only in some limited cases (e.g. "the domain doesn't exist"). That
is one of the discussions ongoing here. It sounds like a simple
thing to do, but it turns out to have lots of complications.

>I think a good place to start for SPAMMERS in a legal sense would be that
>each message must contain a valid return address, and a way the person
>receiving the message can reply and be removed without being directed to a

That approach has a lot of supporters. But you need to be careful
even there. Establishing penalties for people who forge the return
address has potential to be good--but it makes anonymous speech
difficult. On the other hand, legislation that said it was okay to
spam if the return address was valid could potentially make your spam
volume much, much higher.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
Ian Wilson
2003-03-20 02:36:41 UTC
> Only in some limited cases (e.g. "the domain doesn't exist"). That
> is one of the discussions ongoing here. It sounds like a simple
> thing to do, but it turns out to have lots of complications.


Hi,

The vast majority of my troublesome mail appears to my untrained eye to be
easily identifiable. Most of the SPAM I get comes from Domains that only
change a bit. optprofessionals.com, freegift.com, and a lot of others that
don't leap to mind right now.


> >I think a good place to start for SPAMMERS in a legal sense would be that
> >each message must contain a valid return address, and a way the person
> >receiving the message can reply and be removed without being directed to a
>
> That approach has a lot of supporters. But you need to be careful
> even there. Establishing penalties for people who forge the return
> address has potential to be good--but it makes anonymous speech
> difficult.

I'm not sure *anonymous speech* is worth protecting. I'm not saying Free
Speech isn't worth protecting, but I should not have the protection to say
whatever I want, and the protection of doing it under cover. While I'm no
lawyer isn't there a distinction between *Free Speech* and *Freedom of the
Press* and what the framers of the Constitution wanted to protect was my
right to get on my soapbox down on the corner and launch into a diatribe on
the government, or any other topic I wanted to. Seems to me that what I
write on the Internet isn't *Speech*, but *Press*, and there are all kinds
of restrictions on the press. I can't publish the collected works of a
noted Child Pornographer for example. Here in Canada there have been cases
that have said people do not have the right to publish hate crime against
an identifiable group of people, the most common example would be people of
the Jewish Faith, but I don't believe I can be stopped from getting on my
soapbox down on the corner and denying the Holocaust.


> On the other hand, legislation that said it was okay to
> spam if the return address was valid could potentially make your spam
> volume much, much higher.

I would clarify that a bit. My idea is that I be able to reply to a SPAM,
and asked to be removed from future mailings. Currently there seems to be
no reason for a SPAMMER to do that because there are no repercussions to him
if he doesn't. But with the backing of my ISP, if he is faced with losing
access to the entire Mail Server for NBTel, that may be enough of a penalty
for the SPAMMER to respect my wishes. Today I am going to get at least 20
messages from

suzy-***@free-gift-offers.com to suzy-***@free-gift-offers.com

The first part of the address changes all the time, but the Domain remains
the same. I currently use a program called Mail Washer, and I have over
1000 messages from these people. As a paying customer of NBTel they should
address concerns. If they backed me up I'm sure it would stop.

If I could stop SPAMMERS like that, my problems would be cut down by 85%, I
could live with the rest of the crap I get, and these folks could continue
on with their business, but just not bother me with it.

ian
Kee Hinckley
2003-03-20 04:15:55 UTC
At 10:36 PM -0400 3/19/03, Ian Wilson wrote:
>The vast majority of my troublesome mail appears my untrained eye to be
>easily identifiable. Most of the SPAM I get comes from Domains that only
>change a bit. optprofessionals.com, freegift.com, and a lot of others that
>don't leap to mind right now.

They change as they get blocked. Some spammers use fake ones.
Others create new (real) domains on a weekly basis. If it were just
a matter of blocking domains there wouldn't be a business for
anti-spam companies.

>I'm not sure *anonymous speech* is worth protecting. I'm not saying Free
>Speech isn't worth protecting, but I should not have the protection to say
>whatever I want, and the protection of doing it under cover. While I'm no

A quick Google search turned up lots of references on the Constitution
and anonymous speech. This one seems to cover the issues pretty well:
http://www.yaledailynews.com/article.asp?AID=1380

> On the other hand, legislation that said it was okay to
>> spam if the return address was valid could potentially make your spam
>> volume much, much higher.
>
>I would clarify that a bit. My idea is that I be able to reply to a SPAM,
>and asked to be removed from future mailings. Currently there seems to be

Of course the people who violate this are the ones you won't be able
to track down easily. The issue with making this rule is that it has
the potential to legitimize unsolicited email. While getting
thousands of spam messages every week is really unpleasant, getting
thousands of offers from legitimate companies every day would be even
worse. Yes, you could unsubscribe. But you'd spend all day doing
it. I'm not arguing against requiring legitimate return addresses on
bulk email. I think it's a very good idea. But we do want to make
sure that we *still* require some form of opt-in.


>for the SPAMMER to respect my wishes. Today I am going to get at least 20
>messages from
>
>suzy-***@free-gift-offers.com to suzy-***@free-gift-offers.com
>
>The first part of the address changes all the time, but the Domain remains
>the same. I currently use a program called Mail Washer, and I have over
>1000 messages from these people. As a paying customer of NBTel they should
>address concerns. If they backed me up I'm sure it would stop

What should they do? That domain maps to optindeals.com. (Amusing
rule of thumb, I have *never* gotten a false positive flagging an
address with "optin" in the domain name :-). That domain maps to a
DSL connection on cais.net. It wouldn't surprise me at all if that
IP address periodically changed. They can complain to cais (and so
can you). They might close the account. Not clear if they could
safely block the entire ISP. And in any case--you've said the
email's from address is free-gift-offers.com. But do you have any
evidence that the email actually comes from the owner of that domain?
The circumstantial evidence looks good--but presumably you'd want
your ISP to carefully check for proof before shutting off *your*
account if someone accused you of spamming.

--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
John Morris
2003-03-20 06:11:38 UTC
Not to drag us into an extended legal debate, but

At 10:36 PM 3/19/03 -0400, Ian Wilson wrote:
><snip>
>
>I'm not sure *anonymous speech* is worth protecting. I'm not saying Free
>Speech isn't worth protecting, but I should not have the protection to say
>whatever I want, and the protection of doing it under cover.

Lots and lots of anonymous speech is very valuable and some important
speech would not take place without anonymity (we can discuss that more
off-list if desired). But there are lots of situations in which anonymity
will fall to other interests, and courts will likely agree that false
return addresses and headers in UCE will not be protected.

>While I'm no
>lawyer isn't there a distinction between *Free Speech* and *Freedom of the
>Press* and what the framers of the Constitution wanted to protect was my
>right to get on my soapbox down on the corner and launch into a diatribe on
>the government, or any other topic I wanted to. Seems to me that what I
>write on the Internet isn't *Speech*

In the US, FWIW, the opposite of this is true. A key conclusion of the US
Supreme Court's decision in 1997 in Reno v. ACLU, is that in fact the
Internet is the modern day embodiment of the soap box of old. When the
First Amendment was written, the town commons was important in community
life and a soapbox was an effective way to raise a public concern. By the
late 20th Century, an actual soapbox in a park had become absolutely
irrelevant. Internet communications are definitely viewed as protected
speech by US courts.

The bottom line for this group is that (at least in the US) the First
Amendment is likely to impose some constraints on anti-spam legislation,
making technical approaches to reduce spam all the more important.

John
Kee Hinckley
2003-03-19 21:55:06 UTC
At 12:29 PM -0800 3/19/03, Steve Schear wrote:
>At 01:13 PM 3/19/2003 -0500, you wrote:
>>Anybody who's tried to deploy software to end users (especially software
>>that involves retraining) knows 400M is the wrong place to attack. And
>>even a well-hidden Proof-Of-Work doesn't help here - your phone WILL ring
>>when people ask why it's taking 3 minutes to send mail.
>
>Not if they don't have my phone number. Which they probably don't
>if they haven't contacted me before.

Is that supposed to be a joke, or do you truly not care whether your
system is useable, so long as it has a nice architecture?

>>I've never said I'm *STRICTLY* against a sender-side solution. My generic
>>criteria for a sender-side solution is: It has to be something that my
>>mother the Hotmail user can deploy without me or my brother having to
>>make a trip home to install for her. Windows 98 on a several-year-old PC.
>
>This is not necessary for initial deployment. After all the web
>didn't seem like it was ready for my grandmother 10 years ago.

Ten years ago the web was something entirely new--it wasn't replacing
anything, and it didn't have to interoperate with anything. The
business plan for creating something brand new is *way* different
than the plan for replacing something in use by hundreds of millions
of people. People are much more willing to try something new than
they are to get rid of something old--no matter how broken. To
replace something you have to show them very significant benefits.
Your benefits depend on everyone choosing your system over any other.
When the number of people using a system numbers in the thousands,
that's not a big deal. When the number of people using it numbers in
the hundreds of millions, that's really bad odds.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
Steve Schear
2003-03-19 22:35:47 UTC
At 04:55 PM 3/19/2003 -0500, you wrote:
>At 12:29 PM -0800 3/19/03, Steve Schear wrote:
>>At 01:13 PM 3/19/2003 -0500, you wrote:
>>>Anybody who's tried to deploy software to end users (especially software
>>>that involves retraining) knows 400M is the wrong place to attack. And
>>>even a well-hidden Proof-Of-Work doesn't help here - your phone WILL ring
>>>when people ask why it's taking 3 minutes to send mail.
>>
>>Not if they don't have my phone number. Which they probably don't if
>>they haven't contacted me before.
>
>Is that supposed to be a joke, or do you truly not care whether your
>system is useable, so long as it has a nice architecture?

If my bounce mail reply (sent when an unknown sender contacts me) is
sufficiently simple for many/most users, who wish to take even a minimal
amount of extra time to contact me, works then that's good enough for
me. For others, who cannot or will not take the extra time/effort, I think
I can live without their communication.


>>>I've never said I'm *STRICTLY* against a sender-side solution. My generic
>>>criteria for a sender-side solution is: It has to be something that my
>>>mother the Hotmail user can deploy without me or my brother having to
>>>make a trip home to install for her. Windows 98 on a several-year-old PC.
>>
>>This is not necessary for initial deployment. After all the web didn't
>>seem like it was ready for my grandmother 10 years ago.
>
>Ten years ago the web was something entirely new--it wasn't replacing
>anything, and it didn't have to interoperate with anything. The business
>plan for creating something brand new is *way* different than the plan for
>replacing something in use by hundreds of millions of people. People are
>much more willing to try something new than they are to get rid of
>something old--no matter how broken. To replace something you have to
>show them very significant benefits. Your benefits depend on everyone
>choosing your system over any other. When the number of people using a
>system numbers in the thousands, that's not a big deal. When the number
>of people using it numbers in the hundreds of millions, that's really bad odds.

Look at Kazaa. It takes extra effort to install and learn but 10s of
millions have done so because they see a perceived benefit. When Napster
first arrived most people who heard of it ignored it because they didn't
know or see the value proposition. As time went by more people learned
why they wanted to spend the extra effort to download, install and learn to
use it.

These P2P systems didn't need millions to work but only 1000s or
10,000s. I'm OK, from my perspective with a little, initial, Balkanization
of email if it helps me. I don't care what it does or does not do for
others. It seems to me you're trying to come up with a solution that can
be plugged in without disadvantaging some users with minimal tech skills
(like our mothers). I'm saying I'm willing to do that if it helps ME.

steve
Pierre BRUA
2003-03-19 21:45:57 UTC
Hi,

Hadmut Danisch wrote:
> I meanwhile came to the conclusion that this
> working/research group's will certainly fail.

If we get focalized on the technical aspects of the spam problem, the
traffic will lower and the signal/noise ratio will get higher. Moderation?

> Anti-spam efforts are welcome as long as they strengthen the
> public awareness of spam and make people purchase
> anti-spam-solutions.

I don't agree:
Outside the mail-abuse.org blacklists, most are free blacklists. How do
you explain it? The Spamassassin content filter is free. TMDA (tmda.net)
is free. And so on.

> But a solution which effectively prevents spam
> at zero costs is deprecated. Zero costs means zero revenue.

It means we will all stop losing our time handling spam and do
something more constructive with the time it helped us free.

> Why are so many people strictly against anything what could prevent
> spam at the sender side? Because the sender wouldn't pay for a
> solution.

There is a customer-provider relation that makes it difficult for ISPs to
unilaterally redefine the rules.
They fear too much losing their customers in case their AUP gets too
restrictive or the sending process gets too complicated compared to
other ISPs.

> Why do so many people insist on the freedom of the sender
> to send whatever the sender wishes to send with a sender address the
> sender can randomly choose?

With the RMX proposal you made, the sender will be limited to his domain
(easy to stop him from spamming then) or to the other customers of
their ISP domains (easy to complain to them too).

Which means a domain owner can/will complain to his ISP in case his
domain gets abused by spammers also customers of the same ISP.

This will put the financial pressure back on the ISP side (customer
complaining about another customer), and I am quite enthusiastic with
such a scheme.

> Spam doesn't sell significant numbers of penis enlargement devices.
> Spam sells Anti-Spam-software. That's the business.

Don't give spammers such ideas ;-)

> I wouldn't be surprised at all if most of the spammers turned out
> to be the same people selling anti-spam-software and services, and
> trying to put through recipient-only solutions.

Maybe. Who knows. The solution is to use free software anti-spam
solutions only (maybe talking for my church here), so you will avoid to
feed the spammers anyway.

> And maybe that's why the mailing list is flooded with so much
> rubbish and babble. That's some kind of denial of service attack.

That's what I thought at first when I subscribed.
But I think the problem is different.

I think people are too much sensitive about spam, and they need to talk
about it, like when you talk with the psychiatric people because you
want to punch your neighbour making too much noise and you cannot get
him to lower the volume politely.

I must admit I am a little bit like that, too, after having suffered
from the spam cancer for years like most people.

Most subscribers seem to seek the holy grail, a global mean to stop spam.

They have already thought a lot about what could be done, eventually
tried to develop some personal-crafted solutions that didn't work or
not efficiently enough.

I suggest that this group gets moderated for a few weeks/months, so we
can get on track to the real work efficiently.

For my part, I will vote for the moderation if someone proposes it.


This working/research group lacks at least a FAQ containing what concerns
it and what does not. Until we get that, and subscribed people to
respect it, we will go nowhere: the topic is too hot and too broad, and
even good willing people will have difficulties to help things advance
without any guidance.

I propose to consider inadequate the following topics to begin with:

* country laws related to spam topics
We are designing a technical system, and due to the differences of the
spam laws among countries, it is useless to discuss that here.
If we get a reasonably efficient system to stop spam, it would be up to
the users/administrators to check if they can apply it safely in their
country and keep legal or if they need to change the country laws first.

* content filtering systems topics (aka spamassassin and the like)
The basis of those systems is to evolve and mutate to accommodate the
mutation of the spams. This contradicts completely a RFC-like
standardization process like the asrg list intends to do.
Not to say that standard content filters are not interesting, but it
should be handled on a separate list.

* hacking topics
The fact that protocol implementations like the DNS ones or others are
currently hackable is not our problem. If hardening of protocols is
needed, it has to be handled at the protocol layer by the related
protocol working group.

* "we will completely break the smtp protocol to begin with" topics
The Internet is a big beast and cannot move like that. Proposals must be
able to cope with a running internet during several years at least, and
people thinking about redesigning it to the ground should create a
separate list to discuss about their own ideas on this topic, and come
back when they get something at least a bit realistic.

Frank de Lange said:
> To paraphrase Churchill, 'we shall go on to the end... we shall
> fight them... we shall never surrender...'


Pierre
--
PARALLINE /// Parallelism & GNU/Linux
///
71,av des Vosges Phone:+33 388 141 740
F-67000 STRASBOURG Fax:+33 388 141 741 http://www.paralline.com
t***@csc.com.au
2003-03-20 02:30:23 UTC
>A ubiquitous and pervasive authentication mechanism has value even if there
>is no more spam.
>
>Phill


.....and in most places it still doesn't work. ( ask the French
Gendarmerie where ID cards are mandatory )

And when it doesn't exist the Police are not rendered ineffective ( ask
the Police in the U.K. where ID cards are not used at all )

Any authentication mechanism has holes - check out the problems with DNA
identification. (... and yes I do know the difference between
authentication and identification. I just happen to believe that the
normal 1:1 between legitimate email users and their addresses blurs the
distinction here )

Yes, there are processes where proving your identity to the satisfaction
of "the authorities" is mandatory e.g. drivers licence, gun licence etc.
etc.

But none of these has the ubiquity, utility or pervasiveness of email and
so will never hit the issues of scaling that trying to enforce strong
authentication on email users would meet.

I believe spam is a social evil and requires a social cure. There are not
Technical answers to all problems. Spam is a case in point.

OK, we may be able to do Technical things which can help in the short
term, but in the long term figuring out a way to get legislators in a
global context to harmonise the legal context for misuse of public
Services is likely to be the only solution.

And adapting "junk mail" laws probably won't cut it - extradited for
sending unsolicited leaflets?

Anyone remember E. E. Smith? The context here is very similar to the
reasons given in "Triplanetary" - but watch out! We could end up with
Judge Dredd instead of the Lensmen..... ;-)

Regards,

tom.
__________________________________________________
Security Consultant/Analyst
CSC
Ph: +61 8 9429 6478 Email: ***@csc.com.au
----------------------------------------------------------------------------------------
This email, including any attachments, is intended only for use by the
addressee(s) and may contain confidential and/or personal information and
may also be the subject of legal privilege. Any personal information
contained in this email is not to be used or disclosed for any purpose
other than the purpose for which you have received it. If you are not the
intended recipient, you must not disclose or use the information contained
in it. In this case, please let me know by return email, delete the
message permanently from your system and destroy any copies.
----------------------------------------------------------------------------------------



Hallam-Baker, Phillip
2003-03-20 05:19:29 UTC
> And when it doesn't exist the Police are not rendered
> ineffective ( ask
> the Police in the U.K. where ID cards are not used at all )

UK law requires every business to list on its letterhead its
registered office at which service can be effected.

> I believe spam is a social evil and requires a social cure.
> There are not
> Technical answers to all problems. Spam is a case in point.

It is a purely technical problem, the email infrastructure
was designed to be used by a small number of people most of
whom were highly expert and almost none of whom would attack
the network.

Today the network is vast, approaching a billion users. Almost
all of whom are clueless technically and a very large number
of whom are malicious if not outright evil.

You go off and try solving the social problems if you like.
I believe you will find that they are far less tractable than
technical approaches that face the reality of the social
constraints.

I don't care whether you are a slave to a right wing ideology
like the sender pays people for whom a market is the solution
to every ill or a slave to a left wing ideology like the
anti-corporativists for whom the problem is always a corporate
interest and the solution always to eliminate the corporations.
If you are a slave to an ideology you become an idiot.

Phill
t***@csc.com.au
2003-03-20 06:10:30 UTC
>UK law requires every business to list on its letterhead its
>registered office at which service can be effected.

But ( and you'll correct me if I'm wrong ) not all spammers are
businesses, and even when they are, setting up a business for the Xmas
season and closing it in January is still legal. Where's your process
server when the goods fall apart in two months, despite Consumer
Protection laws?

>If you are a slave to an ideology you become an idiot.
>
>Phill

Mate, I couldn't agree more.

I still get this feeling that altering the behaviour of spammers in the
long term won't happen by changing the RFCs, however much I'm willing to
try it because I have to hope it is possible to improve on what we have.

But I'd be willing to bet my $.02 that "judging intent" of email whether
by content or "authorised source" will turn out to be beyond a Computer,
particularly without mucking things up for the billion clueless users who
WANT to send anything anywhere quickly.

On with the show!

Regards,

tom.
__________________________________________________
Security Consultant/Analyst
CSC
Ph: +61 8 9429 6478 Email: ***@csc.com.au
Hallam-Baker, Phillip
2003-03-20 08:19:37 UTC
Anonymous email is pretty easy to support if we have a mechanism that allows
us to control spam.

Then we can bring up the pnet gateway and its ilk again.

Phill

w***@elan.net
2003-03-20 08:05:46 UTC
I do not think you're quite right, depending on what system is used,
anonymous email can become more difficult, i.e. if you can trace user to
such to exact ip/isp/company/domain, the anonymity remains only as long as
the company you traced it to is willing to protect that anonymity. As we
have seen in latest MPAA vs Verizon, some ISPs can be very protective of
that information but in the end Verizon still lost...

Also I'm not familiar with ilk. Can you explain that?

On Thu, 20 Mar 2003, Hallam-Baker, Phillip wrote:

> Anonymous email is pretty easy to support if we have a mechanism that allows
> us to control spam.
>
> Then we can bring up the pnet gateway and its ilk again.
>
> Phill
M Wild
2003-03-20 15:15:46 UTC
This proposition really depends on how you define fail. If you mean the
solution does not eliminate *ALL* spam I'd say I have to agree. However my
requirement is not a 100% solution...I just want some relief, for my users,
for my servers and for me. A number of list members have mentioned that it
appears folks are looking for the "magic bullet". There is not one so
looking for it is a waste of time. I suspect that there will be a number of
different measures that solve small parts of the problem and when combined
make a real difference. My ideal solution is something that takes place
during the SMTP handshake...if the mail gets to the DATA phase then my mail
server is committed to doing the work of virus scanning the mail, marching
it around the various queues and either delivering it to the user's mailbox
or having to bounce it back to the (probably fictitious) sender. That is a
loss for me. I have philosophical issues with whitelists/blacklists mainly
due to the fact that I don't want my mail servers to have to keep track of a
lot of stuff and/or turn over control of who I will/will not accept mail
from to an external party. I may have to get over this in order to get to a
solution that works. If I really thought this group was going to fail this
would be an unsubscribe...the mail volume on this list is, well,
significant. I'm still here because I'm convinced the collective wisdom of
the list will come up with *SOMETHING*. If nothing else the humor of some of
the posters gives me a chuckle on a regular basis and that is definitely
worth reading.

Regards
Mike
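
[Added example, not part of any message in this thread and not code from the RMX proposal.] Pierre's message describes an RMX-style limit on which hosts may send for a domain, and Mike's message asks for rejection during the SMTP handshake, before DATA. The sketch below combines the two. The lookup table stands in for DNS, and its domains, addresses and record layout are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed stand-in for the per-domain "hosts allowed to send for us" data
# that an RMX-style scheme would publish in DNS. Hypothetical domains and
# documentation address ranges; not the record format of the RMX draft.
AUTHORIZED_SENDERS = {
    "example.org": ["192.0.2.0/24"],
    "example.net": ["198.51.100.25/32", "2001:db8:25::/48"],
}

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^<>\s]*)>", re.IGNORECASE)


def sender_authorized(client_ip, domain, table=AUTHORIZED_SENDERS):
    """Return True/False if the domain publishes a list, None if it does not."""
    networks = table.get(domain.lower())
    if networks is None:
        return None
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


class EnvelopeSession:
    """One SMTP session; every policy decision is made before DATA is accepted."""

    def __init__(self, client_ip, table=AUTHORIZED_SENDERS):
        self.client_ip = client_ip
        self.table = table
        self.sender = None          # None until a MAIL FROM has been accepted
        self.recipients = []
        self.reached_data = False   # True once the server has committed to the body

    def handle(self, line):
        line = line.strip()
        verb = line.upper()
        if verb.startswith(("HELO ", "EHLO ")):
            return "250 hello"
        if verb.startswith("MAIL FROM:"):
            return self._mail_from(line)
        if verb.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 need MAIL FROM first"
            self.recipients.append(line.split(":", 1)[1].strip())
            return "250 recipient ok"
        if verb == "DATA":
            if self.sender is None or not self.recipients:
                return "503 need MAIL FROM and RCPT TO first"
            self.reached_data = True
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 bye"
        return "500 command not recognized"

    def _mail_from(self, line):
        self.sender, self.recipients = None, []   # a new MAIL FROM resets the envelope
        match = MAIL_FROM_RE.match(line)
        if not match:
            return "501 bad MAIL FROM syntax"
        path = match.group(1)
        if path == "":
            self.sender = ""        # null reverse-path (bounces): no domain to check
            return "250 sender ok"
        if "@" not in path or path.endswith("@"):
            return "501 bad sender address"
        domain = path.rsplit("@", 1)[1]
        if sender_authorized(self.client_ip, domain, self.table) is False:
            # Refused at the envelope stage: no body is read, scanned or queued,
            # and no bounce has to be generated later.
            return "550 %s is not an authorized sender for %s" % (self.client_ip, domain)
        self.sender = path
        return "250 sender ok"


def run_session(client_ip, commands, table=AUTHORIZED_SENDERS):
    """Feed a command list through one session; return (replies, reached_data)."""
    session = EnvelopeSession(client_ip, table)
    replies = [session.handle(cmd) for cmd in commands]
    return replies, session.reached_data


# Constructed dialogue: the same envelope offered from two different client IPs.
CONSTRUCTED_DIALOGUE = [
    "HELO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7"):
        replies, reached = run_session(ip, CONSTRUCTED_DIALOGUE)
        print(ip, [r[:3] for r in replies], "reached DATA:", reached)
```

Domains that publish no list, and the null reverse-path used by bounces, pass this check unchanged, so it only protects domains that opt in.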
Hadmut Danisch
2003-03-20 18:00:36 UTC
On Wed, Mar 19, 2003 at 09:33:29AM -0800, Hadmut Danisch wrote:
>
> Spam doesn't sell significant numbers of penis enlargement devices.

After hearing Steve Atkins' talk I have to admit that my
assumption was wrong...

Hadmut
Gordon Fecyk - Home
2003-03-23 03:52:29 UTC
> Spam is a business with growing revenue. The small business
> is sending spam. The big business is selling anti-spam-solutions.
> Obviously those, who's business is either one of these, try to prevent
> a simple and effective solution.
>
> The situation is similar to the virus/worm threat: Some parties make
> huge revenues with selling anti-virus-solutions. It would be their
> sudden death if application software and operating systems became
> virus proof. Some of the anti-virus-software manufacturers are
> suspected to viruses themselves in order to keep their business
> alive.

Companies in the Anti-Virus industry are so cut-throat that they can't
afford to spend valuable research dollars actually *writing* viruses.
McAfee got in major deep doo-doo when they tried something like that:

<http://vmyths.com/rant.cfm?id=279&page=4>

Whether McAfee actually wrote a virus or not isn't relevant. The relevance
comes from Symantec outright accusing McAfee of doing so. And Symantec
isn't any better:

<http://vmyths.com/rant.cfm?id=282&page=4>

As many of the same companies produce anti-spam software, I don't believe
they can afford to do anything stupid, like sell, produce, develop or even
sponsor spamming in the name of selling more anti-spam software. They would
pounce on each other so hard you'd hear it from Tuktoyaktuk, never mind
anywhere on the Internet.

Besides, I'm not having delusions that we can come up with anti-spam
solutions that would eliminate something from these companies. I for one am
interested in solving a particular problem. Others are interested in
solving other particular problems, and I wish them all good luck.

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/***@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>