why IPv6 isn't ready for prime time, SMTP edition
Barry Shein
bzs at world.std.com
Sun Mar 30 17:59:35 UTC 2014
On March 29, 2014 at 23:26 owen at delong.com (Owen DeLong) wrote:
>
> On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs at world.std.com> wrote:
>
> >
> > On March 29, 2014 at 08:28 owen at delong.com (Owen DeLong) wrote:
> >>> So if a spammer or junk mailer could, say, trick you into accepting
> >>> mail in those schemes then they get free advertising, no postage
> >>> anyhow.
> >>
> >> Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising.
> >
> > I dunno, but they trick people all the time, isn't that what the
> > entire phishing industry is based on?
> >
> > I guess the real point is that this idea that one would be sorting
> > through their email saying don't charge for this one I want it, charge
> > for this one, I don't, etc is not a good idea.
>
> I was envisioning a system more where you white-listed your known contacts up front,
> then only needed to say “refund this one and add to white-list” or “refund this one” when
> confronted with one that wasn’t already white-listed that you didn’t feel was spam.
Introducing a refunding system adds a lot of complexity for not much
advantage.
Think through the mechanics of this whitelisting system, i.e., the
bookkeeping and msgs back and forth.
(eliding some stuff we mostly agree on)
> >
> > What about the costs of anti-spam technology? And all the other
> > problems spam incurs? I thought that's why we were here.
>
> Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?
What about the "attention" costs, when nobody for example looks at an
Amazon mail or even a useful msg from their bank because they're too
busy deleting everything that isn't absolute top-priority (like from a
relative or lover.) They're just swamped.
Anyhow, I guess either spam is a big problem or it isn't.
Everything I say is based on the premise that spam is a big problem.
If it isn't then we are truly wasting our time here.
>
> >> Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
> >
> > My whole point is I don't WANT to have a definition of spam, except as
> > a bad memory.
> >
> > I'm trying to figure out how to change the ecology/economics so spam
> > is difficult, a minor problem.
>
> I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread.
Well, if you don't see spam as much of a problem then surely most
anti-spam proposals are going to seem too costly, right?
> >
> > That's sort of like saying my car can drive down the road perfectly
> > well with some gasoline etc, why do I need to pay taxes for police?
>
> I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing.
>
> Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”?
Maybe I haven't had enough coffee yet but I truly don't understand
what you're asking here.
> >
> > Recipients wouldn't pay in my scheme.
>
> OK, turn it around and you aren’t paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either.
You must live in some low-density population area, here in Boston the
letter carriers won't take outgoing mail. I tried one day and the guy
just sneered "put it in a box, that's all I'd do with it!"
Obviously there are people emptying those mailboxes but it's...where
are we going with this?
>
> > If you mean that legitimate senders have to pay and somehow recover
> > that cost, well, we all pay for police and other security. Security is
> > often like that. When you pay for a prison you pay to house prisoners,
> > any benefit to you is at best abstract (they're not on the streets
> > etc.)
>
> I don’t pay the USPS any separate taxes to support the postal inspectors. That’s rolled up into the postage.
>
> >> Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.
> >
> > This is probably getting off-track, but are you sure about that with
> > the USPS?
>
> Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell you to throw it away. I don’t pay anything for that, either.
Ok, nothing stops you in this scheme from returning an email to the
sender. Maybe it could even be made free, probably just like any
Mailer-Daemon bounce.
What I don't think is a good idea is the sender getting their postage
back. That's a lot of bookkeeping and I don't see any reason to
bother.
>
> If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply mechanisms), I’ll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, etc. can also be effective candidates). I’ve only used this tactic a few times, but it’s never taken more than two heavy replies to get the flow of crap to stop abruptly.
I believe the USPS now throws those away. The return postage only
covers a first-class letter or whatever.
>
> > You can mark it NSA (no such addressee) or NFA (no forwarding address)
> > or NSA/NFA or even put a forwarding address which may or may not do
> > anything since the recipient is supposed to set that up with the post
> > office (e.g., when they move.)
>
> Yep. They’ll take it back and either forward it if they can or send it to the dead letter office.
If it's first-class mail, that's one reason first-class costs more.
>
> > But I never heard of taking all my junk mail for example and handing
> > it back to a letter carrier saying "Here, I don't want this!" I think
> > they'd say "throw it in the trash!”
>
> Specifically doesn’t work with third-class and bulk. They are the only exceptions.
Big exception since that's almost all of what bulk paper mailers use!
> > "Related to that transaction"? Is that in CAN-SPAM? Where did that
> > limitation come from? How is that defined?
>
> Forget current law. I’m talking about the criteria I would want to set if we were to overhaul the system and do this right.
I think it's very important to eliminate any definition of spam from
the system. That's just a rat hole.
You stop spam by making it too expensive for spammers to operate in
any effective manner.
True story:
I remember when I was about 16 years old I went into this place in
Greenwich Village, still there I believe, "The Cafe Wha?". They didn't
serve alcohol so it was someplace a 16 year old could get out of the
rain and hear some live music.
At the door was a guy with a coffee can, "Cover Charge: 25c"
Even way back then 25c wasn't much money, about the price of a couple
of packs of gum.
I asked the guy: Why a 25c cover charge?
He said: It keeps out the riff-raff.
It keeps out the RIFF-RAFF???? 25 CENTS?
He yelled back: YOU'D BE SURPRISED!
Well, surely he knew his business.
We're trying to keep out the riff-raff while not overburdening the
honest.
Maybe I should dub this the "Cafe Wha? Proposal" in their honor.
>
> > You mean when Network Solutions bombards me with email about each new
> > TLD they're violating CAN-SPAM? I never asked for that. I do have some
> > domains with them, I think they're using that for a "legitimate
> > business relationship”.
>
> No, I never brought CAN-SPAM into this, that’s your idea. I’m talking about the criteria that could easily be used to define SPAM consistently in a way that isn’t fuzzy, doesn’t have the problems currently created by CAN-SPAM (a law written by spammers for spammers), etc.
Permission to speak frankly:
You want a moral component, you want this to identify the good from
the bad. You keep coming back to that.
I LONG AGO STOPPED CARING!
I just want the spam to stop.
And I think when you make that leap and let go of the moral or
judgemental aspect solutions start to appear.
I don't want to make better people out of spammers.
I don't want to put them behind bars.
I don't want to punish them.
I don't want to reward the righteous (except by default, less spam!)
I just want to put spammers out of business!
I want to change the ecology so it makes it impossible for them to
operate in any effective manner.
I keep saying "effective" because sure you might get the occasional
spam anyhow, particularly in the beginning as they try to save their
business model, but I want to run them out of town.
>
> > Legitimate businesses (perhaps other than NetSol :-) do tend to
> > restrain themselves and know recipients might get annoyed if they
> > overdo their welcome and opt-out or even block them entirely.
> >
> > An example of the line getting fuzzy is when my frequent flyer sources
> > (airlines etc) constantly hawk credit cards at me under the excuse
> > that I'll get 50,000 free miles or some such. So it sort of sounds
> > related to the frequent flyer program.
>
> And by allowing the user to do one of:
>
> Whitelist the airline
> Accept each message they want (refunded, others airline pays)
> Decline all messages (airline pays)
Whitelist shmitelist.
You're turning this into a two-way system with active feedback which
is EXACTLY what I say is to be avoided.
> You could decide for yourself which messages from the airline you don’t consider SPAM, with the added benefit that you get a small amount of money for each message you don’t actively claim isn’t SPAM.
Easier to just toss the ones you don't want.
Think this thru, you really want to look at each msg and decide if
it's spam or not and if so perform some function...?
Sure, some people do that sometimes, report spam, but really life is
too short.
I say put the spammers out of business.
>
> > But I think they're just hawking Amex cards and getting a commission
> > for each one they sell.
>
> Of course they are, and I would not mark any of those messages as “accepted” and it would cost them for each one they sent.
Active feedback, bookkeeping, unnecessary.
>
> > As I said, I'm trying to come up with a spam-definition-neutral
> > approach.
>
> I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I believe could be more functional.
Ya know, I can't go thru these supposed fundamental flaws one by one,
show they arise from misunderstandings etc, and then come back to "I
believe your approach to be fundamentally flawed".
Doesn't leave me much to respond to.
>
> Ah, but BofA didn’t hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn’t have any liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after them for a refund or avoid using their services in the future.
Actually, that's not true, speak to someone who understands agency law.
BoA might be able to in turn sue them for breaching a contract but BoA
can still be held liable. Those aren't mutually exclusive.
Really, that's agency law 101.
I realize people think about it for a minute and say "that's
ridiculous!" but that's exactly how it works. And why business
liability insurance covers events like that, or should.
Intent is not a factor which tends to be the source of a lot of "folk"
law beliefs like this.
> > Well, there are all sorts of hard cases, but laying it out sometimes
> > surprises people (like, yes you can be held responsible for the
> > actions of a hired bodyguard, even if their behavior was way out of
> > line. They sell insurance for that kind of thing.)
>
> Sure, but the spammers happily cover BofA’s ass contractually and then say “oops” or “we lied” or whatever they have to in order to get BofA off the hook. Then, nobody gets punished and business as usual.
Review agency law.
BoA can be held liable. BoA can in turn sue the spammer, if they like,
to recover.
That avoids precisely what you're suggesting, transferring liability
to a judgement-proof entity.
Yes that can still be done in many cases but not as you describe.
But why are we here exactly?
>
> >>> Maybe something would happen, I can't say for sure.
> >>>
> >>> But I suspect they'd round file it because hey that's BANK OF AMERICA
> >>> not SPAMMERS and you're just a KOOK!
> >>
> >> No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.
> >
> > Well, now we're really just moving the goalpost and changing the
> > scenario.
>
> No, I’m pointing out how organizations like BofA actually do this and you’re talking about some fictitious scenario that doesn’t happen in real life.
>
> Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that’s also why most telco-contracted backhoe operating companies have numbers in their name… Ho-Co #1 cut someone’s fiber, so they sold their substantial assets to Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.
Chapter 13 is personal bankruptcy.
> >
> > Of course it is. If your email won't be accepted without proper
> > postage attached then that's the cost of having your email delivered.
>
> No, that’s a protection racket/extortion scheme.
Oh c'mon, then so is every other situation where you have to pay for
something, including credentials.
Are SSL certs a protection racket/extortion scheme?
>
> > Ok, I think a lot of the rest of this could be answered by:
> >
> > It would be interesting to ask a spammer or ex-spammer what they
> > thought about the scheme.
>
> LoL
I'm serious!
I wouldn't consider investing a dime without talking to some spammers
or ex-spammers of note.
There're a few of them who'd probably be glad to talk for some prison
canteen credits.
--
-Barry Shein
The World | bzs at TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
More information about the NANOG
mailing list