IETF SMTP Working Group Proposal at smtpng.org

batz batsy at vapour.net
Wed Aug 21 20:44:36 UTC 2002


On Wed, 21 Aug 2002, Gary E. Miller wrote:

:Then how do you account for all the lawsuits?  MAPS would love to hear
:you say they have no legal problems.  The CA and WA legislatures that
:passed laws defining and banning spam would love to hear you as well.

The lawsuits were against the solution providers, not against the spammers.
In the few cases where there were lawsuits against spammers, it was 
a civil suit, as there isn't an existing legislative solution that 
spans more than a few jurisdictions. 

California and Washington may seem like important jurisdictions, 
but not compared to .kr, .cn, .ru, .br, .mx, or even .ca.   

:I set up a lot of help desks, online shopping carts, etc.  White lists
:do not work in those roles.  The mail is just too all over the place
:and telling a boss that he is only losing a few orders or losing a
:few customers due to a white list is not an option.

I do IT security incident response for about 60k 
people, 45k hosts, their AV gateways, IDS's and firewalls and
I can assure you, spam is a security problem. Security as
a discipline is uniquely positioned to articulate solutions  
to spam. 

Read the tmda.net site. Read the FAQ and the README files. Mail 
isn't lost, it is queued. See myprivacy.ca for an example of
how it operates. 

The system works as follows:

Sender sends message to recipient.
Recipient's MTA/MUA checks to see if they are a registered recipient.
If yes, mail is delivered.
If no, mail is queued, and a confirmation asking if they are a 
legitimate correspondent is sent to the sender. 
The sender responds with the confirmation ticket, and is whitelisted. 
Queued mail is delivered. 

Now, the confirmation message will also include a policy stating
that UCE, solicitations and all the other crap that people associate
with spam are not to be sent to this address and by returning
this message you accept this policy.

It doesn't matter even if someone comes up with a way to 
autorespond to this message, as if they violate the recipient's
policy, they are committing unauthorized access, theft of 
services, etc. 

What TMDA-like systems do is escalate a problem that engineering
and regular expressions do not have the adequate breadth 
to comprehensively express into a question of policy, where 
the conceptual and legal tools already exist. 

What this doesn't cover is everything that AV gateway filters do, 
but that's another story. 

:Policies do not define crimes, Common Law and Written Law do.

There is a reason why there have to be notices that unauthorized 
access to systems is prohibited in /etc/motd in any government 
system you access. It is so that there is no legal ambiguity 
when someone gets caught hacking and the case shows up in court. 

Ask any CISA, CISSP, computer forensics specialist, or 
anyone else who deals professionally in information security, 
and they will tell you, that if you don't have a policy, you 
will have trouble convincing anyone a crime has been committed. 





--
batz
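
The queue-and-confirm flow described in the message above, as an added Python example that is not part of the original post and is not TMDA's own code. The HMAC-derived confirmation ticket, the class and method names, and the example.org/example.net addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseGate:
    """Queue-and-confirm filter for a single recipient mailbox (hypothetical)."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.whitelist = set()   # confirmed sender addresses
        self.queue = {}          # sender -> list of held message bodies
        self.delivered = []      # (sender, body) pairs handed to the mailbox

    def _ticket(self, sender):
        # Assumption: the ticket is an HMAC over the sender address, so a
        # ticket issued to one address cannot whitelist a different one.
        return hmac.new(self.secret, sender.encode(), hashlib.sha256).hexdigest()

    def receive(self, sender, body):
        """Return ('delivered', None) or ('queued', ticket_or_None)."""
        sender = sender.lower()
        if sender in self.whitelist:
            self.delivered.append((sender, body))
            return "delivered", None
        first = sender not in self.queue
        self.queue.setdefault(sender, []).append(body)  # mail is held, not lost
        # One challenge per unconfirmed sender keeps confirmation traffic
        # down when the envelope sender is forged.
        return "queued", self._ticket(sender) if first else None

    def confirm(self, sender, ticket):
        """Whitelist the sender on a valid ticket; return count of mail released."""
        sender = sender.lower()
        expected = self._ticket(sender)
        if not hmac.compare_digest(ticket.encode(), expected.encode()):
            return 0
        self.whitelist.add(sender)
        held = self.queue.pop(sender, [])
        self.delivered.extend((sender, body) for body in held)
        return len(held)


if __name__ == "__main__":
    gate = ChallengeResponseGate()
    # Constructed sample traffic.
    status, ticket = gate.receive("alice@example.org", "order #1")
    print(status, "challenge sent:", ticket is not None)
    print("released:", gate.confirm("alice@example.org", ticket))
    print(gate.receive("alice@example.org", "order #2"))
```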



