How do you stop outgoing spam?

Dave Crocker dhc2 at dcrocker.net
Tue Sep 10 21:20:18 UTC 2002


Well, it's clear that the real point I was trying to make was entirely 
missed by everyone, so let me try again.

Dealing with problems, by focusing on absolute outbound port control, 
restricts legitimate use, as well as problematic use.  For a group that is 
largely dominated by libertarian thinking, opting for blanket, outbound 
port control is odd.  Very odd.

Security mechanisms can choose between a default-yes or a default-no 
mode.  Choosing to restrict outbound ports is a default-no.  Think of this 
as the difference between democracy and totalitarianism.  You get to do 
things until you try to do something wrong, versus you are not allowed to 
do anything until you first prove that it is ok.

Spamming is a serious problem, and it needs serious responses, but we need 
to be very careful that dealing with the problem does not kill the net.


At 03:34 PM 9/10/2002 -0400, Barry Shein wrote:
>On September 10, 2002 at 10:16 dhc2 at dcrocker.net (Dave Crocker) wrote:
>  > One of the basic problems with discussions about spam control is that it
>  > focuses entirely on spam.  Blocking output SMTP from individual dial-ups
>  > has a serious negative consequence:
>
>Yeah, well, too late, that battle was fought and settled years
>ago. The spammers are driving the standards at this point, not
>reasonable people trying to make things work.

There are no standards for these practices.  There are component 
mechanisms, but no integrated solution that is documented in a standard. 
That's part of the problem.  In reality what is being done is entirely ad 
hoc and inconsistent.  Otherwise we could at least know what will work for 
all "conforming" sites.  And we could migrate everyone over to it.

And, again, let me stress that I am not saying spamming isn't a 
problem.  But rather that dealing with spamming simplistically carries very 
serious side-effects.


>At this point your easy-to-agree-with point is kinda like saying
>   "I pay taxes, I damned well ought to be able to walk any street in any
>    city at any time of the day or night and be safe!"

No.  It is like saying that because there is some street crime, in some 
places, let's make it illegal to walk anywhere, ever.

And it is like saying that because some people make obscene phone calls, 
all phone calls will now be monitored.

That really is what these blanket outbound controls are like.



At 07:40 PM 9/10/2002 +0000, Paul Vixie wrote:
> >          Laptop mobile users cannot use their home SMTP server.
>in the business, we call this "tough noogies."

I had hoped that my reference to wireless hot-spot implications would make 
the scale and import of this approach adequately clear.

That it does not nicely demonstrates why techies must not be in charge of a 
business that makes any claim to serving their customers.

Broad-sweep, large-scale crippling of legitimate activity is not a 
realistic way to deal with a problem, even one as serious as spam.


> >          At best, they must reconfigure for each venue -- goodbye wireless
> > hotspot convenience -- and that is IF they know the SMTP server address for
> > the local access.
>
>i've gotten very good mileage out of ssl-smtp, and out of "port forwarding"
>so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a
>(ssh-borne) tunnel to my home smtp server.

There are always technical solutions that techies can follow.  A more 
relevant question is what it will take for 100 million average users.  As 
everyone on this list knows, the Internet is about scaling.

So it is entirely irrelevant what any one of the people on this list can do 
to make things work.  It is ONLY relevant what the impact is on 100 million 
other folks.  Folks who are not sysadmins.  Folks who cannot constantly 
reconfigure their systems.

And ultimately it does not matter that a particular hack can be propagated, 
such as mapping 25 to a local ssl redirect.

What matters is that the model that leads to that hack is broken even worse 
than spamming, because it says that the way to respond to a problem by some 
folks is to block all folks.  Today, port 25.  Tomorrow -- and in some 
places, today -- all ports except a precious few and even those are mediated.


>be hurt now.  but the design calls for a polite population, and while
>that was true of the internet in 1983, it is absolutely not true today.

Since I never said anything against adding security mechanisms, I'll just 
assume that you missed my point.  In order not to bog down too far on that 
point, let me just ask:

         And the BCP that specifies the "correct" set of technologies, 
configurations, and use is...?

However the danger of going down this path is to miss the larger point 
about the problem with wholesale outbound port blocking.

d/


----------
Dave Crocker <mailto:dave at tribalwise.com>
TribalWise, Inc. <http://www.tribalwise.com>
tel +1.408.246.8253; fax +1.408.850.1850
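The default-yes versus default-no distinction drawn in the post above, worked through as an added example that is not part of the original message or the thread. It models an access provider's edge looking at outbound TCP connection attempts: one policy is the blanket port-25 block the post objects to (only the provider's own relay is reachable), the other lets SMTP out by default and cuts a source off only after it has been seen opening connections to many distinct mail servers. The addresses, the relay, the "distinct destination" threshold and the sample flows are all constructed for illustration, not taken from any real network or from the thread.

```python
from collections import defaultdict

# Constructed sample of outbound TCP connection attempts as an ISP edge might
# log them: (source_ip, dest_ip, dest_port). Addresses come from the RFC 5737
# documentation ranges; none of this is real traffic.
ISP_RELAY = "198.51.100.25"   # the access provider's own mail relay (assumed)
HOME_SMTP = "203.0.113.5"     # a roaming user's home mail server (assumed)
SMTP_PORT = 25


def build_sample_flows():
    """Return the constructed flow list in arrival order."""
    flows = []
    # 192.0.2.10: laptop user submitting mail through their own home server
    flows += [("192.0.2.10", HOME_SMTP, SMTP_PORT)] * 3
    flows.append(("192.0.2.10", HOME_SMTP, 22))            # ssh session, not mail
    # 192.0.2.11: customer using the provider's relay
    flows += [("192.0.2.11", ISP_RELAY, SMTP_PORT)] * 2
    # 192.0.2.12: host spraying mail at forty unrelated servers (the spam case)
    flows += [("192.0.2.12", f"203.0.113.{i}", SMTP_PORT) for i in range(100, 140)]
    # 192.0.2.13: ordinary web traffic, irrelevant to either policy
    flows.append(("192.0.2.13", "203.0.113.9", 443))
    return flows


def default_no(flows, relay=ISP_RELAY):
    """Blanket outbound port-25 block: a connection to port 25 is permitted
    only if its destination is the provider's relay. Everything else passes.
    Returns one bool per flow (True = allowed), aligned with `flows`."""
    return [port != SMTP_PORT or dst == relay for (_src, dst, port) in flows]


def default_yes(flows, distinct_dest_limit=10):
    """Permit outbound SMTP by default; a source loses port 25 only once it
    has opened SMTP connections to more than `distinct_dest_limit` distinct
    destinations. The limit is an illustrative assumption, not a recommendation.
    Returns one bool per flow (True = allowed), aligned with `flows`."""
    seen = defaultdict(set)          # source -> set of SMTP destinations seen
    decisions = []
    for src, dst, port in flows:
        if port != SMTP_PORT:
            decisions.append(True)   # non-SMTP traffic is never touched
            continue
        seen[src].add(dst)
        decisions.append(len(seen[src]) <= distinct_dest_limit)
    return decisions


def blocked_by_source(flows, decisions):
    """Count the flows each source had refused under a policy's decisions."""
    counts = defaultdict(int)
    for (src, _dst, _port), allowed in zip(flows, decisions):
        if not allowed:
            counts[src] += 1
    return dict(counts)


def compare_policies(flows=None):
    """Run both policies over the same flows and report who got blocked."""
    flows = build_sample_flows() if flows is None else flows
    return {
        "default_no": blocked_by_source(flows, default_no(flows)),
        "default_yes": blocked_by_source(flows, default_yes(flows)),
    }


if __name__ == "__main__":
    for policy, blocked in compare_policies().items():
        print(f"{policy}: blocked flows per source -> {blocked}")
```

Under the blanket block the roaming user's three submissions to their own server are refused alongside all forty of the spraying host's, while the default-allow policy refuses nothing from the roaming user and still stops the spraying host after its tenth distinct destination. The point the model makes visible is the cost side of the first policy: the legitimate source is blocked because of its port, not because of anything it did.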




More information about the NANOG mailing list