[Re: Fun new policy at AOL]

joshua sahala joshua.ej.smith at usa.net
Wed Nov 12 01:47:42 UTC 2003

"Dr. Jeffrey Race" <jrace at attglobal.net> wrote:
> The proposal at <http://www.camblab.com/misc/univ_std.txt> provides that
> mail from compromised sources shall be rejected.  This forces the host 
> sysadmin to secure his system if he wants to communicate with the rest 
> of the internet.   Presently the penalty for negligence is borne by the
> victim, not the perpetrator.   The unique aspect of the proposal is to
> attach consequences to actions, a principle which is used everywhere in
> society except the Internet.
> Jeffrey Race

i'm still curious to know how this mail will be automagically rejected...
is there a black list of compromised hosts (beyond the black lists that
already exist) that i don't know about?  if so, i would love to be able
to use it

i'm sorry dr race, but i still do not see much in your proposal (no 
matter how many times you submit it to the list) that i cannot already
do, or that is not already being done (albeit not universally), but if 
you cannot compel someone to behave a certain way with current laws and
best practices, a new law/best practice will not mean much.  spammers 
will hijack/infect new computers, the blocklists will grow larger and
larger, vendors will release insecure operating systems, etc, etc, etc

arbitrary black/white-lists are a mildly effective method of combatting
spam now, but not everyone has one.  not everyone has their own 
bayes-based filter on their servers.  you can try to make the 
'perpetrator' pay, but, as microsoft will tell you, not even big cash awards
will help you.  you still end up punishing the often ignorant end
user, and they don't really learn how to do it better, even if they do
manage to patch up a level or two.

spam is big money - consumerism is big money - bad operating systems are
big money - user stupidity is often more painful for the tech support rep
than the [l]user

my solution?  education of the end user would be a good place to start.
securing their 'favorite' o/s would be another.  neither however, is a
function of the service provider.  we all spend a lot of time chasing
down hackers and spammers already, then we get to do the rest of our 
'normal' work.

my $0.02

* and yes, i just put on my flame-retardant suit ;)

**i wonder what the probabilities are regarding your emails - every one
contains the same link...maybe when i get my new server setup and 
trained, i will find out

"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
