Points on your Internet driver's license (was RE: Even you can

Etaoin Shrdlu shrdlu at deaddrop.org
Sun Jun 13 19:11:59 UTC 2004


[edited to fix top posting; snipped for bandwidth]

John Curran wrote:
> At 4:50 PM +0000 6/13/04, Paul Vixie wrote:
> >owen at delong.com (Owen DeLong) writes:
> >
> >> Perhaps what is needed is a reporting agency, similar to the credit
> >> reporting agencies, where ISPs can register chronic problem-customers.
> >> Eventually, your internet credit rating deteriorates to the point that no
> >> ISP will offer you service.
> >
> > ... the reason the above analogy fails to hold ... is that credit
> > reporting agencies have an established standard
> >for what "bad" is -- days overdue on payments.

True enough, but there is even a more important point on credit agencies,
one I suspect applies here as well. Credit agencies can show that you have
good to excellent credit, and they certainly show many of those that don't,
but they cannot protect against anyone who is willing to break the law.
Identity theft is all about masquerading as someone with good credit
(spoofing).

>    Actually, credit agencies don't have a single standard for what
>    "bad" is; they are obligated to only keep factual data (as can
>    be best determined) in the files.   When you cause a credit
>    report to be checked, one or more algorithms are used to
>    score your credit, but the algorithm used is up to the particular
>    inquirer and credit bureau.

In addition, they are known to keep inaccurate data, and it is HARD to
correct inaccurate data (think various DNS/Email blacklists here). They
also don't have all the data. Do you rent or lease an apartment? Whether or
not you pay on time is not sent in. Evictions may or may not be sent in.
They're called "Credit" bureaus for a reason. The data they keep is narrow.

>    It's not that hard to make this one work for spammers, but you
>    need some key pieces to all be in place:

It'll be very hard, and there's no good business model for doing so. If
you're proposing yet another SORBS or MAPS, please don't. Otherwise, you
have to decide how someone can profit from maintaining this data. I don't
know about the others, but I can GUARANTEE that the profit margin within
Experian (formerly known as TRW) is very, very, very slim. If it's slim for
someone successful, how do you propose that the business model for this
will work?

>    ... Spammers already figured out
>         that some ISPs do D&B credit checks, and have gotten
>         very good at appearing as a new "startup" a week later.

Absolutely. Just like criminals visit graveyards and county records,
spammers and other miscreants are happy to create new, fake identification,
and don't really care if they have to keep doing it. The real problem is,
how do you make the business model of spamming unproductive?

--
Life at university, with its intellectual and inconclusive discussions
at a postgraduate level is on the whole a bad training for the real
world. Only men of very strong character surmount this handicap. 
                        (Paul Chambers)



More information about the NANOG mailing list