Problems sending mail to yahoo?

Rich Kulawiec rsk at
Mon Apr 14 03:48:31 UTC 2008

On Sun, Apr 13, 2008 at 08:04:12PM -0400, Barry Shein wrote:

A number of things that are true, including:

> I say the core problem in spam are the botnets capable of delivering
> on the order of 100 billion msgs/day.

But I say the core problem is deeper.  Spam is merely a symptom of an
underlying problem.  (I'll admit that I often use the phrase "spam
problem" but that's somewhat misleading.)

The problem is pervasive poor security.  Those botnets would not exist
were it not for nearly-ubiquitous deployment of an operating system that
cannot be secured -- and we know this because we've seen its own vendor
repeatedly try and repeatedly fail.  But a miserable excuse for an OS is
just one of the causes; others have been covered by essays like Marcus
Ranum's "Six Dumbest Ideas in Security", so I won't attempt to enumerate
them all.

That underlying security problem gives us many symptoms: spam, phishing,
typosquatting, DDoS attacks, adware, spyware, viruses, worms, data
loss incidents, web site defacements, search engine gaming, DNS cache
poisoning, and a long list of others.  Dealing with symptoms is good:
it makes the patient feel better.  But it shouldn't be confused with
treatment of the disease.  Even if we could snap our fingers and stop
all spam permanently tomorrow (a) it wouldn't do us much good and
(b) some other symptom would evolve to fill its niche in the abuse ecosystem.

A secondary point that actually might be more important:

We (and I really do mean 'we" because I've had a hand in this too)
have compounded our problems by our collective response -- summed up
beautifully on this very mailing list a while back thusly:

	If you give people the means to hurt you, and they do it, and
	you take no action except to continue giving them the means to
	hurt you, and they take no action except to keep hurting you,
	then one of the ways you can describe the situation is "it isn't
	scaling well".
		--- Paul Vixie on NANOG

We need to hold ourselves accountable for the security problems in
our own operations, and then we need to hold each other accountable.
This is very different from our strategy to date -- which, I submit,
has thoroughly proven itself to be a colossal failure.


More information about the NANOG mailing list