Problems sending mail to yahoo?
jgreco at ns.sol.net
Mon Apr 14 04:06:33 UTC 2008
> On Sun, Apr 13, 2008, Joe Greco wrote:
> > I believe this is functionally equivalent to the "block 25 and consider
> > SMTP dead" FUSSP.
> > It's worth noting that each "newer" system is being systematically attacked
> > as well. It isn't really a solution, it's just changing problem platforms.
> > The abuse remains.
> Yes, but the ownership of the problem is better defined for messages -inside-
> a system.
> If you've got tens of millions of users on your IM service, you can start
> using statistical techniques on your data to identify likely spam/ham,
> and (very importantly) you are able to cut individual users off if they're
> doing something nasty. Users can't "fake" their identity like they can
> with email. There's no requirement for "broadcasting" messages a la email
> lists (which btw is touted as one of those "things that break" when various
> anti-spam verify-sender proposals come up.)
> Besides - google has a large enough cross section of users' email to do
> these tricks. I'd love to be a fly on the wall at google for just this
> reason ..
Few of these systems have actually been demonstrated to be invulnerable
to abuse. As a matter of fact, I just saw someone from LinkedIn asking
about techniques for mitigating abuse. When it's relatively cheap (think:
economically attractive in excessively poor countries with high
unemployment) to hire human labor, or even to engineer CAPTCHA evasion
systems where you have one of these wonderful billion-node-botnets
available, it becomes feasible to get your message out. Statistically,
there will be some holes. You only need a very small success rate.
The relative anonymity offered by e-mail is a problem, yes, but it is only
one challenge to the e-mail architecture. For example, given a realistic
way to revoke permission to mail, having an anonymous party send you a
message (or even millions of messages) wouldn't be a problem, because you
could stop the flow whenever you wanted. The problem is that there isn't
a commonly available way to revoke permission to mail.
I've posted items in places where e-mail addresses are likely to be
scraped or otherwise picked up and later spammed. What amazed me was
how cool it was that I could actually post a usable e-mail address and
receive comments from random people, and then when the spam began to
roll in, I could simply turn off the address, and it doesn't even hit
the mailservers. That's the power of being able to revoke permission.
The cost? A DNS query and answer anytime some spammer tries to send
to that address. But a DNS query was happening anyways...
The solution I've implemented here, then, has the interesting quality
of moving ownership of the problem of permission within our systems,
without also requiring that all correspondents use our local messaging
systems (bboard, private messaging, whatever) or having to do ANY work
to figure out what's spam vs ham, etc. That's my ultimate reply to
your message, by the way.
Since it is clear that many other networks have no interest in stemming
the flood of trash coming from their operations, and clearly they're
not going to be interested in permission schemes that require their
involvement, I'd say that solutions that do not rely on other networks
cooperating to solve the problem bear the best chance of dealing with
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG