why IPv6 isn't ready for prime time, SMTP edition

Barry Shein bzs at world.std.com
Fri Mar 28 05:31:00 UTC 2014


On March 27, 2014 at 12:14 owen at delong.com (Owen DeLong) wrote:
 > 
 > On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs at world.std.com> wrote:
 > 
 > > 
 > > On March 26, 2014 at 22:25 owen at delong.com (Owen DeLong) wrote:
 > >> 
 > >> Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipient's e-postage account to offset the cost of their emails.
 > >> 
 > >> Thoughts?
 > > 
 > > It's a fine idea but too complicated.
 > > 
 > > Look, the (paper) post office doesn't say "oh, you WANTED that mail,
 > > ok, then we'll return the cost of postage to the sender!"
 > > 
 > > Why? Because if they did that people would game the system, THEY'D
 > > SPAM!
 > 
 > How would they benefit from that?

From what, being able to send free paper mail? I think that would be
considered a benefit by most junk mail advertisers. But see next...

 > SPAM — Pay, say $0.10/message.
 > Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself.
 > Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the
 > original provider keeps the other $0.05.
 > 
 > > And it would take way too much bookkeeping and fraud identification etc.
 > 
 > Please explain in detail where the fraud potential comes in.
 > 
 > By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way.

Well, it's advertising, so they do.

Advertising is a valuable commodity.  Free advertising is particularly
valuable, ROI with I close to zero.

Look, we can get lost in metaphors, but the point is that by the time
the post office gets your mail to your doorstep virtually all the cost
is sunk.

So offering to not charge you because you wanted that mail makes no
sense, right?

 > > Let's take a deep breath and re-examine the assumptions:
 > > 
 > > Full scale spammers send on the order of one billion msgs per day.
 > > 
 > > Which means if I gave your account 1M free msgs/day and could
 > > reasonably assure that you can't set up 1,000 such accts then you
 > > could not operate as a spammer.
 > 
 > Not sure how you enforce these user account requirements or how you avoid duplicative accounts.

If you want to attach e-postage you have to go get some and that can
be a contract which says you don't do that, if you have multiple
accounts you split it among your accounts or buy more. And if you do
what you describe you understand that it is criminal fraud. Click
Agree [ ] before proceeding, or similar.

 > 
 > > Who can't operate with 1M msgs/day?
 > > 
 > > Well, maybe Amazon or similar.
 > > 
 > > But as I said earlier MAYBE THEY SHOULD PAY ALSO!
 > 
 > I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.

That assumes that spam is free for them, and you. Including "free" as
in "stealing your time".

Also, companies like Amazon probably wouldn't mind being able to
out-capitalize spammers and others in competing for your eyeballs.

They could probably put a price on that.

They're well aware that when they send you an email that says that
some new book related to one you bought is available that the ad is
surrounded by dozens if not hundreds of spam messages and likely
you'll delete them all without reading.

So that's already a cost to them in terms of wasted advertising effort
and lost sales.

I'd say we need to ask Amazon et al whether they'd see it as an
economic plus if by paying a small amount of e-postage they could wipe
out or seriously reduce all the chaff?  Would that be a net positive
or net negative to their bottom line?

Although I can certainly understand skepticism about whether this
approach would deliver effectively I don't think the business case,
the dollar value of reducing spam significantly, is disputable.

You'd always rather be the only billboard on the highway rather than
just one in a hundred. Even if it costs you more (obviously up to a
point.)

 > 
 > > We really need to get over the moral component of spam content (and
 > > senders' intentions) and see it for what it is: A free ride anyone
 > > would take if available.
 > 
 > I disagree. I see it as a form of theft of service that only immoral thieves would take if available.

How can it be a theft of service if we're not charging anything?

Well, if they use others' resources it's a theft of those resources,
such as botnets, is that what you mean?

But by morality I mean that we tend to define spam in terms of
generally agreed to be undesirable email content such as questionable
herbal cures or other apparent fraud or near-fraud -- I dunno, maybe
someone hiring a spammer really believes their herbal hair re-growth
tonic works.

I assert that the line is getting fuzzier all the time.

Even if the product is completely legitimate and maybe there's some
business relationship someone can draw it doesn't mean I like being
pummeled with hundreds of ads per day (some of that is projection,
remember.)

But, just as importantly, the people who want to send me an ad would
like to see me pummeled with less junk so maybe I pay attention to
their ad or communication.

Heck, I already almost never read email from what appears to be my
bank because it's just too much time and effort to verify that it's
legitimate.

It'd be just as much effort under this, perhaps, but at least maybe I
won't feel like I'm desperately trying to sort through 300 msgs that
came in while I was asleep.

 > > Ok, a million free per acct might be too high but whatever, we can all
 > > go into committee and do studies and determine what the right number
 > > should be.
 > > 
 > > I'd tend towards some sort of sliding scale myself, 100K/day free,
 > > 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like
 > > that.
 > > 
 > > Why would it work?
 > > 
 > > Because that's how human society works.
 > > 
 > > People who are willing to pay their $10K/mo will demand something be
 > > done about freeloaders, enforcement has to be part of the cost
 > > overhead.
 > 
 > But who charges these fees and how do they enforce those charges against miscreants that are sending from stolen hosts, bots, fraudulent IP addresses, etc.?

I think it would have some parallels to selling SSL certificates, as a
business model.

Sending from stolen hosts etc doesn't help them unless they have also
broken into your e-postage stash.

Which might happen of course but at that point we've reduced it to
something like using your user SSL cert.

For example if you had to enter a passphrase (other methods are
possible) to enable mail sending with e-postage from your email
client, to decrypt your e-postage cert, then they'd have to get into
that also, not just use your cycles.

That's possible but it's another hill for them to climb.

Since you probably would value your e-postage at the very least there
should be a little widget on your screen (or similar) with something
like you have used 323 out of an allocation of 300,000 this month and
if that suddenly says 32,323 out of 300,000 and you can't imagine why
maybe you'll do something, call someone, some recommended response
could be laid out like if that's way out of line then click here.

That's not that different from how modern Windows systems pop-up a
dialogue which says "XYZ wants to use administrator privilege to
install software".

That is, encourage the user to be aware of how much email they are
sending and give them some reasonable course of action if something
doesn't look right.

Think of bandwidth caps on mobile phones. If you hit your cap and you
don't have a clue why you become interested. If it's due to a virus or
similar, even a misbehaving app you downloaded (it happens), you are
interested because you're now being charged for bandwidth or whatever
happens when you exceed your cap.

One reason few are currently interested in their system being botted
is because they don't hit a cap, nothing really happens. And there's
certainly little support infrastructure to help them fix the problem.

If there was some money on the table, like with mobile phone caps,
then perhaps there would be some infrastructure for that.

Right now there's just excuses from ISPs et al that if someone gets
botted oh well, block them or something, or in many cases do nothing
because you don't want to annoy a paying customer and it just would
increase your support costs when they call demanding to speak to
someone.

If there were a profitable e-postage infrastructure whose livelihood
depended on all this working then maybe that wouldn't be the case.

 > 
 > > And it'd create an economy for hunting down miscreants.
 > 
 > So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
 > 
 > My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.

I think you're skipping the point about how they'd have to
successfully attach e-postage to every piece of email they sent from
your system.

So it's not the resources, it's the authorization which we're trying
to control.

Right now every piece of email they send from your botted system is
the same as any email you'd send.

If there were some sort of e-postage system with some basic security
and tracking that becomes much more difficult for the spammer.

Or they can use your system to send out a million msgs with no
e-postage which, one hopes, will be rejected by receiving systems
without delivery, much like fraudulent DKIM or SPF credentials.

Which, one hopes, won't be profitable for them any more.

 > 
 > > P.S. And in my vision accepting only email with valid e-postage would
 > > be voluntary though I suppose that might be "voluntary" at the
 > > provider level. For example someone like gmail at some point (of
 > > successful implementation of this scheme) might decide to just block
 > > invalid e-postage because hey your gmail acct is free! Let someone
 > > else sell you rules you prefer like controlling acceptance of invalid
 > > e-postage yourself.
 > 
 > Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.

I agree, but I hope my efforts indicate it's not entirely half-baked
or off the cuff.

I don't think it's inherently much more difficult than the SSL
certificate ecology though it has some differences.

And it introduces some actual economy in fighting fraud because fraud
becomes more like counterfeiting money or real life postage stamps,
someone loses money, someone is getting a free ride, and there's money
at that point to investigate and prosecute just like we do with
counterfeiting.

One problem with the current anti-spam economy is that it doesn't
particularly encourage fighting spam. If someone makes a living
selling anti-spam software or appliances the sudden and complete
disappearance of spam is not really good news, unless it's entirely
due to their product. But I mean putting spammers out of business
big-time.

In my model it is good news, it means the model is working so keep
buying that e-postage because it's the only thing keeping the
barbarians outside the gates.

 > 
 > Owen
 > 

-- 
        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*


