why IPv6 isn't ready for prime time, SMTP edition

Barry Shein bzs at world.std.com
Fri Mar 28 21:15:25 UTC 2014


On March 28, 2014 at 00:06 owen at delong.com (Owen DeLong) wrote:
 > > Advertising is a valuable commodity.  Free advertising is particularly
 > > valuable, ROI with I close to zero.
 > 
 > But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free.

I thought the suggestion was that a recipient (email, or by analogy
postal) could indicate they wanted an email which would cancel the
postage attached, that is, no charge to sender if they wanted it.

So if a spammer or junk mailer could, say, trick you into accepting
mail in those schemes then they get free advertising, no postage
anyhow.

We're getting lost in the metaphors methinks.

 > 
 > > So offering to not charge you because you wanted that mail makes no
 > > sense, right?
 > 
 > But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.

FIRST: There's a typo/thinko in my sentence!

Should be:

  So offering to not charge THE SENDER because THE RECIPIENT wanted
  that mail makes no sense, right?

SECOND:

In response, someone has to scale resources to match volume.

But maybe my typo/thinko confused this because you know that, sorry.

 > 
 > This is an effort to provide a financial disincentive for spamming.

Did I say that or you? I agree!

Possibly with myself. Which judging by my just previous comments is
not always a given.

 > > If you want to attach e-postage you have to go get some and that can
 > > be a contract which says you don't do that, if you have multiple
 > > accounts you split it among your accounts or buy more. And if you do
 > > what you describe you understand that it is criminal fraud. Click
 > > Agree [ ] before proceeding, or similar.
 > 
 > Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?

I'm trying to create an economics around enforcement.

But it's helpful to convince the relatively honest public that what
you describe is a serious crime tantamount to counterfeiting.

And we don't want to be in a situation like we were in 1996 where we
were debating whether Spam is even a crime.

Enforcement is your usual avoidance, detection, recovery, sort of
affair. But there has to be an economics pushing it or it gets mostly
ignored (except for people complaining about spam.)

Compare and contrast for example spamming vs RIAA style enforcement of
copyright violations.

Spamming? The occasional shutdown of a botnet tho those may be more
motivated by DDoS and phishing.

Copyright? Megaupload, wham, Bit torrents, wham, site takedowns, RIAA
lawsuits, wham wham wham. Lawyers, guns, and money.

What's the difference? Clear monied interests in the latter.

 > 
 > >>> Who can't operate with 1M msgs/day?
 > >>> 
 > >>> Well, maybe Amazon or similar.
 > >>> 
 > >>> But as I said earlier MAYBE THEY SHOULD PAY ALSO!
 > >> 
 > >> I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
 > > 
 > > That assumes that spam is free for them, and you. Including "free" as
 > > in "stealing your time”.
 > 
 > No, it assumes that most of the messages I get from Amazon are NOT SPAM.

And I'm arguing we need to change our attitudes on this.

This whole idea that because the recipient wants it it isn't "spam" is
wearing thin.

Just like my analogy with the post office, they wouldn't deliver mail
for free just because the recipient wanted it.

It's a fundamentally broken idea and spam is its bastard offspring.

 > The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.

The vast majority of paper mail I get from my bank accounts is useful
and informative and often legally important.

But every one of them has postage attached.

But maybe there could be some way to reverse charges like you can with
fedex and similar.

When you sign up with Amazon et al you also enter your (free)
e-postage cert (whatever, some cookie) giving them permission to
charge against it for some list of mutually agreeable emailings like
order confirms and maybe even marketing materials.

There are some implementation details involved but it doesn't strike
me as a crazy idea.

 > 
 > >>> We really need to get over the moral component of spam content (and
 > >>> senders' intentions) and see it for what it is: A free ride anyone
 > >>> would take if available.
 > >> 
 > >> I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
 > > 
 > > How can it be a theft of service if we're not charging anything?
 > 
 > I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.

Do you mean sending (making you a bot) or receiving spam?

I'm saying the notion of who you did authorize to send you email is
getting fuzzier and fuzzier and may no longer be a completely useful
distinction.

That should have been predictable. Create a fuzzy hurtle and it will
get hurtled.

Accept that "it's not spam if I have a business relationship with the
sender" and that "business relationship" definition will get
stretched.

For example, Buy an auto insurance policy from Liberty Mutual and you
just gave permission for every Liberty Mutual insurance agent in the
world to hawk you life insurance, home owner's insurance, etc etc etc.
over email.

I don't think merely tightening the definition fixes that.

Money talks, bull**** walks.

The main reason dump trucks filled with paper mail don't back up to
your house every morning is because that would cost the SENDERs too
much real money, so they have to focus and target.

But email? That's free, for all practical purposes.

 > > Well, if they use others' resources it's a theft of those resources,
 > > such as botnets, is that what you mean?
 > 
 > Botnets, my mail server, my disk storage, my network, etc. where my mail is processed… All of the above.
 > 
 > > But by morality I mean that we tend to define spam in terms of
 > > generally agreed to be undesirable email content such as questionable
 > > herbal cures or other apparent fraud or near-fraud -- I dunno, maybe
 > > someone hiring a spammer really believes their herbal hair re-growth
 > > tonic works.
 > 
 > I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.

Yeah, well, if you ever get an unexpected email (truly) from Bank of
America for example offering great CD rates and can't imagine why they
sent it have a ball calling the FTC and filing a CAN-SPAM violation.

Maybe something would happen, I can't say for sure.

But I suspect they'd round file it because hey that's BANK OF AMERICA
not SPAMMERS and you're just a KOOK!

Extrapolate to any company the FTC has heard of and respects.

That's what I mean by a moralistic component.

But if BoA was fudging their postal meters and the post office noticed
it'd be Book 'Em Dan-O before the next commercial break.

 > 
 > > I assert that the line is getting fuzzier all the time.
 > 
 > Yep. If you try to define it on content, the fuzz grows out of control.
 > 
 > > Even if the product is completely legitimate and maybe there's some
 > > business relationship someone can draw it doesn't mean I like being
 > > pummeled with hundreds of ads per day (some of that is projection,
 > > remember.)
 > 
 > If you ask the sender to stop and they don’t, then their further messages are SPAM.

In theory.

Ever try to enforce that if you got a subsequent email?

Particularly against a well known company?

No. Because no one has even tried (oh there must be one I suppose.)

 > If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.

I've read CAN-SPAM.

 > 
 > > But, just as importantly, the people who want to send me an ad would
 > > like to see me pummeled with less junk so maybe I pay attention to
 > > their ad or communication.
 > 
 > The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is in your definition of “junk” vs. their definition of “junk”.

Well, the difference I'm advocating is that Amazon (e.g.) can pay real
do-re-mi for postage, the spammers can't.

Beyond that I don't really need a definition of "spam" per se, at
least that's what's hoped.

We the people just have to make sure that anyone sending me an email
follows the e-postage rules.

No spammer can afford to pay even minimal e-postage.

The best they can hope for is to fraud any e-postage system.

Viola, it removes the moral judgement component of whether or not I
really wanted this email.

Or reduces the issue probably into the noise.

(some elision...)

 > >> 
 > >> So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
 > >> 
 > >> My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
 > > 
 > > I think you're skipping the point about how they'd have to
 > > successfully attach e-postage to every piece of email they sent from
 > > your system.
 > 
 > Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?

I think we can make that too difficult.

But at least we'd have a trail in that case, like when the user's
e-postage meter runs out and they can't send any more email this month
and might pursue that if unexpected.

 > 
 > > 
 > > So it's not the resources, it's the authorization which we're trying
 > > to control.
 > > 
 > > Right now every piece of email they send from your botted system is
 > > the same as any email you'd send.
 > 
 > I’m not really seeing how this would make a difference in that.

Make it difficult to use your e-postage meter even if they get some
(virus) software on to your system.

For example, maybe you have to enter a passphrase to enable the
e-postage meter with an idle-timeout, or any similar method, we've all
seen many.

Heck you could use a USB or similar dongle which has to be plugged in
to send email.

Sure, people would leave them in, until their e-postage meter was run
out unexpectedly and they can't send any more email for the rest of
the month, or actually would have to buy further allocation for real
$$$.

 > 
 > > 
 > > If there were some sort of e-postage system with some basic security
 > > and tracking that becomes much more difficult for the spammer.
 > 
 > Given how most bots become bots, I tend to doubt it. They just have to
 > keystroke log your MUA in a two-step process instead of the one-step
 > process of days of yore.
 > 
 > Further, since they’re sending lots and lots of the same spam with identical
 > envelope contents and the only differences are in the SMTP exchange, not the
 > internal contents of the envelope, a replay attack against the same postage
 > would seem pretty trivial.

But now it's running down your e-postage meter.

And it's positively id'd on the receiving end, it has your e-postage
meter id on it.

It does add a lot of hoops to jump through and evade.

 > 
 > > 
 > > Or they can use your system to send out a million msgs with no
 > > e-postage which, one hopes, will be rejected by receiving systems
 > > without delivery, much like fraudulent DKIM or SPF credentials.
 > > 
 > > Which, one hopes, won't be profitable for them any more.
 > > 
 > >> 
 > >>> P.S. And in my vision accepting only email with valid e-postage would
 > >>> be voluntary though I suppose that might be "voluntary" at the
 > >>> provider level. For example someone like gmail at some point (of
 > >>> successful implementation of this scheme) might decide to just block
 > >>> invalid e-postage because hey your gmail acct is free! Let someone
 > >>> else sell you rules you prefer like controlling acceptance of invalid
 > >>> e-postage yourself.
 > >> 
 > >> Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.
 > > 
 > > I agree, but I hope my efforts indicate it's not entirely half-baked
 > > or off the cuff.
 > 
 > Intrigued, but not convinced.

That's progress!

And I thank you! Many in this community hear the word "e-postage" and
just mentally shut down.

 > 
 > Owen
 > 

-- 
        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*



More information about the NANOG mailing list