why IPv6 isn't ready for prime time, SMTP edition

Owen DeLong owen at delong.com
Sat Mar 29 15:28:32 UTC 2014


On Mar 28, 2014, at 2:15 PM, Barry Shein <bzs at world.std.com> wrote:

> 
> On March 28, 2014 at 00:06 owen at delong.com (Owen DeLong) wrote:
>>> Advertising is a valuable commodity.  Free advertising is particularly
>>> valuable, ROI with I close to zero.
>> 
>> But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free.
> 
> I thought the suggestion was that a recipient (email, or by analogy
> postal) could indicate they wanted an email which would cancel the
> postage attached, that is, no charge to sender if they wanted it.

Yes, but you’d have to say “I wanted this” effectively after receiving and opening the mail, knowing what was inside, not before.

> So if a spammer or junk mailer could, say, trick you into accepting
> mail in those schemes then they get free advertising, no postage
> anyhow.

Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising.

> We're getting lost in the metaphors methinks.

I don’t think so, I think we’re having differing visions of how it would work in detail.

>>> So offering to not charge you because you wanted that mail makes no
>>> sense, right?
>> 
>> But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
> 
> FIRST: There's a typo/thinko in my sentence!
> 
> Should be:
> 
>  So offering to not charge THE SENDER because THE RECIPIENT wanted
>  that mail makes no sense, right?
> 
> SECOND:
> 
> In response, someone has to scale resources to match volume.
> 
> But maybe my typo/thinko confused this because you know that, sorry.

Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.

>> This is an effort to provide a financial disincentive for spamming.
> 
> Did I say that or you? I agree!
> 
> Possibly with myself. Which judging by my just previous comments is
> not always a given.

I said it, but I’m glad we are in agreement.

>>> If you want to attach e-postage you have to go get some and that can
>>> be a contract which says you don't do that, if you have multiple
>>> accounts you split it among your accounts or buy more. And if you do
>>> what you describe you understand that it is criminal fraud. Click
>>> Agree [ ] before proceeding, or similar.
>> 
>> Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?
> 
> I'm trying to create an economics around enforcement.
> 
> But it's helpful to convince the relatively honest public that what
> you describe is a serious crime tantamount to counterfeiting.

Yes, that would be very helpful.

> And we don't want to be in a situation like we were in 1996 where we
> were debating whether Spam is even a crime.

Sadly, we seem to be in a situation where we have no good legal definition of
the crime and where the criminal definition of SPAM has been so badly watered
down by regulators as to neuter any attempts to regulate it out of existence or
prosecute it criminally.

Worse, even if it is a crime in jurisdiction A, it becomes very difficult to prosecute
a spammer in jurisdiction B for sending SPAM to a recipient in jurisdiction A.

> Enforcement is your usual avoidance, detection, recovery, sort of
> affair. But there has to be an economics pushing it or it gets mostly
> ignored (except for people complaining about spam.)

Yep.

> Compare and contrast for example spamming vs RIAA style enforcement of
> copyright violations.

I would not say that RIAA is the shining example to emulate, but, yes for this
particular concept, I think you have the right idea.

>> No, it assumes that most of the messages I get from Amazon are NOT SPAM.
> 
> And I'm arguing we need to change our attitudes on this.
> 
> This whole idea that because the recipient wants it it isn't "spam" is
> wearing thin.

Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.

> Just like my analogy with the post office, they wouldn't deliver mail
> for free just because the recipient wanted it.

That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.

>> The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
> 
> The vast majority of paper mail I get from my bank accounts is useful
> and informative and often legally important.
> 
> But every one of them has postage attached.

Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don’t want to start double-paying for spam (or legitimate email for that matter).

Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.

>> I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
> 
> Do you mean sending (making you a bot) or receiving spam?

Receiving.

> I'm saying the notion of who you did authorize to send you email is
> getting fuzzier and fuzzier and may no longer be a completely useful
> distinction.

How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record.
If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record.
If I checked the box to receive other emails from you, then you have that permission on record.
If you don’t have my permission on record, then you don’t have my permission. Seems pretty simple and clear and predictable to me.

Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your “permission fee” is refunded. OTOH, if I say “no”, then you don’t get your money back.

> That should have been predictable. Create a fuzzy hurdle and it will
> get hurdled.

I’m not seeing the fuzziness you claim is present.

> Accept that "it's not spam if I have a business relationship with the
> sender" and that "business relationship" definition will get
> stretched.

See above. I have a _MUCH_ narrower definition of what should be accepted.

> For example, Buy an auto insurance policy from Liberty Mutual and you
> just gave permission for every Liberty Mutual insurance agent in the
> world to hawk you life insurance, home owner's insurance, etc etc etc.
> over email.

No, I didn’t.  See above.

>> I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.
> 
> Yeah, well, if you ever get an unexpected email (truly) from Bank of
> America for example offering great CD rates and can't imagine why they
> sent it have a ball calling the FTC and filing a CAN-SPAM violation.

If such a thing happened and it actually came from BofA, then, yes, it would.

However, BofA is smart enough to keep such SPAMvertising at arm’s length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.

> 
> Maybe something would happen, I can't say for sure.
> 
> But I suspect they'd round file it because hey that's BANK OF AMERICA
> not SPAMMERS and you're just a KOOK!

No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.

> Extrapolate to any company the FTC has heard of and respects.

Really more a matter of how those companies keep their SPAM at arm’s length and circumvent the intent of the law than their reputation with the FTC.

> That's what I mean by a moralistic component.
> 
> But if BoA was fudging their postal meters and the post office noticed
> it'd be Book 'Em Dan-O before the next commercial break.

Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can’t really avoid that.

But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn’t.

> 
>> 
>>> I assert that the line is getting fuzzier all the time.
>> 
>> Yep. If you try to define it on content, the fuzz grows out of control.
>> 
>>> Even if the product is completely legitimate and maybe there's some
>>> business relationship someone can draw it doesn't mean I like being
>>> pummeled with hundreds of ads per day (some of that is projection,
>>> remember.)
>> 
>> If you ask the sender to stop and they don’t, then their further messages are SPAM.
> 
> In theory.
> 
> Ever try to enforce that if you got a subsequent email?
> 
> Particularly against a well known company?
> 
> No. Because no one has even tried (oh there must be one I suppose.)

See above.

>> If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.
> 
> I've read CAN-SPAM.

I wasn’t specifically talking about CAN-SPAM, but it does include provisions like this, yes.

>>> But, just as importantly, the people who want to send me an ad would
>>> like to see me pummeled with less junk so maybe I pay attention to
>>> their ad or communication.
>> 
>> The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is in your definition of “junk” vs. their definition of “junk”.
> 
> Well, the difference I'm advocating is that Amazon (e.g.) can pay real
> do-re-mi for postage, the spammers can’t.

I think you underestimate the available budget for SPAMming.

> Beyond that I don't really need a definition of "spam" per se, at
> least that's what's hoped.
> 
> We the people just have to make sure that anyone sending me an email
> follows the e-postage rules.

Now you need to ask, am I going to pay a fee to participate actively in the IETF or the policy development process at ARIN for each and every message I send?

> No spammer can afford to pay even minimal e-postage.

You are dreaming.

> The best they can hope for is to fraud any e-postage system.

More than likely they will be able to do so, yes.

> Voilà, it removes the moral judgement component of whether or not I
> really wanted this email.

True, but it also creates many negative unintended consequences.

> Or reduces the issue probably into the noise.

Unlikely to reduce any issue, IMHO.

>> Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?
> 
> I think we can make that too difficult.
> 
> But at least we'd have a trail in that case, like when the user's
> e-postage meter runs out and they can't send any more email this month
> and might pursue that if unexpected.

Not sure how that constitutes a trail so much as an increased workload for the users and their ISPs.

Might help reduce the bots, but I tend to doubt it.

>>> So it's not the resources, it's the authorization which we're trying
>>> to control.
>>> 
>>> Right now every piece of email they send from your botted system is
>>> the same as any email you'd send.
>> 
>> I’m not really seeing how this would make a difference in that.
> 
> Make it difficult to use your e-postage meter even if they get some
> (virus) software on to your system.

> 
> For example, maybe you have to enter a passphrase to enable the
> e-postage meter with an idle-timeout, or any similar method, we've all
> seen many.

That’s what key loggers are for. You can’t protect a booted system from itself.
Dreaming that you can is kind of amusing.

> Heck you could use a USB or similar dongle which has to be plugged in
> to send email.

That might work, but how long before those are compromised?

> Sure, people would leave them in, until their e-postage meter was run
> out unexpectedly and they can't send any more email for the rest of
> the month, or actually would have to buy further allocation for real
> $$$.

Actually, rolling code dongles that simulate keyboards for authentication codes
might be a good choice here… Hit the button each time you need to enter postage.
That might actually be a secure solution.

But you’re still left with the chilling effect on voluntary participation in governance and
other activities through email.

> 
>> 
>>> 
>>> If there were some sort of e-postage system with some basic security
>>> and tracking that becomes much more difficult for the spammer.
>> 
>> Given how most bots become bots, I tend to doubt it. They just have to
>> keystroke log your MUA in a two-step process instead of the one-step
>> process of days of yore.
>> 
>> Further, since they’re sending lots and lots of the same spam with identical
>> envelope contents and the only differences are in the SMTP exchange, not the
>> internal contents of the envelope, a replay attack against the same postage
>> would seem pretty trivial.
> 
> But now it's running down your e-postage meter.

How so? I’m just replaying the original e-postage. Reusing the same stamp over and over again as it were.

> And it's positively id'd on the receiving end, it has your e-postage
> meter id on it.

Yes, the spammer is able to use one of my stamps a few million times and then what?

> It does add a lot of hoops to jump through and evade.

Not really, no.

> That's progress!
> 
> And I thank you! Many in this community hear the word "e-postage" and
> just mentally shut down.

Meh… I try to keep an open mind.

Owen
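
The replay objection raised in this message, as an added sketch (not code from the thread or from any real e-postage system; the stamp format, field names and shared HMAC key are assumptions made for illustration): a stamp that is not bound to a recipient and not tracked as spent verifies any number of times, while binding it to the RCPT TO address and recording its serial limits it to one delivery.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # hypothetical; a real issuer would sign, not share a key

def _mac(meter, serial, scope):
    msg = f"{meter}|{serial}|{scope}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue_stamp(meter, serial, rcpt, bound=True):
    """Mint a stamp. bound=False models a stamp covering only meter and serial."""
    scope = rcpt.lower() if bound else "*"
    return {"meter": meter, "serial": serial, "scope": scope,
            "mac": _mac(meter, serial, scope)}

class StatelessVerifier:
    """Checks authenticity only: the design the replay objection applies to."""
    def accept(self, stamp, rcpt):
        good = _mac(stamp["meter"], stamp["serial"], stamp["scope"])
        return hmac.compare_digest(good, stamp["mac"])

class SingleUseVerifier(StatelessVerifier):
    """Adds recipient binding and a spent-serial set on the receiving side."""
    def __init__(self):
        self.spent = set()

    def accept(self, stamp, rcpt):
        if not super().accept(stamp, rcpt):
            return False                      # forged or altered stamp
        if stamp["scope"] != rcpt.lower():
            return False                      # minted for a different RCPT TO, or unbound
        key = (stamp["meter"], stamp["serial"])
        if key in self.spent:
            return False                      # same stamp presented again
        self.spent.add(key)
        return True

def replay_count(verifier, stamp, rcpts):
    """Number of deliveries one stamp pays for when replayed across rcpts."""
    return sum(verifier.accept(stamp, r) for r in rcpts)

# Constructed sample recipients for the demonstration.
RCPTS = ["a@example.net", "b@example.net", "a@example.net"]

if __name__ == "__main__":
    loose = issue_stamp("meter-1", 1, RCPTS[0], bound=False)
    tight = issue_stamp("meter-1", 2, RCPTS[0])
    print("stateless, unbound stamp:", replay_count(StatelessVerifier(), loose, RCPTS))
    print("single-use, bound stamp: ", replay_count(SingleUseVerifier(), tight, RCPTS))
```

The spent-serial set is local to each receiving system, so it is the recipient binding that stops one stamp from being reused across different domains.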




