why IPv6 isn't ready for prime time, SMTP edition
owen at delong.com
Sun Mar 30 06:26:25 UTC 2014
On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs at world.std.com> wrote:
> On March 29, 2014 at 08:28 owen at delong.com (Owen DeLong) wrote:
>>> So if a spammer or junk mailer could, say, trick you into accepting
>>> mail in those schemes then they get free advertising, no postage
>> Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising?
> I dunno, but they trick people all the time, isn't that what the
> entire phishing industry is based on?
> I guess the real point is that this idea that one would be sorting
> through their email saying don't charge for this one I want it, charge
> for this one, I don't, etc is not a good idea.
I was envisioning a system more where you white-listed your known contacts up front,
then only needed to say “refund this one and add to white-list” or “refund this one” when
confronted with one that wasn’t already white-listed that you didn’t feel was spam.
>>> We're getting lost in the metaphors methinks.
>> I don’t think so, I think we’re having differing visions of how it would work in detail.
> Well, that's always the problem at some point. Lacking a specific,
> detailed proposal one tries to work out how it might work, look for
> inherent flaws in the idea, show stoppers.
> This is basically brainstorming.
Yep… Wasn’t a criticism, merely an effort to home in on a more accurate problem description for the communications failures so we weren’t trying to solve the incorrect cause.
>>>>> So offering to not charge you because you wanted that mail makes no
>>>>> sense, right?
>>>> But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
>>> FIRST: There's a typo/thinko in my sentence!
>>> Should be:
>>> So offering to not charge THE SENDER because THE RECIPIENT wanted
>>> that mail makes no sense, right?
>>> In response, someone has to scale resources to match volume.
>>> But maybe my typo/thinko confused this because you know that, sorry.
>> Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.
> What about the costs of anti-spam technology? And all the other
> problems spam incurs? I thought that's why we were here.
Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?
>> Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
> My whole point is I don't WANT to have a definition of spam, except as
> a bad memory.
> I'm trying to figure out how to change the ecology/economics so spam
> is difficult, a minor problem.
I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread.
>>> Just like my analogy with the post office, they wouldn't deliver mail
>>> for free just because the recipient wanted it.
>> That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.
> Again, we're talking about spam and the harm it does, the costs it
> incurs. And phishing etc.
> That's sort of like saying my car can drive down the road perfectly
> well with some gasoline etc, why do I need to pay taxes for police?
I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing.
Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”?
>>>> The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
>>> The vast majority of paper mail I get from my bank accounts is useful
>>> and informative and often legally important.
>>> But every one of them has postage attached.
>> Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don’t want to start double-paying for spam (or legitimate email for that matter).
> Recipients wouldn't pay in my scheme.
OK, turn it around and you aren’t paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either.
> If you mean that legitimate senders have to pay and somehow recover
> that cost, well, we all pay for police and other security. Security is
> often like that. When you pay for a prison you pay to house prisoners,
> any benefit to you is at best abstract (they're not on the streets
I don’t pay the USPS any separate taxes to support the postal inspectors. That’s rolled up into the postage.
>> Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.
> This is probably getting off-track, but are you sure about that with
> the USPS?
Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell you to throw it away. I don’t pay anything for that, either.
If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply mechanisms), I’ll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, etc. can also be effective candidates). I’ve only used this tactic a few times, but it’s never taken more than two heavy replies to get the flow of crap to stop abruptly.
> You can mark it NSA (no such addressee) or NFA (no forwarding address)
> or NSA/NFA or even put a forwarding address which may or may not do
> anything since the recipient is supposed to set that up with the post
> office (e.g., when they move.)
Yep. They’ll take it back and either forward it if they can or send it to the dead letter office.
> But I never heard of taking all my junk mail for example and handing
> it back to a letter carrier saying "Here, I don't want this!" I think
> they'd say "throw it in the trash!”
Specifically doesn’t work with third-class and bulk. They are the only exceptions.
>>>> I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
>>> Do you mean sending (making you a bot) or receiving spam?
> Well, truth be told you didn't really authorize many people who send
> you email to use your resources.
If I wanted the email, then I retroactively authorize(d) them, authorized them by implication, or authorized them through other mechanisms.
> So we're back to the definition of spam problem.
Again, I don’t see that as a hard problem.
> Which is exactly what I'm trying to get away from.
I’m aware of that. However, I don’t see you getting around several rather nasty unintended consequences that way.
>>> I'm saying the notion of who you did authorize to send you email is
>>> getting fuzzier and fuzzier and may no longer be a completely useful
>> How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record.
>> If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record.
>> If I checked the box to receive other emails from you, then you have that permission on record.
>> If you don’t have my permission on record, then you don’t have my permission. Seems pretty simple and clear and predictable to me.
>> Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your “permission fee” is refunded. OTOH, if I say “no”, then you don’t get your money back.
> "Related to that transaction"? Is that in CAN-SPAM? Where did that
> limitation come from? How is that defined?
Forget current law. I’m talking about the criteria I would want to set if we were to overhaul the system and do this right.
> You mean when Network Solutions bombards me with email about each new
> TLD they're violating CAN-SPAM? I never asked for that. I do have some
> domains with them, I think they're using that for a "legitimate
> business relationship”.
No, I never brought CAN-SPAM into this, that’s your idea. I’m talking about the criteria that could easily be used to define SPAM consistently in a way that isn’t fuzzy, doesn’t have the problems currently created by CAN-SPAM (a law written by spammers for spammers), etc.
> Legitimate businesses (perhaps other than NetSol :-) do tend to
> restrain themselves and know recipients might get annoyed if they
> overdo their welcome and opt-out or even block them entirely.
> An example of the line getting fuzzy is when my frequent flyer sources
> (airlines etc) constantly hawk credit cards at me under the excuse
> that I'll get 50,000 free miles or some such. So it sort of sounds
> related to the frequent flyer program.
And by allowing the user to do one of:
  - Whitelist the airline
  - Accept each message they want (refunded, others airline pays)
  - Decline all messages (airline pays)
You could decide for yourself which messages from the airline you don’t consider SPAM, with the added benefit that you get a small amount of money for each message you don’t actively claim isn’t SPAM.
> But I think they're just hawking Amex cards and getting a commission
> for each one they sell.
Of course they are, and I would not mark any of those messages as “accepted” and it would cost them for each one they sent.
>>> That should have been predictable. Create a fuzzy hurdle and it will
>>> get hurdled.
>> I’m not seeing the fuzziness you claim is present.
>>> Accept that "it's not spam if I have a business relationship with the
>>> sender" and that "business relationship" definition will get
>> See above. I have a _MUCH_ narrower definition of what should be accepted.
> Wait. Are we talking about what you think should be ok, or what the
> current law (as it were, but CAN-SPAM for example) thinks is ok, or
> what common practice seems to think is ok, or how it should work under
> the regime I'm describing?
How it should work under the alternative regime I am describing.
> As I said, I'm trying to come up with a spam-definition-neutral
I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I believe could be more functional.
>>> For example, Buy an auto insurance policy from Liberty Mutual and you
>>> just gave permission for every Liberty Mutual insurance agent in the
>>> world to hawk you life insurance, home owner's insurance, etc etc etc.
>>> over email.
>> No, I didn’t. See above.
> Again, I think CAN-SPAM etc would agree with my description within
I’m sure it would, but I’m not talking about CAN-SPAM and I’m not sure why you brought it into the discussion.
>>>> I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.
>>> Yeah, well, if you ever get an unexpected email (truly) from Bank of
>>> America for example offering great CD rates and can't imagine why they
>>> sent it have a ball calling the FTC and filing a CAN-SPAM violation.
>> If such a thing happened and it actually came from BofA, then, yes, it would.
> And I'm saying good luck getting whoever it is enforces CAN-SPAM to
> agree, unless it just happens to be on their radar for some reason.
CAN-SPAM is a rathole. Please drop it. It’s not furthering our discussion.
>> However, BofA is smart enough to keep such SPAMvertising at arm’s length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.
> There are limits to Agency Law. You can't hire someone to break the
> law and then say it's entirely their problem.
Ah, but BofA didn’t hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn’t have any liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after them for a refund or avoid using their services in the future.
> Well, there are all sorts of hard cases, but laying it out sometimes
> surprises people (like, yes you can be held responsible for the
> actions of a hired bodyguard, even if their behavior was way out of
> line. They sell insurance for that kind of thing.)
Sure, but the spammers happily cover BofA’s ass contractually and then say “oops” or “we lied” or whatever they have to in order to get BofA off the hook. Then, nobody gets punished and business as usual.
>>> Maybe something would happen, I can't say for sure.
>>> But I suspect they'd round file it because hey that's BANK OF AMERICA
>>> not SPAMMERS and you're just a KOOK!
>> No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.
> Well, now we're really just moving the goalpost and changing the
No, I’m pointing out how organizations like BofA actually do this and you’re talking about some fictitious scenario that doesn’t happen in real life.
Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that’s also why most telco-contracted backhoe operating companies have numbers in their name… Ho-Co #1 cut someone’s fiber, so they sold their substantial assets to Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.
>>> Extrapolate to any company the FTC has heard of and respects.
>> Really more a matter of how those companies keep their SPAM at arm’s length and circumvent the intent of the law than their reputation with the FTC.
>>> That's what I mean by a moralistic component.
>>> But if BoA was fudging their postal meters and the post office noticed
>>> it'd be Book 'Em Dan-O before the next commercial break.
>> Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can’t really avoid that.
>> But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn’t.
> Of course it is. If your email won't be accepted without proper
> postage attached then that's the cost of having your email delivered.
No, that’s a protection racket/extortion scheme.
I’m talking about the cost of moving the mail from point A to point B. You’re talking about the cost of not having my nice email meet with an accident on the information superhighway.
> Just because the work can't be expressed in Newtons over Distance
> doesn't mean it's not valuable.
> Ok, I think a lot of the rest of this could be answered by:
> It would be interesting to ask a spammer or ex-spammer what they
> thought about the scheme.
> Beyond that we're just guessing as to whether what's proposed would
> alter their behavior.
True, but first we have to get past “would the community accept it generally” and I think your proposal (and probably mine) fail the smell test there. If it can’t get implemented, it doesn’t matter how much the spammers would hate it.
> And I gotta go eat some lunch!