
nanog mailing list archives

Re: why IPv6 isn't ready for prime time, SMTP edition
From: Owen DeLong <owen () delong com>
Date: Sat, 29 Mar 2014 23:26:25 -0700


On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs () world std com> wrote:


On March 29, 2014 at 08:28 owen () delong com (Owen DeLong) wrote:
So if a spammer or junk mailer could, say, trick you into accepting
mail in those schemes then they get free advertising, no postage
anyhow.

Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising?

I dunno, but they trick people all the time, isn't that what the
entire phishing industry is based on?

I guess the real point is that this idea that one would be sorting
through their email saying don't charge for this one I want it, charge
for this one, I don't, etc is not a good idea.

I was envisioning a system more where you white-listed your known contacts up front,
then only needed to say “refund this one and add to white-list” or “refund this one” when
confronted with one that wasn’t already white-listed that you didn’t feel was spam.

We're getting lost in the metaphors methinks.

I don’t think so, I think we’re having differing visions of how it would work in detail.

Well, that's always the problem at some point. Lacking a specific,
detailed proposal one tries to work out how it might work, look for
inherent flaws in the idea, show stoppers.

This is basically brainstorming.

Yep… Wasn’t a criticism, merely an effort to home in on a more accurate problem description for the communications 
failures so we weren’t trying to solve the incorrect cause.

So offering to not charge you because you wanted that mail makes no
sense, right?

But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of 
receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.

FIRST: There's a typo/thinko in my sentence!

Should be:

So offering to not charge THE SENDER because THE RECIPIENT wanted
that mail makes no sense, right?

SECOND:

In response, someone has to scale resources to match volume.

But maybe my typo/thinko confused this because you know that, sorry.

Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already 
paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage 
between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.

What about the costs of anti-spam technology? And all the other
problems spam incurs? I thought that's why we were here.

Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access 
and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked 
out, but at what relative price?

Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could 
possibly be considered SPAM.

My whole point is I don't WANT to have a definition of spam, except as
a bad memory.

I'm trying to figure out how to change the ecology/economics so spam
is difficult, a minor problem.

I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the 
thread.

Just like my analogy with the post office, they wouldn't deliver mail
for free just because the recipient wanted it.

That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that 
your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.

Again, we're talking about spam and the harm it does, the costs it
incurs. And phishing etc.

That's sort of like saying my car can drive down the road perfectly
well with some gasoline etc, why do I need to pay taxes for police?

I often find myself wondering exactly that… Usually after trying to get some service or other that the police are 
supposed to be providing.

Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, 
which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”?

The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages 
related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind 
seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message 
they send.

The vast majority of paper mail I get from my bank accounts is useful
and informative and often legally important.

But every one of them has postage attached.

Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive 
mail or not and neither is your bank. I certainly don’t want to start double-paying for spam (or legitimate email 
for that matter).

Recipients wouldn't pay in my scheme.

OK, turn it around and you aren’t paying a separate fee for the mailman to drive by your place each day to see if you 
have any outgoing mail, either.

If you mean that legitimate senders have to pay and somehow recover
that cost, well, we all pay for police and other security. Security is
often like that. When you pay for a prison you pay to house prisoners,
any benefit to you is at best abstract (they're not on the streets
etc.)

I don’t pay the USPS any separate taxes to support the postal inspectors. That’s rolled up into the postage.

Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office 
is obliged to do so and I don’t pay anything for it.

This is probably getting off-track, but are you sure about that with
the USPS?

Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell you to throw it away. I don’t pay anything 
for that, either.

If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply 
mechanisms), I’ll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, 
etc. can also be effective candidates). I’ve only used this tactic a few times, but it’s never taken more than two 
heavy replies to get the flow of crap to stop abruptly.

You can mark it NSA (no such addressee) or NFA (no forwarding address)
or NSA/NFA or even put a forwarding address which may or may not do
anything since the recipient is supposed to set that up with the post
office (e.g., when they move.)

Yep. They’ll take it back and either forward it if they can or send it to the dead letter office.

But I never heard of taking all my junk mail for example and handing
it back to a letter carrier saying "Here, I don't want this!" I think
they'd say "throw it in the trash!”

Specifically doesn’t work with third-class and bulk. They are the only exceptions.

I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my 
authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for 
this, I would gladly do so.

Do you mean sending (making you a bot) or receiving spam?

Receiving.

Well, truth be told you didn't really authorize many people who send
you email to use your resources.

If I wanted the email, then I retroactively authorize(d) them, authorized them by implication, or authorized them 
through other mechanisms.

So we're back to the definition of spam problem.

Again, I don’t see that as a hard problem.

Which is exactly what I'm trying to get away from.

I’m aware of that. However, I don’t see you getting around several rather nasty unintended consequences that way.

I'm saying the notion of who you did authorize to send you email is
getting fuzzier and fuzzier and may no longer be a completely useful
distinction.

How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record.
If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that 
permission on record.
If I checked the box to receive other emails from you, then you have that permission on record.
If you don’t have my permission on record, then you don’t have my permission. Seems pretty simple and clear and 
predictable to me.

Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your “permission fee” is 
refunded. OTOH, if I say “no”, then you don’t get your money back.

"Related to that transaction"? Is that in CAN-SPAM? Where did that
limitation come from? How is that defined?

Forget current law. I’m talking about the criteria I would want to set if we were to overhaul the system and do this 
right.

You mean when Network Solutions bombards me with email about each new
TLD they're violating CAN-SPAM? I never asked for that. I do have some
domains with them, I think they're using that for a "legitimate
business relationship”.

No, I never brought CAN-SPAM into this, that’s your idea. I’m talking about the criteria that could easily be used to 
define SPAM consistently in a way that isn’t fuzzy, doesn’t have the problems currently created by CAN-SPAM (a law 
written by spammers for spammers), etc.

Legitimate businesses (perhaps other than NetSol :-) do tend to
restrain themselves and know recipients might get annoyed if they
overdo their welcome and opt-out or even block them entirely.

An example of the line getting fuzzy is when my frequent flyer sources
(airlines etc) constantly hawk credit cards at me under the excuse
that I'll get 50,000 free miles or some such. So it sort of sounds
related to the frequent flyer program.

And by allowing the user to do one of:

        Whitelist the airline
        Accept each message they want (refunded, others airline pays)
        Decline all messages (airline pays)

You could decide for yourself which messages from the airline you don’t consider SPAM, with the added benefit that you 
get a small amount of money for each message you don’t actively claim isn’t SPAM.

But I think they're just hawking Amex cards and getting a commission
for each one they sell.

Of course they are, and I would not mark any of those messages as “accepted” and it would cost them for each one they 
sent.

That should have been predictable. Create a fuzzy hurdle and it will
get hurdled.

I’m not seeing the fuzziness you claim is present.

Accept that "it's not spam if I have a business relationship with the
sender" and that "business relationship" definition will get
stretched.

See above. I have a _MUCH_ narrower definition of what should be accepted.

Wait. Are we talking about what you think should be ok, or what the
current law (as it were, but CAN-SPAM for example) thinks is ok, or
what common practice seems to think is ok, or how it should work under
the regime I'm describing?

How it should work under the alternative regime I am describing.

As I said, I'm trying to come up with a spam-definition-neutral
approach.

I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I 
believe could be more functional.

For example, buy an auto insurance policy from Liberty Mutual and you
just gave permission for every Liberty Mutual insurance agent in the
world to hawk you life insurance, home owner's insurance, etc etc etc.
over email.

No, I didn’t.  See above.

Again, I think CAN-SPAM etc would agree with my description within
reason.

I’m sure it would, but I’m not talking about CAN-SPAM and I’m not sure why you brought it into the discussion.

I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. 
If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in 
most cases, it’s SPAM.

Yeah, well, if you ever get an unexpected email (truly) from Bank of
America for example offering great CD rates and can't imagine why they
sent it have a ball calling the FTC and filing a CAN-SPAM violation.

If such a thing happened and it actually came from BofA, then, yes, it would.

And I'm saying good luck getting whoever it is enforces CAN-SPAM to
agree, unless it just happens to be on their radar for some reason.

CAN-SPAM is a rathole. Please drop it. It’s not furthering our discussion.

However, BofA is smart enough to keep such SPAMvertising at arm’s length and you have to track down the spammer that 
actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to 
affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, 
that has not happened.

There are limits to Agency Law. You can't hire someone to break the
law and then say it's entirely their problem.

Ah, but BofA didn’t hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was 
entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn’t have any 
liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after 
them for a refund or avoid using their services in the future.

Well, there are all sorts of hard cases, but laying it out sometimes
surprises people (like, yes you can be held responsible for the
actions of a hired bodyguard, even if their behavior was way out of
line. They sell insurance for that kind of thing.)

Sure, but the spammers happily cover BofA’s ass contractually and then say “oops” or “we lied” or whatever they have to 
in order to get BofA off the hook. Then, nobody gets punished and business as usual.

Maybe something would happen, I can't say for sure.

But I suspect they'd round file it because hey that's BANK OF AMERICA
not SPAMMERS and you're just a KOOK!

No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, 
because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.

Well, now we're really just moving the goalpost and changing the
scenario.

No, I’m pointing out how organizations like BofA actually do this and you’re talking about some fictitious scenario 
that doesn’t happen in real life.

Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that’s also why most telco-contracted backhoe 
operating companies have numbers in their name… Ho-Co #1 cut someone’s fiber, so they sold their substantial assets to 
Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.

Extrapolate to any company the FTC has heard of and respects.

Really more a matter of how those companies keep their SPAM at arm’s length and circumvent the intent of the law than 
their reputation with the FTC.

That's what I mean by a moralistic component.

But if BoA was fudging their postal meters and the post office noticed
it'd be Book 'Em Dan-O before the next commercial break.

Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can’t really avoid 
that.

But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn’t.

Of course it is. If your email won't be accepted without proper
postage attached then that's the cost of having your email delivered.

No, that’s a protection racket/extortion scheme.

I’m talking about the cost of moving the mail from point A to point B. You’re talking about the cost of not having my 
nice email meet with an accident on the information superhighway.

Just because the work can't be expressed in Newtons over Distance
doesn't mean it's not valuable.

See above.

Ok, I think a lot of the rest of this could be answered by:

It would be interesting to ask a spammer or ex-spammer what they
thought about the scheme.

LoL

Beyond that we're just guessing as to whether what's proposed would
alter their behavior.

True, but first we have to get past “would the community accept it generally” and I think your proposal (and probably 
mine) fail the smell test there. If it can’t get implemented, it doesn’t matter how much the spammers would hate it.

And I gotta go eat some lunch!

Bon appétit.

Owen



