nanog mailing list archives

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]


From: Barry Shein via NANOG <nanog () lists nanog org>
Date: Sat, 5 Jul 2025 23:12:00 -0400


On July 5, 2025 at 20:59 johnl () iecc com (John R. Levine) wrote:
https://taugh.com/epostage.pdf

It's a fine paper but it has one problem which is it sets up a
strawman: It proposes a particular architecture for e-postage (ok,
granted, more than one, but similar) and proceeds to knock it down.

1. Professional spammers send O(1B) msgs per day per each.

I assume they need to send roughly that many to be economically
viable. So if one could limit them significantly one hopes their
endeavors become economically unviable and they disappear from the
face of the earth.

The big point is that we're in a statistical space, not an engineering
space where a solution has to be mathematically perfect or nearly
perfect to be acceptable.

Like marketing in general, which is basically what most spam is (I'd
call phishing a perverse form of marketing), it relies on statistical
modeling. Sending a billion spam messages might yield .01% success
rate which is roughly true of any mass marketing.

Unfortunately we've made it essentially free.

Internet behemoths (Google, Facebook, et al) make literally trillions
per year selling marketing, but we give it away free.

That's a problem.

2. Unfortunately the thundering "spam" hoofsteps we hear also include
an increasing amount of "ham". Why not? It's free!

Some of it one can block, some one can partially opt out of, but some
you can't, practically.

Block your utility company from sending you several promos per day and
you also won't see your bills or actually important notices about
outages etc, for example. What's their motivation to help you manage
that? Not much.

I know I seem to get sometimes dozens of such ham msgs per day,
complete a survey! call before you dig! we're having a sale! new
product! etc etc etc.

That tide is rising as their marcom people are figuring out the
fantastic leverage they have.

3. We only need to increase the costs to the sort of people who send
O(1B) messages per day to introduce some sanity into the system.

So, to explain my strawman comment, it's like a pruning problem in a
chess program: You don't have to compute every single move, that would
be computationally prohibitive as you detail. Only compute the moves
likely to be productive.

For example give everyone the ability to send, for argument's sake,
100,000 msgs/day free. Maybe 1M/day. Spammers can't live with that
sort of limit. Neither of course can many "legitimate" bulk senders so
there has to be some way to buy more.

I know, but how?

Without trying to architect the whole thing in this mail message, that
does open some more realistic possibilities by pruning the problem
space significantly.

And even if there's leakage, so what? That might offend some people's
sense of fair play but if the net result is it puts the big spammers
out of business we won, no?

A big utility company or bank, for example, might be able to budget
$100K/month for their overages, but I doubt the typical spammer can
even come close to that.

Many are probably what we used to call chicken-boners* on Usenet which
meant losers sitting up to their knees in KFC chicken bones in a
double-wide somewhere happy if they can get a coupla hundred bucks for
a spam campaign.

And the income generated could go towards enforcement.

I realize there's this net culture that wants to see an algorithmic,
preferably involving cryptography, solution to every problem but with
money other means of enforcement become possible. And where
jurisdictions won't cooperate, oh well, no more chicken bones for
them!

etc.

It's a big conversation and this is way too long already but I think
it calls for a sea change in thinking.

That is, think in terms of the actual problem and what would put the
actual miscreants out of commission rather than some utopian ideal.

* https://www.netlingo.com/word/chicken-boner.php

-- 
        -Barry Shein

Software Tool & Die    | bzs () TheWorld com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/P73T3YHUBEXYOLDPGUW252WQINTP3YDD/

