Spam.

George Toft plug-discuss@lists.plug.phoenix.az.us
Wed, 02 Oct 2002 00:08:33 -0400


Hi Bill,

Let me tell you a story of the sysadmin and the $10 hosting account
business. . .

The company I worked for had servers - over 50 of them - and we resold
some of them to other businesses, who sold $9.95 web & e-mail hosting
accounts.  We were a prime target for spammers - Joe Spammer spends $10,
tests a few e-mails, then whamo!!! out comes the deluge of spam.  

Our servers were legitimate and the mail they processed was authentic. 
It was legitimate mail (technically speaking) and should be allowed to
be processed and delivered.  We had no open relays (yes, we were tested
by about every RBL group out there).

The problem is in the content of the e-mail.  This is much like the
highway.  We pay our licensing fee to the state (fee to the ISP), and we
load up our car and drive (send e-mail).  How can you tell that the
person in the car committed some crime (violated AUP)?  You can't, until
someone else complains.  Make the roads toll-roads, like California's
private highways (require SSL), and all you've done is slow down the
system.

Granted, some spam comes from Joe home user who uses Spammer Pro(TM)
e-mail software that turns their PC into an MTA and spams away.  Your
ideas will probably stop these users dead.  If your HELO domain is
required to reverse lookup to your IP address and your Digital
Certificate must be legitimate, then this will probably stop.  Then Joe
Spammer sends his business to China - just like they do now.

Then there are the spam-friendly ISPs that cater to the spammers.  How
do you block them?  Reject their Cert?  By what criteria?  A Realtime
Black List?  Isn't that what we do now?

What I see here is the opportunity to sell an e-mail server appliance. 
We used to have Linux firewalls on a floppy (I know we still do), now
we have little black box routers from D-Link and LinkSys.  What about a
simple mail server appliance with a web GUI where you feed it your ISP's
info, it filters your mail based on the ANTI-SPAM HOW-TO posted last
week, and your mail client receives everything through it.  How much
would you spend to avoid 99% of all spam?  $50?  $100?  Anyone think we
can fit it on a single floppy?

If anyone sells my idea to LinkSys, D-Link or 3Com, I would appreciate
the appropriate credit, and a kickback.

George


Bill Nash wrote:
> 
> So of late, more and more has been hitting my inbox. Being the creative
> and sometimes not nice person I am, I started thinking about ways to
> legitimately cut down on spam, while making spammers scream in pain. Doing
> some role reversal, I started thinking about some of what keeps spammers
> in business:
> 
>         - Difficult to block for various reasons
>         - Anonymity
>         - Open relays
> 
> A few beers into the whole mess, I started thinking about the good ol US
> Postal Service, mostly because some jackass forwarded me that FUD about
> the USPS taking over email services for the whole Internet. Add in the
> recent rash of discussions about key signing, and a potentially worthy
> idea was born.
> 
> This is a loose and sketchy concept. Some areas involved here I am not an
> authority on. It's intended to spark discussion, so please, pick apart and
> let me know where I'm off base, misguided, out of crack, et cetera.
> 
> First off, why aren't mail servers talking to each other over encrypted
> streams? Everyone is talking about encrypting mail to each other, and
> exchanging keys, so why not do it with the mail servers themselves as an
> additional step of security?
> 
> This leads to another step. Why not tie mail server 'identities' into a
> Certificate Authority/PKI? Better yet, why not have that CA/PKI
> administered by a Federal institution that very few dare muck with, who can
> also make use of the revenue? That's right, our friends, the USPS. You too
> can be a USPS sysadmin, and make use of your guns!
> 
> All kidding aside, and please, suppress the knee jerk 'Government
> regulation is bad!' If you're going to argue, come prepared with a valid
> point and some sanity. I'm not talking about regulation. I'm talking about
> accountability. The internet runs on a couple of factors: packets and
> trust. The trust has been abused to the point of lunacy. All this
> considered, what sucks most about the whole concept, and what could be
> done better?
> 
> Here's an example of how I see the process working. Sample ISP A, called
> AOL, decides to save money by reducing the amount of traffic on their
> networks. They find that cutting spam will do this, by 90%. They toggle a
> bit on their mail server and say, 'OK, authenticated mail servers only, as
> identified by the USPS PKI.' Poof. All mail ceases to flow. While not what
> they wanted, they've met their goal.
> 
> However, legitimate ISPs will see this and think, "Not a bad idea. Where
> do we sign up?" They use a large stick to pry a sysadmin out of his cube,
> and say, "You will venture forth into the sunlight, to the post office,
> where things are sent on paper, and you will register our mail servers."
> Said sysadmin drives his Datsun to the post office, walks in, fills out
> appropriate paperwork, shows an ID so they have someone to pin the keys
> on, and set him up an account with which he can register keys from his
> mail servers. Just like key signing should be done, in person and
> verified.
> 
> Suddenly, mail servers are no longer anonymous. They belong to a specific
> person who had to show federally recognized identification, who can be
> prosecuted for violation, say California spam laws, or simply beaten if
> caught in a dark alley.
> 
> Ok, so I can guess right off, privacy advocates just took me off their
> Christmas lists. That, or I'm getting a metric ton of fruitcake this year.
> Even if USPS PKI/CA administration isn't viable (though for government
> agencies, it might be), why can't something like this exist independently?
> A collaboration between major ISPs would be enough to kick it off, and
> then it's open season on spammers. The RBL becomes infinitely more
> effective, and mail servers can stop talking to strangers.
> 
> Some interesting ripple effects of this, however. What happens to free
> email suppliers like Yahoo and Hotmail? Conventional ISPs have a billing
> record to tie user accounts to. Hotmail has an IP address, which we all
> know isn't the most reliable thing. Yes, this kinda removes the anonymity
> aspect of email, but (oh god, here comes a can of worms) what's the point
> of anonymous email? I see the Caller ID/Call Blocking argument applying
> here.
> 
> Alright, this is getting long, so. Hm. Where's my beer?
> 
> - billn
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
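
The HELO check George describes (the HELO name and the connecting IP must confirm each other in DNS), as an added example that is not part of the original thread. The addresses, host names, in-memory DNS tables and the `check_helo` and `screen` helpers are constructed for illustration; a real MTA would query live DNS. Note that the paid hosting server passes, since the check authenticates the sender and says nothing about content.

```python
# Constructed sample DNS data (documentation address ranges), not real hosts.
PTR_RECORDS = {
    "192.0.2.25": "mail.hosting.example",      # server behind a $10 hosting account
    "198.51.100.7": "dsl-7.pool.isp.example",  # home PC acting as its own MTA
    "203.0.113.77": "mail.bank.example",       # reverse zone set by the sender itself
}
A_RECORDS = {
    "mail.hosting.example": {"192.0.2.25"},
    "mail.bank.example": {"203.0.113.10"},     # the name's real address
}

def normalize(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()

def check_helo(client_ip, helo_name, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (accepted, reason) for a forward-confirmed reverse DNS HELO check."""
    helo = normalize(helo_name)
    # Address literals like [198.51.100.7] and bare host names carry no identity.
    if helo.startswith("[") or "." not in helo:
        return (False, "HELO is not a fully qualified domain name")
    ptr_name = ptr.get(client_ip)
    if ptr_name is None:
        return (False, "no PTR record for client IP")
    if normalize(ptr_name) != helo:
        return (False, "PTR name does not match HELO")
    # A PTR record alone is controlled by whoever owns the address block,
    # so the claimed name must also resolve forward to the same address.
    if client_ip not in a.get(helo, set()):
        return (False, "HELO name does not resolve back to client IP")
    return (True, "forward-confirmed reverse DNS matches HELO")

def screen(sessions):
    """Return the client IPs whose (ip, helo) pair passes the check."""
    return [ip for ip, helo in sessions if check_helo(ip, helo)[0]]

if __name__ == "__main__":
    # Constructed SMTP sessions: (connecting IP, name given in HELO).
    sample = [
        ("192.0.2.25", "mail.hosting.example"),
        ("198.51.100.7", "mail.bank.example"),
        ("203.0.113.77", "mail.bank.example"),
        ("203.0.113.99", "localhost"),
    ]
    for ip, helo in sample:
        print(ip, helo, check_helo(ip, helo))
```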