PGTips91 Posted December 20, 2005 Share Posted December 20, 2005 In spite of all that has been done to prevent the reception of spam the flood of spam being sent is still on the increase, approaching crisis proportions IMHO. There are a number of approaches to dealing with spam. Some that I am aware of include: -- Blacklists, such as that maintained by SpamCop Bayesian Filtering Domain Keys Identified Mail DKIM [http://mipassoc.org/dkim/] Sender Policy Framework SPF [http://www.openspf.org/] Authenticated Sender, such as Senderbase [http://www.senderbase.org/] IronPort Reputation Filters SURBL - spam URI Realtime Blocklists [http://www.surbl.org/] Software such as SpamAssassin US CanSpam law and other laws Internationally All of these methods are post hoc methods of removing spam. Prevention is better than cure and my question is, what will it take to prevent spam from being sent, in the first place? I suggest two areas that need to be looked at. Protocols Firstly, since the basic protocols used on the Internet were devised without taking security into account, these need to be revised with proper security designed into them. To take what was essentially an internal networking environment and open it up to the world without any checks and balances is a recipe for disaster, as the present situation proves. The redesign of protocols is way beyond my technical knowledge but I believe that it needs to be discussed by the broader Internet community so that the issues can be known and less technical people can be educated to the point where they can participate in the decision-making process. Commercial Framework Secondly, the basis of the Internet currently is, 'trust everyone until they prove untrustworthy'. This needs to be replaced with 'trust nobody until they are deemed to be trustworthy and can be held accountable for breaches of trust'. If the Internet is to be used as the basis of commercial relationships and dealings then it needs to have a secure commercial underpinning in its foundations. Just as we have the Companies Office to prevent abuse of commerce, there needs to be a similar organisation that registers, polices and imposes penalties on those who abuse the Internet. Penalties can range from fines to banning for a time or permanently and apply to providers at all levels, including ISPs, DNS providers, email servers and web hosting servers, etc. Registration fees can be used to fund this organisation and the costs imposed thereby would be a small fraction of the cost of dealing with spam. With proper penalties for spam the economic incentives would be changed so as to eliminate it. Once the penalties began to bite spam would dry up rather quickly. Question What other matters need to be addressed to make the Internet a secure environment in which communications and transactions may be made without the current risks and abuse? Paul Link to comment Share on other sites More sharing options...
turetzsr Posted December 21, 2005 Share Posted December 21, 2005 Hi, Paul, ...Very well thought-out, IMHO! <snip. Just as we have the Companies Office to prevent abuse of commerce, there needs to be a similar organisation that registers, polices and imposes penalties on those who abuse the Internet. 38235[/snapback] ...Do I presume correctly that the Companies Office is a NZ government agency? If so, I'd prefer the authority that prevents abuse and imposes penalties not be a government agency. ...The whole shebang should IMHO be as voluntary as possible and decisions as unanimous as feasible (see, for example, J.M. Buchanan & G. Tullock The Calculus of Consent: Logical Foundations of Constitutional Democracy esp section 3.1.11). Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 21, 2005 Share Posted December 21, 2005 The redesign of protocols is way beyond my technical knowledge but I believe that it needs to be discussed by the broader Internet community so that the issues can be known and less technical people can be educated to the point where they can participate in the decision-making process. I am also non-technically fluent, but I understand that changing the protocols would be very difficult to do since there are so many people using the internet. However, IMHO, getting 'less technical people educated' would make a big difference in controlling spam. The internet is run completely on netiquette; there are no laws. Offline Miss Manners says that the proper etiquette if someone is rude or misbehaves is the 'cut direct' The internet equivalent is the blocklist. If ordinary, non-technical end users understood about blocklists and the philosophy (as well as safe surfing practices), as consumers they would demand competent, responsible internet providers. They would support the use of blocklists and if someone complained about hir email being returned, would explain that hir email provider is not reliable and that they don't want to receive spam and viruses from that IP address so the *sender* needs to do something else about sending email. The whole spam problem is money driven. Until consumers demand responsible service from their email providers, not much is going to happen. Whitelists and after acceptance filtering just prolong the agony of spam, IMHO. Miss Betsy Link to comment Share on other sites More sharing options...
Merlyn Posted December 21, 2005 Share Posted December 21, 2005 After running mail servers for over 10 years I am just the opposite (which is sad). I remember the days when people could rely on an open relay (more than 10 years ago) to get their email where it was destined. There was no spam problem, the web was trustworthy and now it only takes less than 1/2 of 1 percent of the web to destroy any trust that was out there. I don't trust anyone until proven safe for an inbox. For every protocol that is created the spammers will find a way to abuse it. Link to comment Share on other sites More sharing options...
PGTips91 Posted December 21, 2005 Author Share Posted December 21, 2005 Do I presume correctly that the Companies Office is a NZ government agency? If so, I'd prefer the authority that prevents abuse and imposes penalties not be a government agency. ...The whole shebang should IMHO be as voluntary as possible and decisions as unanimous as feasible Yes, you are correct in your presumption. I haven't thought through the ramifications of 'who' would constitute the authority or authorities. Perhaps having one per country would limit their power while retaining the ability to penalise abusers. Perhaps the route to follow will be to establish a commercial model in some major participating countries and then extending it to cover the world. My thoughts are that there are similarities here between International Trade where bilateral agreements are reached and blocks are formed. The motivation for this to succeed should come from voluntary agreements with benefits that outweigh the costs of participation. It should be possible for a new level of protocols to be introduced, in conjunction with this commercial/legal structure, that would prevent Spammers [and their up-stream suppliers] from participating without exposing themselves to penalties, tipping the economic balance against them. I believe that without the commercial/legal structure the balance is weighted too much in Spammers favour. Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 21, 2005 Share Posted December 21, 2005 There has been some discussion of licensing ISPs patterned on ham operator licenses which would be something that could be international. However, one of the problems with getting governments involved is censorship. One of the great things about the internet is the complete freedom to use it. Once governments get involved, there could be all kinds of restrictions. Again, everything - including IP address allocation - is done by netiquette. The answer lies in how 'mannerly' people deal with rudeness and unsocial behavior. That's why blocklists are a 'natural' solution. They don't interfere with anything anyone wants to do; however they do not allow others to abuse 'my' server. IMHO, putting the control of spam in the realm of competence and responsibility (as in licensing) would go a long way toward educating end users and also putting pressure on those ISPs who do not take sufficient measures to prevent spammers from using their networks. spam can only be controlled from the *sending* end. The commercial measures to force that is to make *senders* (especially end users) to choose competent and responsible ISPs. Miss Betsy Link to comment Share on other sites More sharing options...
PGTips91 Posted December 21, 2005 Author Share Posted December 21, 2005 I am also non-technically fluent, but I understand that changing the protocols would be very difficult to do since there are so many people using the Internet. Protocols are under constant change already. Once changes are introduced you either adhere to them or miss out. It should not be too difficult to devise secure protocols to use within a new 'virtual network' which would not allow Spamming without penalties. This could tip the balance in favour of responsible users and make it uneconomic for Spammers. However, IMHO, getting 'less technical people educated' would make a big difference in controlling spam. The difficulties most users have in understanding the underlying technologies of the Internet leave them vulnerable to highly organised gangs of criminals. They need to be protected by an environment that is basically secure and this should be the responsibility of the providers of the services. There will always be enough gullible users to make the business of Spammers profitable while they have virtually zero costs of operations by making the rest of the Internet community pay for their usages. How many replies do they need to make sending a million spam messages worth while? No, education by itself will never stop spam. The internet is run completely on netiquette; there are no laws. Offline Miss Manners says that the proper etiquette if someone is rude or misbehaves is the 'cut direct' The internet equivalent is the blocklist. If ordinary, non-technical end users understood about blocklists and the philosophy (as well as safe surfing practices), as consumers they would demand competent, responsible internet providers. They would support the use of blocklists and if someone complained about hir email being returned, would explain that hir email provider is not reliable and that they don't want to receive spam and viruses from that IP address so the *sender* needs to do something else about sending email. The analogy of Etiquette is not accurate for the situation on the Internet. It is not a choice whether to follow the rules of the various protocols in use and they need to be so constructed as to limit abuse. Even in society where etiquette is expected there are penalties such as being not invited back - i.e. totally excluded, not just ignored but such sanctions do not exist on the Internet for Spammers in the present environment. The whole spam problem is money driven. Until consumers demand responsible service from their email providers, not much is going to happen. While I agree with the first statement, the second is not the answer. The answer must be to make it uneconomic to spam if spam is to be stopped. As I said above, there will always be enough responses to make it worth while Spamming while there is a virtually nil cost of sending. Whitelists and after acceptance filtering just prolong the agony of spam, IMHO. My concept is of a white list for those who comply with a secure email system. The penalty for breaching the conditions, once on the list, would be agreed commercial penalties with removal from the list as the final sanction. No emails for those not on the list would be delivered. Period. Therefore no spam within the secure environment. No cleaning up either, just policing to ensure that the rules are being followed. This whole concept could live side by side with the current system and just be gradually adopted as its economic value is recognised. No compulsion, no legislation, totally voluntary, just well designed with security in mind. Paul Link to comment Share on other sites More sharing options...
PGTips91 Posted December 21, 2005 Author Share Posted December 21, 2005 After running mail servers for over 10 years I am just the opposite (which is sad). I remember the days when people could rely on an open relay (more than 10 years ago) to get their email where it was destined. There was no spam problem, the web was trustworthy and now it only takes less than 1/2 of 1 percent of the web to destroy any trust that was out there. The number of Spammers is quite small, I believe, with most of them organised into highly proficient commercial enterprises. However the proportion of spam to genuine emails is a very different matter - I believe that spam out number the genuine emails already and are increasing much faster. Not only that, but all the scams out there are reliant on spam to succeed. The whole thing is raking in billions of dollars for the few involved. I don't trust anyone until proven safe for an inbox. Unfortunately the spam is trusted and passed on until it reaches your inbox or is filtered out just before it does. The cost of all that bandwidth has already been incurred. For every protocol that is created the spammers will find a way to abuse it. Which is why I suggest the need for a commercial/legal structure that can impose penalties on those who abuse the system and can even exclude them entirely if needed. Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 21, 2005 Share Posted December 21, 2005 The analogy of Etiquette is not accurate for the situation on the Internet. It is not a choice whether to follow the rules of the various protocols in use and they need to be so constructed as to limit abuse. Even in society where etiquette is expected there are penalties such as being not invited back - i.e. totally excluded, not just ignored but such sanctions do not exist on the Internet for Spammers in the present environment. The analogy of etiquette is absolutely accurate - the whole internet is based on voluntary cooperation. And that's one of the problems of changing the protocols, IIUC. It would mean a major change in hardware, software that many would not want to invest in. And if an IP address is ignored by enough servers, they are totally excluded. There is always a black market. There may be enough ISPs who don't use blocklists and cater to the criminals and their dupes, but normal internet use will never know (except in warnings) about that section of town. The answer must be to make it uneconomic to spam if spam is to be stopped. As I said above, there will always be enough responses to make it worth while Spamming while there is a virtually nil cost of sending. If enough end users objected to receiving spam (and indirectly paying for the bandwidth), then ISPs could charge less for those who agree to blocklisting known spam sources (at the expense of also blocking some legitimate email). Most dupes are too cheap to pay for the extra bandwidth to accept any email so that there would not be as many takers and less profit. In addition, if the *sending* end has to step up security to prevent being blacklisted, it will cost more for those who want to send bulk email. My concept is of a white list for those who comply with a secure email system. The penalty for breaching the conditions, once on the list, would be agreed commercial penalties with removal from the list as the final sanction. No emails for those not on the list would be delivered. Period. Therefore no spam within the secure environment. No cleaning up either, just policing to ensure that the rules are being followed. There are already Bonded Senders, SPF, and all kinds of whitelisting schemes using filters. Until the end user gets involved, there will not be enough commercial pressure for ISPs. There have been two discussions recently about not using large providers - for instance, not using sprint phone service because they provide China with connectivity to the rest of the world or not using the only broadband provider because they do nothing to stop users with infected machines from connecting. The number of Spammers is quite small, I believe, with most of them organised into highly proficient commercial enterprises. I can't document it, but although the number of successful spammers is quite small, part of the income from spam is selling spam kits to people who 'wannaberich' and they clutter up inboxes for a while before they lose interest or connectivity. Also, from the kind of spam that I get from time to time, I think, that just like virus writers, there are some people who just get a kick out of defeating filters. Which is why I suggest the need for a commercial/legal structure that can impose penalties on those who abuse the system and can even exclude them entirely if needed. Legal means never stopped the Nigerian scammers from sending snail mail and faxes; they won't stop them from sending email. And the biggest commercial lever is the end user. Miss Betsy Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 21, 2005 Share Posted December 21, 2005 The analogy of Etiquette is not accurate for the situation on the Internet. It is not a choice whether to follow the rules of the various protocols in use38271[/snapback] I disagree. It is a choice to follow many of the rules, because most things on the internet will work without following most of the RFC's. That is one of the problems SpamCop has run into while trying to parse email headers. Many servers and client's do NOT follow the RFC's making it difficult for the parsing to be automated. It is why some people can not report their spam. I can send an email using telnet and a minimum of 4 commands (helo, mail from, rcpt to, and data) but it does not follow most of the RFC's of a valid email message. Link to comment Share on other sites More sharing options...
PGTips91 Posted December 21, 2005 Author Share Posted December 21, 2005 I disagree. It is a choice to follow many of the rules, because most things on the internet will work without following most of the RFC's. That is one of the problems SpamCop has run into while trying to parse email headers. Many servers and client's do NOT follow the RFC's making it difficult for the parsing to be automated. It is why some people can not report their spam. I can send an email using telnet and a minimum of 4 commands (helo, mail from, rcpt to, and data) but it does not follow most of the RFC's of a valid email message. 38283[/snapback] * How many users would know what an RFC is, anyway? * This just amplifies the need for a secure environment where the rules are obligatory and are followed or the message is dropped by the first computer to receive it, minimising the waste of bandwidth. * Most people, given the choice, will chose something that works as against something that does not work. Therefore design the messaging system on the Internet to work only where compliance with necessary security procedures has been followed. As an analogy, consider the Airline industry. Not too many years ago hijackings were a common occurrence. When did the last one occur? They learned to apply stringent rules for embarkation and the hijackings have virtually ceased. When those rules are circumvented they are tightened rather than being abandoned. Same needs to happen on the Internet. Security needs to be tightened, rules made more strict, compliance needs to be non-optional where security is concerned. Whose freedoms are to be preserved, those of the ordinary user or those of the Spammers and fraudsters who are having a field day now? Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 21, 2005 Share Posted December 21, 2005 Same needs to happen on the Internet. Security needs to be tightened, rules made more strict, compliance needs to be non-optional where security is concerned. Whose freedoms are to be preserved, those of the ordinary user or those of the Spammers and fraudsters who are having a field day now? You have pointed out before that commercial/legal means are the way to achieve what you want. Legal means are fraught with difficulties because of the international nature of the internet. If you research some more and think about the implications of getting governments involved, IMHO, you will see that legal means are not a good idea. When I first started reporting spam, there were still many, many people with mailing lists that didn't follow best practices and even some ISPs that didn't have TOS or AUP. The use of blocklists has pretty well changed that. It made the spammers turn to open proxies because they can't get ISPs to host them - except in China, etc. Even so, there are Chinese ISPs who are careful (i actually had one say they stopped the spammer and AFAICT they did) and others who are inquiring about best practices. Blocklists are having an impact. And, again , if end users knew about how effective they are and the concept of blocking , they would have a lot more impact. And if legal means are not preactical, then that leaves the commercial - the internet is a new frontier in international communication and trade, not to mention the ISP and the concept of 'my server, my rules' There is no such thing as force on the internet - which is essentially what legal means are. Spammers cannot force you to accept their email. And if blocklists were the norm, they wouldn't be able to . IOW, cooperation, as in proper etiquette, is the key to making the internet a safe and pleasant place to be. Miss Betsy Link to comment Share on other sites More sharing options...
PGTips91 Posted December 21, 2005 Author Share Posted December 21, 2005 Hi Miss Betsy, It is good to have your feedback. Most of us using the Internet are not Geeks but all of us need to be involved in making the Internet a safe place to visit with our computers. I have answered your last post, item by item below. Paul The analogy of etiquette is absolutely accurate - the whole internet is based on voluntary cooperation. And all commercial activities are based on voluntary cooperation. The difference? Well commercial activities take place within a well structured environment where people's identities are verified before transacting with them and they can be held accountable if they break the rules. We have commercial practice **and** legislation **and** legal processes to hold it all together, along with Credit Bureau, Company registration, etc. to ensure compliance by the great majority of organisations and people. Shoplifting and other criminal activities still occur but in manageable volumes and culprits still get taken to court. What would happen if there were rings of criminals diverting whole truckloads of products to their own warehouses? Would we just try to educate people not to buy from doubtful outlets? Both aspects need to be covered on the Internet as well. And that's one of the problems of changing the protocols, IIUC. It would mean a major change in hardware, software that many would not want to invest in. A change in protocol would not affect hardware at all, except to the extent that it required more CPU cycles. If spam is reduced the number of wasted CPU cycles will reduce by an order of magnitude. This will mean that existing hardware will have a longer economic life as a result of more secure protocols. 70% of the servers on the Internet run on Open Source software, so an upgrade to handle improved protocols would cost a minimal amount, consistent with ongoing maintenance of the system now. 'The rest' would get free upgrades from their suppliers too as it would be a security update. The only investment would be in designing and writing the code to handle the new protocol requirements. And if an IP address is ignored by enough servers, they are totally excluded. At present no IP addresses are ignored by servers. That is why spam represents more than 50% of email traffic. spam filters may filter out emails from IP addresses that are on blocklists but this only happens in the last step before delivery to the addressee's inbox. The most of the damage has already been done before then. Since spam is on the increase, there must be enough of it getting through the filters to make it worthwhile to spam. There is always a black market. There may be enough ISPs who don't use blocklists and cater to the criminals and their dupes, but normal internet use will never know (except in warnings) about that section of town. If enough end users objected to receiving spam (and indirectly paying for the bandwidth), then ISPs could charge less for those who agree to blocklisting known spam sources (at the expense of also blocking some legitimate email). Most dupes are too cheap to pay for the extra bandwidth to accept any email so that there would not be as many takers and less profit. Here in New Zealand the major ISPs already provide free spam filtering. I have had to make a conscious choice to turn this off so that I can report the spam sent to my mailbox. While not as bright or as technically competent as some, I have become quite proficient in my use of the Internet. However when I received a spam telling me that I would lose my PayPal account unless I confirmed certain data [although I don't use PayPal], and although I knew the email was forged, when I investigated the URL that I was directed to it took a lot of digging and research to differentiate it from the real thing. Looking through the discussion board at PayPal it was clear that many normally intelligent people had been tricked into divulging their sensitive data on such sites and I now appreciate better how they could be tricked. the graphics look identical, they have their own 'security certificates', some links link back to the real PayPal site. It is most confusing and difficult to discern the subtle differences. Again, education of the user is a major part of dealing with such scams, but improving security protocols on the Internet must not be ignored either, or the scams will continue to find the vulnerable. What will happen if third-world children are supplied super-cheap computers which link them up to the Internet? Should they just be educated about the risks or should they be protected by a more secure environment? Again it must be 'both...and' not 'either...or' IMHO. In addition, if the *sending* end has to step up security to prevent being blacklisted, it will cost more for those who want to send bulk email. There would be some cost in setting up for genuine bulk emailers. This would not be onerous as it would be no more than a registration with annual upkeep. The huge advantage to them would be that their emails would **all** be delivered. I can think of one, the LangaList, which I receive and Fred Langa has complained that a sizable proportion of his mail - both in and out - does not get past the spam filters, even though it is quite legitimate traffic. He for one would be quite happy to pay a small annual fee in return for the security of knowing his mail will not be blocked. There are already commercial schemes that promise to do that which would likely cost more and succeed less. There are already Bonded Senders, SPF, and all kinds of whitelisting schemes using filters. These are just band aids on top of a bleeding wound, IMHO. What I envision would replace all these in one secure environment where spam would be virtually non-existent. Until the end user gets involved, there will not be enough commercial pressure for ISPs. There have been two discussions recently about not using large providers - for instance, not using sprint phone service because they provide China with connectivity to the rest of the world or not using the only broadband provider because they do nothing to stop users with infected machines from connecting. China is a problem, true, but the bulk of the problem is in the USA itself with Canada next. If none of the current 'solutions' are working in the USA or Canada they certainly will not work for places like China, Korea, South America or Africa. I can't document it, but although the number of successful spammers is quite small, part of the income from spam is selling spam kits to people who 'wannaberich' and they clutter up inboxes for a while before they lose interest or connectivity. Also, from the kind of spam that I get from time to time, I think, that just like virus writers, there are some people who just get a kick out of defeating filters. I don't get a lot of spam and it may not be representative of the overall position, but [my guess] 80% advertises pirated software, the balance being a mix of drugs, replica watches, diplomas, and the odd Phishing email. Some virus-disseminated emails also get trapped by the spam filters although they are more likely to be trapped by the anti-virus filters. The main spam sources are now highly professional and commercialised. I read recently where one advertised 'the first hour free'. With Botnets numbering in the tens of thousands available for hire and Spammers running their own ISPs the need for proper, enforceable security is apparent. Legal means never stopped the Nigerian scammers from sending snail mail and faxes; they won't stop them from sending email. And the biggest commercial lever is the end user. You seem pessimistic that Internet security can be implemented. When was https:// protocol introduced? Would you like to be without it today? Secure email is in the same category - necessary and feasible. Why not do it? Link to comment Share on other sites More sharing options...
PGTips91 Posted December 21, 2005 Author Share Posted December 21, 2005 As a PS to my last post, there is an interesting article on https at http://en.wikipedia.org/wiki/HTTPS which says: -- This system was invented by Netscape Communications Corporation to provide authentication and encrypted communication and is widely used on the Web for security-sensitive communication, such as payment transactions. Following a link from there I found: -- SSL/TLS Strong Encryption: An Introduction http://httpd.apache.org/docs/2.0/ssl/ssl_intro.html SSL/TLS Strong Encryption: An Introduction   The nice thing about standards is that there are so many to choose from. And if you really don't like all the standards you just have to wait another year until the one arises you are looking for.   -- A. Tanenbaum, "Introduction to Computer Networks" As an introduction this chapter is aimed at readers who are familiar with the Web, HTTP, and Apache, but are not security experts. It is not intended to be a definitive guide to the SSL protocol, nor does it discuss specific techniques for managing certificates in an organization, or the important legal issues of patents and import and export restrictions. Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, and examples as a starting point for further exploration. This could be a good starting point for further study of what might be required in a secure email system. Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 22, 2005 Share Posted December 22, 2005 Shoplifting and other criminal activities still occur but in manageable volumes and culprits still get taken to court. What would happen if there were rings of criminals diverting whole truckloads of products to their own warehouses? Would we just try to educate people not to buy from doubtful outlets? Both aspects need to be covered on the Internet as well. That is the same thing I said that you called 'pessimistic' If you use a blocklist (or your ISP), none of your email would be 'hijacked' There is a point where a combination of ignorance, greed, and stupidity on the part of the end user and the criminal or just legal scam artist will always be able to meet. It will be a choice, however, if responsible, competent ISPs and end users who have a basic education are in the majority The only investment would be in designing and writing the code to handle the new protocol requirements. I can't answer this argument because I don't know enough about it; however I have seen this discussion before and the 'experts' don't think it will work. Anything that is done will be in the same category as Bonded Senders, Truste, SPF (or is it SFP?). All of them would /stop/ spam if used by a majority. At present no IP addresses are ignored by servers. There are lots of IP addresses ignored by servers. Although Spamcop blocklist recommends tagging (and the Spamcop email service uses it that way), many server admins use it to reject at the server - usually in combination with other blocklists. At last count there were over 400 public blocklists and many server admins have their own. NONE of those emails ever enters their system; they are all returned to the sender (or if it is an open proxy, they have to be discarded). I can think of one, the LangaList, which I receive and Fred Langa has complained that a sizable proportion of his mail - both in and out - does not get past the spam filters, even though it is quite legitimate traffic. He for one would be quite happy to pay a small annual fee in return for the security of knowing his mail will not be blocked. There are already commercial schemes that promise to do that which would likely cost more and succeed less. Fred Langa has visited the spamcop newsgroup and presented his side of the story. However, basically the reason that his newsletter is blocked is because he continues to use an IP address that also serves people who do not use good mailing practice, IIRC. He is not the least bit interested in cooperating with those who use blocklists and has absolutely no patience with end users who get mixed up and report confirmation emails as spam - although at least with a spamcop report, he knows that they have done it. If the end user was using an after the acceptance spam filter and got confused, he would have someone who thought his list was uninterested in another user because the end user would JHD and Langa would never know it. Langa may be a good source on other computer areas, but he either doesn't understand or won't cooperate with the ways that others on the internet are controlling spam. It is much more likely that, if the end user doesn't whitelist his newsletter, to be caught by content, after acceptance filters, and disappear rather than being blocked with a message why. The blocklist concept is very simple. It puts the burden of not allowing spam to be sent on the *sending* end where it is the only place that it can be controlled. It provides feedback for legitimate email if there is a problem and the amount of time that one cannot use that particular email is no longer than backhoe or thunderstorms (though it is still possible to use alternate email addresses from other unblocked servers). It is widely used now. The only reason that it is not more widely used is because ISPs won't educate their customers that it is a great system because they are afraid that people won't understand. And note I am not talking about spamcop exclusively. Most ISPs use a combination. the spamcop blocklist has become an early warning system for admins who have a problem. People also use the spamvertized web sites to filter (one admin said that he estimated that caught about 25%) There are already laws against the phishers, the Nigerian scams, the unlicensed drugs, etc. There is even one scheme that involves Haiku that was going to try to use copy right laws (every legitimate emailer would use a haiku in the headers and be accepted; if a spammer used the haiku to get accepted, they would sue). I think I saw (in this topic) laws against trepass that could be used. And I definitely think that porn spam is harassment. In addition, I believe that because of the phishers, it is not common practice that no legitimate business sends a link to have you 'confirm' or do anything of a sensitive nature. People don't trust phone calls (though the same scam works on the phone and every once in a while there is a warning in the paper that scammers are operating in this area) so why should they trust emails? It is because of no education and whose fault is that? Miss Betsy Link to comment Share on other sites More sharing options...
PGTips91 Posted December 25, 2005 Author Share Posted December 25, 2005 Happy Christmas Miss Betsy et al, and a spam-free new year! I still believe that it is not impossible, not even difficult, to eliminate spam entirely from the Internet. All it would take is a protocol that is designed with security in mind. That and a commercial/legal structure that would support it with penalties in place for breaches of the protocol. Etiquette requires that someone be introduced by another who knows both them and the person to whom they wish to be introduced. In terms of email, this would mean that before sending an email to the secure email zone the sender would have to proffer their identity as authenticated by another, trusted, party. A quick DNS query would ascertain if this has been followed. The place for spam to be dropped is at the first server receiving it, not, as at present, at the recipient's ISP or inbox . If the protocol indicates that the destination is in the 'secure email zone' and the protocol has not been followed, it should be put in the bit bucket right there. since this would mean that 100% of spam never made it through with, 0% false positives, spam would be entirely eliminated for those participating in the secure email zone. I can imagine businesses moving over almost immediately, with all responsible ISPs offering the service shortly thereafter. The Spammers and irresponsible ISPs would, in short space, be left out in the cold where they belong. No compulsion, no Government intervention, just choice combined with the right protocols and commercial/legal structures. I repeat my first question, what would it take to achieve this desirable end? There are lots of details to fill in, but the idea is workable, IMHO. Has anyone got anything positive to add? Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 25, 2005 Share Posted December 25, 2005 I repeat my first question, what would it take to achieve this desirable end? There are lots of details to fill in, but the idea is workable, IMHO. It is just about as workable as the system of blocklists is. You can't have legal without getting governments involved. There are already a number of ways that servers drop (or reject which is according to netiquette) email that is not according to protocol. What would it take to achieve this desirable end? I keep saying it: "Get the consumer to demand responsible ISPs" is my opinion. Others have other opinions. Miss Betsy Link to comment Share on other sites More sharing options...
PGTips91 Posted December 25, 2005 Author Share Posted December 25, 2005 Miss Betsy 38421[/snapback] It is just about as workable as the system of blocklists is. Not so. Blocklists work at the opposite end of the process. My proposal would block the sending of the email at the start of the sending dialog unless the sender complied with the secure protocol. Thus, sending IP says (I'm simplifying), "Helo, I wish to send emails". Next server says, "Who are you?" Sending IP says, "I'm a customer of XYZ ISP" Server checks to see if the IP address is listed as an email server for XYZ ISP using a DNS lookup. If the IP address is not a valid one for XYZ ISP then server says, "Sorry you don't have permission to send" [This would automatically block all the Zombies that Spammers use now, with no need to continually report and block them, saving most of the current effort at SpamCop.] Compare that with billions of emails getting all the way to the addressee's email server before being filtered out, maybe. My proposal would stop the spam from being sent in the first place, period, saving two thirds of the current bandwith used by emails. You can't have legal without getting governments involved. There are already a number of ways that servers drop (or reject which is according to netiquette) email that is not according to protocol. You seem to have a fixation on this. The government is not involved in most legal matters. Laws and law courts are different from governments. Governments do make laws, but not all laws are made by governments. How much law have you studied? I am not a lawyer, but I did study Commercial Law many years ago when doing a Commerce degree and most of the commercial law came from Common Law, which in turn depended on commercial practice [something very akin to your 'Netiquette'] and developed over centuries of litigation. Most of this still applies today unless specifically superseded by legislation. Commercial agreements are upheld by the legal system - and this has nothing to do with governments. Forget governments, I never mentioned them in what I am proposing ( except it might be inferred by my reference to the Companies Office, which is a quasi-governmental department in NZ). From what I have seen, in the USA any way, the kind of legislation to expect would be more than likely to be favourable to Spammers. What would it take to achieve this desirable end? I keep saying it: "Get the consumer to demand responsible ISPs" is my opinion. Others have other opinions. Well that is akin to cleaning the Aegean Stables of legend. How do you propose to "Get the consumer" to do anything differently from what they are doing now? Where does freedom of choice come into that? Can you educate someone who does not want to learn or is incapable of learning? I am still looking for a positive response to getting a better system than exists now. Any helpers? Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 25, 2005 Share Posted December 25, 2005 Thus, sending IP says (I'm simplifying), "Helo, I wish to send emails". Next server says, "Who are you?" Sending IP says, "I'm a customer of XYZ ISP" Server checks to see if the IP address is listed as an email server for XYZ ISP using a DNS lookup. If the IP address is not a valid one for XYZ ISP then server says, "Sorry you don't have permission to send" They already do that. It's called DNS look up. I think that SFP (SPF) is based on the same theory (so is the haiku scheme). Many servers don't accept from dynamic IP addresses. The reason the techies are not answering is that you don't seem to know even basic technical knowledge. And if commercial law is basically common law, then the internet is a completely free market driven entirely by what the consumer wants and will pay for. I know that it is frustrating. Miss Betsy Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 25, 2005 Share Posted December 25, 2005 Thus, sending IP says (I'm simplifying), "Helo, I wish to send emails". Next server says, "Who are you?" Sending IP says, "I'm a customer of XYZ ISP" Server checks to see if the IP address is listed as an email server for XYZ ISP using a DNS lookup. If the IP address is not a valid one for XYZ ISP then server says, "Sorry you don't have permission to send" Compare that with billions of emails getting all the way to the addressee's email server before being filtered out, maybe. 38422[/snapback] Paul: Do you realize that in most circumstances, your "Next server" is the "addressee's email server" causing the "filtered out" to be the same location? Do you realize you have just described SPF (Sender Permitted From) which breaks many configurations currently in place (for instance using only one email address for receiving no matter what ISP you are connected to and almost ALL forwarding schemes)? Please explain how I could use my SpamCop email address for all email no matter which of the 3 or more ISP's I am connected to at the time. I Have my cable ISP at home, my work servers, and a dialup service for when I am on the road. I could also be in a hotel somewhere trying to send email from there but wnat all these messages to appear to come from my home address (to keep seperate contacts). Link to comment Share on other sites More sharing options...
mshalperin Posted December 25, 2005 Share Posted December 25, 2005 I am still looking for a positive response to getting a better system than exists now. Any helpers? 38422[/snapback] One way would be to centralize email service so that it functioned independently of ISP's (which would serve only as gateways to and from the end users). Email would be a pay-per-unit service like snail mail postage. The main reason why there is so much less "junk" snail mail than spam is that it is a lot more expensive to the sender. This central agency (government or "private" UPS like) would have the clout to collect the postage in advance and would make it extremely difficult to obscure or forge the sender. Also, as there are big $$$ involved, surveillance of illegal activities and abuse would be a lot more stringently enforced. (Not that they're not doing it already) the FBI, CIA, SEC, DEA, NSC, etc. would be openly monitoring content as there is not even the pretense of privacy as there is with snail mail. This would need to be internationally accepted to be enforceable, which would be difficult - but the US has enough cruise missiles and nukes to effect compliance. Nothing can eliminate spam entirely and more than any other undesirable or illegal activity, but this would go a long way to reduce it. The question is - do you think it's worth the price? Link to comment Share on other sites More sharing options...
PGTips91 Posted December 25, 2005 Author Share Posted December 25, 2005 38429[/snapback] Paul: Do you realize that in most circumstances, your "Next server" is the "addressee's email server" causing the "filtered out" to be the same location? Do you realize you have just described SPF (Sender Permitted From) which breaks many configurations currently in place (for instance using only one email address for receiving no matter what ISP you are connected to and almost ALL forwarding schemes)? No, Steven, I based my thinking on the idea that all traffic on the Internet [physical network] proceeds as packets sent using the DNS, HTTP and other protocols, and that this would include the email system. Therefore I assume that each email would progress along a path similar to that revealed by a Traceroute search which would show multiple hops from the sender to the receiver, of the order of 20 or so typically. If I were to send an email, it would go, first to my own email server, Proxy+, then to my ISP,currently smtp.wxc.co.nz, then they would transfer it to ... and finally the ISP of the recipient would get the packet(s). With my proposal, instead of using smtp [simple Mail Transfer Protocol], I would have to use a new protocol - [smtp?? - Secure Mail Transfer Protocol] - and this would check at the border of the secure network that it was coming from a legitimate sender and drop it at the border if it did not pass the right IP information about me or my ISP [held on DNS servers]. This would mean that all smtp servers participating in the secure network would have to be recorded in the DNS records for their domain, something that is already being done partially, so it cannot be an insoluble problem. Please explain how I could use my SpamCop email address for all email no matter which of the 3 or more ISP's I am connected to at the time. I Have my cable ISP at home, my work servers, and a dialup service for when I am on the road. I could also be in a hotel somewhere trying to send email from there but want all these messages to appear to come from my home address (to keep separate contacts). Carrying on from what I have said above, you would need to authenticate yourself to your ISP before 'sending' any email messages and they would have to authenticate you as a legitimate member of the secure email network. Of course, each layer of authentication would require a legally binding agreement between both parties that enabled penalties to be imposed for breaches of the agreement with fuller sanctions for repeated breaches, such as banning from the secure network for a limited or unlimited time depending on the severity of the breaches. In short, I don't see any insuperable problems with this scheme. Paul Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 26, 2005 Share Posted December 26, 2005 No, Steven, I based my thinking on the idea that all traffic on the Internet [physical network] proceeds as packets sent using the DNS, HTTP and other protocols, and that this would include the email system. Therefore I assume that each email would progress along a path similar to that revealed by a Traceroute search which would show multiple hops from the sender to the receiver, of the order of 20 or so typically.38433[/snapback] Packets travel that way, not HTTP, DNS or SMTP which are higher level protocols. Routers sent the packets over these hops to the end server which "re-assembles" the message. If I were to send an email, it would go, first to my own email server, Proxy+, then to my ISP,currently smtp.wxc.co.nz, then they would transfer it to ... and finally the ISP of the recipient would get the packet(s).38433[/snapback] That is the way the packets would travel, but NOT how the message travels. Your mail server generally sends a connect message to the remote server, who answers by sending a reply back and the connection progresses. Carrying on from what I have said above, you would need to authenticate yourself to your ISP before 'sending' any email messages and they would have to authenticate you as a legitimate member of the secure email network. Of course, each layer of authentication would require a legally binding agreement between both parties that enabled penalties to be imposed for breaches of the agreement with fuller sanctions for repeated breaches, such as banning from the secure network for a limited or unlimited time depending on the severity of the breaches. 38433[/snapback] There is already a legally binding agreement every step of the way right now. It is called the AUP (Acceptable Use Policy) that every ISP (I am aware of) requires customers to agree to in exchange for providing the connectivity (including spammy ISP's). The enforcement of that AUP is the problem. SpamCop's list is a compilation of ISP's that have let people break that AUP over a certain level and spamcop reports are letting that ISP know of these infractions. To be honest, mshalperin's idea of a separate mail provider service makes more sense to me, removing the burden from the ISP's. The problem is getting people to pay to send emails in a culture where it has always been free. And to be honest, MOST people I know get lots of spam and are fine with the JHD mentality. I saw my Brother-in-Law go through his email and delete over 100 messages (about 85-90% of all the messages there). When I asked him about it, he was not bothered by it. I guess my basic point is, if it were simple to replace the system, it would have been done. It is not like people are not trying, there are LOTS of ways people have tried. If you think you have the better mousetrap, develop it and let the world beat down your door. Good luck Link to comment Share on other sites More sharing options...
PGTips91 Posted February 15, 2006 Author Share Posted February 15, 2006 spam Growth Symantec: spam growth slowing at last Brightmail's research shows 67 percent of e-mail is now spam By John E. Dunn, Techworld.com January 12, 2005 The volume of e-mail made up of spam has stabilized, according to figures from Symantec's (Profile, Products, Articles) Brightmail unit. Not only has the percentage of spam been increasing, but as Spammers have to try harder to get through the spam filters, the size of each email is also increasing. Many of those that I receive are mainly JPEG files and when I see a larger than normal email I can almost predict that it will be spam. These, with hidden 'innocuous' text and with no detectable URLs, are passing through the spam filters. The need for reform still remains in spite of several partial solutions proposed nearly a decade ago. The current system has been almost unchanged since the beginning of the Internet. Does anyone remember how much spam there was ten years ago? Proprietary solutions will not work on their own and are in a kind of parasitic relationship with spam anyway. Until the wider community of email users get involved in demanding and providing a solution we will continue to sink under this avalanche of unwanted garbage. Paul Link to comment Share on other sites More sharing options...
Miss Betsy Posted February 15, 2006 Share Posted February 15, 2006 spam Growth <snip> Proprietary solutions will not work on their own and are in a kind of parasitic relationship with spam anyway. Until the wider community of email users get involved in demanding and providing a solution we will continue to sink under this avalanche of unwanted garbage. 40484[/snapback] I definitely agree that any kind of content filters are in a 'parasitic' relationship. However, the use of blocklists based on IP addresses *has* worked in that few ISPs permit the 'sending' of spam. Most of the spam sent today is sent through open proxies and compromised machines. You are correct in that the only reason that spam has not disappeared is that 'the wider community of email users' are not involved. For whatever reasons, the IT community will not, or cannot, convey the understanding about 'responsible' use being necessary for individual users of the internet. It is silly because people understand about responsible use for traffic on highways. Miss Betsy Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.