IETF Logo Mail Archive

Re: [Asrg] seeking comments on new RMX article

Vernon Schryver <vjs@calcite.rhyolite.com> Mon, 05 May 2003 20:27 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14977 for <asrg-archive@odin.ietf.org>; Mon, 5 May 2003 16:27:17 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h45KZPL32097 for asrg-archive@odin.ietf.org; Mon, 5 May 2003 16:35:25 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h45KZP832094 for <asrg-web-archive@optimus.ietf.org>; Mon, 5 May 2003 16:35:25 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14792; Mon, 5 May 2003 16:26:46 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19CmZv-0000aU-00; Mon, 05 May 2003 16:28:51 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19CmDF-0000I0-00; Mon, 05 May 2003 16:05:25 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h45K6r830183; Mon, 5 May 2003 16:06:53 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h45Jld829343 for <asrg@optimus.ietf.org>; Mon, 5 May 2003 15:47:39 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA13667 for <asrg@ietf.org>; Mon, 5 May 2003 15:38:47 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19ClpU-000091-00 for asrg@ietf.org; Mon, 05 May 2003 15:40:52 -0400
Received: from calcite.rhyolite.com ([192.188.61.3]) by ietf-mx with esmtp (Exim 4.12) id 19ClpO-00008b-00 for asrg@ietf.org; Mon, 05 May 2003 15:40:46 -0400
Received: (from vjs@localhost) by calcite.rhyolite.com (8.12.9/8.12.9) id h45Jdq8w026810 for asrg@ietf.org env-from <vjs>; Mon, 5 May 2003 13:39:52 -0600 (MDT)
From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305051939.h45Jdq8w026810@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] seeking comments on new RMX article
References: <E19Ckqn-0006iK-00@mail.nitros9.org>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 05 May 2003 13:39:52 -0600

> From: "Alan DeKok" <aland@freeradius.org>

> ...
>   It's really a mind-set issue.  I want to have the ability to use all
> of the tools at my disposal to fight spam.  Some people want to
> prevent me from using certain tools, because they don't find those
> tools useful.  Why that happens is question for psychology, and is
> outside of the scope of this group.

If you really think RMX (or anything else) is worthwhile, then you
should already have written and deployed some code.   So please say
how it's working.

In fact, no one is preventing you from using RMX or any other tactic
you like (subject to the terms of service of your ISP).  What you are
not getting are accolades for the silver bullet and volunteers to do
all of the work and then present it on a silver platter.

I think there are some early implementations of RMX, but that they
are not working is not the result of efforts of the "legacy internet
engineers" who prevented the spread of IPv8 and suppressed the discovery
of how to encode more than 4,294,967,296 addresses in 32 bit.

 ......



] From: "Eric D. Williams" <eric@infobro.com>

] ...
] I think the premise is that RMX is about finding a method to give 
] accountability.

] ...
] Part of the 'spam' problem lies in accountability.  ...

How so?  Why do you care who Alan Ralsky is, since you surely won't
be sending him bomb threats or signing him up for junk postal mail.

Who cares who "Bill Zhang" of "Sunshine" in China really is, besides
his ISPs and people who fight spammers instead of spam?  As long as his
ISPs connect his computers and those of his customers, what anti-spam
accountability does RMX or any mail sender tagging scheme give?  If RMX
or some other tagging scheme were universal, and if you could keep "Bill
Zhang" from signing up for as many RMX tags as he has domains, one might
argue that it could have some effect.  (He seems to make create several
new domains/day.  Why don't the ICANN rules against his obviously bogus
WHOS data make him "accountable" or stop him?)  It's trivial to recognize
mail from "Bill Zhang" by checking the whois data on the domain names
in his messages.  What is the difference between using port 53 or port
43 for "accountability" for his large volumes of spam?

What accountability is lacking but would be provided by RMX for the
unsolicited bulk email from Verisign, American Express, Roving Software,
Topica, and the rest of the Fortune 50,000 that would be our topic if
the "Bill Zhangs" were not so productive?  The Fortune 50,000 send
with unforged headers that point directly at themselves.

The immediate purpose of RMX bits is to let SMTP servers compare IP
addresses to sender domain names and so stop what some people call
forgery.  However, the RMX bits for commonly "forged" domains including
Yahoo, AOL, and Microsoft would say "all IP addresses can send from
our domain", because they have significant numbers of users who use
other sending ISPs.

Does SMTP-TLS enforce a valuable anti-spam accountablity?  SMTP-TLS
has been available for years for free in the popular SMTP implementations,
so why it used by less than 1%, not to mention more than 80% of the
net?  Every organization with web pages that can be fetched by HTTPS
has certificates that could be used with SMTP-TLS.  Most of those
certificates are signed by major commercial PKI vendors.  Why isn't
that "accountability" useful?  If it is useful against spam, why isn't
it being used?  Why is the RMX accountability useful but the SMTP-TLS
accountability useless?

The underlying problem is that people who advocate RMX, TOES,
authentication, or content tagging hope that some magic technology
will finger spammers.  They don't want to be bothered with the standard
work of collaring bad guys.  They don't care that counting coup on
spammers by saying "I know who you are" never stops any spam.  Those
who are serious about fighing spammers instead of fighting spam don't
need RMX or any of the other superficial quick fixes.  That's demonstrated
in web pages such as http://www.spamhaus.org/rokso/


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.23.0 | Report a Bug | By Email