RE: [Asrg] seeking comments on new RMX article

"Eric D. Williams" <eric@infobro.com> Tue, 06 May 2003 16:13 UTC

Message-ID: <01C313C6.E6FCDED0.eric@infobro.com>
From: "Eric D. Williams" <eric@infobro.com>
To: 'Vernon Schryver' <vjs@calcite.rhyolite.com>, "asrg@ietf.org" <asrg@ietf.org>
Subject: RE: [Asrg] seeking comments on new RMX article
Organization: Information Brokers, Inc.
Date: Tue, 06 May 2003 11:18:07 -0400


On Monday, May 05, 2003 3:40 PM, Vernon Schryver 
[SMTP:vjs@calcite.rhyolite.com] wrote:
8<...>8
> ] From: "Eric D. Williams" <eric@infobro.com>
>
> ] ...
> ] I think the premise is that RMX is about finding a method to give
> ] accountability.
>
> ] ...
> ] Part of the 'spam' problem lies in accountability.  ...
>
> How so?  Why do you care who Alan Ralsky is, since you surely won't
> be sending him bomb threats or signing him up for junk postal mail.

It is my prerogative to act as I stipulate in policy, or not, relative to 
information I can gather.  The point is that appropriate policy can be defined 
at a policy boundary associated with an RMX result (whatever that is) and 
applied to my liking.

>
> Who cares who "Bill Zhang" of "Sunshine" in China really is, besides
> his ISPs and people who fight spammers instead of spam?

There is a flaw in this statement.  It pre-supposes what policy I will apply to 
an RMX result.  It remains a sysadmin's responsibility (typically) to establish
controls at the policy boundary.  That of course could be anything in the 
universe of options available to the sysadmin including rejecting, accepting, 
redirecting, forwarding, etc.

>                                                           As long as his
> ISPs connect his computers and those of his customers, what anti-spam
> accountability does RMX or any mail sender tagging scheme give?

I am not sure why you think of RMX as a tagging scheme, do you consider DNS a 
tagging scheme or a naming scheme?  Do you consider tagging and naming as 
merely a semantic distinction?  In any event my read is that RMX does not make 
a 'sender' accountable; it allows the recipient system/administrator to make
policy judgements based on objective information and if used by a spammer 
exposes the 'so-called' true authorized origination point for a domain (that's 
accountability).

>                                                                   If RMX
> or some other tagging scheme were universal, and if you could keep "Bill
> Zhang" from signing up for as many RMX tags as he has domains, one might
> argue that it could have some effect.  (He seems to create several
> new domains/day.  Why don't the ICANN rules against his obviously bogus
> WHOIS data make him "accountable" or stop him?)  It's trivial to recognize
> mail from "Bill Zhang" by checking the whois data on the domain names
> in his messages.  What is the difference between using port 53 or port
> 43 for "accountability" for his large volumes of spam?

To answer your question which I think is 'what's the difference with using DNS 
vs. WHOIS?' I don't believe there is a difference for domains that are listed 
in "From:" and "Received by:" headers that is accurate; however, I think that
RMX endeavors to address the problem of inaccurate information in that data 
set.  If I can know, for the purpose of establishing policy, that an IP address 
and domain do not match header information (in the context of the SMTP 
transaction) I consider that valuable information, even if it is only for 
post-hoc filter implementation.  As far as ICANN rules, the RMX proposal does 
not address that.

> What accountability is lacking but would be provided by RMX for the
> unsolicited bulk email from Verisign, American Express, Roving Software,
> Topica, and the rest of the Fortune 50,000 that would be our topic if
> the "Bill Zhangs" were not so productive?  The Fortune 50,000 send
> with unforged headers that point directly at themselves.

I don't think RMX is in effect either a legitimizer or eliminator of spam.  I 
do think that RMX provides a scalable, 'adoption-worthy', un-encumbered,

> The immediate purpose of RMX bits is to let SMTP servers compare IP
> addresses to sender domain names and so stop what some people call
> forgery.  However, the RMX bits for commonly "forged" domains including
> Yahoo, AOL, and Microsoft would say "all IP addresses can send from
> our domain", because they have significant numbers of users who use
> other sending ISPs.

I don't agree.  I think there are other means to establish domain/IP 
associations.  Specifically, modifications or extensions to DHCP or other 
dynamic configuration protocols may be valuable work to look into for this 
group.  In any event the introduction of any proposal, including RMX, does not 
eliminate the viability of other mechanisms e.g. SMTP-AUTH, SMTP-TLS, etc.

> Does SMTP-TLS enforce a valuable anti-spam accountability?  SMTP-TLS
> has been available for years for free in the popular SMTP implementations,
> so why is it used by less than 1%, not to mention more than 80% of the
> net?  Every organization with web pages that can be fetched by HTTPS
> has certificates that could be used with SMTP-TLS.  Most of those
> certificates are signed by major commercial PKI vendors.  Why isn't
> that "accountability" useful?  If it is useful against spam, why isn't
> it being used?  Why is the RMX accountability useful but the SMTP-TLS
> accountability useless?

I don't think measurement of adoption is a viable metric at this point unless 
it is associated with a failed concept or some that don't meet our minimum 
requirements.  Perhaps SMTP-TLS was not 'what the people wanted'.  Any proposal 
that can demonstrably show 'what the people want' does not necessarily have to 
be 'what the people need' or 'what the people asked for'.  Accountability is 
not tied to any specific proposal.  Accountability should, IMHO, be reviewed in 
any proposal as a requirement or goal.

> The underlying problem is that people who advocate RMX, TOES,
> authentication, or content tagging hope that some magic technology
> will finger spammers.  They don't want to be bothered with the standard
> work of collaring bad guys.  They don't care that counting coup on
> spammers by saying "I know who you are" never stops any spam.

I don't agree.  I think the problem is that we have not truly reviewed any 
approach that is the 'silver bullet' and probably won't ever see one.  As I 
said accountability is an important concept for formulating and establishing 
appropriate policy boundaries, knowing who someone is vs. who they purport to 
be is a valuable bit of information no matter where it comes from.
Establishing an appropriate policy boundary and effective (by some measure)
enforcement controls is I think a consensus goal.  It is the method and means 
of doing that where we are focusing in this group.

>                                                                Those
> who are serious about fighting spammers instead of fighting spam don't
> need RMX or any of the other superficial quick fixes.  That's demonstrated
> in web pages such as http://www.spamhaus.org/rokso/

I understand your point, however I think with work RMX can be evolved into a 
more effective accountability mechanism; I am willing to participate in that
endeavor.  I don't understand what your premise is for the statement "Those who 
are serious".  I am serious about researching this issue to help formulate a 
set of solutions and approaches that CAN work.  I can not predict adoption or 
non-adoption and I do not attempt to evaluate the motives, resolve or agendas 
of the other participants in this group.  I would like to evaluate proposals
using objective technical measures.

-e
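
The check both writers discuss above (comparing the connecting IP address to the sender domain, then applying local policy to the result), as an added example that is not part of the original message or of the RMX proposal. The record table, domain names, result names and policy actions are constructed assumptions, not RMX syntax. The OPEN result covers the objection quoted in the thread: a domain that authorizes every address gives the receiver nothing to act on.

```python
import ipaddress
from enum import Enum

class Result(Enum):
    AUTHORIZED = "authorized"      # client IP is inside a published network
    UNAUTHORIZED = "unauthorized"  # record exists, client IP is outside it
    OPEN = "open"                  # domain authorizes every address
    NO_RECORD = "no_record"        # domain publishes nothing

# Constructed stand-in for per-domain sender records fetched from DNS.
# Domains and networks are documentation values, not real data.
SENDER_RECORDS = {
    "example.com": ["192.0.2.0/24", "2001:db8:10::/48"],
    "bigwebmail.example": ["0.0.0.0/0", "::/0"],
}

# Hypothetical receiver-side policy: the lookup only yields a result;
# what to do with it is decided locally at the policy boundary.
POLICY = {
    Result.AUTHORIZED: "accept",
    Result.UNAUTHORIZED: "reject",
    Result.OPEN: "accept-and-filter",
    Result.NO_RECORD: "accept-and-filter",
}

def check_sender(client_ip, mail_from):
    """Compare the SMTP client IP with the envelope sender's domain record."""
    domain = mail_from.rsplit("@", 1)[-1].lower().rstrip(".")
    nets = SENDER_RECORDS.get(domain)
    if not nets:
        return Result.NO_RECORD
    ip = ipaddress.ip_address(client_ip)
    # Only networks of the client's address family can match.
    same_family = [n for n in map(ipaddress.ip_network, nets)
                   if n.version == ip.version]
    if any(n.prefixlen == 0 for n in same_family):
        return Result.OPEN  # a match here carries no information
    if any(ip in n for n in same_family):
        return Result.AUTHORIZED
    return Result.UNAUTHORIZED

def decide(client_ip, mail_from):
    """Return (lookup result, local policy action) for one SMTP transaction."""
    result = check_sender(client_ip, mail_from)
    return result, POLICY[result]
```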