Fwd: Re: [Asrg] Consent Proposal

[Yakov Shafranovich <research@solidmatrix.com>]

>X-Originating-IP: [62.252.200.188]
>X-Originating-Email: [markmccarron_itt@hotmail.com]
>From: "Mark McCarron" <markmccarron_itt@hotmail.com>
>To: research@solidmatrix.com
>Subject: Re: [Asrg] Consent Proposal
>Date: Mon, 30 Jun 2003 18:33:33 +0000
>X-OriginalArrivalTime: 30 Jun 2003 18:33:34.0102 (UTC) 
>FILETIME=[1CD52360:01C33F36]
>
>
>I believe the answer is yes.  I just used a calculator at Paul Judge's 
>website and I put in the values of 1000 employees with an average salary 
>of $15,000 and recieving 20 spam messages a day.  It calculated that it 
>would cost the business $31,250 per year.
>
>The issue is not going to come down to end-users, but business 
>losses.  Add to this the financial damage caused by virus', worm's, 
>trojans and hoax emails this cost just skyrockets per annum.  The future 
>is only set to get worse, especially with more eastern block countries 
>expanding their networks without the proper legal frameworks.
>
>Mark McCarron.
>
>
>>From: Yakov Shafranovich <research@solidmatrix.com>
>>To: "Mark McCarron" <markmccarron_itt@hotmail.com>,asrg@ietf.org
>>Subject: Re: [Asrg] Consent Proposal
>>Date: Mon, 30 Jun 2003 14:26:28 -0400
>>
>>This raises an interesting issue for the group in general. If the current 
>>spam problem is not fixed, would there be a move to proprietary 
>>alternative email solutions such as this one?
>>
>>Yakov
>>
>>At 06:21 PM 6/30/2003 +0000, you wrote:
>>
>>
>>>The 'GIEIS' system is not designed to be backwards compatible.  There is 
>>>no possible way for any solution to arise using the current system.  If 
>>>it could be achieved it would have happened by now.
>>>
>>>I am completely unconcerned with objections.  As I said before, I not 
>>>designing a system to win a 'popularity' contest.  I am concerned with 
>>>only one thing, complete effectiveness.  Nothing else.
>>>
>>>I looked at the systems you from the links you provided.  They can all 
>>>be bypassed without too much effort.
>>>
>>>It will not be an alternative, the system will not be active until the 
>>>patner companies are ready.  Then it will become exclusive.
>>>
>>>I read mike's proposal, its slightly different from my system.  You will 
>>>understand this within the next hour or so.
>>>
>>>Mark McCarron.
>>>
>>>
>>>
>>>>From: Yakov Shafranovich <research@solidmatrix.com>
>>>>To: "Mark McCarron" <markmccarron_itt@hotmail.com>,asrg@ietf.org
>>>>Subject: Re: [Asrg] Consent Proposal
>>>>Date: Mon, 30 Jun 2003 13:54:33 -0400
>>>>
>>>>At 05:06 PM 6/30/2003 +0000, Mark McCarron wrote:
>>>>
>>>>>Thankyou for your reply.  I have not been posting this conversation to 
>>>>>the group.  You can if you wish, you have my full permission to do so.
>>>>>
>>>>>Sorry, I wasn't refering to you personally about selling anti-span 
>>>>>solutions, that was just a general comment.  'The Ultimate Spam 
>>>>>System' may be too hard to handle, but that is an accurate description 
>>>>>of the system.
>>>>
>>>>There are numerous other proposals that seek to change the underlying 
>>>>infrastructure - YOU ARE NOT ALONE. Example of this would be Walter 
>>>>Dnes's proposal, another example would the AMDP protocol 
>>>>(http://www.amdpmail.com/), MTP protocol 
>>>>(http://www.danisch.de/tmp/draft_mtp.txt), etc. Also take a look at 
>>>>this list message 
>>>>(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg00882.html) 
>>>>that lists objection to new systems.
>>>>
>>>>>Also, as you learn within the next few hours, the system will be near 
>>>>>impossible to hack based upon its architecture.  I have complete the 
>>>>>overview today, and it will be released in the next coming hours to 
>>>>>the mailing group.
>>>>>
>>>>>I feel that change to the architecture is the magic bullet 
>>>>>solution.  I am not claiming this will be easy, but it is certainly 
>>>>>far from impossible.
>>>>
>>>>We know as a group that changing the architecture will significantly 
>>>>reduce the spam problem. However, moving over and implementing such 
>>>>change is extremely hard as Alan DeKok and many other pointed out. Our 
>>>>goal is to create a cohesive framework for anti-spam solutions with 
>>>>short, medium and long term solutions.
>>>>
>>>>>This will not be an alternative email system that will reside along 
>>>>>side the current one.  It will replace it completely making it 
>>>>>entirely redundant.
>>>>
>>>>However until it does, it will operate side by side with the regular 
>>>>SMTP. Thus, its alternative.
>>>>
>>>>>The US military is instigating a change to IPv6 in mid 2004 or 2006 
>>>>>(I'll clear that date up, the source is at Reuters, I read it a few days ago).
>>>>>This will have a global impact, I believe that 'GIEIS' would be 
>>>>>implemented at this stage also.
>>>>
>>>>IPv6 is backwards compatible with IPv4 UNLIKE your system, Walter 
>>>>Dnes's proposal and many others have accounted to backwards 
>>>>compatibility, you have not yet as seen from this quote:
>>>>
>>>>"What would happen if this system was implemented and I tried to send 
>>>>spam or even an email from an older server?
>>>>The message would not be received by those protected by 'GIEIS'."
>>>>
>>>>>Also, my system would inform users when a limit was reached.  Users 
>>>>>would know if they sent this volume of email and the system would have 
>>>>>information of those who suspect their machine was infected or hacked.
>>>>
>>>>This idea has been proposed before by Mike Rubel 
>>>>(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg04616.html).
>>>>
>>>>>Mark McCarron.
>>>>>
>>>>>
>>>>>>From: Yakov Shafranovich <research@solidmatrix.com>
>>>>>>To: "Mark McCarron" <markmccarron_itt@hotmail.com>
>>>>>>Subject: [offlist] Re: [Asrg] Consent Proposal
>>>>>>Date: Mon, 30 Jun 2003 12:29:09 -0400
>>>>>>
>>>>>>The consent framework is not a specific solution - its a framework. 
>>>>>>Various anti-spam tools and proposals including yours will fit into 
>>>>>>this framework. It is more of a bird-eye view of all anti-spam solutions.
>>>>>>
>>>>>>As for your specific proposal, first of all my company does not write 
>>>>>>or distribute anti-spam software so I do not have "financial 
>>>>>>considerations" here. I also do not like the name calling between 
>>>>>>different group members - it causes a feeling of discord. 
>>>>>>Additionally, calling your system "the ultimate anti spam system" is 
>>>>>>a bit too much for most members to handle. I would like to see 
>>>>>>everyone to stay away from name calling while keeping in mind that 
>>>>>>this is a technical list.
>>>>>>
>>>>>>As for the technical considerations of your proposal, what you are 
>>>>>>proposing essentially is an alternative email system along side of 
>>>>>>the current one. This is similar to the system being proposed by 
>>>>>>Walter Dnes except that his system does not rely on cryptographic 
>>>>>>methods (see 
>>>>>>https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg05683.html). 
>>>>>>The problem with this system is three fold - one is the fact that 
>>>>>>everyone has to change in order to use it which is also a problem 
>>>>>>with Walter's proposal. The second problem is privacy - what you are 
>>>>>>essentially proposing is that every single email message will have a 
>>>>>>tracking number that can be traced to the sender. This creates 
>>>>>>potential for abuse. Third, inter-operability with existing email is 
>>>>>>a big problem as well since no one would want to use an alternative 
>>>>>>system unless many people will switch over to it and many people will 
>>>>>>not switch to it until others use it. If you look through the mailing 
>>>>>>list archive somewhere there is a list of requirements by Eric 
>>>>>>Williams. I asked him to email me the most recent copy which I will 
>>>>>>forward to you. Among those requirements, deployment and 
>>>>>>inter-operability rank pretty high up.
>>>>>>
>>>>>>It is obvious that creating an alternative email system will cut down 
>>>>>>on spam since its the open nature of the Net that causes it. But as I 
>>>>>>mentioned before, cell phone companies build their SMS systems based 
>>>>>>on email (at least in US) and SMTP, so you can see how pervasive 
>>>>>>existing standards are. Additionally, as Barry Shain has mentioned 
>>>>>>many times before, much of spam is being sent via hacked computers. 
>>>>>>Even with your rate limits in place, spammers can probably be able to 
>>>>>>coordinate many hacked computers to send spam from legit GEIS/EAS senders.
>>>>>>
>>>>>>Among the various discussions over the last few months, many of the 
>>>>>>group members have reached a conclusion that there is not magic 
>>>>>>silver bullet that will stop spam overnight. Rather, a combination of 
>>>>>>various solutions and proposals will start cutting into the spam flow 
>>>>>>until it stops.
>>>>>>
>>>>>>Yakov
>>>>>>
>>>>>>P.S. I am replying to you off-list since the message that you sent me 
>>>>>>was not CCed to the group list. Please let me know if this is correct 
>>>>>>because I would rather have discussions in public so we can get 
>>>>>>comments from other people.
>>>>>>
>>>>>>At 03:23 AM 6/30/2003 +0000, Mark McCarron wrote:
>>>>>>
>>>>>>>Paul is an excellent poster, he has the subject matter clearly defined.
>>>>>>>I see he has broken the issue down to two major catagories, local 
>>>>>>>and global.
>>>>>>>The consent system is going to be difficult to implement, I haven't 
>>>>>>>seen anything that actually deals with issue of how to prevent sending spam.
>>>>>>>The 'GIEIS' system would be on the middle ground in terms of consent 
>>>>>>>and its application would be global.  It forces the erasure/stoppage 
>>>>>>>of all fraudulent email but also allows the end-user the whitelist options.
>>>>>>>
>>>>>>>There has been a lot of confusion on the system and I have been 
>>>>>>>compiling all the postings in one file so that I can clearly address 
>>>>>>>all concerns.
>>>>>>>Also, there seems to be quite a bit of opposition to the idea of a 
>>>>>>>centralised angency and a lot of paranoid responses to it.  The more 
>>>>>>>I post on the subject, and the clearer the system has become, 
>>>>>>>concerns have dwindled.  The main opposition now comes from those 
>>>>>>>advocating 'anti-spam software' and this is just to protect 
>>>>>>>financial considerations.
>>>>>>>
>>>>>>>'GIEIS' is the only proposal I have ever seen that can stop all 
>>>>>>>fraudulent email.  Are you aware of any others?
>>>>>>>
>>>>>>>I'm am in the process of designing an Internet draft of the system.
>>>>>>>It is a major task as there is a lot to go through.  I have 30 pages 
>>>>>>>of comments alone to address, however, all the comments have a 
>>>>>>>resolution within the 'GIEIS' system.  I will post a complete 
>>>>>>>accurate proposal of the system in the next few days once I have 
>>>>>>>compiled all the information together.  It will refer to both local, 
>>>>>>>global, consent and forced issues.
>>>>>>>
>>>>>>>Mark McCarron.
>>>>>>>
>>>>>>>
>>>>>>>>From: Yakov Shafranovich <research@solidmatrix.com>
>>>>>>>>To: "Mark McCarron" 
>>>>>>>><markmccarron_itt@hotmail.com>,research@solidmatrix.com
>>>>>>>>Subject: Re: [Asrg] Consent Proposal
>>>>>>>>Date: Sun, 29 Jun 2003 22:52:34 -0400
>>>>>>>>
>>>>>>>>Take a look at today's message from the chair, Paul Judge, on this 
>>>>>>>>subject 
>>>>>>>>(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg05968.html). 
>>>>>>>>The consent framework that we are discussing is not limited to 
>>>>>>>>end-users only. The generic proposal that I put forth concentrated 
>>>>>>>>specifically on the end-user and this is probably what is throwing you off.
>>>>>>>>
>>>>>>>>Yakov
>>>>>>>>
>>>>>>>>At 02:46 AM 6/30/2003 +0000, Mark McCarron wrote:
>>>>>>>>
>>>>>>>>>This I understand very well.  What I am asking is, have you been 
>>>>>>>>>able to overcome any of the limitations I mentioned?
>>>>>>>>>
>>>>>>>>>Mark McCarron.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>From: Yakov Shafranovich <research@solidmatrix.com>
>>>>>>>>>>To: "Mark McCarron" <markmccarron_itt@hotmail.com>,asrg@ietf.org
>>>>>>>>>>Subject: Re: [Asrg] Consent Proposal
>>>>>>>>>>Date: Sun, 29 Jun 2003 22:41:54 -0400
>>>>>>>>>>
>>>>>>>>>>First of all take a look a the group's charter 
>>>>>>>>>>(http://www.irtf.org/charters/asrg.html). As the charter states 
>>>>>>>>>>we are seeking to define an overall consent framework and fit in 
>>>>>>>>>>all the different spam proposals into it. The proposal below was 
>>>>>>>>>>put forth to solicit opinions and ideas from people on consent in 
>>>>>>>>>>general and the consent framework in particular.
>>>>>>>>>>
>>>>>>>>>>Yakov
>>>>>>>>>>
>>>>>>>>>>At 01:20 AM 6/30/2003 +0000, Mark McCarron wrote:
>>>>>>>>>>
>>>>>>>>>>>Yakov,
>>>>>>>>>>>
>>>>>>>>>>>This system is very similar, in fact almost identical, to the 
>>>>>>>>>>>current one employed by Hotmail.  It is not effective in 
>>>>>>>>>>>eliminating spam, the end user still recieves it and has to deal 
>>>>>>>>>>>with it.  Also, it does not address the main issue about spam 
>>>>>>>>>>>and that is the roughly 30% band-width absorbed across the 
>>>>>>>>>>>Internet by it.  All this seems to do is sort it at the recieving end.
>>>>>>>>>>>
>>>>>>>>>>>I also read something about a confirmation being sent back from 
>>>>>>>>>>>the server, this is just an adaptation of challange response.
>>>>>>>>>>>
>>>>>>>>>>>It also does not address the issue of spammer's who use their 
>>>>>>>>>>>own mail servers.
>>>>>>>>>>>Can you clear any of these problems up?
>>>>>>>>>>>
>>>>>>>>>>>Mark McCarron.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> > > > > -----Original Message-----
>>>>>>>>>>>> > > > > From: Yakov Shafranovich [mailto:research@solidmatrix.com]
>>>>>>>>>>>> > > > > Sent: Thursday, June 26, 2003 11:23 AM
>>>>>>>>>>>> > > > > To: asrg@ietf.org
>>>>>>>>>>>> > > > > Subject: [Asrg] Consent Proposal
>>>>>>>>>>>> > > > >
>>>>>>>>>>>> > > > >
>>>>>>>>>>>> > > > > I would like to provide a generic proposal for
>>>>>>>>>>>> > > consent-based system
>>>>>>>>>>>> > > > > as per
>>>>>>>>>>>> > > > > charter:
>>>>>>>>>>>> > > > >
>>>>>>>>>>>> > > > > 1. Users and/or ISP define rules and filters to=20
>>>>>>>>>>>>filter incoming=20
>>>>>>>>>>>> > > > > email. Rules/filters are decided by end users and ISPs,
>>>>>>>>>>>> > > and are not
>>>>>>>>>>>> > > > > mandated.
>>>>>>>>>>>> > > > > Every user/ISP can define its own policies ranging=20
>>>>>>>>>>>>from banning=20
>>>>>>>>>>>> > > > > all email not digitally signed to blocking HTML.
>>>>>>>>>>>> > > > > 2. For each email user, the MUA or the ISP maintains a
>>>>>>>>>>>> > > > > whitelist of trusted
>>>>>>>>>>>> > > > > senders, blacklist of blocked senders and a graylist of
>>>>>>>>>>>> > > > > unknown senders.
>>>>>>>>>>>> > > > > Whitelisted senders go the inbox, graylisted senders go to
>>>>>>>>>>>> > > > > the bulk folder,
>>>>>>>>>>>> > > > > and blacklisted senders are either in the spam folder or
>>>>>>>>>>>> > > > > erased. 3. Whitelists are not only a list of email 
>>>>>>>>>>>> addresses
>>>>>>>>>>>> > > > > of trusted senders,
>>>>>>>>>>>> > > > > but to avoid sender spoofing also have additional features
>>>>>>>>>>>> > > > > such as digital
>>>>>>>>>>>> > > > > signatures, certificates, passwords, tokens, etc.
>>>>>>>>>>>> > > > > 4. Additional automatic whitelist rules are defined as 
>>>>>>>>>>>> such
>>>>>>>>>>>> > > > > email from
>>>>>>>>>>>> > > > > trusted senders (e.g. Habeas) is automatically goes to the
>>>>>>>>>>>> > > > > inbox unless
>>>>>>>>>>>> > > > > blacklisted, etc. C/R systems are also integrated and upon
>>>>>>>>>>>> > > > > receiving a
>>>>>>>>>>>> > > > > positive response automatically whitelist the sender.
>>>>>>>>>>>> > > > > 5. Additional automatic blacklist rules are defined 
>>>>>>>>>>>> such as
>>>>>>>>>>>> > > > > email coming
>>>>>>>>>>>> > > > > from known open relays is blocked.
>>>>>>>>>>>> > > > > 6. Whitelists, graylists and blacklists are stored 
>>>>>>>>>>>> hashed or
>>>>>>>>>>>> > > > > encrypted to
>>>>>>>>>>>> > > > > protect privacy.
>>>>>>>>>>>> > > > >
>>>>>>>>>>>> > > > > Any thoughts?
>>>>>>>>>>>> > > > >
>>>>>>>>>>>> > > > > Yakov
>>>>>
>>>>>_________________________________________________________________
>>>>>It's fast, it's easy and it's free. Get MSN Messenger today! 
>>>>>http://www.msn.co.uk/messenger
>>>
>>>_________________________________________________________________
>>>Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile
>
>_________________________________________________________________
>It's fast, it's easy and it's free. Get MSN Messenger today! 
>http://www.msn.co.uk/messenger


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg