Re: [imap5] Feature set? - was Re: Designing a new replacement protocol for IMAPRe:

[Adrien de Croy <adrien@qbik.com>]

On 23/02/2012 2:18 p.m., Brandon Long wrote:
> On Wed, Feb 22, 2012 at 12:22 PM, Adrien de Croy<adrien at qbik.com>  
> wrote:
>>
>>
>>  On 23/02/2012 8:24 a.m., Brandon Long wrote:
>>>
>>>  On Sat, Feb 18, 2012 at 2:07 AM, Adrien de Croy<adrien at 
>>> qbik.com>    wrote:
>>>>
>>>>  Having to get another cert will provide an incentive for the admin to
>>>>  care
>>>>  about it.
>>>
>>>  You seem to believe that all servers can always be entirely free from
>>>  sending spam.  That's pretty funny.
>>
>>
>>  sorry, where do I propose that?
>
> You're proposing revoking a server's certificate for spamming.  Based
> on what level?  What level of fault?  Would Gmail get its certificate
> revoked because 1% of the email it sends is spam?

there would need to be some level.  You'd hope it would be revoked if 
say 50% was spam.  Or even a lot less.

>
>>  I'm just proposing a system that allows the identification of 
>> organisations
>>  that inject and relay spam.  That then allows enforcement of 
>> accountability.
>
> We can already do this via IP addresses and sender domains and
> SPF/DKIM authentication.  Yes, its just a proxy and sometimes its
> wrong, but it works fairly well.

SPF is only reliable to block spoof attempts from a limited set of 
well-known domains that use it.  Since spammers register their own SPF 
records, you can't use it as a pass check for any domain.

I don't know enough about DKIM.  I thought it's optional, so therefore 
how can you rely on it?

IP addresses is problematic as well, RBLs that block dynamic blocks for 
example is a big problem.  Sender domains is a big administrative 
maintenance hassle.

>
>>>  How about spam sent from a hijacked account?  How many hijacked
>>>  accounts a day do you think there are on a service with 1B email
>>>  users?
>>
>>  How many other crimes are there committed a day, do you propose we 
>> don't go
>>  after criminals?
>
> Heh.  Do you know how many spam messages are sent a day?  How large an
> enforcement organization do you propose to go after them all?  And how
> long do you think that would take?

I don't think the number of actual spammers is actually that high.  It 
takes some serious infrastructure, which is a bit of a barrier to entry.

e.g. http://krebsonsecurity.com/tag/mega-d/

some key players responsible for a vast proportion of all spam.  Take 
them out and others will jump into their shoes though.

>
> Not to mention that multiple people and governments have different
> definitions of spam.
>
> When we see a new spam campaign, we need to be able to shut it down in
> less than hours.  A recent time that we helped the US government go
> after a malware operation, it took them a year before the first
> arrests.  A year where we had to leave the botnets and operations
> alone so they could gather the evidence necessary to make the arrests.
>
> Police action doesn't scale the same way that spammers do.

sure.  In the end, with the certificates, basically we are tying the 
mail to a person somewhere to enable enforcement of accountability.  
Whether that happens quickly or not is another matter.

Currently there's no such reliable tie.  If it takes authorities ages to 
get someone now, it's because of difficulty of proof.  Things might be a 
bit different if that problem were resolved.  Then add large fines / 
jail terms for spamming, and there's your incentive.  That's why there 
are so many parking and traffic cops here.... it's where the money is.


>
>>>  Or how much money do you think a spammer is willing to spend to buy an
>>>  account, even on a free service?  Or do you think its actually
>>>  possible to force everyone who wants an email account to pay for it at
>>>  this point?  And if so, how much money?  $5/year is cheap in parts of
>>>  the world, and really expensive in others, should poor parts of the
>>>  world be relegated to the email ghetto because their accounts are so
>>>  cheap that spammer abuse them constantly, while they have the least
>>>  resources to keep them out?
>>
>>
>>  why do you assume the system would be structured like this?  Sounds 
>> like a
>>  system that would fail.
>
> Then who pays for this enforcement?  Who pays for the certification?

I imagine it would be a function for government, in the same way as 
dealing with any crime is.

If the FBI put as much resource into it as copyright protection, I 
wonder what would happen (Kim Dotcom recently bailed in the town I live in).

>
>>>  Which is all pretty irrelevant, for most users today spam is already a
>>>  solved problem.
>>
>>  it certainly is not a solved problem for anyone.  Ignorance is not the
>>  answer.
>>
>>  Jut because a business doesn't know how many customers they are 
>> losing due
>>  to over-agressive spam filtering doesn't mean it has no cost to them.
>
> Of course it has a cost.  I'm saying the cost of your solution is higher.

quite possibly.  But I think if spammers were identified, found and 
jailed effectively it would be more of a deterrent.

The revokation of certs may not even be the key function of this.

Currently pretty much anyone can send mail anonymously.  IMO that's just 
plain wrong on a moral level.  Incurring costs on other parties anonymously.

>
>>  The system (and I admit it's ambitious) would need co-operation from
>>  governments.
>
> As if all the governments of the world agree on anything, much less
> the definition of spam.

well, you get the main ones to agree, and they can impose sanctions on 
those that continue to be a source of spam.

And before you cry new world order, sanctions could be simply blocking 
incoming mail from those countries.

>
>>  there's no need for ma and pa to have a certificate, they can submit to
>>  their ISP.  The ISP would need a certificate.  There's no reason to 
>> assume
>>  the certs would be managed by the existing CA infrastructure.  I'd 
>> propose
>>  that should be a function of Governments, and there are already special
>>  provisions for governments to issue certificates.  They could be for 
>> long
>>  periods as well.  The purpose is to identify and provide a means to 
>> revoke.
>>    Renewing annually seems like a waste of time for that, unless you 
>> think the
>>  certificate may be breached.
>
> And what if the CA is breached?  Ie, like the 2-3 that have happened
> in the last year?

what happens when any CA is breached?  You need to start over, reissue 
all new certs from the CA root down.  So best it's not breached.

>
>>  Organisations wanting to deliver directly could get a certificate as 
>> well.
>>
>>  As to determination about whether someone spams or not.  Well most 
>> countries
>>  have systems to establish whether crimes are committed and go after and
>>  punish those responsible.  There are already spamming laws all over the
>>  place.  I'm proposing setting up a system that allows for 
>> identification of
>>  perpetrators and enforcement, and enables services to be set up to 
>> solve
>>  issues independently (e.g. if a government refuses to prosecute a 
>> spammer).
>
> Weee, now we're talking about extra-governmental authorities making
> the rules. 

not enforcing them though, receivers would be free to use the service or 
not.

> Its always great to argue with an RBL maintainer about
> whether or not something is spam. 

sure, but people exercise their own rights to choose whether to use the 
RBL or not.

> Or maybe what you're proposing is
> more like SOPA/PIPA, we can have an organization like the RIAA
> deciding what's good. 

hell no.  More likely be a community-driven thing.

> Even better, the government of Iran can just
> prevent their providers from accepting any mail certified by other
> governments.

if they want.  They can surely already block port 25 incoming if they want.

>
> Or here's an even more fun one: We just emailed all of our users about
> the changes to our privacy policy, a move we made at the request of
> the US government.  And we had RBL organizations complaining that it
> was spam.  Who wins?

decided in court if it gets that far.  At least you can't escape, since 
you're identified.

>
> Our answer is simple: the user decides what is spam, not someone else.
>  Our job is to make our spam filter match each user's expectations.
>
>>    Revokation of certificates would be a function of government after 
>> due
>>  process.  People couldn't just buy new ones (unless they get them from
>>  corrupt government officials), because their previous spamming would be
>>  associated with them as a person.  In short, treat spamming like any 
>> other
>>  crime - which it certainly is.
>
> No corrupt government officials in the world, that's for sure.
>
> And they already treat spamming as a crime, have for years.  Done a
> lot of good at reducing the spam load, eh?

I wouldn't call the CAN-SPAM act criminalisation of spamming.  Here in 
NZ people go to jail for it unless it's opt-in.

>
>>  I think if governments were aware of the costs of spamming they may 
>> take a
>>  different view on it.  How many hours are wasted deleting spam? How 
>> much
>>  money is spent on anti-spam?  How much network capacity (which costs 
>> money)
>>  is wasted transporting spam?
>
> Not as much as you'd think, turns out spam is much smaller than
> regular mail at this point, at least for consumers.  A large
> percentage of mail, but on the order of 40x smaller in size (on
> average).  And email in general is not generally a large user of
> network capacity.  How many email messages, even at 100k average, does
> it take to equal a single iphone app download?  Or a streamed video
> from Youtube?

sure, I guess it's actually changed a lot over the last 4 years or so.  
So maybe the network cost isn't such an issue.  It's definitely more of 
an issue over long-haul submarine cables though.

>
>>  How many opportunities are lost due to false
>>  positives?  Personally I believe the real economic costs of spam are
>>  astronomical.  Someone needs to do a study, and come up with some 
>> numbers
>>  they can back up.
>
> Regardless of those costs, your proposal would cost more and still not
> solve the problem.

hard to come to that conclusion without evaluating costs of both, which 
of course would be very difficult.

For those hosting their own mail, even the cost of evaluating and 
testing anti-spam products is significant - before you get your wallet 
out to purchase software.

I'm not claiming any of this would be easy.  But humans have done some 
fairly difficult things in the past successfully.

>
>>  Otherwise we should just all join FB and just use that for 
>> communication and
>>  ditch mail altogether.
>
> We have the stats on what percentage of our users receiving mail mark
> messages as spam or not spam.  Its tiny.

maybe they gave up and now just delete it.  Unless it's no more 
difficult to mark and delete than just delete, people will gravitate 
towards the lower-effort option, and you'll lose the information.

>   For most people, they don't
> see the spam, and maybe they don't see enough to actually check their
> spam label, but its just not an issue.
>
> As to where the kids are going these days, who knows.  Email is
> certainly not the only game in town.
>
> Brandon
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/