Re: [imap5] Feature set? - was Re: Designing a new replacement protocol for IMAP

Brandon Long <blong@google.com> Wed, 22 February 2012 21:29 UTC

Date: Wed, 22 Feb 2012 13:28:59 -0800
Message-ID: <CABa8R6tBHVGJEG-LR_iM5AwZonih9sc1f=MfYGDqBgh6W11=OQ@mail.gmail.com>
From: Brandon Long <blong@google.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: "Discussion on drastically slimming-down IMAP." <imap5@ietf.org>
Subject: Re: [imap5] Feature set? - was Re: Designing a new replacement protocol for IMAP

On Wed, Feb 22, 2012 at 12:22 PM, Adrien de Croy <adrien@qbik.com> wrote:
>
>
> On 23/02/2012 8:24 a.m., Brandon Long wrote:
>>
>> On Sat, Feb 18, 2012 at 2:07 AM, Adrien de Croy <adrien@qbik.com> wrote:
>>>
>>> Having to get another cert will provide an incentive for the admin to care
>>> about it.
>>
>> You seem to believe that all servers can always be entirely free from
>> sending spam.  That's pretty funny.
>
>
> sorry, where do I propose that?

You're proposing revoking a server's certificate for spamming.  Based
on what level?  What level of fault?  Would Gmail get its certificate
revoked because 1% of the email it sends is spam?

> I'm just proposing a system that allows the identification of organisations
> that inject and relay spam.  That then allows enforcement of accountability.

We can already do this via IP addresses and sender domains and
SPF/DKIM authentication.  Yes, it's just a proxy and sometimes it's
wrong, but it works fairly well.

>> How about spam sent from a hijacked account?  How many hijacked
>> accounts a day do you think there are on a service with 1B email
>> users?
>
> How many other crimes are there committed a day, do you propose we don't go
> after criminals?

Heh.  Do you know how many spam messages are sent a day?  How large an
enforcement organization do you propose to go after them all?  And how
long do you think that would take?

Not to mention that multiple people and governments have different
definitions of spam.

When we see a new spam campaign, we need to be able to shut it down in
less than hours.  A recent time that we helped the US government go
after a malware operation, it took them a year before the first
arrests.  A year where we had to leave the botnets and operations
alone so they could gather the evidence necessary to make the arrests.

Police action doesn't scale the same way that spammers do.

>> Or how much money do you think a spammer is willing to spend to buy an
>> account, even on a free service?  Or do you think it's actually
>> possible to force everyone who wants an email account to pay for it at
>> this point?  And if so, how much money?  $5/year is cheap in parts of
>> the world, and really expensive in others, should poor parts of the
>> world be relegated to the email ghetto because their accounts are so
>> cheap that spammers abuse them constantly, while they have the least
>> resources to keep them out?
>
>
> why do you assume the system would be structured like this?  Sounds like a
> system that would fail.

Then who pays for this enforcement?  Who pays for the certification?

>> Which is all pretty irrelevant, for most users today spam is already a
>> solved problem.
>
> it certainly is not a solved problem for anyone.  Ignorance is not the
> answer.
>
> Just because a business doesn't know how many customers they are losing due
> to over-aggressive spam filtering doesn't mean it has no cost to them.

Of course it has a cost.  I'm saying the cost of your solution is higher.

> The system (and I admit it's ambitious) would need co-operation from
> governments.

As if all the governments of the world agree on anything, much less
the definition of spam.

> there's no need for ma and pa to have a certificate, they can submit to
> their ISP.  The ISP would need a certificate.  There's no reason to assume
> the certs would be managed by the existing CA infrastructure.  I'd propose
> that should be a function of Governments, and there are already special
> provisions for governments to issue certificates.  They could be for long
> periods as well.  The purpose is to identify and provide a means to revoke.
> Renewing annually seems like a waste of time for that, unless you think the
> certificate may be breached.

And what if the CA is breached?  I.e., like the 2-3 that have happened
in the last year?

> Organisations wanting to deliver directly could get a certificate as well.
>
> As to determination about whether someone spams or not.  Well most countries
> have systems to establish whether crimes are committed and go after and
> punish those responsible.  There are already spamming laws all over the
> place.  I'm proposing setting up a system that allows for identification of
> perpetrators and enforcement, and enables services to be set up to solve
> issues independently (e.g. if a government refuses to prosecute a spammer).

Weee, now we're talking about extra-governmental authorities making
the rules.  It's always great to argue with an RBL maintainer about
whether or not something is spam.  Or maybe what you're proposing is
more like SOPA/PIPA, we can have an organization like the RIAA
deciding what's good.  Even better, the government of Iran can just
prevent their providers from accepting any mail certified by other
governments.

Or here's an even more fun one: We just emailed all of our users about
the changes to our privacy policy, a move we made at the request of
the US government.  And we had RBL organizations complaining that it
was spam.  Who wins?

Our answer is simple: the user decides what is spam, not someone else.
Our job is to make our spam filter match each user's expectations.

> Revocation of certificates would be a function of government after due
> process.  People couldn't just buy new ones (unless they get them from
> corrupt government officials), because their previous spamming would be
> associated with them as a person.  In short, treat spamming like any other
> crime - which it certainly is.

No corrupt government officials in the world, that's for sure.

And they already treat spamming as a crime, have for years.  Done a
lot of good at reducing the spam load, eh?

> I think if governments were aware of the costs of spamming they may take a
> different view on it.  How many hours are wasted deleting spam? How much
> money is spent on anti-spam?  How much network capacity (which costs money)
> is wasted transporting spam?

Not as much as you'd think, turns out spam is much smaller than
regular mail at this point, at least for consumers.  A large
percentage of mail, but on the order of 40x smaller in size (on
average).  And email in general is not generally a large user of
network capacity.  How many email messages, even at 100k average, does
it take to equal a single iphone app download?  Or a streamed video
from Youtube?

> How many opportunities are lost due to false
> positives?  Personally I believe the real economic costs of spam are
> astronomical.  Someone needs to do a study, and come up with some numbers
> they can back up.

Regardless of those costs, your proposal would cost more and still not
solve the problem.

> Otherwise we should just all join FB and just use that for communication and
> ditch mail altogether.

We have the stats on what percentage of our users receiving mail mark
messages as spam or not spam.  It's tiny.  For most people, they don't
see the spam, and maybe they don't see enough to actually check their
spam label, but it's just not an issue.

As to where the kids are going these days, who knows.  Email is
certainly not the only game in town.

Brandon