North American Network Operators Group


Re: How do you stop outgoing spam?

  • From: Dave Crocker
  • Date: Tue Sep 10 17:26:00 2002


Well, it's clear that the real point I was trying to make was entirely missed by everyone, so let me try again.

Dealing with problems, by focusing on absolute outbound port control, restricts legitimate use, as well as problematic use. For a group that is largely dominated by libertarian thinking, opting for blanket, outbound port control is odd. Very odd.

Security mechanisms can choose between a default-yes or a default-no mode. Choosing to restrict outbound ports is a default-no. Think of this as the difference between democracy and totalitarianism. You get to do things until you try to do something wrong, versus you are not allowed to do anything until you first prove that it is ok.

Spamming is a serious problem, and it needs serious responses, but we need to be very careful that dealing with the problem does not kill the net.


At 03:34 PM 9/10/2002 -0400, Barry Shein wrote:
> On September 10, 2002 at 10:16 [email protected] (Dave Crocker) wrote:
> > One of the basic problems with discussions about spam control is that it
> > focuses entirely on spam.  Blocking output SMTP from individual dial-ups
> > has a serious negative consequence:
>
> Yeah, well, too late, that battle was fought and settled years
> ago. The spammers are driving the standards at this point, not
> reasonable people trying to make things work.

There are no standards for these practises. There are component mechanisms, but no integrated solution that is documented in a standard. That's part of the problem. In reality what is being done is entirely ad hoc and inconsistent. Otherwise we could at least know what will work for all "conforming" sites. And we could migrate everyone over to it.

And, again, let me stress that I am not saying spamming isn't a problem. But rather that dealing with spamming simplistically carries very serious side-effects.


> At this point your easy-to-agree-with point is kinda like saying
>   "I pay taxes, I damned well ought to be able to walk any street in any
>    city at any time of the day or night and be safe!"

No. It is like saying that because there is some street crime, in some places, let's make it illegal to walk anywhere, ever.

And it is like saying that because some people make obscene phone calls, all phone calls will now be monitored.

That really is what these blanket outbound controls are like.



At 07:40 PM 9/10/2002 +0000, Paul Vixie wrote:
> > Laptop mobile users cannot use their home SMTP server.
>
> in the business, we call this "tough noogies."

I had hoped that my reference to wireless hot-spot implications would make the scale and import of this approach adequately clear.

That it does not nicely demonstrates why techies must not be in charge of a business that makes any claim to serving their customers.

Broad-sweep, large-scale crippling of legitimate activity is not a realistic way to deal with a problem, even one as serious as spam.


> > At best, they must reconfigure for each venue -- goodbye wireless
> > hotspot convenience -- and that is IF they know the SMTP server address for
> > the local access.
>
> i've gotten very good mileage out of ssl-smtp, and out of "port forwarding"
> so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a
> (ssh-borne) tunnel to my home smtp server.

There are always technical solutions that techies can follow. A more relevant question is what it will take for 100 million average users. As everyone on this list knows, the Internet is about scaling.

So it is entirely irrelevant what any one of the people on this list can do to make things work. It is ONLY relevant what the impact is on 100 million other folks. Folks who are not sysadmins. Folks who cannot constantly reconfigure their systems.

And ultimately it does not matter that a particular hack can be propagated, such as mapping 25 to a local ssl redirect.

What matters is that the model that leads to that hack is broken even worse than spamming, because it says that the way to respond to a problem by some folks is to block all folks. Today, port 25. Tomorrow -- and in some places, today -- all ports except a precious few and even those are mediated.


> be hurt now.  but the design calls for a polite population, and while
> that was true of the internet in 1983, it is absolutely not true today.

Since I never said anything against adding security mechanisms, I'll just assume that you missed my point. In order not to bog down too far on that point, let me just ask:

And the BCP that specifies the "correct" set of technologies, configurations, and use is...?

However the danger of going down this path is to miss the larger point about the problem with wholesale outbound port blocking.

d/


----------
Dave Crocker <mailto:[email protected]>
TribalWise, Inc. <http://www.tribalwise.com>
tel +1.408.246.8253; fax +1.408.850.1850