North American Network Operators Group


Re: Email peering

  • From: Rich Kulawiec
  • Date: Tue Jun 21 09:50:45 2005

On Fri, Jun 17, 2005 at 11:48:58AM -0400, Ben Hubbard wrote:
> You seem to repeatedly describe a solution that becomes so big that it (at
> least substantially) replaces 25/SMTP. That's what I don't think will
> work, or is needed.

Please let me borrow Ben's point and expand on it.

Spam as it's usually discussed (spam propagated via SMTP) is only part of
the spam problem.  We've seen Usenet spam, chat room spam, http referrer
log spam, blog spam, and so on.  And all of those bundled together and
labeled as "spam" are only part of the overall network abuse problem --
which also involves phishing, zombies, DoS attacks, spyware, etc.
And these are all (increasingly) interrelated problems, e.g. spam is used to
phish people to sites which forcibly download spyware, and so on.

We could (and some already have) spend an enormous amount of time devising
very clever "solutions" to these and deploying them.  But as we've seen,
doing so usually results only in a shift in the nature of the abuse, not
an overall reduction in it.

So even if we had The Perfect Solution to SMTP spam and it was globally
deployed tomorrow and had no adverse side-effects...we'd buy ourselves
a brief respite, no better.

I'm not saying some of the technical approaches aren't clever.  They are.
But none of them are going to solve the problem for any acceptable value
of "solve", not because there's anything wrong with them per se, but
because they're technological attempts to solve the problem at its
end points -- rather than its source points.

"The best place to stop abuse is as near its source as possible."

Meaning: it's far easier for network X to stop abuse from leaving its
network than it is for 100,000 other networks to defend themselves from it.
Especially since techniques for doing so (for instance, controlling
outbound SMTP spam) are well-known, heavily documented, and easily put
into service.

The problem is that network X, for many values of "X" (see the data
compiled by Spamhaus or SPEWS or any number of others) hasn't done so.
Whether that failure is due to incompetence, greed, laziness, negligence
or anything else is an interesting question...but really doesn't matter,
because regardless of the cause, the fastest way to get it fixed is to
make it X's problem...*not everyone else's*.  (It's often impressive
how fast X can move--despite protestations otherwise--when this situation
is created.)

Those who have been around a long long time know that this is how it
used to be.  If your network started spewing crap, and didn't stop spewing
crap in a fairly timely manner, you got a phone call or email explaining
that someone had their hand on your plug and was going to pull it.


The point?  The point is that there is no need for any new technology
to deal with the spam/abuse problem.  What there is a desperate need
for is the *will* to use the technology we already have -- to shift
the burden of dealing with abuse onto those who are permitting it
to originate from their network.  This can be done in a number of
ways: using DNSBLs, firewalls, routers, whatever.

Because if it's not done, then Network X, for many values of X,
will be perfectly happy to watch everyone else innovate and scramble
and spend money to defend themselves *as long as X doesn't have to*.
As we've seen.  For many years.  Over and over and over again.

After all, why should they?  There's nothing in it for them and no
downside if they don't.

	"[...] if you give people the means to hurt you, and they do it,
	and you take no action except to continue giving them the means
	to hurt you, and they take no action except to keep hurting you,
	then one of the ways you can describe the situation is "it isn't
	scaling well."

                --- Paul Vixie

So either the collective "we" has the will to stop putting up with this
nonsense -- or we don't.  If it's the former, then we already have all
the tools we need.  If it's the latter, then nothing we come up with,
no matter how clever it is, is going to make any real difference.

---Rsk