Worsening google service reputation and abuse
 
            Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise? Wanting me to create a google account for the addresses that are receiving the abuse does not scale and as the reputation continues to get worse, I don't want to block all google services - but getting someone to work with on the issues would be appreciated.
X-Notifications: COURSE_INVITATION:792026619952-1755166651116
X-Google-Group-Id: 1087901814827
X-Google-Group-Id: 328755863
X-Google-Group-Id: 864553705765
X-Google-Group-Id: 295922276390
X-Google-Group-Id: 534760014314
Decade+ old mailman has the end-user accept invitations to lists, but google seems to not even use its own tools so isn't really meeting what would be a general standard. I saw others complain about this as well, and i've had to configure various blocking of different google services which is a moving target of abuse. It's fair to say that a human should be able to send e-mail to an owner alias for a mailing list, but not subscribe that to a group or classroom.
- jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
 
            On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
It is a well-known issue of a company named Google that supports spammers. It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action. Google wants it that way. -- kind regards Marco Send spam to abfall1755160902@stinkedores.dorfdsl.de
 
            On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when) The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
 
            On Thu, 14 Aug 2025, Christopher Morrow via NANOG wrote:
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
I think part of what Jared is complaining about is something I've complained about for years. For many years, spammers have abused Google groups. i.e. They're apparently able to create a group, import address lists to it, and then spam by emailing the group. Abuse complaints are ignored. I eventually setup a procmail rule to automatically turn messages from one such Google group into ARF formatted complaints to abuse@google.com rather than deliver them to me. It sounds like you may have created additional vectors I'm not familiar with for spammers to abuse. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Blue Stream Fiber, Sr. Neteng | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
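The two mechanisms described so far in the thread (the `X-Google-Group-Id` / `X-Notifications: COURSE_INVITATION` headers in the first message, and the rule that turns Google Groups mail into ARF complaints instead of delivering it) can be combined as below. This is an added example in Python, not code from any poster: the role-address list, the function names and the example.org/example.net addresses are assumptions, and the sample message is constructed apart from the two header values quoted in the thread.

```python
"""Triage mail from Google Groups/Classroom and build an ARF abuse report."""
from email import message_from_bytes
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate

# Assumption: these local parts are aliases, never people who join groups.
ROLE_LOCALPARTS = {"abuse", "postmaster", "hostmaster", "noc", "security"}
ROLE_SUFFIXES = ("-owner", "-request", "-bounces")


def sample_message(extra_header: str) -> bytes:
    """Constructed message; only the X- header values come from the thread."""
    lines = [
        "From: Constructed Sender <sender@example.net>",
        "To: constructed-group@example.net",
        "Subject: You have been invited (constructed sample)",
        extra_header,
        "",
        "Constructed body.",
        "",
    ]
    return "\n".join(lines).encode("ascii")


def service_markers(msg: Message) -> list:
    """Return the headers that identify Groups or Classroom as the origin."""
    found = [f"X-Google-Group-Id: {v.strip()}"
             for v in msg.get_all("X-Google-Group-Id", [])]
    for value in msg.get_all("X-Notifications", []):
        if value.strip().upper().startswith("COURSE_INVITATION"):
            found.append(f"X-Notifications: {value.strip()}")
    return found


def is_role_address(address: str) -> bool:
    local = address.rpartition("@")[0].lower()
    return local in ROLE_LOCALPARTS or local.endswith(ROLE_SUFFIXES)


def triage(raw: bytes, envelope_rcpts: list) -> tuple:
    """Return (action, markers, role_hits).

    Envelope recipients are checked, not the To: header: list mail is
    addressed to the group, so the header never names the real recipient.
    """
    markers = service_markers(message_from_bytes(raw))
    role_hits = [r for r in envelope_rcpts if is_role_address(r)]
    action = "report" if markers and role_hits else "deliver"
    return action, markers, role_hits


def build_arf(raw: bytes, reporter: str, abuse_to: str, rcpts: list):
    """Wrap the message in an RFC 5965 multipart/report (feedback-report)."""
    original = message_from_bytes(raw)
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_to
    report["Date"] = formatdate()
    report["Subject"] = "Abuse report: " + original.get("Subject", "(none)")

    # Part 1: human-readable explanation.
    report.attach(MIMEText(
        "This is an abuse report for a message sent to a role address that\n"
        "never subscribed to or accepted an invitation from the sender.\n",
        "plain", "us-ascii"))

    # Part 2: machine-readable fields; the first three are required by ARF.
    fields = ["Feedback-Type: abuse",
              "User-Agent: example-arf-builder/0.1",  # hypothetical name
              "Version: 1"]
    fields += [f"Original-Rcpt-To: {r}" for r in rcpts]
    part = Message()
    part["Content-Type"] = "message/feedback-report"
    part.set_payload("\n".join(fields) + "\n")
    report.attach(part)

    # Part 3: the complete original message, headers included.
    report.attach(MIMEMessage(original))
    return report


if __name__ == "__main__":
    raw = sample_message("X-Google-Group-Id: 1087901814827")
    action, markers, hits = triage(raw, ["noc@example.org"])
    print(action, markers, hits)
    if action == "report":
        print(build_arf(raw, "postmaster@example.org",
                        "abuse@google.com", hits).as_string())
```

A message to a personal mailbox is still delivered, which keeps the distinction drawn in the first message between a human who can accept an invitation and an alias that cannot.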
 
            On 14.08.2025 12:23 Christopher Morrow <morrowc.lists@gmail.com> wrote:
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
It is broken by design - for years. Operating a public mailing list service that lets anybody create a list and subscribe bulks of addresses without confirmation is an invitation for spammers. Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers. -- kind regards Marco Send spam to abfall1755167006@stinkedores.dorfdsl.de
 
            On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.
Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business.
 
            On 14.08.2025 14:12 Francis Booth via NANOG <nanog@lists.nanog.org> wrote:
On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.
Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business.
Requiring confirmation from subscribers massively reduces the usefulness of this service for spammers. Limiting the amount of addresses that can be subscribed for new users too. If they can't send it to thousands, the spammer's customers cannot reach the audience they want. -- kind regards Marco Send spam to abfall1755173533@stinkedores.dorfdsl.de
 
            You mean to tell me Google's AI can't tell... Nevermind I've used Gemini before -----Original Message----- From: Marco Moock via NANOG <nanog@lists.nanog.org> Sent: Thursday, August 14, 2025 2:36 PM To: nanog@lists.nanog.org Cc: Marco Moock <mm@dorfdsl.de> Subject: Re: Worsening google service reputation and abuse On 14.08.2025 14:12 Francis Booth via NANOG <nanog@lists.nanog.org> wrote:
On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.
Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business.
Requiring confirmation from subscribers massively reduces the usefulness of this service for spammers. Limiting the amount of addresses that can be subscribed for new users too. If they can't send it to thousands, the spammer's customers cannot reach the audience they want. -- kind regards Marco Send spam to abfall1755173533@stinkedores.dorfdsl.de
 
            On 8/14/25 11:35 AM, Marco Moock via NANOG wrote:
On 14.08.2025 14:12 Francis Booth via NANOG <nanog@lists.nanog.org> wrote:
On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers. Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business. Requiring confirmation from subscribers massively reduces the usefulness of this service for spammers. Limiting the amount of addresses that can be subscribed for new users too.
If they can't send it to thousands, the spammer's customers cannot reach the audience they want.
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve. Mike
 
            Michael Thomas <mike@mtcc.com> via NANOG <nanog@lists.nanog.org> wrote:
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.
Google bought Postini and from all accounts simply dismantled it (WHYYYYYYYYYYY) maybe apply some of the technologies you purchase to some of your other technologies? Just a suggestion. Thanks, -Drew
 
            On Thu, Aug 14, 2025 at 11:54 AM Michael Thomas via NANOG < nanog@lists.nanog.org> wrote:
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.
I disagree. Gmail spam filtering has been pretty bad for me. A lot of mailing list traffic (various IETF lists and even NANOG) and responses from businesses that I communicate with end up in my spam folder. And a lot of real spam and phishing messages end up in my inbox. If I could, I would disable it and do my spam filtering manually. It would be less work than undoing the mess that the current filter creates.
 
            I'm so confused about how/why this thread focuses specifically on Google Groups spams. Some weeks ago, I calculated the percentage of spams vs legit-emails sent to my real-human-being users (a few thousand of them) for whom I host email (so, no spamtraps!), over a few-days period of time, and the amount of spam sent from Google servers was a full 1/3rd of everything sent to these users from Google servers. That's horrific. (this includes emails sent from both their gmail system and their google workspaces business email system) Also, the following is anecdotal, but as I was auditing a random sampling of those Google-server-sent spams at that time, I don't recall seeing even a single Google Groups spam, so at the least, that was a low percentage of all such spams. Rob McEwen, invaluement
 
            Meanwhile, the tools Google has for you to manage your mail reputation with Google are dreadful. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Rob McEwen via NANOG" <nanog@lists.nanog.org> To: nanog@lists.nanog.org Cc: "Rob McEwen" <rob@invaluement.com> Sent: Thursday, August 14, 2025 1:59:58 PM Subject: Re: Worsening google service reputation and abuse I'm so confused about how/why this thread focuses specifically on Google Groups spams. Some weeks ago, I calculated the percentage of spams vs legit-emails sent to my real-human-being users (a few thousand of them) for whom I host email (so, no spamtraps!), over a few-days period of time, and the amount of spam sent from Google servers was a full 1/3rd of everything sent to these users from Google servers. That's horrific. (this includes emails sent from both their gmail system and their google workspaces business email system) Also, the following is anecdotal, but as I was auditing a random sampling of those Google-server-sent spams at that time, I don't recall seeing even a single Google Groups spam, so at the least, that was a low percentage of all such spams. Rob McEwen, invaluement
 
            On Thu, Aug 14, 2025 at 12:23:26PM -0400, Christopher Morrow via NANOG wrote:
On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when)
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
yeah, i think there's a subtle thing here where the expectation is that someone will be willing to opt-in or add *all* the addresses that may end up in their mailbox, while i as postmaster need some way to say "hey these well-formatted list-like things maybe shouldn't be put on lists/groups/whatnot on your side"
It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
I agree, hence the note, but I think there's an element of this is a weird corner case that needs some [minor] attention to improve things. I may one day need access to google classroom, but not in the role/nature that I'm getting the mails today, and I don't want to toss all of google to /dev/null. This also isn't quite a google only problem, I see the same thing from outlook/o365/hotmail but to a lesser extent. YMMV. - Jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
 
            Yeah, it's a bit much to assert that G "wants" things this way. It's kind of a big FU to the people who do work on this stuff full time. Heard the same thing about Y for years, how we 'support spammers', how we 'don't care', and 'never did anything'. All the while our anti-spam teams came up with absurdly genius ways to handle these problems that only people in that space ever knew about. The amount of shit spam that people don't see is many, many orders of magnitude more than what gets through. Email spam has been a problem for more than 30 years at this point. The fact that a ton of really smart people have worked on this for that long, and it's still an issue, should be a huge indicator that it's a complex issue with no easy solutions. Could Y have done many things better? Sure. Could Google be doing many things better? Sure. Nobody is perfect. Can we ask them to be better? Yes, we should. But assertions that companies *WANT* these problems to exist is, honestly, pretty damn ignorant. On Fri, Aug 15, 2025 at 10:27 AM Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
On Thu, Aug 14, 2025 at 12:23:26PM -0400, Christopher Morrow via NANOG wrote:
On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when)
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
yeah, i think there's a subtle thing here where the expectation is that someone will be willing to opt-in or add *all* the addresses that may end up in their mailbox, while i as postmaster need some way to say "hey these well-formatted list-like things maybe shouldn't be put on lists/groups/whatnot on your side"
It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
I agree, hence the note, but I think there's an element of this is a weird corner case that needs some [minor] attention to improve things.
I may one day need access to google classroom, but not in the role/nature that I'm getting the mails today, and I don't want to toss all of google to /dev/null.
This also isn't quite a google only problem, I see the same thing from outlook/o365/hotmail but to a lesser extent. YMMV.
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
 
            i suspect that, when a net service gets large and useful, we start to view it as authoritative and have expectations and demands of correctness and rigor that are very hard to achieve at scale. and large organizations tend to fray at the edges. folk have less drive and motivation than they did when it was smaller. centralization and late stage capitalism at work. randy
 
            On 14/08/2025 18:13, Marco Moock via NANOG wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise? It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I tend to agree in regards to abuse and lack of caring from Google. Since 2021 numerous street names have been changed in mass in my area and numerous towns nearby. I found this out when a delivery guy called me and said he couldn't find my street in Google maps. So I opened a ticket in Google Maps and had to supply proof of street name (pix of street signs showing the correct and valid street name). Took about 2 weeks and got my street name fixed, but dozens of streets around me still have invalid names. I do not have the time or patience to open a Google Maps ticket for each misnamed street name. These numerous street name renames could only have been done by someone internal to Google. No amount of contacting people inside Google helped. I have since given up and realize that not all aspects of Google are secure. Regards, Hank
 
            On Sat, Aug 16, 2025 at 6:16 PM Damian Menscher <damian@google.com> wrote:
On Sat, Aug 16, 2025 at 6:08 PM Matthew Petach via NANOG < nanog@lists.nanog.org> wrote:
On Sat, Aug 16, 2025 at 5:47 PM John Levine via NANOG < nanog@lists.nanog.org> wrote:
It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice.
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
And this would, in my opinion, be why it's a non-starter. You'll never get a system that requires everyone to adhere to dictates from a central authority.
Instead, I'm advocating for a decentralized, one-at-a-time type approach, where the penalty box is in the time domain, so it's easily implemented unilaterally by the receiving side. It's the very opposite of what the paper you're citing proposed.
Pretty sure what you're proposing is the equivalent of Hashcash? https://en.wikipedia.org/wiki/Hashcash
Ah, very cool! I wasn't aware of that, thank you for the pointer to it! I'm not sure that needing to maintain a database of used hash values would scale very well, though, but I like that it made it into SpamAssassin for a while. The need to manually configure address resources/domain patterns in order for it to be enabled sounds like it may have limited the scope to which it got applied, but that sounds like it was very similar to what I was thinking. Good to know smarter minds than mine already came up with it and tried it out. ^_^; Thanks! Matt
 
            It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
There's been lots of other work like their Penny Black, and Hashcash, that let recipients decide how much work they want to see. Dwork worked for Microsoft and for a while MS tried a version of it in their mail systems. They all failed for a variety of reasons, one of the most intractable being that criminals with botnets have a lot more CPU power available than legitimate senders. The usual botnet blacklist techniques don't work since the botted machines talk to the senders, not the recipients. Wikipedia has a summary of these WKBIs: https://en.wikipedia.org/wiki/Cost-based_anti-spam_systems R's, John
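For readers who have not seen the scheme the last two messages discuss (a recipient-chosen amount of work, plus the database of used hash values), here is a Hashcash-style stamp minter and verifier. It is an added example in Python, not code from any poster or from the Hashcash project: the stamp layout is modelled on Hashcash version 1 with hex used for the random and counter fields, and the class name, result strings and example.org addresses are assumptions.

```python
"""Hashcash-style proof-of-work stamps with a bounded replay database."""
import calendar
import hashlib
import secrets
import time
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def work(stamp: str) -> int:
    return leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest())


def mint(resource: str, bits: int, now=None) -> str:
    """Sender side: search for a counter giving `bits` leading zero bits.

    Expected cost is about 2**bits SHA-1 calls per recipient address.
    """
    date = time.strftime("%y%m%d", time.gmtime(now))
    prefix = f"1:{bits}:{date}:{resource}::{secrets.token_hex(8)}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        if work(stamp) >= bits:
            return stamp


class StampVerifier:
    """Recipient side: one hash per message plus a replay lookup."""

    def __init__(self, my_addresses, min_bits: int, max_age_days: int = 28):
        self.my_addresses = set(my_addresses)
        self.min_bits = min_bits           # the recipient sets the price
        self.max_age = max_age_days * 86400
        self.seen = {}                     # stamp -> minted time (UTC secs)

    def check(self, stamp: str, now=None) -> str:
        now = time.time() if now is None else now
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1" or not parts[1].isdigit():
            return "malformed"
        claimed, date, resource = int(parts[1]), parts[2], parts[3]
        if claimed < self.min_bits:
            return "too-cheap"
        if resource not in self.my_addresses:
            return "wrong-recipient"       # stamp was paid for someone else
        try:
            minted = calendar.timegm(time.strptime(date[:6], "%y%m%d"))
        except ValueError:
            return "malformed"
        if now - minted > self.max_age or minted - now > 2 * 86400:
            return "expired"
        if work(stamp) < claimed:
            return "invalid-work"
        if stamp in self.seen:
            return "replayed"              # same stamp on a second message
        self.seen[stamp] = minted
        return "ok"

    def purge(self, now=None) -> int:
        """Drop stamps that check() would reject as expired anyway.

        The replay database therefore only ever covers max_age_days.
        """
        now = time.time() if now is None else now
        cutoff = now - self.max_age
        self.seen = {s: t for s, t in self.seen.items() if t >= cutoff}
        return len(self.seen)


if __name__ == "__main__":
    verifier = StampVerifier({"noc@example.org"}, min_bits=16)
    stamp = mint("noc@example.org", 16)
    print(stamp, verifier.check(stamp), verifier.check(stamp))
```

Verification costs one hash regardless of `min_bits`, while minting doubles with each added bit; that asymmetry is the whole mechanism, and it is also why a sender with far more CPU than a legitimate one is barely slowed, as noted above.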
 
            On August 16, 2025 at 19:09 nanog@lists.nanog.org (John R. Levine via NANOG) wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
I don't understand, I say "electronic postage stamps" are probably not the right approach tho whatever happens someone might call it that and you want to argue that...electronic postage stamps are probably not the right approach? I just said that. All I've said thus far is that spammers' business models seem fragile and brittle and to rely on sending around a billion messages per day per each and perhaps it would be better to disrupt that business model than to engineer yet another filtering / validation technology. I haven't proposed a specific solution even if you keep wanting to read that into my words. At this point all I'm proposing is a paradigm shift, that we need to think differently about the problem.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
R's, John
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
 
            The past decades are full of technical solutions to try and put the costs on the spammers without imposing too much cost on oneself while implementing it - with one such tech after the other falling by the wayside with monotonous regularity. About the only viable way to put the cost on the spammer is to get him turfed off whatever provider he’s hosted on so he has to pay for new servers before he can start again. But even that costs him far less than what he stands to gain from a spam campaign, and is infinitesimal compared to what he gains from a phishing or scam campaign. And getting spammers to stay off a provider’s servers once terminated seems nearly impossible for at least some providers that have a revolving door for one spam campaign after the other. --srs ________________________________ From: Barry Shein via NANOG <nanog@lists.nanog.org> Sent: Sunday, August 17, 2025 10:22:39 AM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: bzs@theworld.com <bzs@theworld.com>; Marc Binderberger <marc+lists@sniff.es>; John R. Levine <johnl@iecc.com> Subject: Re: Worsening google service reputation and abuse On August 16, 2025 at 19:09 nanog@lists.nanog.org (John R. Levine via NANOG) wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
I don't understand, I say "electronic postage stamps" are probably not the right approach tho whatever happens someone might call it that and you want to argue that...electronic postage stamps are probably not the right approach? I just said that. All I've said thus far is that spammers' business models seem fragile and brittle and to rely on sending around a billion messages per day per each and perhaps it would be better to disrupt that business model than to engineer yet another filtering / validation technology. I haven't proposed a specific solution even if you keep wanting to read that into my words. At this point all I'm proposing is a paradigm shift, that we need to think differently about the problem.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
R's, John
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
 
            On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now.
Until some idea suddenly works. Or an old idea becomes feasible. Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals? Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory. And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance,
I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft). Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today! So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-) Marc
 
            Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
Part of the theory itself is generally sound. If spamming isn't making someone money, much less spam would be sent. However, the assertion that the spam economy is 'fragile' doesn't really hold up. The number of spam emails hasn't substantively decreased in a long time. Year over year, it's generally flat to increasing. Even with all the efforts to stop said messages, the senders are still clearly making enough money to do it, and the people paying the senders to fire their stuff out are still getting enough of a return on their money to keep using that method. This is true even with spammer networks regularly being blocked / sinkholed / etc. Such disruptions would impact a fragile economy a lot, but since they are not, it's a very safe conclusion that things aren't really that fragile to begin with. On Sun, Aug 17, 2025 at 8:07 AM Marc Binderberger via NANOG < nanog@lists.nanog.org> wrote:
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now.
Until some idea suddenly works. Or an old idea becomes feasible.
Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals?
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance,
I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft).
Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today!
So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-)
Marc
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SAZSIVJF...
 
            On Sun, 17 Aug 2025, bzs@theworld.com wrote:
All I've said thus far is that spammers' business models seem fragile and brittle and to rely on sending around a billion messages per day per each and perhaps it would be better to disrupt that business model
I dunno about you, but most of the spam that makes it into my inbox is B2B junk from throwaway accounts at the big three providers. It's never the same address twice so I believe they are buying spamming kits with a bunch of addresses and instructions on how to set up accounts, spam until they're shut down, repeat indefinitely. That's at most thousands at a time, not billions. The messages are usually either turbo charge my (often nonexistent) website, virtual remote cold callers, or occasionally business loans which makes me wonder why the providers can't shut them down faster. Unfortunately, under CAN SPAM the spamming kits are arguably legal.
than to engineer yet another filtering / validation technology.
My electric shock proposal isn't filtering and it'd be a stretch to call it validation. R's, John
 
            It appears that Tom Beecher via NANOG <nanog@lists.nanog.org> said:
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
Part of the theory itself is generally sound. If spamming isn't making someone money, much less spam would be sent.
However, the assertion that the spam economy is 'fragile' doesn't really hold up. The number of spam emails hasn't substantively decreased in a long time. Year over year, it's generally flat to increasing. ...
I'm still seeing 90% spam but many people I know say that it's dropped to more like 50%. My guess is that the spammers have just figured out how to do it a little more efficiently. 50% is still awful. T's, John PS: my system is small and strange and has a lot of honeypots so I'm not surprised spammers keep trying.
 
            You are just seeing the email part 😊 Spammers have found a wider range of messaging products to abuse, and more users are using those products as opposed to email. So a lot of the spammers just pivoted to abusing elsewhere. Email spam groups are still quite active though, some have been operating for a very long time. From: John Levine via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 9:36 PM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: John Levine <johnl@iecc.com> Subject: Re: Worsening google service reputation and abuse It appears that Tom Beecher via NANOG <nanog@lists.nanog.org> said:
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
Part of the theory itself is generally sound. If spamming isn't making someone money, much less spam would be sent.
However, the assertion that the spam economy is 'fragile' doesn't really hold up. The number of spam emails hasn't substantively decreased in a long time. Year over year, it's generally flat to increasing. ...
I'm still seeing 90% spam but many people I know say that it's dropped to more like 50%. My guess is that the spammers have just figured out how to do it a little more efficiently. 50% is still awful. T's, John PS: my system is small and strange and has a lot of honeypots so I'm not surprised spammers keep trying.
 
            Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years. A lot of the real economic impact just doesn’t lie in technical solutions though. From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now.
Until some idea suddenly works. Or an old idea becomes feasible. Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals? Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory. And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance,
I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft). Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today! So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-) Marc
 
            One old paper I remember talked about addressing pharmacy spam - they went after everything. Hosting, payments processors, shady manufacturers in India and China, mailing out the pills in ziploc bags taped inside a magazine and so on. But that was easier because it was a criminal enterprise in which multiple agencies could and did collaborate to stamp it out. --srs ________________________________ From: Suresh Ramasubramanian <ops.lists@gmail.com> Sent: Monday, August 18, 2025 5:45 AM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years. A lot of the real economic impact just doesn’t lie in technical solutions though. From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now.
Until some idea suddenly works. Or an old idea becomes feasible. Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals? Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory. And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance,
I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft). Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today! So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-) Marc
 
            On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years.
A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts. Mike
From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Until some idea suddenly works. Or an old idea becomes feasible.
Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals?
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft).
Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today!
So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-)
Marc
 
            It isn’t just cops it is all the various people and orgs in the ecosystem who are all convinced they aren’t the internet police. --srs ________________________________ From: Michael Thomas via NANOG <nanog@lists.nanog.org> Sent: Monday, August 18, 2025 7:46:01 AM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: Michael Thomas <mike@mtcc.com> Subject: Re: Worsening google service reputation and abuse On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years.
A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts. Mike
From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Until some idea suddenly works. Or an old idea becomes feasible.
Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals?
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft).
Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today!
So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-)
Marc
 
            On 8/17/25 7:18 PM, Suresh Ramasubramanian wrote:
It isn’t just cops it is all the various people and orgs in the ecosystem who are all convinced they aren’t the internet police.
Yeah, so? It's just a cost of doing business. That's what's a joke about the people who think we can "defeat" this. We can't. It's cats and mouses all the way down. Mike
--srs ------------------------------------------------------------------------ *From:* Michael Thomas via NANOG <nanog@lists.nanog.org> *Sent:* Monday, August 18, 2025 7:46:01 AM *To:* nanog@lists.nanog.org <nanog@lists.nanog.org> *Cc:* Michael Thomas <mike@mtcc.com> *Subject:* Re: Worsening google service reputation and abuse
On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years.
A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts.
Mike
From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Until some idea suddenly works. Or an old idea becomes feasible.
Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals?
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft).
Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today!
So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-)
Marc
 
            Cats and mice? Sure is. It feeds my family at any rate. At the expense of knowing that if I and many like me slip up, it means another several poor schlubs got scammed or phished and end up with their bank accounts emptied and cards maxed out
Love my job, yeah I do :(
--srs
________________________________
From: Michael Thomas <mike@mtcc.com> Sent: Monday, August 18, 2025 7:55:36 AM To: Suresh Ramasubramanian <ops.lists@gmail.com>; North American Network Operators Group <nanog@lists.nanog.org> Subject: Re: Worsening google service reputation and abuse
On 8/17/25 7:18 PM, Suresh Ramasubramanian wrote:
It isn’t just cops it is all the various people and orgs in the ecosystem who are all convinced they aren’t the internet police.
Yeah, so? It's just a cost of doing business. That's what's a joke about the people who think we can "defeat" this. We can't. It's cats and mouses all the way down. Mike
--srs
________________________________
From: Michael Thomas via NANOG <nanog@lists.nanog.org> Sent: Monday, August 18, 2025 7:46:01 AM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: Michael Thomas <mike@mtcc.com> Subject: Re: Worsening google service reputation and abuse
On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years.
A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts. Mike
From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Until some idea suddenly works. Or an old idea becomes feasible.
Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals?
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft).
Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today!
So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-)
Marc
 
            I'm curious who you think is the internet police. On 18 August 2025 04:18:18 CEST, Suresh Ramasubramanian via NANOG <nanog@lists.nanog.org> wrote:
It isn’t just cops it is all the various people and orgs in the ecosystem who are all convinced they aren’t the internet police.
--srs ________________________________ From: Michael Thomas via NANOG <nanog@lists.nanog.org> Sent: Monday, August 18, 2025 7:46:01 AM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: Michael Thomas <mike@mtcc.com> Subject: Re: Worsening google service reputation and abuse
On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years.
A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts.
Mike
From: Marc Binderberger via NANOG <nanog@lists.nanog.org> Date: Sunday, 17 August 2025 at 5:37 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marc Binderberger <marc+lists@sniff.es> Subject: Re: Worsening google service reputation and abuse
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Until some idea suddenly works. Or an old idea becomes feasible.
Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals?
Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory.
And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft).
Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today!
So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-)
Marc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SAZSIVJF... _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/DCKS64CI...
 
            On Mon, Aug 18, 2025, 04:13 nanog--- via NANOG <nanog@lists.nanog.org> wrote:
I'm curious who you think is the internet police.
 
            On 18 Aug 2025, at 02:53, Suresh Ramasubramanian via NANOG <nanog@lists.nanog.org> wrote:
One old paper I remember talked about addressing pharmacy spam - they went after everything. Hosting, payments processors, shady manufacturers in India and China, mailing out the pills in ziploc bags taped inside a magazine and so on. But that was easier because it was a criminal enterprise in which multiple agencies could and did collaborate to stamp it out.
Exactly - follow the money, as it’s done for drugs, ddos and similar matters.
It’s a really small sample but a while back I got curious on how the “Website/App Development” spam worked, so I started responding to every single spam email. Figured out they spam from Google/Outlook with a generic question / offer for development services, and only once you express interest they reach out with the actual company domain.
After more than two years, and close to 150 emails received across my main address and multiple socks, I have a list of… 13 web development agencies in total. When you plot them on a map (red dots here - excluding hospitals: https://ibb.co/PGry1fsd) the majority is physically located in a 1km radius from each other.
This is a simple case where chasing an extremely limited number of organizations (which also happen to fall under a single local police authority) would completely eradicate a typology of spam from the internet. Is it much in volume? Don’t know, but it’s definitely the primary type which breaches a range of spam filters.
Giorgio
 
            Everyone that has a network, everyone that runs an organisation that provides and registers resources - netblocks, asns, domains .. everyone that insists it isn’t their problem it is somebody else’s.
--srs
________________________________
From: nanog@immibis.com <nanog@immibis.com>
Sent: Monday, August 18, 2025 4:42:46 PM
To: North American Network Operators Group <nanog@lists.nanog.org>; Suresh Ramasubramanian via NANOG <nanog@lists.nanog.org>
Cc: Suresh Ramasubramanian <ops.lists@gmail.com>
Subject: Re: Worsening google service reputation and abuse
I'm curious who you think is the internet police.
On 18 August 2025 04:18:18 CEST, Suresh Ramasubramanian via NANOG <nanog@lists.nanog.org> wrote:
It isn’t just cops it is all the various people and orgs in the ecosystem who are all convinced they aren’t the internet police.
--srs
________________________________
From: Michael Thomas via NANOG <nanog@lists.nanog.org>
Sent: Monday, August 18, 2025 7:46:01 AM
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: Michael Thomas <mike@mtcc.com>
Subject: Re: Worsening google service reputation and abuse
On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years. A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts.
 
            Should everyone have the freedom to police their own network the way they want, or should everyone police their network the way *you* want? If the latter, why *you* instead of, say, the way Donald Trump wants? He is the president after all.
On 18/08/25 13:42, Suresh Ramasubramanian wrote:
Everyone that has a network, everyone that runs an organisation that provides and registers resources - netblocks, asns, domains .. everyone that insists it isn’t their problem it is somebody else’s.
 
            Sure, ultimate freedom, but freedom doesn't come without sacrifice and consequence. Allow or disallow whatever you want, but don't be upset when the community bands together to create best practices, you violate what the community considers best practice, and you get blocked from the community for violating those best practices to an egregious degree (from the standpoint of the community).
I used community instead of individual because it's easier to defend.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "nanog--- via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: nanog@immibis.com
Sent: Monday, August 18, 2025 9:19:07 AM
Subject: Re: Worsening google service reputation and abuse
Should everyone have the freedom to police their own network the way they want, or should everyone police their network the way *you* want? If the latter, why *you* instead of, say, the way Donald Trump wants? He is the president after all.
On 18/08/25 13:42, Suresh Ramasubramanian wrote:
Everyone that has a network, everyone that runs an organisation that provides and registers resources - netblocks, asns, domains .. everyone that insists it isn’t their problem it is somebody else’s.
 
            Truth. Reduced to its simplest terms, if the way you run (or don’t bother to run) your network causes issues to other networks, those networks may take whatever action necessary to protect their network, systems and users.
The problem of random, indiscriminate blocking and no possible redress was why these community / industry organizations and best practices came about. So there are at least processes that you can follow to get yourself unblocked, worst comes to worst.
The other best practices about keeping bad actors off your network? Well, they seem much more difficult in practice than on paper. Even the most proactive organization can’t avoid it 100%, despite their spending time and effort on it. Orgs that don’t care or don’t want to know about the problem? No need to say anything further about those.
From: Mike Hammett via NANOG <nanog@lists.nanog.org>
Date: Monday, 18 August 2025 at 7:56 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Mike Hammett <nanog@ics-il.net>
Subject: Re: Worsening google service reputation and abuse
Sure, ultimate freedom, but freedom doesn't come without sacrifice and consequence. Allow or disallow whatever you want, but don't be upset when the community bands together to create best practices, you violate what the community considers best practice, and you get blocked from the community for violating those best practices to an egregious degree (from the standpoint of the community).
I used community instead of individual because it's easier to defend.
 
            Oh, and I don't mean you specifically. I mean "you" as just anyone out there.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Mike Hammett via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "Mike Hammett" <nanog@ics-il.net>
Sent: Monday, August 18, 2025 9:26:11 AM
Subject: Re: Worsening google service reputation and abuse
Sure, ultimate freedom, but freedom doesn't come without sacrifice and consequence. Allow or disallow whatever you want, but don't be upset when the community bands together to create best practices, you violate what the community considers best practice, and you get blocked from the community for violating those best practices to an egregious degree (from the standpoint of the community).
I used community instead of individual because it's easier to defend.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "nanog--- via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: nanog@immibis.com
Sent: Monday, August 18, 2025 9:19:07 AM
Subject: Re: Worsening google service reputation and abuse
Should everyone have the freedom to police their own network the way they want, or should everyone police their network the way *you* want? If the latter, why *you* instead of, say, the way Donald Trump wants? He is the president after all.
On 18/08/25 13:42, Suresh Ramasubramanian wrote:
Everyone that has a network, everyone that runs an organisation that provides and registers resources - netblocks, asns, domains .. everyone that insists it isn’t their problem it is somebody else’s.
 
            Important in what you said is the ability to seek redress. The Internet often doesn't provide good means of seeking redress.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "Mike Hammett" <nanog@ics-il.net>
Sent: Monday, August 18, 2025 9:36:33 AM
Subject: Re: Worsening google service reputation and abuse
Truth. Reduced to its simplest terms, if the way you run (or don’t bother to run) your network causes issues to other networks, those networks may take whatever action necessary to protect their network, systems and users.
The problem of random, indiscriminate blocking and no possible redress was why these community / industry organizations and best practices came about. So there are at least processes that you can follow to get yourself unblocked, worst comes to worst.
The other best practices about keeping bad actors off your network? Well, they seem much more difficult in practice than on paper. Even the most proactive organization can’t avoid it 100%, despite their spending time and effort on it. Orgs that don’t care or don’t want to know about the problem? No need to say anything further about those.
From: Mike Hammett via NANOG <nanog@lists.nanog.org>
Date: Monday, 18 August 2025 at 7:56 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Mike Hammett <nanog@ics-il.net>
Subject: Re: Worsening google service reputation and abuse
Sure, ultimate freedom, but freedom doesn't come without sacrifice and consequence. Allow or disallow whatever you want, but don't be upset when the community bands together to create best practices, you violate what the community considers best practice, and you get blocked from the community for violating those best practices to an egregious degree (from the standpoint of the community).
I used community instead of individual because it's easier to defend.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "nanog--- via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: nanog@immibis.com
Sent: Monday, August 18, 2025 9:19:07 AM
Subject: Re: Worsening google service reputation and abuse
Should everyone have the freedom to police their own network the way they want, or should everyone police their network the way *you* want? If the latter, why *you* instead of, say, the way Donald Trump wants? He is the president after all.
On 18/08/25 13:42, Suresh Ramasubramanian wrote:
Everyone that has a network, everyone that runs an organisation that provides and registers resources - netblocks, asns, domains .. everyone that insists it isn’t their problem it is somebody else’s.
--srs
------------------------------------------------------------------------
*From:* nanog@immibis.com <nanog@immibis.com>
*Sent:* Monday, August 18, 2025 4:42:46 PM
*To:* North American Network Operators Group <nanog@lists.nanog.org>; Suresh Ramasubramanian via NANOG <nanog@lists.nanog.org>
*Cc:* Suresh Ramasubramanian <ops.lists@gmail.com>
*Subject:* Re: Worsening google service reputation and abuse
I'm curious who you think is the internet police.
On 18 August 2025 04:18:18 CEST, Suresh Ramasubramanian via NANOG <nanog@lists.nanog.org> wrote:
It isn’t just cops it is all the various people and orgs in the ecosystem who are all convinced they aren’t the internet police.
--srs
------------------------------------------------------------------------
From: Michael Thomas via NANOG <nanog@lists.nanog.org>
Sent: Monday, August 18, 2025 7:46:01 AM
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: Michael Thomas <mike@mtcc.com>
Subject: Re: Worsening google service reputation and abuse
On 8/17/25 5:15 PM, Suresh Ramasubramanian via NANOG wrote:
Real economics as a factor has been studied quite a lot - check for papers by Vern Paxson, Stefan Savage etc and you’ll find some going back 20+ years. A lot of the real economic impact just doesn’t lie in technical solutions though.
There is a lot of damage done for tons of things. Yet, Visa still exists. Fraud exists. It's a cost of doing business. It's just petty crime. Nothing is going to stop it. That is what the joke is. The cops don't give a flying fuck about this, and never will. They don't care about anything if it doesn't involve donuts. Mike
From: Marc Binderberger via NANOG <nanog@lists.nanog.org>
Date: Sunday, 17 August 2025 at 5:37 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Marc Binderberger <marc+lists@sniff.es>
Subject: Re: Worsening google service reputation and abuse
On Sat, 16 Aug 2025 17:24:04 -0700, Michael Thomas via NANOG wrote:
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now.
Until some idea suddenly works. Or an old idea becomes feasible. Frankly, many things we take for granted today would not exist with that "won't work" attitude. The better question (imho) to Barry is: how is your idea different from the already existing proposals? Barry has a reasonable theory - that the economics of spamming is brittle - but it is just that: a theory. And most of the (failed) proposals seem academic and avoid actual "costs" in terms of money. Or raise the real-world costs for everyone, if you need CPU cycles to participate in the email system. So Barry stepping out of this box and suggesting real economics as a factor is not unreasonable. I am not sure if there are more concrete details though (?).
Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance,
I guess "acceptable" can be defined as: Hey, I can always get a free personal account with gmail. And as a company I pay Google or Microsoft, save money on my IT staff. And good luck blocking "me" (i.e. Google, Microsoft). Maybe a problem if you are in the email business, fine with me, my domain is a private hobby. In fact, for all their "flaws", seeing the insanity of the know-it-all experts (some here on the list) I think I prefer Google requesting some reputation steps and a webpage explaining it. The alternative: being blocked for "Excessive Spam - Come back when you have fixed it". No further details. Sure, private domain, private VPS, no BL/score listing that I can find ... fortunately that blocking was just a Cc: to one of my posts, so I could not care less. The acceptable state of the mail system today! So there you may have an argument: that the increasing number of mechanisms, lists, tricks make the mail system less work-able and more broken. But I have no crystal ball, if email will finally break or will keep going - I don't know. Would be just sad if it breaks (but I have a gmail account as a backup ;-) Marc
 
            It appears that Mike Hammett via NANOG <nanog@lists.nanog.org> said:
Important in what you said is the ability to seek redress. The Internet often doesn't provide good means of seeking redress.
You can always get a refund of what you paid for the mail they don't deliver. R's, John
----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "Mike Hammett" <nanog@ics-il.net>
Sent: Monday, August 18, 2025 9:36:33 AM
Subject: Re: Worsening google service reputation and abuse
Truth. Reduced to its simplest terms, if the way you run (or don’t bother to run) your network causes issues to other networks, those networks may take whatever action necessary to protect their network, systems and users.
The problem of random, indiscriminate blocking and no possible redress was why these community / industry organizations and best practices came about. So there are at least processes that you can follow to get yourself unblocked, worst comes to worst.
The other best practices about keeping bad actors off your network? Well, they seem much more difficult in practice than on paper. Even the most proactive organization can’t avoid it 100%, despite their spending time and effort on it. Orgs that don’t care or don’t want to know about the problem? No need to say anything further about those.
 
            Are there any good sources breaking down spam (et al) behavior?
I've found some that try to measure, usefully, how much spam, what percentage of email is spam, registrar sources, hosting sources, domains and in particular TLDs most used.
Which is fine.
But I'm thinking more in the realm of characterizing the spammers themselves.
There's too much anecdote in these discussions.
For example are there ~20 spam operations which account for 90+% of the spam? What sort of products do the major spammers spam?
Wild guess, but I suspect it's something like that, a small set of spammers accounting for most of it and then a rapidly descending long tail.
How would you begin to group them?
A first try might be by spam content, by apparent customer.
And probably stylistically, for example identical embedded HTML or CSS tho that could just be commonly shared packages.
But something like that should provide fingerprints with some study just as we do with computer viruses.
At least it might begin to suggest what arrowhead(s) to put the wood behind if one wants to disrupt their business models.
I realize some want to now argue "but what is spam?" which is a valid question but as with all science and engineering research so long as the methods are transparent and seem reasonable then the results simply are a measure of what they set out to do and you're free to interpret whether they apply to your interests or not. Or provide alternative approaches.
But my question is whether anyone is already doing this?
P.S. Because I don't think this merits another message:
Some here reason that spam is effective and profitable because it persists.
That is probably somewhat true for the spamming operations but I wouldn't be so sure about their customers.
There's an old joke about an experienced business person saying that only half their advertising is effective -- and if they could ever figure out which half they could save a lot of money!
The same might be true of spamming. For example a company might give an advertising broker (numbers just made up) $100K/month to provide an advertising campaign.
If $10K/mo of that went into subcontracting spammers but only the other $90K/mo had any effectiveness they may have no way of knowing that so they continue throwing 10% of their budget at spamming operations.
Yes there may be ways of trying to measure that, welcome to the realities of the advertising industry as that joke above illustrates.
Often all the advertising purchaser can hope for is overall that a $100K spend was profitable for them, it brought in more than $100K revenue even if they have no idea from which campaign.
And even that may change over time, spamming for example might work somewhat seasonally or based on other external conditions such as news events, a big competitor's similar advertising campaign elsewhere and now everybody wants blue beer, university schedules, etc. etc. etc.
It ain't science.
--
-Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
 
            On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            Since this is a network operator list, here's my question. What percentage of traffic is spam? That is, total traffic? My guess is that it's minuscule. That and how negatively does it cut into bottom line for an operator like an ISP? I hardly see ISP based email anymore these days. My bet is that it's making a mountain out of a molehill these days, which is why nobody has any incentive to do anything but the minimum required. Just like anything else that isn't core to what actually makes money.
Mike
On 8/19/25 2:53 PM, Barry Shein via NANOG wrote:
Are there any good sources breaking down spam (et al) behavior?
I've found some that try to measure, usefully, how much spam, what percentage of email is spam, registrar sources, hosting sources, domains and in particular TLDs most used.
Which is fine.
But I'm thinking more in the realm of characterizing the spammers themselves.
There's too much anecdote in these discussions.
For example are there ~20 spam operations which account for 90+% of the spam? What sort of products do the major spammers spam?
Wild guess, but I suspect it's something like that, a small set of spammers accounting for most of it and then a rapidly descending long tail.
How would you begin to group them?
A first try might be by spam content, by apparent customer.
And probably stylistically, for example identical embedded HTML or CSS tho that could just be commonly shared packages.
But something like that should provide fingerprints with some study just as we do with computer viruses.
At least it might begin to suggest what arrowhead(s) to put the wood behind if one wants to disrupt their business models.
I realize some want to now argue "but what is spam?" which is a valid question but as with all science and engineering research so long as the methods are transparent and seem reasonable then the results simply are a measure of what they set out to do and you're free to interpret whether they apply to your interests or not. Or provide alternative approaches.
But my question is whether anyone is already doing this?
P.S. Because I don't think this merits another message:
Some here reason that spam is effective and profitable because it persists.
That is probably somewhat true for the spamming operations but I wouldn't be so sure about their customers.
There's an old joke about an experienced business person saying that only half their advertising is effective -- and if they could ever figure out which half they could save a lot of money!
The same might be true of spamming. For example a company might give an advertising broker (numbers just made up) $100K/month to provide an advertising campaign.
If $10K/mo of that went into subcontracting spammers but only the other $90K/mo had any effectiveness they may have no way of knowing that so they continue throwing 10% of their budget at spamming operations.
Yes there may be ways of trying to measure that, welcome to the realities of the advertising industry as that joke above illustrates.
Often all the advertising purchaser can hope for is overall that a $100K spend was profitable for them, it brought in more than $100K revenue even if they have no idea from which campaign.
And even that may change over time, spamming for example might work somewhat seasonally or based on other external conditions such as news events, a big competitor's similar advertising campaign elsewhere and now everybody wants blue beer, university schedules, etc. etc. etc.
It ain't science.
 
            Holdup. What did I miss about Richard Clayton? On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG < nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            On 8/19/25 3:13 PM, Josh Reynolds via NANOG wrote:
Holdup. What did I miss about Richard Clayton?
If it's the same Richard Clayton as the one I think it is, he's off on a useless adventure to reinvent DKIM for the hell of it, for one. Mike
On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG < nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
There's too much anecdote in these discussions.
For example are there ~20 spam operations which account for 90+% of the spam? What sort of products do the major spammers spam?
Wild guess, but I suspect it's something like that, a small set of spammers accounting for most of it and then a rapidly descending long tail.
I go to conferences where we talk about questions like this. There is a complicated crime economy where different groups specialize in different things, of which sending the spam is only one bit. Believe it or not there is a lot of law enforcement action, they take these groups down all the time, but there are many of them, and they are often in countries where the government doesn't care. As an egregious example, the romance scams are mostly along the Cambodia-Burma border with people from other countries lured by promises of fake tech jobs who then can't leave. I think it is safe to say there are a lot more than 20 groups, and they're not the same groups from one year to the next. Adding to the excitement, you can send spam in lots of different ways. There was a Chinese group that specialized in iMessage and RCS spam of "you have an unpaid turnpike toll" or "you have a postage due package", directing you to very plausible fake websites where they steal your credit card info. They got busted due to poor opsec but they seem to have regrouped elsewhere in China. R's, John
 
            Interesting. Do you have any links about this? I was talking to him a few months back about some things. Thanks On Tue, Aug 19, 2025, 5:16 PM Michael Thomas via NANOG < nanog@lists.nanog.org> wrote:
On 8/19/25 3:13 PM, Josh Reynolds via NANOG wrote:
Holdup. What did I miss about Richard Clayton?
If it's the same Richard Clayton as the one I think it is, he's off on a useless adventure to reinvent DKIM for the hell of it, for one.
Mike
On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG < nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            On 8/19/25 3:17 PM, Josh Reynolds wrote:
Interesting. Do you have any links about this? I was talking to him a few months back about some things.
Just google ietf dkim to find the mailing list. It should have pointers to any drafts too. Mike
Thanks
On Tue, Aug 19, 2025, 5:16 PM Michael Thomas via NANOG <nanog@lists.nanog.org> wrote:
On 8/19/25 3:13 PM, Josh Reynolds via NANOG wrote: > Holdup. What did I miss about Richard Clayton?
If it's the same Richard Clayton as the one I think it is, he's off on a useless adventure to reinvent DKIM for the hell of it, for one.
Mike
> On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG <nanog@lists.nanog.org> wrote:
>> On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
>>> Are there any good sources breaking down spam (et al) behavior?
>> <snip>
>>> But my question is whether anyone is already doing this?
>> I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
>> In the past I'd also have said: "And Richard Clayton" but :( <sad panda>
>> There's been a bunch of presentation work on these things over the years...
 
            It appears that Michael Thomas via NANOG <nanog@lists.nanog.org> said:
Since this is a network operator list, here's my question. What percentage of traffic is spam? That is, total traffic? My guess is that it's minuscule. That and how negatively does it cut into bottom line for an operator like an ISP? I hardly see ISP based email anymore these days.
In terms of percentage of total bits, I'm sure you're right. Mail is a sliver of bandwidth, spam is between half and 90% of that. The problems are on the one hand, having a mailbox full of spam makes mail less useful (I am so tired of my morning B2B blasts from Outlook and Gmail), but on the other a lot of it is linked to real crime with significant financial consequences to the victims. I agree that the incentives are skewed, with little incentive for ISPs to deal with it. I note that Comcast who used to run a large mail system recently handed it all over to Yahoo, presumably because Yahoo has economies of scale they don't. R's, John
 
            It appears that Josh Reynolds via NANOG <nanog@lists.nanog.org> said:
Interesting. Do you have any links about this? I was talking to him a few months back about some things.
You can read about it in the IETF DKIM working group and its ietf-dkim mailing list. Let's just say that Mike and I disagree about its likely utility. R's, John
Thanks
On Tue, Aug 19, 2025, 5:16 PM Michael Thomas via NANOG < nanog@lists.nanog.org> wrote:
On 8/19/25 3:13 PM, Josh Reynolds via NANOG wrote:
Holdup. What did I miss about Richard Clayton?
If it's the same Richard Clayton as the one I think it is, he's off on a useless adventure to reinvent DKIM for the hell of it, for one.
Mike
On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG < nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            I'll dig into it. There are some very strong opinions about how we should solve some of our technical issues, but I've always had a huge amount of respect for Dr Clayton and his work. Even if I disagree in the end, it's worth a look to me. Thank you. On Tue, Aug 19, 2025, 5:24 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Josh Reynolds via NANOG <nanog@lists.nanog.org> said:
Interesting. Do you have any links about this? I was talking to him a few months back about some things.
You can read about it in the IETF DKIM working group and its ietf-dkim mailing list.
Let's just say that Mike and I disagree about its likely utility.
R's, John
Thanks
On Tue, Aug 19, 2025, 5:16 PM Michael Thomas via NANOG < nanog@lists.nanog.org> wrote:
On 8/19/25 3:13 PM, Josh Reynolds via NANOG wrote:
Holdup. What did I miss about Richard Clayton?
If it's the same Richard Clayton as the one I think it is, he's off on a useless adventure to reinvent DKIM for the hell of it, for one.
Mike
On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG < nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            On Tue, Aug 19, 2025 at 6:13 PM Josh Reynolds <joshr@spitwspots.com> wrote:
Holdup. What did I miss about Richard Clayton?
Oh wait.. I thought I recalled he had died :( If that's not the case then great! (and add him to your list barry)
On Tue, Aug 19, 2025, 5:10 PM Christopher Morrow via NANOG <nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 5:54 PM Barry Shein via NANOG <nanog@lists.nanog.org> wrote:
Are there any good sources breaking down spam (et al) behavior?
<snip>
But my question is whether anyone is already doing this?
I think you want to find Suresh and the SpamHaus folks (at least) (they are different orgs with slightly different views)
In the past I'd also have said: "And Richard Clayton" but :( <sad panda> There's been a bunch of presentation work on these things over the years...
 
            On 8/19/25 3:24 PM, John Levine via NANOG wrote:
It appears that Josh Reynolds via NANOG <nanog@lists.nanog.org> said:
Interesting. Do you have any links about this? I was talking to him a few months back about some things.
You can read about it in the IETF DKIM working group and its ietf-dkim mailing list.
Let's just say that Mike and I disagree about its likely utility.
The problem basically boils down to ESP's not policing their users. That's a social problem, not a technical problem. Wholesale wheel-reinvention is not the answer. That and the people pursuing this are extremely dismissive and don't have a good track record, cf ARC. Mike
 
            It appears that Christopher Morrow via NANOG <nanog@lists.nanog.org> said:
On Tue, Aug 19, 2025 at 6:13 PM Josh Reynolds <joshr@spitwspots.com> wrote:
Holdup. What did I miss about Richard Clayton?
Oh wait.. I thought I recalled he had died :( If that's not the case then great! (and add him to your list barry)
He seemed quite alive when I talked to him next week and replied to his email today. R's, John
 
            On Tue, Aug 19, 2025 at 9:43 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Christopher Morrow via NANOG <nanog@lists.nanog.org> said:
On Tue, Aug 19, 2025 at 6:13 PM Josh Reynolds <joshr@spitwspots.com> wrote:
Holdup. What did I miss about Richard Clayton?
Oh wait.. I thought I recalled he had died :( If that's not the case then great! (and add him to your list barry)
He seemed quite alive when I talked to him next week and replied to his email today.
Oh, excellent news :)
 
            On Aug 18, 2025, at 7:29 AM, Matthew Petach via NANOG <nanog@lists.nanog.org> wrote:
On Mon, Aug 18, 2025, 04:13 nanog--- via NANOG <nanog@lists.nanog.org> wrote:
I'm curious who you think is the internet police.
 
            Haven't seen anyone cite this in awhile so I might as well: <https://www.rhyolite.com/anti-spam/you-might-be.html> John
 
            One of my staff once suggested we have a "Spam Appreciation Day", shut off all the filters for 24 hours to give customers an idea of what's really going on. Amusing, it had practical problems like no doubt many customers' mailboxes would just fall over dead (e.g., out of quota, become totally unmanageable by them.) I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature. But as the old expression goes: When all you have is a hammer the whole world looks like a nail.
On August 15, 2025 at 10:54 nanog@lists.nanog.org (Tom Beecher via NANOG) wrote:
Yeah, it's a bit much to assert that G "wants" things this way. It's kind of a big FU to the people who do work on this stuff full time.
Heard the same thing about Y for years, how we 'support spammers' , how we 'don't care', and 'never did anything'. All the while our anti-spam teams came up with absurdly genius ways to handle these problems that only people in that space ever knew about. The amount of shit spam that people don't see is many, many orders of magnitude more than what gets through.
Email spam has been a problem for more than 30 years at this point. The fact that a ton of really smart people have worked on this for that long, and it's still an issue, should be a huge indicator that it's a complex issue with no easy solutions.
Could Y have done many things better? Sure. Could Google be doing many things better? Sure. Nobody is perfect. Can we ask them to be better? Yes, we should.
But assertions that companies *WANT* these problems to exist is , honestly, pretty damn ignorant.
On Fri, Aug 15, 2025 at 10:27 AM Jared Mauch via NANOG < nanog@lists.nanog.org> wrote:
On Thu, Aug 14, 2025 at 12:23:26PM -0400, Christopher Morrow via NANOG wrote:
On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org>
wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when)
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
yeah, i think there's a subtle thing here where the expectation is that someone will be willing to opt-in or add *all* the addresses that may end up in their mailbox, while i as postmaster need some way to say "hey these well-formatted list-like things maybe shouldn't be put on lists/groups/whatnot on your side"
It is a well-known issue of a company named Google that supports spammers.
It took months months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
I agree, hence the note, but I think there's an element of this is a weird corner case that needs some [minor] attention to improve things.
I may one day need access to google classroom, but not in the role/nature that I'm getting the mails today, and I don't want to toss all of google to /dev/null.
This also isn't quite a google only problem, I see the same thing from outlook/o365/hotmail but to a lesser extent. YMMV.
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
 
            It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem. R's, John
 
            I think all of these big companies lack a meaningful feedback loop from reasonably vetted people, lending credibility to their feedback. Most of them don't provide the tools to diagnose, nor have the ability to receive support requests. Not just SPAM, but all kinds of sanitation type services.
----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP
----- Original Message -----
From: "Tom Beecher via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "Marco Moock" <mm@dorfdsl.de>, "Tom Beecher" <beecher@beecher.cc>
Sent: Friday, August 15, 2025 9:54:26 AM
Subject: Re: Worsening google service reputation and abuse
Yeah, it's a bit much to assert that G "wants" things this way. It's kind of a big FU to the people who do work on this stuff full time.
Heard the same thing about Y for years, how we 'support spammers' , how we 'don't care', and 'never did anything'. All the while our anti-spam teams came up with absurdly genius ways to handle these problems that only people in that space ever knew about. The amount of shit spam that people don't see is many, many orders of magnitude more than what gets through.
Email spam has been a problem for more than 30 years at this point. The fact that a ton of really smart people have worked on this for that long, and it's still an issue, should be a huge indicator that it's a complex issue with no easy solutions.
Could Y have done many things better? Sure. Could Google be doing many things better? Sure. Nobody is perfect. Can we ask them to be better? Yes, we should.
But assertions that companies *WANT* these problems to exist is , honestly, pretty damn ignorant.
On Fri, Aug 15, 2025 at 10:27 AM Jared Mauch via NANOG < nanog@lists.nanog.org> wrote:
On Thu, Aug 14, 2025 at 12:23:26PM -0400, Christopher Morrow via NANOG wrote:
On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org>
wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when)
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
yeah, i think there's a subtle thing here where the expectation is that someone will be willing to opt-in or add *all* the addresses that may end up in their mailbox, while i as postmaster need some way to say "hey these well-formatted list-like things maybe shouldn't be put on lists/groups/whatnot on your side"
It is a well-known issue of a company named Google that supports spammers.
It took months months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
I agree, hence the note, but I think there's an element of this is a weird corner case that needs some [minor] attention to improve things.
I may one day need access to google classroom, but not in the role/nature that I'm getting the mails today, and I don't want to toss all of google to /dev/null.
This also isn't quite a google only problem, I see the same thing from outlook/o365/hotmail but to a lesser extent. YMMV.
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
 
            Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.
I assume Barry was thinking about the "electronic post stamp", not to send the lawyers ;-) On 16 Aug 2025 13:56:54 -0400, John Levine via NANOG wrote:
It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
 
            On 14/08/25 20:52, Michael Thomas via NANOG wrote:
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.
They probably don't. Google has a pattern where teams build new products to get themselves promoted, and then abandon them. Eventually when the abandoned product becomes too much of a liability, it's turned off. It's not surprising each product is a silo. Google services with ongoing maintenance are the minority.
Mike
 
            John is going to pop up instantly whenever I, or perhaps others, I can only follow me, suggest that we need a fresh approach to spam and related. He has done this for literally 20+ years going back to the days of the IRTF/ASRG ca 2003.
The paper, or a similar paper, he flogs he also has offered as "mathematical proof" that bitcoin cannot possibly work 15 or so years ago. Perhaps we have different notions of "work".
But I want to ask: John: Do you have any conflict of interest which might motivate you to shoot down even the most generally worded proposal regarding spam et al as quickly as you can type? At best my take is he wants to shut down any discussion, fast.
So maybe we need to hear from new or at least encouraging voices because the current technological approaches aren't working no matter how much we tweak them over and over as evidenced by even the past few days' commiseration right here on nanog.
In a sentence: Let's figure out how to put these spammers et al out of business.
I've watched them for nearly 30 years and believe their business model is fragile and brittle but isn't going to be subdued by layering on yet another blind, general-purpose, verification layer.
It's possible this might be a threat to some so-called "legitimate" bulk emailers who are currently getting an enormous free ride on the current architecture at the cost of end-users' attention time and those who have to provide the ever-growing infrastructure to carry their boondoggle*.
* By the old business rule: If it's not worth anything to you it's CERTAINLY not worth anything to me!
On August 16, 2025 at 13:56 nanog@lists.nanog.org (John Levine via NANOG) wrote:
It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.
R's, John
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
 
            On Sat, 16 Aug 2025, bzs@theworld.com wrote:
John is going to pop up instantly whenever I, or perhaps others, I can only follow me, suggest that we need a fresh approach to spam and related. He has done this for literally 20+ years going back to the days of the IRTF/ASRG ca 2003.
Well, sure, you keep saying the same things, I keep reminding people that they're known not to work.
The paper, or a similar paper, he flogs he also has offered as "mathematical proof" that bitcoin cannot possibly work 15 or so years ago.
Um, you have me confused with someone else. I'm the guy who blogged about buying coffee with bitcoin a decade ago. It was more hassle than it was worth, but it did work. At current BTC prices that coffee probably cost $50,000 (Canadian, I did it in Vancouver.) R's, John PS:
I've watched them for nearly 30 years and believe their business model is fragile and brittle but isn't going to be subdued by layering on yet another blind, general-purpose, verification layer.
Hey, we agree there. "Authenticate everyone" is one of those ideas that's well known not to work.
 
            On August 16, 2025 at 21:32 nanog@lists.nanog.org (Marc Binderberger via NANOG) wrote:
Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.
I assume Barry was thinking about the "electronic post stamp", not to send the lawyers ;-)
Spammers' business models depend on sending O(1B) messages per day per each basically for free, or at a negligible cost. So anything which increases that cost or limits that behavior is likely to be a threat to their business model. Not too many honest sources need to send O(1B) msgs/day, and fewer still need to do that for free, probably zero almost by definition. That is, if they need to send that amount for free their business model is of questionable honesty, so ipso facto. "Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted. But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
On 16 Aug 2025 13:56:54 -0400, John Levine via NANOG wrote:
It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
 
            On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps. My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas. R's, John
 
            On Sat, Aug 16, 2025 at 4:10 PM John R. Levine via NANOG < nanog@lists.nanog.org> wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
"Electronic Postage Stamps" conjures up visions of a centralized Post Office type entity that issues postage. I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well. I avoid the term "proof of work", because I'd like it to be broader than simply "please jump through these mathematical calculations for me" -- imagine a combination of either proof you've accepted a certain number of email messages from me (a tit-for-tat type of proof of skin in the game, where the sender can pass along a cryptographic hash of message-IDs that it accepted for its users from the domain to which it is now trying to send a message), or a recaptcha type "do some work for the good of the internet first, and then I'll accept your message" computational challenge. The idea would be to have a distributed challenge, one in which each connection between servers brings with it a "prove to me you bring value to the email ecosystem" from the receiver to the sender. For "white hat" types of sites, it should be easy to show that they accept mail for their users from the domain to which they are now sending a message. For sites which have not yet received any mail, the challenge might be to classify the contents of three images sent back from the receiving server to the sender. Or even just hold the connection open for three minutes, and make the sender wait on the connection for three minutes before the message will be accepted. Once a site has started to receive inbound mail, it can use the faster "here's a hash of message-IDs I've accepted from you in the past X time interval, please accept this new message from me", so the 3 minute cooldown would only be used for suspicious sites that haven't received email previously. 
This is completely off-the-cuff, and clearly needs much smarter people than me to turn it into something more workable; but the idea is to have a distributed "proof of stake" model, where senders have either shown that they are also participants in the global back-and-forth flow of email messages, and have a reason to work towards the improvement of the overall system, or that they are willing to hold a connection open for a long period of time to get their message accepted, because it really is that meaningful for their user. That way, the determination doesn't require any centralized "Post Office" type entity that everyone trusts, and it could be rolled out on an incremental basis. A receiving site can request proof-of-stake validation from the sender; if it has no idea what that is, the receiver can treat it as an unknown site, and put it in the three minute penalty box. Senders would have an incentive then to update their software to be able to answer the request for proof-of-stake with a valid answer, to reduce the wait times on their outbound message queues. For spammers, who don't accept mail, and have no good way to answer a proof-of-stake request, it puts a throttle on how many messages they can send out at a time, drastically reducing (but not eliminating) the spam volume they can send out. In short; I think John's right, but I also don't think Barry's entirely wrong either. ^_^; Thanks! Matt
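Added example, not part of any post in this thread: a receiver-side sketch in Python of the decentralized "proof of stake" check proposed above. The per-connection nonce, the HMAC-SHA-256 token format, the 30-day window, the three-ID threshold and all names and `.example` domains are assumptions made for illustration; only the three-minute penalty comes from the proposal.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PENALTY_SECONDS = 180             # the "three minute penalty box" from the proposal
WINDOW_SECONDS = 30 * 24 * 3600   # assumed value for "the past X time interval"
MIN_MATCHES = 3                   # assumed number of Message-IDs a sender must prove


def proof_token(nonce: bytes, message_id: str) -> str:
    """Bind one Message-ID to the receiver's per-connection nonce (assumed format)."""
    return hmac.new(nonce, message_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_proof(nonce: bytes, accepted_message_ids):
    """Sender side: tokens for Message-IDs it accepted from the receiver's domain."""
    return [proof_token(nonce, mid) for mid in accepted_message_ids]


@dataclass
class Decision:
    delay_seconds: int
    reason: str


@dataclass
class Receiver:
    # remote domain -> {Message-ID: unix time we handed it to that domain}
    outbound_log: dict = field(default_factory=dict)

    def record_outbound(self, to_domain: str, message_id: str, sent_at: float) -> None:
        self.outbound_log.setdefault(to_domain.lower(), {})[message_id] = sent_at

    def new_challenge(self) -> bytes:
        # A fresh nonce per connection keeps an old proof from being replayed.
        return secrets.token_bytes(16)

    def evaluate(self, sender_domain: str, nonce: bytes, tokens, now: float) -> Decision:
        # Senders that do not speak the extension land in the penalty box.
        if not tokens:
            return Decision(PENALTY_SECONDS, "no proof offered")
        sent = self.outbound_log.get(sender_domain.lower(), {})
        expected = {
            proof_token(nonce, mid)
            for mid, sent_at in sent.items()
            if 0 <= now - sent_at <= WINDOW_SECONDS   # stale mail earns no credit
        }
        matches = len(expected & set(tokens))         # set() drops repeated tokens
        if matches >= MIN_MATCHES:
            return Decision(0, f"{matches} recent Message-IDs proven")
        return Decision(PENALTY_SECONDS, f"only {matches} of {MIN_MATCHES} proven")


def max_messages_per_day(delay_seconds: int, connections: int) -> int:
    """Upper bound on deliveries per day when each one waits delay_seconds."""
    return (86400 // delay_seconds) * connections


def demo():
    now = 1_755_400_000.0   # constructed timestamp
    rx = Receiver()
    ids = [f"<constructed-{i}@rx.example>" for i in range(4)]   # constructed IDs
    for mid in ids:
        rx.record_outbound("peer.example", mid, now - 3600)
    nonce = rx.new_challenge()
    proof = build_proof(nonce, ids[:3])
    return {
        "peer": rx.evaluate("peer.example", nonce, proof, now),
        "unknown": rx.evaluate("bulk.example", nonce, None, now),
        "replayed": rx.evaluate("peer.example", rx.new_challenge(), proof, now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
    print("penalty-box ceiling per connection per day:",
          max_messages_per_day(PENALTY_SECONDS, 1))
```

Message-IDs are visible to every recipient and forwarder of a message, so a match shows that the sender saw that mail, not that the sender is trustworthy.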
 
            On 8/16/25 4:42 PM, Matthew Petach via NANOG wrote:
On Sat, Aug 16, 2025 at 4:10 PM John R. Levine via NANOG < nanog@lists.nanog.org> wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words. It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
"Electronic Postage Stamps" conjures up visions of a centralized Post Office type entity that issues postage.
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, rather than some FUSSP that will never happen. Spam filtering is just a cost of business like electricity. You'd probably save more by addressing that with dilithium crystals, or something. Mike
 
            It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice. https://www.wisdom.weizmann.ac.il/~naor/PAPERS/pvp.pdf R's, John
 
            It appears that Mike Hammett via NANOG <nanog@lists.nanog.org> said:
I think all of these big companies lack a meaningful feedback loop from reasonably vetted people, lending credibility to their feedback. Most of them don't provide the tools to diagnose, nor have the ability to receive support requests. Not just SPAM, but all kinds of sanitation type services.
I know people at the large mail providers and I have to have some sympathy for them. They have mailers endlessly screaming at them, outraged that the Valuable Offers from their Treasured Marketing Partners go into the spam folder or worse, and they're sure that someone manually made that filtering decision and just has to flip a switch to fix it. Vetting trusted reporters just doesn't scale. To repeat a cliche, any group large enough to be interesting is going to include people who shouldn't be there. R's, John
 
            On Sat, Aug 16, 2025 at 5:47 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice.
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
In their words:
The system requires a single pricing function fs, with shortcut c, and a hash function h. The selection of the pricing function and the setting of usage fees are controlled by a pricing authority. All users agree to obey the authority. There can be any number of trusted agents that receive the shortcut information from the pricing authority. The functions h and fs are known to all users, but only the pricing authority and its trusted agents know c.
And this would, in my opinion, be why it's a non-starter. You'll never get a system that requires everyone to adhere to dictates from a central authority.
Instead, I'm advocating for a decentralized, one-at-a-time type approach, where the penalty box is in the time domain, so it's easily implemented unilaterally by the receiving side. It's the very opposite of what the paper you're citing proposed.
I mean, I know I'm a complete idiot, but at least shoot down my idea for its own flaws, don't shoot it down using a paper that contemplates the exact opposite scheme. ;P
Thanks! :) Matt
 
            On Sat, Aug 16, 2025 at 6:08 PM Matthew Petach via NANOG < nanog@lists.nanog.org> wrote:
On Sat, Aug 16, 2025 at 5:47 PM John Levine via NANOG < nanog@lists.nanog.org> wrote:
It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice.
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
And this would, in my opinion, be why it's a non-starter. You'll never get a system that requires everyone to adhere to dictates from a central authority.
Instead, I'm advocating for a decentralized, one-at-a-time type approach, where the penalty box is in the time domain, so it's easily implemented unilaterally by the receiving side. It's the very opposite of what the paper you're citing proposed.
Pretty sure what you're proposing is the equivalent of Hashcash? https://en.wikipedia.org/wiki/Hashcash Damian
participants (24)
- Anoop Ghanwani
- bzs@theworld.com
- Christopher Morrow
- Damian Menscher
- Drew Weaver
- Francis Booth
- Giorgio Bonfiglio
- Hank Nussbacher
- Jared Mauch
- John Kristoff
- John Levine
- John R. Levine
- Jon Lewis
- Josh Reynolds
- Marc Binderberger
- Marco Moock
- Matthew Petach
- Michael Thomas
- Mike Hammett
- nanog@immibis.com
- Randy Bush
- Rob McEwen
- Suresh Ramasubramanian
- Tom Beecher