Michael.Dillon@btradianz.com said:
That's strange because you just finished describing how SOME companies are already engaging in email peering on a piecemeal basis. And how these companies ARE finding this to be beneficial in reducing costs. So please explain why my suggestion about widespread email peering agreements won't work?
Because I don't think "some companies" == "the entire population of email users", or even a sizable (i.e. widespread) part of that population. A large number of people are fine with the current system, and thus won't pay more for something else. Me, for example. Those who are unhappy will pay more for a better solution, and some small number with really deep pockets may be at that point where they will pay for something like "business class" email, in addition to the "tourist class" email they already have. You seem to repeatedly describe a solution that becomes so big that it (at least substantially) replaces 25/SMTP. That's what I don't think will work, or is needed.
And please don't suggest that webs of trust are not scalable. Given the techniques of scaling that we have in the 21st century, I simply don't believe that.
I don't think either are relevant to this discussion. In the utility model you seem to talk about (and that I was talking about) all you care about is the provider. If you contract with them for traceable, trusted spam free email, and they give you something less than that, they pay a penalty. The utility knows, and has a contractual relationship with, each endpoint, and presumably can keep track of traffic in its own network. Problem solved. And the whole thing doesn't need to scale, because there are a severely limited number of companies that would be willing to pay the costs for such a service. But they are out there, and one might be able to make a business out of it.

Best,
Ben
On Fri, Jun 17, 2005 at 11:48:58AM -0400, Ben Hubbard wrote:
You seem to repeatedly describe a solution that becomes so big that it (at least substantially) replaces 25/SMTP. That's what I don't think will work, or is needed.
Please let me borrow Ben's point and expand on it.

Spam as it's usually discussed (spam propagated via SMTP) is only part of the spam problem. We've seen Usenet spam, chat room spam, http referrer log spam, blog spam, and so on. And all of those bundled together and labeled as "spam" are only part of the overall network abuse problem -- which also involves phishing, zombies, DoS attacks, spyware, etc. And these are all (increasingly) interrelated problems, e.g. spam is used to phish people to sites which forcibly download spyware, and so on.

We could (and some already have) spend an enormous amount of time devising very clever "solutions" to these and deploying them. But as we've seen, doing so usually results only in a shift in the nature of the abuse, not an overall reduction in it. So even if we had The Perfect Solution to SMTP spam and it was globally deployed tomorrow and had no adverse side-effects...we'd buy ourselves a brief respite, no better.

I'm not saying some of the technical approaches aren't clever. They are. But none of them are going to solve the problem for any acceptable value of "solve", not because there's anything wrong with them per se, but because they're technological attempts to solve the problem at its end points -- rather than its source points.

"The best place to stop abuse is as near its source as possible."

Meaning: it's far easier for network X to stop abuse from leaving its network than it is for 100,000 other networks to defend themselves from it. Especially since techniques for doing so (for instance, controlling outbound SMTP spam) are well-known, heavily documented, and easily put into service.

The problem is that network X, for many values of "X" (see the data compiled by Spamhaus or SPEWS or any number of others) hasn't done so.
Whether that failure is due to incompetence, greed, laziness, negligence or anything else is an interesting question...but really doesn't matter, because regardless of the cause, the fastest way to get it fixed is to make it X's problem...*not everyone else's*. (It's often impressive how fast X can move--despite protestations otherwise--when this situation is created.)

Those who have been around a long long time know that this is how it used to be. If your network started spewing crap, and didn't stop spewing crap in a fairly timely manner, you got a phone call or email explaining that someone had their hand on your plug and was going to pull it.

The point? The point is that there is no need for any new technology to deal with the spam/abuse problem. What there is a desperate need for is the *will* to use the technology we already have -- to shift the burden of dealing with abuse onto those who are permitting it to originate from their network. This can be done in a number of ways: using DNSBLs, firewalls, routers, whatever.

Because if it's not done, then Network X, for many values of X, will be perfectly happy to watch everyone else innovate and scramble and spend money to defend themselves *as long as X doesn't have to*. As we've seen. For many years. Over and over and over again. After all, why should they? There's nothing in it for them and no downside if they don't.

"[...] if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is "it isn't scaling well."
--- Paul Vixie

So either the collective "we" has the will to stop putting up with this nonsense -- or we don't. If it's the former, then we already have all the tools we need. If it's the latter, then nothing we come up with, no matter how clever it is, is going to make any real difference.

---Rsk
Rich Kulawiec wrote:
"The best place to stop abuse is as near its source as possible."
Meaning: it's far easier for network X to stop abuse from leaving its network than it is for 100,000 other networks to defend themselves from it. Especially since techniques for doing so (for instance, controlling outbound SMTP spam) are well-known, heavily documented, and easily put into service.
The problem is that countermeasures that would actually hurt the source of junk heavily enough would also have to hurt "legitimate" traffic, making you an immediate lawsuit magnet. If that would not be the case, or some larger parties feel they could stand despite this fact, the problem would be fairly straightforward to reduce to a fraction in a few months' time.

Pete
participants (3)
- Ben Hubbard
- Petri Helenius
- Rich Kulawiec