[IP] So now the FTC is in on the act

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] So now the FTC is in on the act
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 25 May 2005 05:26:47 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <4293D753.7040901@xxxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Begin forwarded message:

From: Phil Karn <karn@xxxxxxxx>
Date: May 24, 2005 9:39:31 PM EDT
To: David Farber <dave@xxxxxxxxxx>
Subject: So now the FTC is in on the act


(For IP if you want...)

So now the FTC has lent the bully pulpit of the federal governmenttoward those advocating ill-advised "anti-spam" practices like port25 blocking.


Double sigh.

No doubt the FTC's staff members *think* they're doing the rightthing. They're probably well-meaning but totally non-technical peoplewho only know what a few especially rabid, scorched-earth anti-spamzealots have told them. So they simply don't know any better. That'sapparent from their nonsensical remark that users who need to runtheir own mail servers could use authenticated access to port 587.


So how do we clue them into the fact that there are better ways?

If the FTC wants to do some good, they could start with a vigorouslegal action against the software vendor whose incompetence,arrogance and utter recklessness is directly responsible for thehundreds of thousands of spam zombies that we all agree are causing aserious problem. I find it inexplicable that they're still unscathedby all the damage they have caused and continue to cause. I guessmost people (including those in government) simply don't know thatthere are better alternatives, and that personal computer softwaresimply doesn't *have* to be this wretched.

And when it comes to technical countermeasures, the FTC (and thosewho seem to have its ear) have it totally wrong.

Their first mistake is the belief that it should be an ISP's job topolice their customer's email for viruses and spam. This raises somevery serious and fundamental security, privacy and due-processissues. These issues are not raised -- or are far less serious --when an ISP's abuse department is triggered only by complaints fromusers on the receiving end of malicious traffic.

But even if we were to agree that it's an ISP's job to monitor itscustomers' mail, exactly why does that imply blocking port 25 andforcing all outbound mail through an application level gateway? Whyis it necessary to do so much violence to the Internet end-to-endmodel? Let the users talk directly to port 25 if they want. Just setup an automatic packet monitor and passively watch for thecharacteristic signs of massive spamming or a virus infection. Whenit trips, investigate the situation and, if necessary, cut off theuser's service or limit his connectivity to sites distributingpatches and anti-virus tools.

Such packet monitoring systems already exist. They're calledintrusion detection systems, and they're in widespread use. Not onlycan they catch infected hosts using port 25, they can catch virusesthat spread by other means -- something forced mail relaying won't stop.

I am totally baffled by the fact that so many people (and apparentlynow the FTC) believe that forcing email through an application levelrelay is some sort of magic bullet against spam and viruses. If itwas that easy to configure a mail relay to block spam and viruses,then we'd already be running those very same mechanisms on our ownincoming mail servers. Oh wait -- we are. To the extent that theyactually work, of course.

And since all these spam and virus detection mechanisms have theirproblems, I'd much rather give the recipients of an email -- thosewho are most directly affected by blocking and filtering decisions --direct policy control over those mechanisms and the appropriate tradeoffs between false positives and false negatives. It is simply wrongto put those mechanisms back at the sender's ISP whose staffgenerally couldn't care less if a few (or even a lot) of legitimateemail is blocked as long as their phone and pagers don't ring as much.


- --Phil




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iQEVAwUBQpRE5Zvsr0LEqlnXAQJaiAf7B4rjXiqeTeWZB6wkURLdfPuXTflp3CWN
cIVQIYPxSc4sJO3M0izGWrrhBMqurWOrbFIboIYvqquSEEHcKe91Yl9IgEcxPHcF
2PQCsNR+0yMMGA/GZxqK5fvWPYMgRmGrIQfT7fgQM1VoLhZ46X+1t+hDpqzONNJe
6v7Oy81SNYnZZoDgkovYpSrT8a3EuisDx66UAMZVrmUdHfyWqAMqeUObZhNUtvkS
F9fEAtM7S9KKGYfVYek1d3HzMaVqbPnMkH+BMnMrhM3svTHw0x98xpJrx79z0XAG
xx1cEtou68VyOTegQ5P/uciTZbPgCxEV98PQ8EpEJ6a1W1X9JD51Eg==
=TRIq
-----END PGP SIGNATURE-----

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] FTC plans spam "zombie" crackdown: a good idea? [sp]
Next by Date: [IP] more on Banking Alert (fwd)
Previous by thread: [IP] FTC plans spam "zombie" crackdown: a good idea? [sp]
Next by thread: [IP] more on Banking Alert (fwd)
Index(es):
- Date
- Thread