<<< Date Index >>>     <<< Thread Index >>>

[IP] So now the FTC is in on the act



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Begin forwarded message:

From: Phil Karn <karn@xxxxxxxx>
Date: May 24, 2005 9:39:31 PM EDT
To: David Farber <dave@xxxxxxxxxx>
Subject: So now the FTC is in on the act


(For IP if you want...)


So now the FTC has lent the bully pulpit of the federal government toward those advocating ill-advised "anti-spam" practices like port 25 blocking.

Double sigh.

No doubt the FTC's staff members *think* they're doing the right thing. They're probably well-meaning but totally non-technical people who only know what a few especially rabid, scorched-earth anti-spam zealots have told them. So they simply don't know any better. That's apparent from their nonsensical remark that users who need to run their own mail servers could use authenticated access to port 587.

So how do we clue them into the fact that there are better ways?

If the FTC wants to do some good, they could start with a vigorous legal action against the software vendor whose incompetence, arrogance and utter recklessness is directly responsible for the hundreds of thousands of spam zombies that we all agree are causing a serious problem. I find it inexplicable that they're still unscathed by all the damage they have caused and continue to cause. I guess most people (including those in government) simply don't know that there are better alternatives, and that personal computer software simply doesn't *have* to be this wretched.

And when it comes to technical countermeasures, the FTC (and those who seem to have its ear) have it totally wrong.

Their first mistake is the belief that it should be an ISP's job to police their customer's email for viruses and spam. This raises some very serious and fundamental security, privacy and due-process issues. These issues are not raised -- or are far less serious -- when an ISP's abuse department is triggered only by complaints from users on the receiving end of malicious traffic.

But even if we were to agree that it's an ISP's job to monitor its customers' mail, exactly why does that imply blocking port 25 and forcing all outbound mail through an application level gateway? Why is it necessary to do so much violence to the Internet end-to-end model? Let the users talk directly to port 25 if they want. Just set up an automatic packet monitor and passively watch for the characteristic signs of massive spamming or a virus infection. When it trips, investigate the situation and, if necessary, cut off the user's service or limit his connectivity to sites distributing patches and anti-virus tools.

Such packet monitoring systems already exist. They're called intrusion detection systems, and they're in widespread use. Not only can they catch infected hosts using port 25, they can catch viruses that spread by other means -- something forced mail relaying won't stop.

I am totally baffled by the fact that so many people (and apparently now the FTC) believe that forcing email through an application level relay is some sort of magic bullet against spam and viruses. If it was that easy to configure a mail relay to block spam and viruses, then we'd already be running those very same mechanisms on our own incoming mail servers. Oh wait -- we are. To the extent that they actually work, of course.

And since all these spam and virus detection mechanisms have their problems, I'd much rather give the recipients of an email -- those who are most directly affected by blocking and filtering decisions -- direct policy control over those mechanisms and the appropriate trade offs between false positives and false negatives. It is simply wrong to put those mechanisms back at the sender's ISP whose staff generally couldn't care less if a few (or even a lot) of legitimate email is blocked as long as their phone and pagers don't ring as much.

- --Phil




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iQEVAwUBQpRE5Zvsr0LEqlnXAQJaiAf7B4rjXiqeTeWZB6wkURLdfPuXTflp3CWN
cIVQIYPxSc4sJO3M0izGWrrhBMqurWOrbFIboIYvqquSEEHcKe91Yl9IgEcxPHcF
2PQCsNR+0yMMGA/GZxqK5fvWPYMgRmGrIQfT7fgQM1VoLhZ46X+1t+hDpqzONNJe
6v7Oy81SNYnZZoDgkovYpSrT8a3EuisDx66UAMZVrmUdHfyWqAMqeUObZhNUtvkS
F9fEAtM7S9KKGYfVYek1d3HzMaVqbPnMkH+BMnMrhM3svTHw0x98xpJrx79z0XAG
xx1cEtou68VyOTegQ5P/uciTZbPgCxEV98PQ8EpEJ6a1W1X9JD51Eg==
=TRIq
-----END PGP SIGNATURE-----

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/