[anti-abuse-wg] Policy disallowing spam from RIPE blocks, was Use of RIPE region space by out-of-region users

In message <1299680973.2210.72.camel at shane-desktop>, 
Shane Kerr <shane at time-travellers.org> wrote:

>As far as I can tell, the desire is to make it against the policies to
>send spam from RIPE NCC address space. I find it incredibly frustrating
>that nobody will actually just say that. :)
>...
>If I'm missing the point and there is actually something else going on,
>please someone clue me in!

Be glad to.  And I appreciate you asking.

OK, here's what's really going on...

As yu may have noticed, there's a LOT of spam on the Internet, and has
been for several years now.  but there are different flavors of it, and
some are harder to combat (and some create some _separate_ and _additional_
problems) more than others.

It is often the case that, for example, "Joe" of "Joe's Pizza Palace"
happens to have an idiot nephew, and the idiot nephew, who believes
everything he reads, believes that the way to instant riches is to
have a web site and then spam *everybody* in the Universe, from Alaska
to Zanzibar, telling them how swell Joe's pizza is.  (This happens
routinely _even though_ Joe's Pizza Palace has only one location, on
the Interstate just outside of Lakewood, New Jersey, and nobody is
likely to travel from Alaska to New jersey just to get a pizza.)

So anyway, Joe, being an ordinary small businessman, has one web site
and it has been assigned one single domain name and one single IP
address.  When Joe's idiot nephew sends out his massive spam run,
that one domain name and that one IP address almost instantly end up
on a whole slew of blacklists.  (In particular, the IP address will
end up very quickly on the Spamcop blacklist.)

The bottom line is that these kinds of one-domain/one-IP spammers are
actually not difficult at all to handle in a very complete and comprehensive
manner, using existing tools (i.e. existing blacklists), and thus they
don't create much in the way of problems for anyone.  The problem of
one-domain/one-IP spammers is virtually a non-problem.

In contrast to this sort of sitiation, these days the net has lots and
lots of what are called professional ``snowshoe'' spammers.  These folks
are astute. They know the score, and they know how existing spam blocking
systems work.  These people are *not* at all the same as Joe's idiot nephew.
They are determined, and they educated, and like he Terminator, they WILL
NOT STOP... at least not until they have managed to defeat all of the
existing technical systems that have been put in place to block spam.

The primary methodology of these folks... the way they get around traditional
anti-spam blacklists, if to ``spread out'' (like a snowshoe) their activities,
across big swaths of the domain name space and also across big swaths of the
IP address space.  Their approach is the same what the Soviets were planning
(hoping?) to be able to use to overcome the U.S's "Star Wars" missle defense
system... just build enough attack vehicles so that you can overwhelm the
defenses with sheer numbers.

In the case of showshoe spammers, their ``attack vehicles'' consist of domain
names and IP addresses, and from their perspective, they can NEVER have too
many of either one.  As we speak, there are snowshoe spammers on the Internet
who have well over 10,000 different second-level domain names and well over
10,000 different IPv4 addresses at their disposal, and they are using them
all to overwhelm traditional spam defenses (like the Spamcop IP blacklist,
and the URIBL and SURBL domain-based blacklists).  The ``spam traps'' that
are used gto drive these blacklists are never likely to see _all_ of the
actual spam sources (IPs & domains) that comprise any given snowshoer's
complete arsenal, so as with the Soviets, 20+ years ago, they can be assured
that at least _some_ of their stuff will always get through.

Is this whole escalation of the spam arms race bad for ``our side''... for
the ``good guys'' who are fighting against spam?  Yes.  Certainly.  But
here, since not everybody on this list is even clearly convinced that spam
itself is a Bad Thing, we can... abnd probably should... ignore that fact
entire.  Instead, just ask yourself if this specific escalation in the
ongoing spam arms is good (or bad) for the Internet generally, and without
even any regard for the acual spam flow which inevitably follows the setting
up of any given snowshoe.

When the issue is looked at even with these blinders on... ignoring totally
the massive annoyance and massive costs that spam on the net creates for
everyone... it can *still* be seen that ``snowshoeing'', at least with
respect to IP address space, is a fundamentally and unequivocally Bad Thing.
The reason is simple... IP address snowshoeing uses up vast quantities of
IP address space... in particular, IPv4 address space... you know... the
stuff that we are supposedly running out of, and that people soon won't
be able to get any more of.  Professional snowshoe spammers are rather like
the all-consuming ``virus'' that was alluded to briefly in the first "Matrix"
movie.  It doesn't matter how much IPv4 space you give them.  They will
always want more and always consume as much as they were given (laying waste
to it as they consume it).

So in order to understand why the issue of snowshoe spammers might have
relevance to RIPE, *even independent from the annoying and costly aspects
of the spam they generate*, you only have to understand that IPv4 (and
also IPv6) are finite resources, that we are rapidly running out of IPv4,
and that snowshoe spam farms are almost certainly the absolutely LEAST
effecient and/or cost effective way to make use of what remains.

Think of it this way... You are among the remaining inhabitants of Easter
Island.  Your tribe has already chopped down and used up all of the trees 
on the island except one.  Your friends are currently making plans to
chop down that one last tree, and they plan to use the wood from it
_not_ to build a canoe to get you and your tribe away from this dying
island, but rather, your friends just want to use the wood from the
last remaining tree to make toothpicks and earrings.  Now they turn to
you and ask you for YOUR opinion.  What are you going to tell them?

Using vast swaths of the remaining IPv4 address space for spammer snowshoe
farms is simply THE most silly and wasteful use of what remains that you
can possibly imagine, bar none.

In summary:

    *  Thwarting spam from single-point sources is easy.  Thwarting it
       when it emmanates from ``snowshoe spam farms'' is exponentially
       harder.

    *  Snowshoe spam farms are THE single most wasteful use of finite and
       limited Internet number resources imaginable.

Some people here don't want RIPE involved in the business of regulating
spam.  OK.  Fine.  I understand that.  But that's not the question before
us.

Rather, the dual questions before us are as follows:

    *  Does RIPE _really_ have to operate under a set of policies (and/or
       lack-of-policies) that, it would seem, may actually be *encouraging*
       and *supporting* the practice of snowshoe spamming, which, as I have
       said, is the most difficult form of spamming to combat with existing
       technical measures?

    *  Does RIPE and the RIPE community _really_ not grasp that fact that
       regardless of what you think of spam and spammers, the creation of
       IP address snowshoe spam farms is an unmitigated and colossal waste
       of the very resources that RIPE was created to be competent shepards
       over?

Yes, I admit it.  Guilty as charged.  I don't like spam.  And I'd love it
if every spammer ever found using RIPE number resources was summarily
shown the door.  But that's clearly not going to happen, so just forget
I even mentioned it, and a please turn your attention instead to the two
bullet points just above.

Just one last comment... I have no doubts whatsoever that some folks here
in the U.S.A., and many folks in the RIPE geographical region, and probably
even a few people on this specific mailing lists own stock in companies
that manufacture and sell networking equipment, in particular, IPv6 gear.
For all such folks, I fully expect my entreaties to fall on deaf ears.
Anybody owning stock in the various network equipment manufacturers would,
I suspect, like nothing better than the utter and final exhaustion of IPv4
at the earliest possible moment, as that event will almost certainly be
the primary trigger for the next big equipment upgrade cycle.  Notwithstanding
these facts, the community as a whole... both stockholders and non-stockholders
alike... would be ill-served, I think, by any deliberate efforts to engineer
the early exhaustion of the IPv4 space, e.g. by using snowshoe spammers
and their infinite appetities for IP space as convenient scapegoats.


Regards,
rfg