Re: [anti-spam-wg@localhost] Contacts
- Date: Mon, 3 Feb 2003 19:48:00 +0100 (MET)
On Mon, 3 Feb 2003, Dr. Jeffrey Race wrote:
> Please read the (early) draft proposal at
> <www.camblab.com/misc/univ_std.txt>
>
> and offer comments for improvement.
You write :
> 1.1 Purpose
>
> This document defines a precise, simple Universal Standard for Duty of
> Care of Internet Resources as Best Current Practice, so as to minimize
> abuse using the community's own measures in the absence of effective
> legal, regulatory and technical measures.
1) There are effective legal means (suing enduser, suing accomplice ISPs)
2) There are efective technical means (blacklists, firewalls, de-peering,etc)
3) There is a regulatory base which can be used (AUP's contractual obligations)
The reason these are not as bright and shiny as you wish, is because:
1) It is profitable to send spam
2) It is profitable to host spammers
In other words. This is not YOUR internet. It doesn't work as you want
because other people actually want it to be so. Yes, it frustrates me to
no end when I talk to a spammer, and and he shows me graphs like:
http://www.xtdnet.nl/paul/spam/pornspam.png
But you have to face reality. A large part of the internet users claim to
hate spam, but they will visit and even buy the crap.
And similarly, since not many ISP's host spammers, the few that do can ask
exorbitant prices (God of free market rulez), and tend to be the biggr ones
that can afford to ignore the complains (and need the money in post .com)
> At present there are few or no disincentives for abuse,
> so abuse may be expected to increase without limit until the Internet is
> destroyed as a viable communication mechanism.
Wild speculation on your side. The end of the world hasn't happend yet.
It didn't happen with Usenet, didn't happen with uuencoded binaries,
didn't happen with 10MB size emails. And it won't happen even if the
spammers send us DVD quality MPEG's as previews to their porn DVD's.
> Since both legal and technical measures have failed and will continue to
> fail, only the behavior modification method of stopping abuse remains,
Abuse of any systme will always happen. You have to make sure that
1) only a small fraction can abuse the system
2) if possible, make the abuse unaffordable
1) can be done, but we all know the price. Every single bit authenticated,
and the end of anonimity. It's not worth the price.
2) is up to the endusers to not buy spamvertised products. It hardly matters
what netadmin's do.
> and the only proven effective method of behavior modification is
> withdrawal of IR of identity and connectivity to continue abuse.
It seems you are saying that the solution to save the internet already has
a proof? I think you mean to say "if we disconnect users, we have fixed
their misbhaviour".
> (1) It makes explicit that every custodian of IR is responsible for
> preventing abuse from emerging out of his IR onto the Internet
> and is responsible for the consequences of such abuse on others
You cannot make this a reality without killing 95% of the ISP's,
leaving only the international carriers being able to afford the legal
and financial risk of hosting any customers. This is one heck of a way
to stiffle free speech. After all, me attacking McDonalds on a website
www.mcdonaldsruinsthworld.org is clearly IR abuse (at least, it is clear
to McDonalds lawyers, which is all that matters)
> (2) Adopting a universal standard of withdrawal of IR, by common
> procedures, means that no SP will suffer competitive disadvantage
> from cooperating in the community effort to halt network abuse
> because all will adopt simultaneously (or lose Internet
> connectivity).
Right. Microsoft Benelux spams me every 6 months. Is that reason for all
ISP's in the world to ban microsoft.com? Let's say we all agree on that,
does it mean that a few repeated spams from Microsoft Benelux should
take out windowsupdates.microsoft.com? And even if we ISP's agree on that,
and do terminate them, who is going to defend that when a hospitable Microsoft
machine didn't fetch an update and kills a patient?
We are ISP's. We canont determine what's best for society. Just like car
manufacturors don't get to set the maximum speed on highways.
>(3) This standard places the burden of abuse on the abuse enabler rather
> than on the victim, so conforming to practice elsewhere in society.
So I dail up through AT&T, and have my browser send out fake REFERER strings,
and spam into everyone's access_log. You kill my account, I take a new one,
and I play this game until AT&T gets their address space yanked or they
start filtering all their customers browsers (which is probably illegal).
One way or the other AT&T loses. Add to that I can actually fake lots of
abuse, and the web becomes just too intricate for AT&T to unravel.
> (4) This standard legitimates withdrawal of IR as the only method proven
> effective in halting abuse.
You claim at the beginning this document is a "Best Practice". This item
makes it a "Only mandatory practise". By doing that, you actually pretend
to be speaking on behalve of "the community at large", while you're just
policing the whole internet, instead of adopting its core philosophy of
"Be liberal in what you receive, strict in what you sent" which is part
of the "Best Practises". Best Practises are recommendations,and not
internet laws.
> As a voluntary community, the Internet may do so at will
I think you mean "MUST", since "may do so" is already possible for
everyone who manages IR currently.
> This document is intended to legitimate such withdrawals
Legitimate under which law? which juristiction? Which enforcers?
Which court? What Appeals?
> The withdrawal of IR (use of blocklists, cancellation of routing,
> withdrawal of IP addresses and domain names) may at first split the
> Internet into zones of purity and islands of pollution. As blockage
> expands, abusers will be pushed into ever smaller and less connected
> domains, which grow ever more blocked. This cumulative process will
> end quickly, with residual polluted areas populated by those lacking
> a need to communicate with zones of purity.
Keep on dreaming. You think you can disconnect the pollution island of
UUnet? AOL? This is unrealistic. Too much money is involved.
> This standard is intended to apply at every level of allocation,
> registration and usage of IR including but not limited to RIRs, LIRs,
> ISPs, backbone providers, domain name registrars, and end-users.
So if RIPE doesn't enforce valid email addresses, you are
going to disconnect Europe and Africa? You're going to revoke
all domains hosted by NetworkSolutions cause they keep spamming us?
(committing fraud actually with their way of invoicing for moved domains)
Kill all of UUnet's customers who have done nothing wrong but selected a
what turned out to be bad ISP?
> and to prevent their abuse to create injury to other users or custodians
> of IR, including but not limited to transmission of UBE, viruses, worms,
> conduct of denial-of-service attacks, and propagation of Trojan
> programs.
Ahh, everyone is now also forced to run proprietary comercial anti-virus
software? Isn't it more fair to actually just remove Microsoft from the
intertnet, since they are responsible for the polution to begin with, by
writing bad software? And do we then also remove Microsoft resellers, since
they're also responsible. Perhaps Symantec too, cause if they didn't patch up
Windows, it would have deleted itself long ago and there would be no
vectors left to use in spreading viri?
> SPs shall enforce a published AUP as a condition of service. This AUP
> shall as a minimum forbid
>
> - transmission of UBE, viruses, worms or Trojan programs, or denial
> of service transmissions
Like there is a single ISP that actually likes this on their network to
begin with? It's like having a rule "ISP's shall not set fire to their
own servers". It's not up to the legal system to protect people from
stupidity.
> - using any e-mail or domain address on its network for receiving
> replies to UBE
So if I spam with paulwouters@localhost you get your domain pulled?
Or do I need to spam with 10? 100? of attglobal accounts? What if I
fake your domain? Fake someone else's domain/product by spamming through
you?
> - open relays, open proxies, or accessible scripting programs
> abusable for any forbidden purpose
Who defines "forbidden purpose". This document becomes circular now.
> - use of the SP's IR to promote tools or services to commit abuse
What is abuse? What is free speech, what is parody? in which juristiction?
> SPs shall ensure, by prior notice to all users and intending users, and
> by periodic testing
Where are tests available? How do I test whether my customer is using a Korean
spammer? How do I test my customer is engaged in "forbidden purpose"? What
if customers block my tester IP's? What if the testing itself is a
violation of local law? national law? breach of contract?
> This AUP shall bind all contracting parties and require them to bind
> their sub-contracting parties likewise with these minimum standards.
The AUP can never sign away constituational rights or obligations.
> the standard shall be financial penalties for infringement
Right so the moron who thinks to pay his alimoney using faked
viagra pills advertised through spam is going to pay me
damages? Or the professional spammer is not going to setup a few fake
holding companies to bankrupt without a loss? You will only be able
top cash in from the ignorant stupid ones, and they are not the
resource problem. It's the repeated powerspammers with some money yo
hide themselves that are the real problem.
> In the event a connectivity provider elects not to provide for
> financial penalties in its AUP, it must have a clearly documented
> procedure in place to prevent re-application for resources by
> disconnected abusers.
This seems to suggest that by having customers pay a penalty, they
will stop spamming. I doubt that, spamming is making money, so they
can pay the fine as well. Also, whether or not having a fine won't
have any effect on someone re-applying under another (false) name.
> The reasoning for this election not to use financial penalties
> shall be open to public inspection.
What public inspection? Whose public inspection?
> Notional 'financial penalties' shall not be utilized as a cover for a
> continuing revenue stream from an abuser.
How can the ISP determine the spammer takes it as such, when using
differnt false identities?
> At a minimum the application process shall require the applicant to
> specify whether he (if a natural person) or it or any of its principals
> (if a juristic person) has been disconnected from service previously by
> any SP.
So the thief has to lie one more time. Big deal. Useless information.
> Applicants accepted for service who reabuse shall be turned
> over to local criminal authorities for prosecution for fraud.
Breach of contract is not fraud, and cannot be prosecuted penally.
> A pattern of failing to turn serial abusers over to local criminal
> authorities shall be deemed ground for enforcement action against
> the SP under this standard.
Breach of RFC is not fraud, and cannot be prosecuted penally. (there is
no contract between RIR's and endusers)
> Using public resources entails waiving so much of one's privacy as is
> required to maintain the usability of the resources, and being
> contactable is an essential element of system maintenance.
Who are you to forbid anonimity because thers have abused it. Some
people NEED anonimity in their publications, for perfectly legal reasons.
Giving everyone sone kind of global ID is not going to help many causes that
need anonimity (eg. think of being in China, Iraq, hunted by Co$, etc)
> A valid postal address is essential for legal service.
A postal address for a $20/month website is ridicilious and opens up
the small website for an even worse kind of physical abuse. (In some
countries, natural persons cannot get a PObox)
> Telephone and fascimile numbers and e-mail address are necessary for
> redundancy and rapid technical coordination.
And enables harassment and violates many privacy laws (esp in Europe)
> Technical measures such as challenge/response to preclude harvesting
> are permitted and encouraged.
Hah! You see your own catch-22. You are creating a breeding ground for
spammers by forcing people to register their address and phone numbers.
> An exception may be made for registrants having a genuinely documented
> requirement for anonymity, in which case the registrar assumes the
> responsibility for timely contacting the registrant on behalf of the
> public.
That won't work, because if the registrant abused that freedo, you
punish the registrar. Therefor, the registrar, from a commercial point of
view will never allow this exception to happen.
> Registrars shall ensure that contact data are active and that contact
> addresses (e.g. Postmaster and RFC-recommended role accounts) are
> properly operated by registrants.
How can registrars do that (against malicious users) How can anyone
ensure delivery to any known and harvestable email address?
> All IR custodians shall, with the exception noted below, know the true
> identity of its IR users, so that accountability for behavior may be
> ensured and financial or criminal penalties imposed as necessary.
Unenforcable. First of all, all these 'test memberships' won't work
with that, and you can't seriously want to ban those. Second, why should
I be forced to keep a register of real usres. Again, who are you (or the
registrar) to disallow anonimity? Also, it opens up the ISP to lawsuits to
obtain the identity that could otherwise be better protected (such as
taking domicile at a lawfirm.
> For technical or economic reasons (such as prepaid or free services), or
> for other valid reasons such as safety of users
Define these reasons objectively.
> In such cases the provider must adopt technical measures such as rate-
> limiting, port-blocking, or caller ID, to preclude the abuse of the
> anonymously-used IR.
That's offering crippleware to anonymous users. They deserve the same
rights as other non-anonymous users.
> First, ALL observers of abuse shall report each incident of abuse to the
> responsible party,
So all receivers of spam now mandatorily have to read all their spam
manually to report back through email to an already overloaded and abused
mailserver? I am not going to read hundreds of spams/day. I am not
going to put a fulltime employee on reading my mailserver logs.
And what about people preventing the reception of spam. Are they violating
the report clause?
[ Environmental Polluter business story ]
Explained in previous email
> Faster response is permitted and encouraged provided it is
> not susceptible to errors from mistaken reports or malicious
> identify thefts (colloquially "job jobs").
You can never prevent that anyone. I register spamproduct.com, and
hire John Doe to spam for me from Korea, then proof I have no
business relationship with this person, and claim he''s trying to ruin
my good name by spamming as me. Meanwhile I harvest and get rich.
Add a few pseudo fights a few months before the spams so Google turns
up our fight. Who is then going to take any responsibility for the
(in)action? You put the ISP between two fires. Punishment by LIR or
lawsuit from customer.
> - For defective database information, the registrar shall notify
> the registrant of the defect within 24 hours and require compliance
> within 15 calendar days.
And on day 16, the customer deletes that email address. Nothing gained.
> COST IS NEVER PERMITTED TO JUSTIFY FAILURE TO IMPLEMENT ANTI-ABUSE MEASURES.
No one will agree to this policy. Absolutely no one is going to take the
risk and make this world a bettr place. "Free market" ideals.
> publicly in any appropriate medium making this a public archival record.
We stopped doing this centuries ago (apart from EasyCar, which puts all
the customers who, for whatever reason, possibly valid, return the car
late, on their website)
> - Limiting or withdrawal of peering or hierarchical connectivity
That would constitute a Breach of contract.
> - Limiting or withdrawal of resources (e.g. including but not limited
> to IP address space or domain names, routing announcements, SWIP
> assignments, forward and reverse DNS)
Either breach of contract, or the establishment of contact (and liability)
where there was none before.
> - Limiting or withdrawal of authority over IR (e.g. to register)
Breach of contract. And huge effects to customers of that register.
Let's say we now withdraw the authority of NetworkSolutions for spamming.
What happens to the domasins registerd through them? They expire? You
notify all 4 million domain holders to move?
> No legal cause of action shall exist against any party for obedience to
> this standard.
Return to lawyer immediately. Do not pass Go.
You can't sign away constitutional rights or duties. We can't sign this
document and then you tell me to go bankrupt a company by taking their
address space, and then say they can't sue us.
> jrace[at]attglobal.net
You failed to provide a proper RFC compliant email address. You are in breach
of the UNIVERSAL STANDARD FOR DUTY OF CARE OF INTERNET RESOURCES. Your
domain shall be revoked in 30 days per agreement. You have no rights to sue
nor claim damages. Any ISP reconnecting you shall be in breach of contract
as well, and you shall not be allowed protection of anonimity since you
did not provide a valid reason as per article 2.5
In short. In the idealological universe where these rules could possibly
be adopted, there wouldn't be a single entity dreaming of violating it in
the first place.
Paul
--
God devised pigeons as a means of punishment for man. Probably after
the destruction of Sodom and Gomorrha he wanted to make sure that people
would never again feel comfortable enough in a city to repeat the sins
committed there, and he created the pigeons as a means to make the city
dwellers' lives more miserable, as a constant reminder of their past sins.