|
Internet and e-mail policy and practice
|
Click the comments link on any story to see comments or add your own.
|
23 Jan 2005
Brian McWilliams, author of the pulp favorite Spam Kings (which I must I admit I tech edited), has a new article in Salon called How Microsoft is losing the war on spam. He interviewed me by e-mail during the research on the article, and here's what I said. 1. Given the amount of spam being sent through Trojaned Windows proxies, do you think it's accurate to say that Microsoft is indirectly responsible for much of the spam problem today?Definitely. posted at: 00:37 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/msspam.trackback 11 Jan 2005
I got a letter the other day from AOL postmaster Carl Hutzler, about how the Internet community could get rid of spam, if it really wanted to. With his permission, here are some excerpts. Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care. We need message providers to implement better security on their networks and take responsibility for their networks being sources of spam. The number of ISPs who don't even authenticate their members is frankly appalling (just for starters). AOL has implemented the solution to stop spam on our system. We do not send it any more. We even published the solution in the ASTA [the Anti-Spam Technical Alliance, a group of the largest ISPs] technical document. We are again trying to get the info to other messaging providers via the MAAWG.org group. But no one wanted to listen to one ISP. So we had to apply the set of solutions for every other ISP around the planet for them! 1) The port 25 blocking we do for them (via pattern matches on their dynamic space or getting their actual dynamic IP space from them if their regex set-up is not thought out well) 2) Our Second Received Line rate limits which put reasonable controls on the amount of mail an end user can send through their ISPs mail server. This is why AOL reported our spam is almost eliminated. Yes, I said it, eliminated. I get so little spam on my AOL business account (the one that has 20 pages of google results, countless newsgroup hits, etc). I think I have gotten 10 spams total in my inbox over the last month and many of them go to the spam folder where they should be. Just think how different everyone's spam problem could be if ISPs did a few of these things, and more simply, took responsibility for their customers/networks. Spam would be gone. But no one else is reporting success like this? Why? Because every other ISP is building better and better filters to help their system fend of the spam. But the sources of spam are still there and spammers can keep sending till their hearts content until we stop them at the source.
Why do we all keep building better filters? Because it helps us instead of helping others. And its easy as most of these are shrink wrapped software or services that are easy to apply. Good for Postini and Brightmail and spamassasin, but not a solution, just a bandaid. Why do people do this and never try solving the problem? Security for our networks and messaging platforms is much harder to implement, and likely most importantly, it does not help the ISP stop spam inbound to its network usually. So no one does it. What we need is for providers to do BOTH. You have to implement better filters to survive (we sure do), but we all also have to fix our sources of spam that clog other networks. Eventually as providers do BOTH actions, the problem will go away and everyone will be able to remove the BANDAIDS from the spam wound as we won't need filters and blacklists as much in the future. A Funny example If a spammer had a T1 line provided by [a large network], we all would be up in arms that the network is all of a sudden a blackhat ISP hosting known spammers on the Spamhaus ROKSO list, etc, etc. But the fact that that network and many other ISPs are hosting spammers via trojaned and zombied customers and have no security on their network to prevent this situation or manage it at least, does not seem to bother us (messaging providers) as much as it should. Well shame on us. If you want less spam, then can we all commit to manage our systems better? Carl then went on to comment on a large web hosting company, which will remain nameless both to protect the guilty and because many other web hosts are just as bad. They have been spamming the be-jesus out of AOL for months now because they have customers who run insecure formmail and other CGIs. When will these premier hosting companies write a program to find them before the spammers and prevent customers from installing these open relays (cgi scripts) on their network? When will these companies monitor their scomp [AOL's automated spam reporting] complaints and take them off the air without my team having to constantly call them? When will they stop telling their customer service reps to blame AOL for delivery issues their customers are seeing when they can't mail to AOL because we have temporarily blocked them for the 15th time in 2 months? Should anyone be allowed to operate an email system? Perhaps not. Or perhaps we will find a group of ISPs that band together to create a second email system on top of the current one for email providers that know how to control their networks. And the other people will be on another system, the old one filled with spam. Everything that Carl says is, largely self-evidently, true. What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now? posted at: 00:19 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/carl.trackback 10 Jan 2005
[This doesn't have much to do with e-mail, at least not until the big phone companies take over the Internet market in the US and impose their own Bell-shaped policies on it. So sue me.] I wish the FCC would revisit the key issue of essential facilities, the bits of the telephone infrastructure that everyone needs to use and nobody can afford to duplicate. The other day I read a most interesting little book Lessons from Deregulation, by Alfred Kahn, the architect of airline deregulation in the 1980s. It was published a year ago and is available either as a printed book or as a PDF. Executive summary: he still thinks deregulation is swell. The first half of the book is about airline deregulation, the second half is about telecom deregulation. I found Kahn's analysis of airline deregulation quite persuasive, not surprising since he was in charge of it. The analysis of telecom was much less persuasive. Kahn has been firmly on the side of the Bells in just about every disagreement. He argues, not unreasonably, that forcing competitors to rent facilities to each other below cost, as many state regulators have done, is no way to create a competitive market, and he thinks that cable and wireless will create true competition, but it seemed to me he was missing something critical. What struck me at the end of the book is how completely opposite the outcomes of the two deregulations have been. In the airline industry, the old incumbents are all in dreadful shape, being walloped by nimble new entrants. In the telecom industry, after a flurry of competition aided by dot.com free money and regulatory pushing, the incumbents are crushing the new entrants and are well on their way to establishing a cozy geographically divided duopoly. What's the difference? The old-line incumbent airlines (IALs from now on) certainly had their share of both self-inflicted and external injuries, but the old-line phone companies (ILECs, incumbent local exchange carriers, in telecom-ese) did plenty of dumb things, too. The critical difference is that the ILECs owned the essential facilities, and the IALs didn't. In the airline industry, the essential facilities are airports and air traffic control. Airports are owned by various government agencies and paid for by user fees. ATC has always been Federal and is more or less paid for by ticket taxes. Imagine a world where the IALs owned the airports. You want to add a route to Dallas? Too bad, American owns one airport, Braniff (which is still in business due to its duopoly profits) owns the other, and neither is willing to sell landing and gate slots at a price anyone else can afford. For a while, the CAB required them to sell Unbundled Flight Elements (UFEs) at a set price, but the IALs all moaned and groaned about how unfair the prices were. Remarkably, despite claims that the UFE prices were below their own costs, none of the IALs ever took advantage of the UFE bargains to invade each other's territory. When the new entrants complained to the Civil Aviation Board that the legacy airports gave the IALs a stranglehold on access to passengers, the CAB said that rapidly changing technology would level the playing field, citing as an an example a helicopter service between a parking lot in Philadelphia and an abandoned shopping center in southeast Washington DC. Besides, the IALs are promising to roll out personal jet packs, (FTTP, for Flying To The Premises), although a few soreheads pointed out they'd been promising them since the early 1990s and to date they were only available in the financial districts of New York and San Francisco. Well, enough of that. Nothing like that could ever happen, could it? I'm hardly the first to advocate separating the ILECs into regulated wire companies and unregulated switch companies, but the more I see of the telecom landscape, the more I believe that we'll never have real competition so long as one party owns a facility that nobody else can afford to replicate. The ILECs have a century of practice assigning costs to infrastructure to show how expensive it is, and they're never going to give anyone else a fair price so long as they can sell it to themselves for funny money. posted at: 23:50 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/airport.trackback 02 Jan 2005
The CAN SPAM Act of 2003 went into effect a year ago on Jan 1, 2004. As of that date, spam suddenly stopped, e-mail was once again easy and pleasant to use, and Internet users had one less problem to worry about. Oh, that didn't happen? What went wrong? There are a few good things about CAN SPAM. It made some arguably fraudulent practices specifically illegal, and set per-spam statutory damages. That allowed a variety of lawsuits such as the one where an Iowa ISP won a billion dollar default judgement against a Florida spammer. It also explicitly ratified ISPs authority to set and enforce their own stricter policies about e-mail. But overall, CAN SPAM's weaknesses outweigh its benefits. The biggest problem with CAN SPAM is that it doesn't actually forbid spam, for any normal definition of spam. So long as mail doesn't involve fraudulent elements, and contains specified contact and opt-out information, it's 100% legal until the recipient begs the sender to stop. This has set an extremely low floor for mailers to meet, and far too many now argue that since they comply with CAN SPAM they must be OK. I've gotten spam from the National Council of Churches, who really should know better, to addresses that were clearly scraped from my church's web site and added to the NCC's list without asking permission. When I complained, they pompously assured me that they complied with the letter and spirit of CAN SPAM, an utterly vacuous claim since CAN SPAM says nothing at all about non-commercial e-mail. (The obvious counter-argument is that if they didn't comply with CAN SPAM, they're be criminals, but they evidently don't see it that way.) Another problem is that the remedies are cumbersome, since they require filing in Federal court, so they're likely to be useful only to medium and large businesses who get a lot of spam and can bundle many similar complaints into one case. CAN SPAM wiped out a lot of more stringent state laws, but even so, the remaining state laws are at least as useful as CAN SPAM. For example, the criminal conviction of large-scale spammer Jeremy Jaynes was under the Virginia state law, not CAN SPAM. What does this all portend for the future? A surprising press release from AOL reported that the amount of inbound spam at AOL dropped by 22% compared to a year ago. Other ISPs reported no such drop, so we can only speculate about the causes, but my speculation would be about one part spam filtering, which AOL does well, and four parts legal threats, both the Jaynes criminal case and several civil cases they've filed in the past year. Spammers may turn away from large ISPs and aim more at smaller domains who are less likely to have the resources to sue them. Tune in again next year and find out. posted at: 23:06 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/canspam.trackback |
Topics
My other sitesOther blogsWord
to the Wise
Related sitesCoalition Against Unsolicited Commercial E-mail
|
||||||||||||||||||||||
© 2005-2008 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will
not give, sell, or otherwise transfer addresses maintained by this
website to any other party for the purposes of initiating, or enabling
others to initiate, electronic mail messages.
![[Valid RSS]](http://www.taugh.com/valid-rss.png "Validate my RSS feed"){kind=small}