TELECOM Digest OnLine - Sorted: Re: Getting Serious About the War on Spam

Re: Getting Serious About the War on Spam

Robert Bonomi (
Wed, 20 Apr 2005 10:15:10 -0000

In article <>,
<> wrote:

> Robert Bonomi wrote:

>> Nope. It's because it is, quite simply, *NOT* ICANN's job to do so.

>> Of the various organizations (ICANN, IAB, IETF, etc.) that are the
>> 'authority' for specific functionalities of the greater Internet,
>> _none_ of them have any authority with regard to the 'content' of
>> packets.

> Well then, who IS responsible to do the job? If no such job
> exists, why isn't one created?

When you figure out what the Internet is, you'll understand the answer
to that question.

The Internet is a _voluntary_ co-operative effort of *private* network
operators. *nobody* 'owns' it. *nobody* 'controls' it. Everybody
makes _their_own_rules_ for *THEIR*OWN* network. Unfortunately,
"their" rules do not apply to someone who is _not_ on their network.
When someone chooses to allow people "_not_ on their network" to
access resources "on their network", they are 'extending trust' to
those people to voluntarily obey their _unenforceable_ rules. The
*only* 'enforcement' option available is to deny those 'scofflaws'
access to the resources on their network.

If you "don't like" the way YOUR NETWORK OPERATOR is extending trust
(or not revoking it) to those who abuse that trust, either (a) find a
different network operator, (b) bitch at your existing operator to get
them to change _their_ operation, or (c) disconnect yourself.

>> And *nobody* on the 'net wants it any other way. (Well, except for
>> folks like the government of mainland China, that is.)

> I don't know about that.

Try to find anybody who wants restrictions on what _they_ can
do/say/etc. on the Internet. Even among those who favor restrictions
on what "other people" can do/say/etc. on the Internet.

If 'officialdom' can proscribe sending one kind of message, they can
proscribe sending _any_other_ kind of message.

> I see the net as a great POTENTIAL tool, but one that is fraught
> with risk and problems.

Yeah. So? If you're not prepared to deal with the risks, "don't play
in the street." applies.

If the benefits for you don't outweigh the risks then
*UNPLUG*THE*COMPUTER*. Problem _solved_.

> Between hackers, spammers, perverts, and thieves, I am extremely
> hesitant to do much of anything on the Internet. The newspapers
> have articles constantly about how people have been fleeced from
> Internet troubles -- either stolen identity, "phishing sites",
> or fraudulent sites. Don't count on the authorities to go
> after anyone unless it's a very major deal. (Let me know
> IF any of the principals in the Norvergence collapse are
> called to task -- under oath -- to account in detail for that.
> I am not holding my breath.) At present, there is no
> deterrent.

> I am savvy enough that I don't open email from any source
> I don't know, and I never click on attachments. That has
> protected me, but in doing so I have deleted many legitimate
> emails that I merely didn't recognize. Many other users have
> been badly burned -- whole companies shut down -- because of
> malicious sabotage sent through email.

> Are you telling me this is a good system -- where people have
> to go to all sorts of trouble to protect themselves and delete
> legitimate items?

If you use "good quality" software, for reading mail -- as opposed to
the cr*p that Microsoft has foisted off on the world, most of those
"problems" simply disappear.

As for the 'getting fleeced' issue, there is *NOTHING*NEW* about that.

"Ponzi schemes" have been around (by _that_ name) since the 1920s.
The 'Spanish prisoner' con goes back even further.

> When Pat T. brought up these problems, I noticed that almost all
> responses were for things _Pat_ should do. In other words, he has to
> make considerable effort to protect himself from malicious efforts
> from others.

> Why isn't more being done to stop the malicious work at the source?

HOW? The -bad guy- *owns* the "source". He has -zero- interest in
"stopping" his own activities.

Shall we impose 'licensing' on every computer that gets connected to
the internet? Including a requirement that the operating system and
all applications be secure and un-exploitable?

(Maybe that's not a bad idea -- it would get rid of *all* those d*mn
virus-infected (and potentially infected) MS-Windows boxes. But, how
many readers of Telecom Digest or the newsgroup would be left if _that_
was done? )

> Why is it that most people just wring their hands and say "nothing can
> be done".

Because it is, quite simply, a _fact_. There will *always* be 'bad
guys' out there. And, as long as they can control the 'sending'
system, there is, bluntly, no way to force them to play by the rules.
Want to require certain kinds of headers in e-mail? The bad guy
sender can _forge_ those headers, just as easily as the good guy can
put the right info in them.

When _everybody_ is their own publisher/source,

> If we can put a man on the moon using 1950 based computer technology,
> we can make the Internet safe.

Bullshit. Sorry, but it's a fact, nonetheless. We can't even make the
_streets_ safe, and we've been trying to do that for what, 80+ years.
Something like 50,000+ people/year are killed in auto accidents in the
U.S. alone.

>> Not to mention that there is _nothing_ that ICANN can actually _do_
>> that would affect matters. They can't revoke the IP addresses MCI
>> uses, those addresses were issued by ICANN to ARIN.

> So de-issue them.

"So sorry. *You* have been kicked off the Internet. Your addresses
are in an address-block assigned to ARIN that has been reclaimed by
ICANN, because some other user in that block misbehaved."

Why do I think that that concept is doomed to failure in the real

Not to mention that, _by_charter_, ICANN and the RIRs, e.g. ARIN, are
_voluntary-participation_ *technical* coordination agencies only.
Nobody *has* to go to a RIR to get IP addresses. As long as
'whomever' you buy connectivity from will "route" packets to those
addresses to you, it doesn't matter _what_ the RIRs, etc. say. The
only "good news" is that the "rest of the internet" _does_, in
general, limit how _they_ will route traffic to the address-spaces
that ICANN and the RIRs _have_ "authorized".

>> They can't revoke the domain-name(s) MCI uses, those names are part
>> of properly-executed _contracts_ between MCI and the domain registry
>> operator.

> Why do the contracts allow malicious behavior? Why can't
> these contracts explicitly prohibit -- with penalties -- malicious
> behavior? Who writes these contracts?

Because, for starters, there is no 'universal agreement' on what
constitutes "malicious behavior".

There are multiple layers of contracts involved.

ICANN, or some other TLD "issuing authority", enters into contracts
with "approved registrars". Those registrars, subsequently, enter
into contracts with "registrants" of a domain name.

The 'issuer-registrar' contract specifies certain "minimum
requirements" that the registrar-registrant contract must contain.
The 'issuer' is *not* a party to the registrar-registrant contract,
and, thus, _cannot_ act directly against the registrant -- they have
'licensed' the registrar to do certain things, and as a result of that
licensing the 'issuer' *is* _legally_bound_ to certain performance, by
the actions of the (licensed) registrar.

Registrars *are* free to impose 'more restrictive' terms than those
'minimum requirements' in *their* contract with the registrant. There
_are_ at least two 'significant' registrars who *do* include terms in
their registrar-registrant contract that forbid using the registered
domain-name for certain kinds of "abusive" actions -- notably sending
junk e-mail. *AND*, they actually enforce those added terms, although
the quality of the enforcement is somewhat spotty at times.

There's a "real world" difficulty with this, however. When there is
"more than one" registrar (as _is_ the case, today) then anybody who
_does_ write more restrictive terms into their contract is at a
"competitive disadvantage" to those who have only the 'required
minimums' in _their_ contract.


If you're a "bad guy", _which_ kind of a registrar are you going to


AND, obviously, the "quality" of the totality is only as high as the
standards of the _lowest_quality_ operator.

As to "who writes these contracts?", well, the registrar-registrant
contracts are written by the registrars. The 'issuing authority'
generally provides a "sample" registrar-registrant contract -- one
that satisfies the "minimum requirements" of the issuer-registrar

*MANY* registrars adopt that sample boilerplate *without* making any

>> And the operator's contract (with ICANN, or the appropriate
>> 'national' authorizing authority) requires _them_ (the registry
>> operator) to publish *all* properly contracted domains.

> Again -- change the contracts!

The word for that is "impossible". The existing contracts are
*self-renewing* _at_the_same_terms_ (although in the case of one TLD,
with an escalating fee schedule), as long as both parties fulfil their
required acts. This is _expressly_ stated in the contracts.

Changing such a contract requires either: a material breach of the
*existing* contract by one party, allowing the other to exit it, *or*
the _agreement_ of both parties to the changes.

Are you really so naive as to think that the bad guys *will* "agree"
to a contract change -- which provides *no* benefit to _them_ -- and
that would allow the opposite party to harm them (the bad guy) at

I take that back, 'naive' is inappropriate here. "What color is the
sky on _your_ planet?" is more accurate.

>> Those are the *only* aspects of the Internet that fall under ICANN's
>> 'area of responsibility'.

> Sounds like there's a lot that could be done.

If you ignore the realities of contract law, the difficulties of
cross-border enforcement, and some other basic facts of life,

>> Because: (a) there is *NO*ONE* 'in authority'. The net runs by
>> anarchy.

> Did it ever occur to anyone that this 'anarchy' is a very costly and
> inefficient policy? How much do malicious efforts and protections
> against that cost companies? How much traffic is flooding the system,
> requiring increased servers and lines to accommodate malicious traffic?

Hell yes, it's occurred to people.

_Life_ is dangerous. "Mortality rate: 100%"

Nobody _requires_ you to use the Internet.

Yeah, it'd be "nice" if the various defenses were not necessary. But,
in the 'real world' they _are_. Just like locks on your doors.

Using the Internet is a _voluntary_ thing, but you do have to "take it
as it is". If it's "too much trouble", then the decision is simple --
*don't* use it. There _are_ people/businesses who have made that

>> (c) last I knew, MCI had something like a _40%_ share of
>> the U.S. Internet market. It simply isn't practical for
>> any 'significant' player to write off that big a chunk of
>> the potential customer base.

> MCI, being part of a bankrupt empire (resulting from IIRC corrupt
> accounting practices) has little sympathy from me. Perhaps it'd
> be better for everyone to dump MCI altogether.

A fair number of those who can _afford_ to do so, *have* done so.
For many, it is simply =not= a viable option.

Like it or not, commercial business operations pay for most of the
cost of operating the Internet. A commercial business does not
have the "luxury" of a blanket write-off of 40% of their potential
customers. If they attempt it, they *will* lose that business to
their competition who does not do it.

> [TELECOM Digest Editor's Note: Now Lisa, do you understand the
> politics of spam, and why it is such a problem? It amazes me that
> this net could be (like at present) 85-90 percent spam garbage, most
> of which comes via one source -- MCI --

Better check your facts. Comparatively little spam actually
_comes_from_ MCI address-space. MCI is actually fairly good about
stomping actual spam origination. What they _are_ excoriated for --
and *DESERVEDLY*SO* -- is continuing to provide *other* services -- be
it web-server, _incoming_ mail, etc. -- to parties which are
well-known for spamming. It's "the abuse didn't come _through_ *our*
network, so we don't care" mind-set.

For what it's worth: I just ran some statistics from my logs -- of the
last 2137 unsuccessful delivery attempts, a whopping _41_ were from
anywhere in MCI address-space. (BTW, more than 2/3 of them look to be from
"zombie" PCs; also more than half had forged AOL/YAHOO/HOTMAIL "from"
addresses, making detection/rejection 'trivial').

I get 80% of that number of messages from *ONE* ISP in Germany.
I get almost 85% of that number of messages that come directly from Nigeria.
I get more messages than that from zombie PCs in Brazil.
I get more messages than that from mainland China -- mostly in English, so
I presume they're "U.S. based" spammers with off-shore servers.
I get more than that number of messages from "" address-space.
I get nearly twice that number from Verizon address-space.
I get about twice that MCI number from "LEVEL3" address-space.
I get more than twice that many from Verio address-space.
I get more than five times that number from AT&T address-space.
I get more than _twelve_times_ that number from a _single_ spammer
getting connectivity from (He sends from his own server, always
the same machine, registered in his own name, so it's *really* easy
to block the "" domain. One of these days, I am, however,
going to file a lawsuit against him, for repeated attempted theft of

This isn't to say that blocking all of MCI is a bad idea if it fits
your political agenda, just _don't_ expect it to make any significant
near-term difference in the amount of spam in your inbox.

[[.. munch ..]]

> The contracts you suggest changing (I agree!) only got into place as
> they are when netters rolled over when ICANN demanded it. A tragic
> mistake is that no one seized root long ago and forced the issue.

Some people have tried such things. There have been attempts at
setting up "alternative" root nameservers, with other (non-ICANN
recognized) top-level domains. Of course, for anybody to be able to
_reach_ one of those alternate domains, they have to use a nameserver
"resolver" that kicks the query 'upstairs' to that 'alternative root'
_instead_ of the standard one. This means that -- for the
'alternative domains' to be universally accessible, *everybody* has to
reconfigure their nameserver away from the default configuration.

For some strange reason, *every* such attempt over the last 10+ years
has fizzled into oblivion. One could say that "the masses" _have_
made their wishes known on the subject.

[TELECOM Digest Editor's Note: So Lisa, note how Robert is going to
continue to fight against so many folks on the net who are determined
to get rid of spam. No matter how far afield, how far off of first
base he is, he is going to continue to respond as you (and I, and all
the other readers) saw today. He talks about the contracts all of us
who hold domain names had to sign, as though they were 'voluntary'
(what a sad laugh) and as though it is impossible for ICANN (which is
in fact the overall controller around here) to write new contracts
since Robert does not understand what the term 'malicious' means in
everyday language that everyone else with a lick of sense understands.
And he insists that it is impossible for ICANN to build into new
contracts such simple, humble concepts as 'no phishing, no spamming,
no falsification of network addresses' because the contracts out there
now are renewable in perpetuity, or until the savior comes again,
whichever happens first. So, Robert would have us believe that ICANN
(I use them in a generic sense) can't do anything because the existing
contracts are written in stone, renewable forever, and anyway, Robert
knows that there is no reasonable definition of 'malicious' in the
context of our net. And although as I understand the law, it is
generally there to provide for the weakest members of our society,
Robert says if our brains are not as smart as his (I mean, can't any
_real_ man configure his mail server to eliminate viri and spam?) then
our alternative is to shut the computer down. I imagine he would love
it if we did.

So Lisa Hancock, I guess Robert has really explained quite well where
we stand. Don't look for any laws or contracts to protect regular
users, or anything like that, since Robert has explained that is all
quite impossible. And above all, do not pick on poor little MCI, since
Robert (who encourages me to check the facts) has explained that MCI
does quite well in stopping spam which originates in their house, but
as Robert explains it they don't do very well on spam throughput from
other sources, as if there was some real difference between the two,
other than the fact that Robert says there is. And before Robert
starts muddying the water once again patiently explaining to us the
differences in job responsibilities between the various technical
agencies administering things here on the net, bear in mind he will
quite likely explain to us once again that it is all one big anarchy,
which by definition has no 'agencies' -- technical or otherwise -- in
charge of anything.

All I know is, I should receive hazardous duty pay for dealing with
all this shit day after day. PAT]
