[Asrg] Projecting

Douglas Otis dotis at mail-abuse.org
Fri Dec 5 15:35:30 PST 2008


On Dec 1, 2008, at 5:42 PM, Barry Shein wrote:

>
> On December 1, 2008 at 11:04 dotis at mail-abuse.org (Douglas Otis)  
> wrote:
>> It is not hard to imagine why large providers wish to ignore  
>> accounts using compromised systems, as these represent extremely  
>> expensive support issues.
>
> At the risk of being flip, it is not my responsibility to design  
> optimized business models for them.

There is no Internet related revenue stream being made available to  
compensate providers who deal with bot-nets.  Nor is there an  
International Internet police force, men in black helicopters, that  
might impose fines to generate the needed revenues.  If there was some  
way to establish a revenue stream that could be directed toward  
providing corrective incentives, it might help create a much needed  
market force.

As a naive view, perhaps to offset support costs, individuals could
be offered Internet access discounts when they acquire a support and
insurance package that protects them from being 0wned.  Support and
insurance premiums might be offset with reduced fees required by
providers who are able to assign support and monitoring duties to this
support and insurance agency.  By allowing this agency to also monitor
their networks, they might be able to increase profits by judiciously
black-hole routing potential threats as needed.

> It costs me a lot to deal with the spam from their business model  
> optimizations, and earns me nothing.

Which is also why the current Authentication-Results header is
wrong-headed.  It excludes the SMTP client IP address when assessing path
registration authorization.  This header portrays the domain as an
"authenticated" message source, and makes it appear as if the provider
plays no role.

>> Once IPv6 opens the door to 340,000 decillion (10^33)  IP  
>> addresses, the granularity of evidence collection and blocking can  
>> not be retained at the IP address.
>
> Oh please. There won't be 10^33 ip addresses involved. There are  
> only about O(nx10^9), n<10, people on the planet etc etc.

The concern is being misunderstood.  The number of IP addresses
involved has little to do with the number of bad actors.  For every
address range listed, collected evidence will be needed.  Not only
does the size of the zone file supported by various DNS servers become
a concern, so are storage requirements for the evidence.  The process
of establishing negative reputation assertions is not by the access
provider permitting abusive traffic.  It is likely funded by list
subscribers.  These list subscribers will not want to pay a fee
increased by the resources needed to support the additional monitored
space.

This might scale when done based upon registration and positive  
reputation.  One then needs some way to identify those registered, and  
hope registration fees are not required, or there may be conflicts of  
interest.  Even checking receipt of a postcard becomes expensive when
abused.  What transaction system would be efficient at collecting the  
minor cost of mailing a postcard?

> Put another way:
>
>     IF THEY CAN BILL THEM FOR A SERVICE THEY CAN MONITOR THEM.
>
> Ok?

Not okay.  Traditional list providers will be unable to bill those who  
are obtaining large numbers of IPv6 addresses. : ^(

> The rest follows from the above so no point in my responding.
>
> But gack if I could just get back the many sleepless nights I spent  
> because AOL, and others, chose to not verify credit cards or other  
> info before automatically enabling accounts (something we did) and  
> the attack after attack from those accounts being created at script  
> speed and the sanctimonious "you don't understand what marketeers  
> call friction, checking credit cards before enabling would  
> constitute unreasonable marketing friction, go read a marketing book".

Larger providers are not surrounding themselves in virtue, and neither  
are some of the various standards proponents.  :^(

> Until, I guess, those acts started attacking their own systems, then  
> it was "damn the market friction and full steam ahead!"

It was not an attack by their own network responsible for the
change.  Black-hole listing abusive services helped provide the
needed market incentive.

-Doug

