
Motion for a new POST NSF AUP
Ladies and Gentlemen......

A couple of interesting points have developed as a result of the latest
'spam event'. The first one is debatable, but I would like to comment,
that my mailbox received 'one spam message' (which I deleted in a few
milliseconds) that generated hundreds of 'anti-spam messages'. Causal
to the 'spam' I would like to refer to the anti-spam messages as
'son-of-spam' :-)

Second, it is somewhat clear that as long as we have 'spam' we will have
a causal event 'son-of-spam'. Neither 'spam' nor 'son-of-spam' are welcome
e-mail in most in-boxes, and I assume by the responses, many people find
'son-of-spam' just as annoying as 'spam'. Given that both sides of the
coin are correct (in their own perception space) as we have seen,
I would like to put this on the table to the network:

Should we define a new 'postNSF AUP' that addresses what types of messages
are Acceptable Use of the Internet? Should transit and end user providers
require customers to agree to 'the new "agreed upon someday" commercial AUP'?

Could we even agree on what a new AUP would look like? Most everyone
agrees that spam and son-of-spam are a waste of precious bandwidth, time,
and energy; and unacceptable messages detract everyone from more important
daily issues and ideas.

I motion we create a working group to develop a draft POST NSF AUP.
------------------------------------------------------------------

We all agree we need to manage what type of messages are acceptable use of
the net..... Can we make POST NSF AUP a reality?

Any seconds to the motion?

Tim

--
+--------------------------------------------------------------------------+
| Tim Bass | #include<campfire.h> |
| Principal Network Systems Engineer | for(beer=100;beer>1;beer++){ |
| The Silk Road Group, Ltd. | take_one_down(); |
| | pass_it_around(); |
| http://www.silkroad.com/ | } |
| | back_to_work(); /*never reached */ |
+--------------------------------------------------------------------------+
Re: Motion for a new POST NSF AUP
Tim,

Presume that we've all met, decided a policy, figured out who it takes
to "officially" make it an Internet policy, and made it happen. Simply
amazing progress has occurred, and it's still morning on the Internet...

Now, let's talk about the hard part: enforcement.

Since the sender of a bulk, unsolicited advertisement may not even be
affiliated with the beneficiary of such mail, how do you intend to catch
the culprit? There is nothing in an email message that provides hard
proof of identity, and there is nothing to stop me from sending all of
my advertising as "Tim Bass". Since any host connected to the Internet
can forge email with very little trail, relying on the purported sender
of the message is clearly not possible for enforcement.

Of course, one could always look towards the beneficiary of the message
(i.e. the firm which gains the business as the result of this "misuse")
but that's actually no better than relying on the sender. It doesn't
matter whether the enforcement method is loss of Internet service or
large fines, it will be very difficult for anyone to actually safely
invoke such methods without incurring immense liability. Since anyone
can send a bulk, unsolicited advertisement with "The Silk Road Group"
as the beneficiary, you've now created the ultimate denial of service
attack. Don't like a firm? Send out a massive forged advertisement for
their latest product and watch them get disconnected from the net... :-)

Despite postings to the contrary, this is an extremely difficult problem
to solve in the absence of authentication. While the current ad-hoc methods
of managing such bulk advertising are not perfect, they may be far better
than the quick fixes being proposed.

/John

---

At 10:54 AM 10/15/95, Tim Bass wrote:
>Ladies and Gentlemen......
>
>A couple of interesting points have developed as a result of the latest
>'spam event'. The first one is debatable, but I would like to comment,
>that my mailbox received 'one spam message' (which I deleted in a few
>milliseconds) that generated hundreds of 'anti-spam messages'. Causal
>to the 'spam' I would like to refer to the anti-spam messages as
>'son-of-spam' :-)
>
>Second, it is somewhat clear that as long as we have 'spam' we will have
>a causal event 'son-of-spam'. Neither 'spam' nor 'son-of-spam' are welcome
>e-mail in most in-boxes, and I assume by the responses, many people find
>'son-of-spam' just as annoying as 'spam'. Given that both sides of the
>coin are correct (in their own perception space) as we have seen,
>I would like to put this on the table to the network:
>
>Should we define a new 'postNSF AUP' that addresses what types of messages
>are Acceptable Use of the Internet? Should transit and end user providers
>require customers to agree to 'the new "agreed upon someday" commercial AUP'?
>
>Could we even agree on what a new AUP would look like? Most everyone
>agrees that spam and son-of-spam are a waste of precious bandwidth, time,
>and energy; and unacceptable messages detract everyone from more important
>daily issues and ideas.
>
>I motion we create a working group to develop a draft POST NSF AUP.
>------------------------------------------------------------------
>
>We all agree we need to manage what type of messages are acceptable use of
>the net..... Can we make POST NSF AUP a reality?
>
>Any seconds to the motion?
>
>Tim
>
>--
>+--------------------------------------------------------------------------+
>| Tim Bass | #include<campfire.h> |
>| Principal Network Systems Engineer | for(beer=100;beer>1;beer++){ |
>| The Silk Road Group, Ltd. | take_one_down(); |
>| | pass_it_around(); |
>| http://www.silkroad.com/ | } |
>| | back_to_work(); /*never reached */ |
>+--------------------------------------------------------------------------+
Re: Motion for a new POST NSF AUP
From: Tim Bass <bass@linux.silkroad.com>
Date: Sun, 15 Oct 1995 10:54:40 -0400 (EDT)

> A couple of interesting points have developed as a result of the latest
> 'spam event'. The first one is debatable, but I would like to comment,
> that my mailbox received 'one spam message' (which I deleted in a few
> milliseconds) that generated hundreds of 'anti-spam messages'. Causal
> to the 'spam' I would like to refer to the anti-spam messages as
> 'son-of-spam' :-)
>
> Second, it is somewhat clear that as long as we have 'spam' we will have
> a causal event 'son-of-spam'. Neither 'spam' nor 'son-of-spam' are welcome
> e-mail in most in-boxes, and I assume by the responses, many people find
> 'son-of-spam' just as annoying as 'spam'. Given that both sides of the
> coin are correct (in their own perception space) as we have seen,
> I would like to put this on the table to the network:

I disagree, strongly. I think anti-spam messages, sent to the
postmasters of the respective ISP's that provide service to the
spammers, are perfectly acceptable. Otherwise, there is no cost to the
ISP's for providing service to the spammers.

As a matter of course, whenever I receive a spam, I will generally send
a complaint to postmaster at the originating site, or perhaps to the
ISP, if I can determine it. In fact, I'm thinking about automating this
procedure, to decrease the amount of time that it takes for me to send
the complaint. If everyone who receives a spam sends one (1) complaint
to the ISP, the ISP would quickly get the idea that spammers are not to
be desired on the Internet.

Other people have talked about enforcement; as near as I can tell, this
is the only kind of enforcement on the Internet that will really work.
Any AUP that discourages people from using this type of enforcement
mechanism, is in my opinion, a step in the wrong direction. (And this
doesn't even take into account the first amendment arguments about
people being able to complain to ISP's about spammers which the ISP's
are responsible for.)

If the argument is that people shouldn't be sending son-of-spam messages
to the mailing lists, that I can agree with whole-heartedly. But I do
believe that ISP's that host C&S-style spammers deserve to have their
mail hosts overloaded with individual complaints. One complaint per
individual receiving a spam should be plenty to cause an ISP to become
overloaded. :-)

- Ted

P.S. Perhaps ISP's should consider writing into their customer's
contracts some legal language saying that if the ISP receives too many
complaints, that the customer is liable for the cost of processing the
complaints caused by that customer --- the ISP can decide to waive the
fee if the complaints are caused by some mail forgery or other
legitimate misunderstanding.
Re: Motion for a new POST NSF AUP
[This message with my ISP-related hat off and my Usenet newsgroup
moderator hat on.]

John writes:
> Despite postings to the contrary, this is an extremely difficult problem
> to solve in the absence of authentication. While the current ad-hoc methods
> of managing such bulk advertising are not perfect, they may be far better
> than the quick fixes being proposed.

Just as a warning, some of us on the receiving end of more than our fair
share of net abuse (the collected Usenet moderators) are starting to get
more than a little short-fused about this. There was a strong move last
week by numerous moderators to demand that spammers' real names, addresses,
and phone number be released by ISPs following abuse events, presumably
to make the sort of ad hoc counterattack which seems to be the only
effective response today more effective.

I argued against it, for the obvious reasons for anyone who's an ISP
(customer confidentiality being a very touchy issue...), and the
moderators are back to simmering without a coherent policy.

That particular proposed solution aside, something is going to have
to be done about the problem. Not so soon that we do the wrong thing,
but there has to be an industrywide public acknowledgement that certain
behaviours are abusive to the net as a whole and are not acceptable.

-george william herbert
gherbert@crl.com
moderator, sci.space.tech & sci.space.science
Re: Motion for a new POST NSF AUP
A better use for your effort is to develop some hacks into majordomo or
another mailing list manager that can trivially make a list only accept PGP
signed (or whatever your favorite authentication system is) messages that
it can confirm with a public keyserver. At the very least all of the major
mailing lists that get regularly nailed by spams can transition and we can
get some authentication of the culprit.

---> Phil
Re: Motion for a new POST NSF AUP
> From: MX%"pjnesser@rocket.com" 15-OCT-1995 23:24:02.30
> Subj: Re: Motion for a new POST NSF AUP

>
> A better use for your effort is to develop some hacks into majordomo or
> another mailing list manager that can trivially make a list only accept PGP
> signed (or whatever your favorite authentication system is) messages that
> it can confirm with a public keyserver. At the very least all of the major
> mailing lists that get regularly nailed by spams can transition and we can
> get some authentication of the culprit.
>
> ---> Phil
>


I had a situation several months ago where a member of the list
started spamming one of my lists because he was having problems
unsubscribing. After contacting his ISP, I initially had problems with
them because they flatly denied that the mail was originating from
their host. I introduced a minor modification into the SMTP server
which logged the IP address as well as the host name. This provided
the evidence that the mail was indeed originating from their host, and
they took the appropriate action.

-HWM
Re: Motion for a new POST NSF AUP
-----BEGIN PGP SIGNED MESSAGE-----

I would really like to see mailing lists starting to distribute
*only* PGP-signed messages, with PGP key published in a keyserver
with appropriate credentials. There already are mailers which call
PGP automatically, so the user is not required to type something
like ~| pgp -fsat every time.

This is not a high magic. This is a matter of three lines of code,
and some patience of the list maintainer.

It is also good as it will proliferate good encryption software, and
teach people how to protect themselves.

- --vadim

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMIIlOUDODjim2XUVAQFhPQP/dS+LMSX5eJ1x4v/nL3eHYlX1DmCAxt6M
Uor3umYz7moHo8ztBe6NoMUj/ovncq4oQhqZEnXj6RtHXHX+zZbupVISnNw+GUUB
E/TJTGRgTkyadqGINA5lHopZJp/tsQ9Rmn1PE6uQelLkkHJ9FS3J5gcpwewmRlQv
oylV8EQ1P48=
=oLiq
-----END PGP SIGNATURE-----
Re: Motion for a new POST NSF AUP
> Another suggestion was that SMTP headers always contain the
> IP address. I've seen this in quite a few mailers already.
> All we need is a slight modification to the SMTP Receipt
> standard. This could be a Best Current Practice, quickly
> published!

Hm, this is already covered. RFC 1123 says:

5.2.8 DATA Command: RFC-821 Section 4.1.1
...
* The FROM field SHOULD contain both (1) the name of the
source host as presented in the HELO command and (2) a
domain literal containing the IP address of the source,
determined from the TCP connection.
...
DISCUSSION:
Including both the source host and the IP source address
in the Received: line may provide enough information for
tracking illicit mail sources and eliminate a need to
explicitly verify the HELO parameter.

Thus, this is not a new suggestion (RFC 1123 is dated Oct 1989).

Regards,

- Håvard
Re: Motion for a new POST NSF AUP
> From: Tim Bass <bass@dune.silkroad.com>
> a) Unenforceable;
> b) Subject to abuse; and
> c) Virtually impossible to authenticate.
>
I disagree with all of these premises.

c) I have been working for years on authentication. Many if not most
PPP links are now authenticated. We finally have an IETF Proposed
Standard for IP authentication.

Another suggestion was that SMTP headers always contain the IP
address. I've seen this in quite a few mailers already. All we need
is a slight modification to the SMTP Receipt standard. This could be
a Best Current Practice, quickly published!

b) Given some degree of authentication, I do not believe that abuse will
be a serious problem. Fake postings "on behalf" of other parties
will be reasonably refutable.

There is the problem of dial-in links and such where the ISP refuses
to disclose who the perpetrator actually is, for "privacy" reasons.
In that case, the message appears to be from the ISP. If the ISP
wishes to take responsibility, and protect the client, that is
certainly the option of the ISP. But it has a cost!

a) I have told folks how to enforce this on the IETF list (last year),
and the DNS list more recently. In the "Janet Dove" spam, here is
what I replied to janetdove@infosat.com:

> Date: Fri, 08 Sep 1995 18:28:18 -0500
> From: janetdove@infosat.com (Janet Dove)
> Subject: ===>> FREE 1 yr. Magazine Sub sent worldwide- 315+ Popular USA Titles
> Newsgroups: info.ietf.isoc,info.ietf.njm,info.ietf.smtp,info.inet.access,info.isode,info.jethro-tull,info.labmgr,info.mach,info.mh.workers,info.nets,info.nsf.grants,info.nsfnet.cert,info.nsfnet.status,info.nupop,info.nysersnmp,info.osf,info.pem-

Your spammed message was sent to multiple newsgroups and mailing lists.
It cost the providers of the service several million US dollars to carry
your spam.

Please justify why this message pertains to the IETF or the Internet
Society.

My fee for use of my computers, line and time to read your message is
$150 each. Please remit $450 to:

William Allen Simpson
1384 Fontaine
Madison Heights, Michigan 48071

Payable within 30 days; compound interest at 2% per each successive 30
days or fraction thereof.

Please note that failure to remit timely payment may result in a class
action suit on behalf of all parties spammed, including each such list
and each individual subscriber.

You may question whether this is enforceable?

I assert that it is. This is based on previous reported case history
for unsolicited fax advertisements. I understand (I am not a lawyer)
that charging for actual losses to my property (cost of my personal
equipment and time) is enforceable.

In short, _money_ is what we are talking about here!


> If we define a Post NSF AUP, then at least everyone who uses the Internet
> will have had the opportunity to have read and understood what the current
> Internet AUP describes.
>
I agree! Or, if they don't read it and understand it: "ignorance is no
defense".

Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
Re: Motion for a new POST NSF AUP
I personally think slightly smarter exploders might go a long way. For
example:
1) a list server that recognizes the "subscribe me" messages and informs
the subscriber without bothering the whole list,
2) an exploder that "suspends" messages with more than, say 6 lists
and newsgroups, and notifies the sender. If the sender is not a real
address, it automatically is purged.
:

you get the idea.

Bill

-------------------------------------------------------------------------
William B. Norton Merit Network Inc.
e-mail: wbn@merit.edu phone: (313) 936-2656
WWW: http://home.merit.edu/~wbn

On Mon, 16 Oct 1995, Tim Bass wrote:

>
> The motion on the table for a Post NSF AUP appears to be dying. The support
> for my motion is weak in the early stages. I like the idea of PGP authentication
> in list servers, except for the fact that adding PGP authentication to
> list servers will greatly slow down the processing time of large lists.
>
> The large public key rings required for large lists do not scale well.
> Second, the use of PGP authentication would restrict list participation to
> those with the ability to use PGP (this might be a *good* way to promote
> PGP use, on the other hand)
>
> Unless strong support for the AUP motion is observed today, I plan to
> table the motion for a Post NSF AUP for the Internet. The general consensus
> appears to be that an AUP would not be useful. I do not agree, but am
> more than happy to withdraw my motion, given weak support the AUP idea
> has received.
>
> The ideas for PGP authentication merit further discussion, especially
> the points above on reduced processing time with large public key rings.
>
>
> Thanks,
>
> Tim
>
> --
> +--------------------------------------------------------------------------+
> | Tim Bass | #include<campfire.h> |
> | Principal Network Systems Engineer | for(beer=100;beer>1;beer++){ |
> | The Silk Road Group, Ltd. | take_one_down(); |
> | | pass_it_around(); |
> | http://www.silkroad.com/ | } |
> | | back_to_work(); /*never reached */ |
> +--------------------------------------------------------------------------+
>
Re: Motion for a new POST NSF AUP
> From: "Theodore Ts'o" <tytso@MIT.EDU>
> I disagree, strongly. I think anti-spam messages, sent to the
> postmasters of the respective ISP's that provide service to the
> spammers, are perfectly acceptable. Otherwise, there is no cost to the
> ISP's for providing service to the spammers.
>
Good idea! I've only been sending to the perpetrator (which sometimes
bounces).


> As a matter of course, whenever I receive a spam, I will generally send
> a complaint to postmaster at the originating site, or perhaps to the
> ISP, if I can determine it. In fact, I'm thinking about automating this
> procedure, to decrease the amount of time that it takes for me to send
> the complaint.

I also have a template file which I use to save time.

How do you automate finding the postmaster and ISP? I cannot seem to
figure it out.

In the case of the "Janet Dove" spam, the two different months included
different headers:

Received: (from news@localhost) by ixc.ixc.net (8.6.12/8.6.10) id SAA06849; Fri, 8 Sep 1995 18:27:50 -0400
From: janetdove@infosat.com (Janet Dove)
Newsgroups: info.ietf.isoc,info.ietf.njm,info.ietf.smtp,info.inet.access,info.isode,info.jethro-tull,info.labmgr,info.mach,info.mh.workers,info.nets,info.nsf.grants,info.nsfnet.cert,info.nsfnet.status,info.nupop,info.nysersnmp,info.osf,info.pem-de
Subject: ===>> FREE 1 yr. Magazine Sub sent worldwide- 315+ Popular USA Titles
Date: Fri, 08 Sep 1995 18:28:18 -0500
Organization: Association of Overseas Students, Eastern Region
Message-ID: <janetdove-0809951828180001@pm1-49.ixc.net>
NNTP-Posting-Host: pm1-44.ixc.net


Received: from [198.70.48.62] (pm1-62.ixc.net [198.70.48.62]) by cornell.edu (8.6.12/8.6.12) with SMTP id EAA02068; Wed, 11 Oct 1995 04:28:53 -0400
X-Sender: For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok (Unverified)
Message-Id: <v0153050baca1267766ab@[205.230.67.34]>
Date: Wed, 11 Oct 1995 05:03:27 -0500
To: For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok
From: For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok (You will
get a quick reply via email within 1 business day of receipt of the info
request form below.)
Subject: *new* reply info: ===>> FREE 1 yr. Magazine Sub sent worldwide- 300+ Popular USA
Titles

As you can see, in the second they were better at hiding! But email to
janetdove didn't bounce.... And the Received tells the IP address.

As to authentication, the headers indicate "pm-", probably a PortMaster.
I _know_ PortMasters have both PAP and CHAP authentication.


> Other people have talked about enforcement; as near as I can tell, this
> is the only kind of enforcement on the Internet that will really work.
>
Yes, email reply is a good start. But, I would like to add another kind.
And the ISP's had better listen up:

The other kind is a lawsuit. It costs about $50 for an individual to
file, and $$$ (thousands) for a company to defend. And for that same
$50, I can sue _both_ the perpetrator, and an uncooperative ISP.

If the ISP fails to authenticate, and/or fails to log and identify the
perpetrator, they are clearly negligent!


> P.S. Perhaps ISP's should consider writing into their customer's
> contracts some legal language saying that if the ISP receives too many
> complaints, that the customer is liable for the cost of processing the
> complaints caused by that customer --- the ISP can decide to waive the
> fee if the complaints are caused by some mail forgery or other
> legitimate misunderstanding.
>
We talked about this last year. If they haven't done it by now, they
have only themselves to blame....

Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
Re: Motion for a new POST NSF AUP
On Mon, 16 Oct 1995, William Allen Simpson wrote:

> > From: "Theodore Ts'o" <tytso@MIT.EDU>
> > I disagree, strongly. I think anti-spam messages, sent to the
> > postmasters of the respective ISP's that provide service to the
> > spammers, are perfectly acceptable. Otherwise, there is no cost to the
> > ISP's for providing service to the spammers.
> >
> Good idea! I've only been sending to the perpetrator (which sometimes
> bounces).

Here's a better solution: Only send to the postmasters. I was involved
(from the "bouncing site" perspective) with a spam in which the
perpetrator would have been charged with felonies in at least two
states. However, the internet community tipped the individual off by
determining his email address and sending him email cc'd to the
postmaster of the site. As a result, the perpetrator wasn't caught in
the act, and a case could not be built.

forrestc@imach.com
Re: Motion for a new POST NSF AUP
I support the notion of a non-binding AUP, on the grounds that it
wouldn't be _that_ much work to do, but would give us (Internet
denizens) something to point to when our respective governments give
us the "clean up your act before we do it for you" number again.

I don't expect such a non-binding AUP to have any short-term or
dramatic effect on end-user behaviour, however.

Thus, I also support the idea of PGP/listserv and PGP/news-server
integration. At present, I can allow or disallow posting on our news
servers by IP address or range, and by FQDN or domain name. I think
it might be useful to allow PGP-authenticated validated users to post
from any location or host. The creation of a user-list based
permissions scheme would also clear the way for automatic invalidation
of individual users who post to too many newsgroups within too short a
period of time, a la deactivating user accounts after too many
successive failed logins. I disagree with the proposition that this
would place too great a burden on servers... authentication need be
done only at the time the posting is introduced into the Usenet system
or onto the listserv... If someone wants to go to the trouble of
spoofing a whole listserv, perhaps that should be recognized as a
hole we don't feel like dealing with in an initial implementation...
News servers obviously support a limited number of inter-server
connections, which could be easily validated themselves, so they're a
more easily closed system.

-Bill Woodcock

________________________________________________________________________________
bill woodcock woody@zocalo.net woody@applelink.apple.com user@host.domain.com
Re: Motion for a new POST NSF AUP
On Mon, 16 Oct 1995, William B. Norton wrote:

> I personally think slightly smarter exploders might go a long way. For
> example:
> 1) a list server that recognizes the "subscribe me" messages and informs
> the subscriber without bothering the whole list,
> 2) an exploder that "suspends" messages with more than, say 6 lists
> and newsgroups, and notifies the sender. If the sender is not a real
> address, it automatically is purged.

How about the sender must be on the list?
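Norton's two "smarter exploder" rules above, together with Ed's "the sender must be on the list" gate, as an added Python example; it is not code from anyone in the thread and not majordomo's. It classifies an incoming message into one of five dispositions before anything is exploded to the membership. The "is the sender a real address" test is reduced to a syntax check because a deployed exploder would verify the domain over DNS, and the list addresses, newsgroups and subscriber roster are constructed samples.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

MAX_DESTINATIONS = 6   # Norton's "more than, say 6 lists and newsgroups"
ADMIN_RE = re.compile(r"^\s*(un)?subscribe\b", re.IGNORECASE)
# Syntactic shape of a deliverable address: local part, '@', at least two labels.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def destinations(msg):
    """Distinct lists (To/Cc addresses) and newsgroups the message is aimed at."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    addrs = {addr.lower() for _, addr in pairs if addr}
    groups = {g.strip().lower() for g in msg.get("Newsgroups", "").split(",") if g.strip()}
    return addrs | groups


def looks_like_real_address(addr):
    """Offline stand-in for 'is the sender a real address': syntax only.
    A deployed exploder would also check that the domain resolves (MX/A)."""
    return bool(ADDR_RE.match(addr))


def is_admin_request(msg):
    """Norton's item 1: catch 'subscribe' / 'unsubscribe' sent to the list itself."""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    lines = body.strip().splitlines()
    first_line = lines[0] if lines else ""
    return bool(ADMIN_RE.match(subject) or ADMIN_RE.match(first_line))


def exploder_decision(msg, subscribers, max_destinations=MAX_DESTINATIONS):
    """Disposition for msg:
       route-to-list-owner   - administrative request, never exploded to the list
       purge                 - cross-posted too widely and the sender is not a real address
       suspend-and-notify    - cross-posted too widely; hold it and tell the sender
       reject-not-subscribed - Ed's rule: the sender must be on the list
       deliver               - explode to the membership"""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if is_admin_request(msg):
        return "route-to-list-owner"
    if len(destinations(msg)) > max_destinations:
        return "suspend-and-notify" if looks_like_real_address(sender) else "purge"
    if sender not in {s.lower() for s in subscribers}:
        return "reject-not-subscribed"
    return "deliver"


# Constructed sample roster and messages (example.* names are placeholders).
SUBSCRIBERS = ["alice@example.com", "bob@example.net"]
SUBSCRIBE_REQ = message_from_string(
    "From: carol@example.org\nTo: ops-list@example.org\nSubject: subscribe\n\nsubscribe me\n")
MEMBER_POST = message_from_string(
    "From: Alice <alice@example.com>\nTo: ops-list@example.org\n"
    "Subject: routing question\n\nHas anyone seen flaps on the peering link?\n")
OUTSIDER_POST = message_from_string(
    "From: dave@example.org\nTo: ops-list@example.org\nSubject: hello\n\nFirst post.\n")
_CROSSPOST_HEADERS = (
    "To: ops-list@example.org, dns-list@example.org, ietf-list@example.org\n"
    "Cc: users@example.net\n"
    "Newsgroups: info.nets,info.osf,info.mach\n"
    "Subject: ===>> FREE offer\n\nBuy now.\n")
SPAM_REAL_SENDER = message_from_string("From: promo@example.org\n" + _CROSSPOST_HEADERS)
SPAM_BOGUS_SENDER = message_from_string("From: Free Stuff <nobody@localhost>\n" + _CROSSPOST_HEADERS)

if __name__ == "__main__":
    for name, m in (("subscribe request", SUBSCRIBE_REQ), ("member post", MEMBER_POST),
                    ("outsider post", OUTSIDER_POST), ("crosspost, real sender", SPAM_REAL_SENDER),
                    ("crosspost, bogus sender", SPAM_BOGUS_SENDER)):
        print(f"{name:24s} -> {exploder_decision(m, SUBSCRIBERS)}")
```

The cross-post check runs before the subscription check on purpose: a message aimed at seven lists is held or purged whether or not its sender happens to be subscribed, which is the cost Norton wants the exploder to impose; the subscription gate then handles ordinary traffic from outsiders.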
Re: Motion for a new POST NSF AUP
Date: Mon, 16 Oct 95 08:13:54 GMT
From: "William Allen Simpson" <bsimpson@morningstar.com>

> As a matter of course, whenever I receive a spam, I will generally send
> a complaint to postmaster at the originating site, or perhaps to the
> ISP, if I can determine it. In fact, I'm thinking about automating this
> procedure, to decrease the amount of time that it takes for me to send
> the complaint.

I also have a template file which I use to save time.

How do you automate finding the postmaster and ISP? I cannot seem to
figure it out.


Well, I'd only seriously consider bothering the ISP if
postmaster@perp.site hasn't responded, or if it's obvious that perp.site
is a PPP-only site that's connected to an ISP (in which case
root@perp.site is probably the same as perpetrator@perp.site).
Figuring out the ISP isn't too hard; you can look at the nameservers for
perp.site (especially if it's a PPP-only link, the ISP is probably
providing nameservice), or you can use traceroute.

The other thing to keep in mind is that in the case of the magazine
spam, the e-mail contact address for requested responses was posted. So
instead of needing to try to figure out the actual posting address from
the forgery, you can also just simply send complaints to
postmaster@grfn.org (looks like the spammers were taking advantage of a
freenet site, which also deserved to get flooded with complaints; they
had several different accounts on that freenet site).

In the case where the perpetrators of the spam leave a 1-800 number as
the contact point, you can simply call them up and give them abuse for
spamming the internet. Again, if enough people do this it will become
economically unfeasible for spammers to continue. (There's an extremely
hilarious story going around about someone who posted the 1-800 number
alt.sex.* as a phone sex line; the poor company got flooded with lots of
calls, which skyrocketed their 1-800 bill and embarrassed the heck out of
their (mostly female) receptionists. I don't recommend that people try
this though, since posting the 1-800 number as a phone sex number is
obviously fraud. But it *is* extremely amusing to hear about it
happening.)

The hard part of trying to automate it is that there are a lot of
heuristics. But it certainly would be possible to build tools that
automated at least part of the detective work.

- Ted
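Several posts in this thread turn on reading Received: headers the way RFC 1123 section 5.2.8 describes: Håvard's quote of the RFC, HWM's SMTP-server change that logged the IP address next to the host name, Bill Simpson's two "Janet Dove" header sets, and Ted's note above on finding the originating site and its postmaster. The following Python is an added example, not code from anyone in the thread. It parses the RFC 1123 "from <HELO> (<reverse-DNS> [<IP>])" clause, walks the hops from the earliest upward, and derives a postmaster@ address from the host the relay recorded rather than from the forgeable From: line. The two sample header sets are trimmed copies of the headers quoted earlier in the thread (the long Newsgroups: line is shortened); the third is constructed. The registrable-domain rule (last two labels) is a simplification, and the nameserver or traceroute step Ted mentions is left out because it needs the network.

```python
import re
from email import message_from_string

# RFC 1123 section 5.2.8 asks a relay to record, in the Received: "from" clause,
# the name the client gave in HELO, the name found by reverse DNS, and the IP
# address taken from the TCP connection:
#   from <HELO name> (<reverse-DNS name> [<IP address>]) by <relay> ...
# Only the bracketed IP and the reverse-DNS name are under the relay's control;
# the HELO name is whatever the client claimed.
FROM_CLAUSE_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?"
    r"(?:\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?\))?",
    re.IGNORECASE,
)
BY_CLAUSE_RE = re.compile(r"\bby\s+(?P<by>[^\s(;]+)", re.IGNORECASE)


def parse_received(value):
    """Split one Received: value into helo / rdns / ip / by (missing parts are None).
    A local submission such as '(from news@localhost) by host' has no from-clause."""
    text = " ".join(value.split())               # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = FROM_CLAUSE_RE.match(text)
    if m:
        hop.update(m.groupdict())
    b = BY_CLAUSE_RE.search(text, m.end() if m else 0)
    if b:
        hop["by"] = b.group("by")
    return hop


def registrable_domain(hostname):
    """Last two labels of a host name. Simplification: ccTLD forms such as co.uk
    would need a public-suffix list."""
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def trace_origin(msg):
    """Walk Received: headers from the earliest hop (bottom) upward and return the
    first hop with a recorded source IP. Mail that came in through a news gateway
    has no such hop, so NNTP-Posting-Host is used as a fallback."""
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for hop in reversed(hops):
        if hop["ip"]:
            return {"ip": hop["ip"], "host": hop["rdns"] or hop["helo"], "source": "Received"}
    posting_host = msg.get("NNTP-Posting-Host")
    if posting_host:
        return {"ip": None, "host": posting_host.strip(), "source": "NNTP-Posting-Host"}
    return None


def complaint_address(msg):
    """postmaster@ for the domain that actually injected the message, or None when
    only a bare IP literal is known (resolving it would need reverse DNS)."""
    origin = trace_origin(msg)
    if origin is None or origin["host"] is None or origin["host"].startswith("["):
        return None
    return "postmaster@" + registrable_domain(origin["host"])


def sender_domain_mismatch(msg):
    """True when the purported From: domain differs from the traced origin domain,
    i.e. the sender field cannot be taken at face value; None if undecidable."""
    origin = trace_origin(msg)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if origin is None or origin["host"] is None or not m:
        return None
    return registrable_domain(m.group(1)) != registrable_domain(origin["host"])


# Trimmed copies of the two "Janet Dove" header sets quoted in the thread.
SEPTEMBER_POST = message_from_string(
    "Received: (from news@localhost) by ixc.ixc.net (8.6.12/8.6.10) id SAA06849;"
    " Fri, 8 Sep 1995 18:27:50 -0400\n"
    "From: janetdove@infosat.com (Janet Dove)\n"
    "Newsgroups: info.ietf.isoc,info.ietf.njm,info.ietf.smtp\n"
    "Subject: ===>> FREE 1 yr. Magazine Sub sent worldwide- 315+ Popular USA Titles\n"
    "Message-ID: <janetdove-0809951828180001@pm1-49.ixc.net>\n"
    "NNTP-Posting-Host: pm1-44.ixc.net\n\n")
OCTOBER_MAIL = message_from_string(
    "Received: from [198.70.48.62] (pm1-62.ixc.net [198.70.48.62]) by cornell.edu"
    " (8.6.12/8.6.12) with SMTP id EAA02068; Wed, 11 Oct 1995 04:28:53 -0400\n"
    "Message-Id: <v0153050baca1267766ab@[205.230.67.34]>\n"
    "Date: Wed, 11 Oct 1995 05:03:27 -0500\n"
    "From: For.a.prompter.reply.please.fax@If.you.do.not.have.a.fax.smail.is.ok\n"
    "Subject: *new* reply info: ===>> FREE 1 yr. Magazine Sub sent worldwide\n\n")
# Constructed: a relay that recorded the IP but had no reverse DNS to record.
LITERAL_ONLY = message_from_string(
    "Received: from [192.0.2.5] ([192.0.2.5]) by relay.example.org with SMTP\n\n")

if __name__ == "__main__":
    for name, msg in (("September post", SEPTEMBER_POST), ("October mail", OCTOBER_MAIL),
                      ("literal only", LITERAL_ONLY)):
        print(name, trace_origin(msg), complaint_address(msg), sender_domain_mismatch(msg))
```

Both "Janet Dove" samples resolve to the same complaint address even though their From: lines name two unrelated domains, which is the point Bill Simpson makes above: the Received: line, not the sender field, tells you where the message entered the network.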
Re: Motion for a new POST NSF AUP
-----BEGIN PGP SIGNED MESSAGE-----

> From: Havard.Eidnes@runit.sintef.no
> 5.2.8 DATA Command: RFC-821 Section 4.1.1
> ...
> * The FROM field SHOULD contain both (1) the name of the
> source host as presented in the HELO command and (2) a
> domain literal containing the IP address of the source,
> determined from the TCP connection.
> ...
> DISCUSSION:
> Including both the source host and the IP source address
> in the Received: line may provide enough information for
> tracking illicit mail sources and eliminate a need to
> explicitly verify the HELO parameter.
>
> Thus, this is not a new suggestion (RFC 1123 is dated Oct 1989).
>
You are correct. Good memory! So, how do we enforce a 6 year old RFC?


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMIIw4GZacKQwIslRAQE/6AQAlLduKbKJVbLKu91zVJhYqXv9WR6sL9QC
TYzic48/4AGUElmlpUge4NvTD6R2VLSxeDQ5nXFT7P/3HMxuvtkZkpDtmyADzjSx
/SauvnRlhgj5TTckfUr1e6zwNJNhQ25G5Pqe6qKzVkv8K3sFCf9AQCRBhN2qTEpW
kQznEBp5raQ=
=hAmv
-----END PGP SIGNATURE-----
Re: Motion for a new POST NSF AUP
I think that AUPs issued by each ISP, but with some common elements
are very important. If we can agree on the common elements that would be
a start. The next step would be for the big providers to include
these common elements in their contracts. My lawyer tells me that
the best way for me to avoid being in the middle is to pass these
contractual responsibilities along in the form of our AUP. We do that.
I suspect that others would too.

I'm not too worried about enforceability at this point. I think
there are two issues here. One is more or less a code of good
conduct. The other is what to do when people don't follow the
code. At this stage I'd be happy if we could just inform people
what acceptable conduct is. We can figure out what to do about
people who don't play along later.

-Jeff Ogden
Merit/MichNet
Re: Motion for a new POST NSF AUP
On Mon, 16 Oct 1995, Bill Woodcock wrote:

> I don't expect such a non-binding AUP to have any short-term or
> dramatic effect on end-user behaviour, however.

The AUP won't have much effect, but the after-effects will. Once the AUP
is announced we will get press coverage about it, any new Internet books
and articles will point out the rules of conduct on the Internet and
mention that breaking the rules could get you kicked out. All this will
make people aware that there ARE rules and that spam is not liked.
Publicity, publicity and more publicity.

Besides, I believe ISOC has been working on a code of conduct for almost
a year. I recall reading about it last fall somewhere at http://www.isoc.org


Michael Dillon Voice: +1-604-546-8022
Memra Software Inc. Fax: +1-604-542-4130
http://www.memra.com E-mail: michael@memra.com
Re: Motion for a new POST NSF AUP
>
> The AUP won't have much effect, but the after-effects will. Once the AUP
> is announced we will get press coverage about it, any new Internet books
> and articles will point out the rules of conduct on the Internet and
> mention that breaking the rules could get you kicked out. All this will
> make people aware that there ARE rules and that spam is not liked.
> Publicity, publicity and more publicity.

I've seen near zero coverage of RFC 1746, which covers
AUP's on the Internet.

> Besides, I believe ISOC has been working on a code of conduct for almost
> a year. I recall reading about it last fall somewhere at http://www.isoc.org

Does it cover the issues listed in RFC 1746? Is anyone at
ISOC paying any attention?
>
> Michael Dillon Voice: +1-604-546-8022
> Memra Software Inc. Fax: +1-604-542-4130
> http://www.memra.com E-mail: michael@memra.com
>
>
--bill
Re: Motion for a new POST NSF AUP
From: Jeff.Ogden@um.cc.umich.edu
>I'm not too worried about enforceability at this point. I think
>there are two issues here. One is more or less a code of good
>conduct. The other is what to do when people don't follow the
>code. At this stage I'd be happy if we could just inform people
>what acceptable conduct is. We can figure out what to do about
>people who don't play along later.

I agree, but I'll even go a bit further.

When issues like this come up people tend to assume they are all in
agreement and talking about the same thing. It's true that in the
extreme they probably are. But my guess is that if a sizeable group
tried to write down what is and is not acceptable it will become
apparent that, again other than the most egregious behavior, agreement
isn't as easy as it may've first appeared.

I suppose one can stick to codifying only the worst sort of behavior,
but that always raises the issue of whether this then implies that
other behaviors are acceptable? If 100 messages are unacceptable, then
are 99 ok? Can we live with zero tolerance only? etc.

I think this all can be resolved with some mere shouting and
screaming. But the exercise should also be enlightening: If a group
such as this has some difficulty agreeing on the boundaries then
surely laying the same out for others clearly, even just as an
informatory document, would be worthwhile. How could the community at
large have been expected to intuit what we can't easily define?

At any rate, it'd be a good start.

--
-Barry Shein

Software Tool & Die | bzs@world.std.com | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
Re: Motion for a new POST NSF AUP
bmanning@ISI.EDU writes:
> > The AUP won't have much effect, but the after-effects will. Once the AUP
> > is announced we will get press coverage about it, any new Internet books
> > and articles will point out the rules of conduct on the Internet and
> > mention that breaking the rules could get you kicked out. All this will
> > make people aware that there ARE rules and that spam is not liked.
> > Publicity, publicity and more publicity.

> I've seen near zero coverage of RFC 1746, which covers
> AUP's on the Internet.

I think that's because it defines areas an AUP should cover rather
than defining any particular behavior as appropriate or not. It's
just not controversial enough. Now if you publish something that
the media can interpret as "Internet bans advertising!!!!" then
you'll see coverage. :-)

However, I don't believe publicizing an AUP will stop the kinds of
spam I've seen most recently. A well known AUP will stop the guy
who runs Amway out of his basement when he's not at his day job.
Even if he doesn't want to be a good citizen anyway, the threat
of losing his account will be a real threat. It will also stop
established companies that have a public image to worry about.

But it won't stop people like Canter & Siegel. A lot of the spams
I've seen lately don't even want you to respond via the Internet.
Why should they care if they lose their account? They'll just
get another one somewhere. It's just not enough of a threat, yet
it's probably the worst punishment an ISP can inflict.

I do think an AUP is a good idea anyway, because of the groups
that will be swayed by it and the things other than spam that
could be addressed. And I'm rather afraid that with legislation,
the cure would be worse than the disease.

Cathy
--
Catherine Foulston cathyf@rice.edu Rice University Network Management
Re: Motion for a new POST NSF AUP
In discussing spamming problems
"William B. Norton" <wbn@merit.edu> wrote:

> I personally think slightly smarter exploders might go a long way. For
> example:
> ...
> 2) an exploder that "suspends" messages with more than, say 6 lists
> and newsgroups, and notifies the sender. If the sender is not a real
> address, it automatically is purged.

But wouldn't a spammer just defeat this measure by using a shell script, say?
Instead of sending one message to n lists, a script could easily send n
messages each addressed to a single list.

Rick Boivie
rboivie@vnet.ibm.com
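The exploder rule quoted above, and the gap Rick points out, as an added example (not code from the thread or from any list software it mentions). It assumes a hypothetical exploder that serves a constructed set of list addresses (`KNOWN_LISTS`), treats "more than 6 lists and newsgroups" as the threshold, and can only check a sender address syntactically (a real exploder would bounce a probe or look the address up elsewhere). The per-message `triage` is the suggested rule; `SenderTally` goes one step beyond the quoted proposal by accumulating distinct targets per sender across separate messages, which is what catches the "n messages each addressed to a single list" variant.

```python
"""Recipient-count check for a hypothetical mailing-list exploder (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Set, Tuple

# Constructed sample: the lists this hypothetical exploder serves.
KNOWN_LISTS = {f"list-{c}@example.net" for c in "abcdefgh"}
MAX_TARGETS = 6  # the quoted proposal: "more than, say 6 lists and newsgroups"

_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_targets(msg: Message) -> Set[str]:
    """Known list addresses in To/Cc plus every newsgroup named in Newsgroups."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {addr.lower() for _, addr in getaddresses(headers)}
    groups = {g.strip().lower() for g in msg.get("Newsgroups", "").split(",") if g.strip()}
    return (addrs & KNOWN_LISTS) | {"news:" + g for g in groups}


def sender_plausible(msg: Message) -> bool:
    """Syntactic check only; assumption: deliverability is verified elsewhere."""
    _, addr = parseaddr(msg.get("From", ""))
    return bool(_ADDR_RE.match(addr))


def triage(raw: str) -> Tuple[str, int]:
    """Per-message rule: deliver, suspend (and notify the sender), or purge."""
    msg = message_from_string(raw)
    n = len(extract_targets(msg))
    if n <= MAX_TARGETS:
        return "deliver", n
    if not sender_plausible(msg):
        return "purge", n      # "If the sender is not a real address, it is purged"
    return "suspend", n


class SenderTally:
    """Accumulates distinct targets per sender across messages (in memory only)."""

    def __init__(self, limit: int = MAX_TARGETS) -> None:
        self.limit = limit
        self.seen: Dict[str, Set[str]] = {}

    def record(self, raw: str) -> bool:
        """Return True once this sender's cumulative target set exceeds the limit."""
        msg = message_from_string(raw)
        _, sender = parseaddr(msg.get("From", ""))
        targets = self.seen.setdefault(sender.lower(), set())
        targets |= extract_targets(msg)
        return len(targets) > self.limit


# Constructed sample messages.
NORMAL = ("From: alice@example.org\nTo: list-a@example.net\nCc: list-b@example.net\n"
          "Subject: hello\n\nbody\n")
CROSSPOST = ("From: promo@example.com\n"
             "To: list-a@example.net, list-b@example.net, list-c@example.net, list-d@example.net\n"
             "Cc: list-e@example.net, list-f@example.net\n"
             "Newsgroups: misc.test,alt.test\nSubject: offer\n\nbody\n")
FORGED = CROSSPOST.replace("From: promo@example.com", "From: nobody")


def one_per_list(sender: str) -> List[str]:
    """Constructed: the same sender posting separately to each known list."""
    return [f"From: {sender}\nTo: {lst}\nSubject: offer\n\nbody\n" for lst in sorted(KNOWN_LISTS)]


if __name__ == "__main__":
    print(triage(NORMAL), triage(CROSSPOST), triage(FORGED))
    tally = SenderTally()
    print([tally.record(m) for m in one_per_list("promo@example.com")])
```

The per-message rule alone sees each single-list message as a count of 1 and delivers it; the tally is what turns the seventh single-list message from the same sender into a hit. It is keyed on the claimed From address, so it is only as good as the sender check, which is exactly the authentication problem the rest of the thread keeps returning to.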
Re: Motion for a new POST NSF AUP
The only question that I have is what does this do to your position as a
"common carrier like" organization? It weakens it horrendously. I wish
that it didn't, and when I start my ISP up, Jan 1st (as opposed to the
one I am working for now), I will have an AUP, but just be aware, it
/does/ weaken your position as a "common carrier like" organization. It
is at that point that you should start to seriously consider removing
binaries groups and other things, and finding a way to act immediately on
things like someone saying that one of your users violated a copyright
law or the like. I am not advocating one way or the other, just saying
that you should stand to one side of the road or the other, not the middle.

I plan to stand on the side where I can have an AUP, and plan to have my
lawyer make a fair number of decisions on things like what do I do when
someone tells me a user has violated copyright, etc etc. I also plan to
purchase news services from someone else in the beginning so that I am
not a news distributor, I am only giving people a way to view it (News
will never be stored on my systems). Maybe when the water gets a little
less rocky I'll start using my own news server. Those decisions are
mine, not yours, you can of course make your own. I made mine after
hours of consultation with my lawyer, as well as talking to several other
lawyers. You should do the same.


On Sun, 15 Oct 1995, Tim Bass wrote:

>
> John Curran and I are in total agreement on John's premise that any
> Post NSF AUP is either a) unenforceable or b) subject to abuse. I suggest
> that for the moment, that we agree with John that any AUP is both:
>
> a) Unenforceable;
> b) Subject to abuse; and
> c) Virtually impossible to authenticate.
>
> Given the above, the question still remains and the original motion is still
> valid for this reason.
>
> If we define a Post NSF AUP, then at least everyone who uses the Internet
> will have had the opportunity to have read and understood what the current
> Internet AUP describes.
>
> It is possible that having a clearly defined AUP will not stop spam and
> other unacceptable uses of the net, and clearly an AUP is not enforceable
> ( and for IP security reasons should not be enforced without absolute
> authentication as John correctly points out).
>
> On the other hand, having a clearly defined AUP may discourage potential
> spammers and child pornographers, etc. (not that we consider spammers
> and child pornography peddlers in the same vein..). Also, having a
> clearly defined Internet AUP will send a signal to the news media and
> government officials that the providers of Internet services are
> capable of formulating policy in an area that, without self-regulation,
> has a strong potential to continue degenerating.
>
> Is a self-formulated Post NSF AUP, without enforcement, still a good idea?
>
> The answer, I suggest, is not obvious, but a debate on the subject
> does have considerable merit, given the events of the past week or so.
>
>
> Tim
>
>
>
>
> --
> +--------------------------------------------------------------------------+
> | Tim Bass | #include<campfire.h> |
> | Principal Network Systems Engineer | for(beer=100;beer>1;beer++){ |
> | The Silk Road Group, Ltd. | take_one_down(); |
> | | pass_it_around(); |
> | http://www.silkroad.com/ | } |
> | | back_to_work(); /*never reached */ |
> +--------------------------------------------------------------------------+
>

Justin Newton * You have to change just to stay caught up.
Vice President/ *
System Administrator *
Digital Gateway Systems *
