[e2e] Fwd: Camel's nose in the tent

stanislav shalunov shalunov at internet2.edu
Fri Aug 10 13:57:48 PDT 2001


"David P. Reed" <dpreed at reed.com> writes:

> At 01:17 PM 8/10/01 -0400, stanislav shalunov wrote:
> >While it's entirely their option to block mail based on arbitrary
> >criteria, including "From:" headers or anything else (as it is the
> >option of their users to avoid ISPs that annoy their own users), and I
> >don't see any great violation of engineering principles of SMTP here
> >(there *would* be a serious violation of these principles if they
> >replaced your "From:" line with what they think is the correct line),
> >it's definitely a poor practice.

> As a matter of law, [...]
> As a matter of contract, [...]

I'm not a lawyer.  I just avoid ISPs that do things like the Verizon
practice (which is similar to practices of many other, equally
misguided, ISPs).

> As a matter of engineering practice, you are wrong.  SMTP provides an 
> end-to-end guarantee that the contents will be preserved intact (modulo 
> adding Received: lines at the front).

I suggested inserting accounting information about the real sender of
the message (taken from RADIUS or DHCP logs) into the message in a form
that doesn't modify headers that a MUA would use.  How exactly does
this change the content of a message in transit?

Further, in what form such information is inserted is immaterial.  One
reasonable way of doing so might be to include a username in a form
that's only useful for the ISP (e.g., encrypted with a symmetric key
that ISP's abuse department has access to).  Another would be to
insert this information in a form that allows anyone to reconstruct
the original sender's email address.  The choice between these
alternatives has social importance (what's revealed about me when I
send a message?), but not engineering importance.  One might argue
that requiring users who want anonymity to use a chain of anonymous
remailers is a better choice since it encourages more secure
practices.

In re the end-to-end guarantee that the contents will be preserved
intact (modulo adding Received: lines at the front), you could also
mention the dreaded address canonicalization, MIME autoconversion,
Delivered-To: headers, UIDL: headers, end-of-line autoconversion,
etc., etc.

How would using the "from" clause of the Received: line to specify the
actual user as I suggested be breaking SMTP transparency?  If it does,
in your opinion, break SMTP transparency, then perhaps you should be
aware that sendmail will do it today using RFC1413.

Such additional accounting information would be useful for subsequent
abuse desk investigations.  By making these investigations simple and
consuming little time, an ISP can enable itself to act quickly on
complaints sent to abuse@, thus reducing its attractiveness to
spammers while reducing the amount of time a spammer has to send his
messages and thus reducing the amount of spam.

> Finally, Verizon and others are barred from a variety of behaviors
> because they hold a monopoly position in their market (in this case,
> residential high-speed Internet access)

I'm in a Verizon-served region.  I get DSL service from a far more
responsible and technically competent ISP than any RBOC is ever going
to be (and pay about the same amount of money I would pay to Verizon
for their crippled service for a service without NATs, DHCP, or port
or protocol blocking or transfer caps or any such silliness while
dealing with an ISP that doesn't force me to speak to phone monkeys
about things like reverse DNS mappings of my IPs by enabling
decent-quality technical support via email).  Does Verizon really have
a monopoly power if I can happily use a different ISP in their region?
They want to play in the long-distance market.  Thus, they're
obligated to provide facilities for competitors to serve users in
their area.  In my case, Verizon's involvement in providing my ISP
service is that they let the DSL aggregator (who provides ATM service
from my home to my ISP's POP) use a copper pair that Verizon owns.

Verizon, for once, decided to do something about spam that it's
spewing all over the net.  What they did would not significantly
reduce the amount of spam they send and would inconvenience legitimate
users.  Their spam-stopping technique is poor in both the social and
the engineering sense.  At the same time, there's nothing particularly
vicious about their goal--reducing the amount of spam they inject into
the net.  They need to be told about their poor choices and offered
better ones.

-- 
Stanislav Shalunov		http://www.internet2.edu/~shalunov/

"Nuclear war would really set back cable [television]."  -- Ted Turner
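
The accounting stamp discussed in the message, as an added example that is not part of the original post: the submitting MTA prepends one Received: line carrying an ISP-only identifier and leaves every original byte, including "From:", untouched. A keyed HMAC tag stands in here for the symmetric encryption the message mentions (the abuse desk recomputes it over its RADIUS session rows); the key, hostnames, usernames, addresses and the "auth-id" comment label are all constructed assumptions.

```python
import base64, hashlib, hmac, ipaddress, re
from email import message_from_bytes
from email.utils import formatdate

# All values below are constructed for illustration.
ABUSE_KEY = b"constructed-key-held-only-by-the-abuse-desk"
MTA = "mx.isp.example"
RAW = (b"From: someone@other.example\r\nTo: list@lists.example\r\n"
       b"Subject: hello\r\n\r\nbody line\r\n")
RADIUS_ROWS = [("asmith", "192.0.2.9"), ("jdoe", "192.0.2.10")]

def opaque_token(username, session_ip, key=ABUSE_KEY):
    """Keyed tag over the authenticated user; opaque without the key."""
    mac = hmac.new(key, f"{username}\0{session_ip}".encode(), hashlib.sha256)
    return base64.b32encode(mac.digest()[:15]).decode().lower()

def stamp(raw, username, session_ip, key=ABUSE_KEY, when=None):
    """Prepend one Received: trace line; every original byte is kept."""
    # Strict parsing rejects CR/LF or junk, so nothing can inject a header.
    ip = ipaddress.IPv4Address(session_ip)
    token = opaque_token(username, str(ip), key)
    line = (f"Received: from [{ip}] (auth-id {token}) by {MTA}; "
            f"{formatdate(when)}\r\n")
    return line.encode("ascii") + raw

def resolve(stamped, rows, key=ABUSE_KEY):
    """Abuse desk: recompute the tag for each session row and compare."""
    received = message_from_bytes(stamped).get_all("Received") or [""]
    found = re.search(r"\(auth-id ([a-z2-7]+)\)", received[0])
    if not found:
        return None
    for user, ip in rows:
        if hmac.compare_digest(opaque_token(user, ip, key), found.group(1)):
            return user
    return None
```
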


