OT: Being bombarded by e-mail trojans

From: Patrick Rigney <patrick_at_evocative.com>
Date: Sat Sep 20 12:44:35 2003

> On Fri, 19 Sep 2003, J.C. Wren wrote:
> > That's not the point. The point is Verisign has broken the
> RFC by not

I think my earlier message may have not made it through the night's
maintenance, so I apologize if I'm repeating myself.

I wasn't responding to the NXDOMAIN issue, John. I was responding to the
"hype" about the use of a third-party cookie (Overture) and a one-pixel
image for tracking. That said...

> [And Sellam responded:]
> Ok, this is all making sense now. I can't believe they fucking did this.
> They have just unleashed an avalanche of spam onto my and every other
> server in existence and my business is suffering because of it. Thanks to
> these fucking assholes, it now takes me about 5 times longer to delete
> through spam in my inbox.
> > Verisgn is fixing to get bitch-slapped in a hard way, and if we're
> > *really* lucky, they'll be driven out of business. This kind of crap is
> > not in their charter.
> I'm calling my Congresswhore on Monday, and on Tueday, if this keeps up,
> I'm calling an attorney.


I think the call to your congressperson is more meaningful than the
attorney. And if that's your timetable, don't bother waiting. It isn't
going to stop.

It's clear that VeriSign is contributing to the spam problem by their
actions, but what happens when they cease and desist? Everything goes back
to the way it was yesterday. Spammers continue to use forged email
addresses in legitimate domains, and our mailboxes continue to be choked
with an ever-increasing amount of spam. Every day I get bounces for
messages never sent from my domain... someone simply hijacked it to send
their spam. Checking for the existence of a valid domain name has been a
long-standing filter, but it has always been a weak one that spammers have
easily worked around, and only the stupid and inexperienced ones bother.

IIRC, this whole discussion started with the problem of a mass-mailing worm
sending volumes of mail with a large attachment, and got onto this. This
problem is also not solved by RFC compliance. A mass-mailing worm typically
forges its source identity by using addresses in the infected party's
address book, which are generally going to be valid addresses in valid
domains, and possibly even people you may know as well. They do this to
capitalize on your implicit trust. In any case, VeriSign's actions probably
made no contribution to this problem.

I'm not trying to defend VeriSign here. They are contributing to a problem,
that is clear. I'm trying to point out that the spammers are the real
offenders and their activities predate both SiteFinder and VeriSign, so
while slapping VeriSign to bring them into compliance with the RFCs may be
just, right, and necessary, it is far from solving the problem of spam.
VeriSign's actions are offensive and demonstrate that they are poor
custodians of the responsibility they carry, so it's easy to focus on it,
but it remains only a very small part of the Big Picture.

On The Screensavers (a TechTV show), this 17-year old kid called in and
argued with Pat and Leo over spam, claiming that anything we do to block it
he can work around, and it's worth the effort because he can make $1,000 a
day easily sending bulk advertisements for his clients (see link to their
show notes at the bottom of this message). With that kind of money and no
meaningful consequences, is it any wonder we get this crap in volume? Is it
any wonder that today I am defenseless against my future teenage daughter
opening her email to see things like "Watch me and my teen slut friends **ck
and **ck huge **cks"?!??!? Damage is done on delivery, and God forbid she
opens that message and sees the attached picture. I get emails like this
every day, lots of them. Don't our congressional representatives as well?
Are they awake?!? "Just delete it" isn't an answer. This kind of crap
needs to be illegal, meaningfully punishable, and crisply enforced.

Congress has done an embarrassingly bad job of addressing the spam issue
meangingfully so far--pretty much useless, IMO. They need to be informed,
they need to open their minds and really understand the issues, and they
need to understand why what they have done so far isn't effective, and that
technical solutions alone will not address the problem. And, enforcement
and prosecution needs to be handled as a criminal matter, with real interest
and urgency on the part of law enforcement, not a civil matter that's so
potentially burdensome on the complainant that it's not worth the effort.

One more thing to add... I personally do not believe it is appropriate for
any for-profit company to be in the role VeriSign is in with respect to
domains. I also believe that putting VeriSign out of business at this stage
would be very harmful to the 'net economy and the economy in general. For
better or worse, VeriSign provides a breadth of services upon which a huge
number of businesses relies, and their absence would leave a gaping hole and
huge mess to straighten out. The interruption or absence of these services,
even temporarily, would drive many businesses under, especially in these
delicate, not-quite-recovery-for-everyone times. It is a huge error that
VeriSign has ended up in this role with relatively little supervision, and
reversing that without making a bigger mess of it and killing a lot of
innocent bystanders would take a lot of very delicate, well-planned
dismantling. MO.

John Postel, you are missed.



Scroll down to bottom of page to find "In defense of spam"
Received on Sat Sep 20 2003 - 12:44:35 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:36:26 BST