There was a BOF at IETF last December. The guy running it didn't really want to judge the merits of whether it was good or bad, only if it was technically possible to do something about it. It was an SRO event and ran long. Paul takes that to mean that lots of folks are against this stuff. A couple of Internet-Drafts are in process and one may be available in the ID repository now. That draft suggests what should be done to mail software to make this easier (most mail software is not configured this way by default and the hope is that having an RFC saying what should be done will influence what vendors do).
There is another working group that is working towards writing some kind of document that basically says that SPAM is bad.
What I am doing is supporting the Smith Bill (see www.cause.org). Besides that, I am also running RBL (Realtime Blackhole List). This is really a list I created of sites that have spammed me and would not stop spamming me when I asked them to stop. Until there is a law that makes spam illegal, the RBL is really a holding action. There are 110 people subscribed to the list now. People must subscribe to get the list. This is important to keep the list real-time. BGP and DNS access is available. Check maps.vix.com for the details.
Paul's comments as best I could transcribe them appear in this font. -- Ed.
How many entities are in the RBL? Is it growing?
There are about 450 in there right now. It is gradually increasing.
Would it be possible to create a mechanism to prevent dialup folks from connecting to SMTP servers other than those provided for your use by your provider?
I thought about this. There is something called the Global Roaming Agreement that permits local ISPs from having to have modem banks everywhere. This means that the dialup users could have a different address depending on where they are in the company. It's possible to make this work with RADIUS, but most hardware can't handle this on large numbers of ports.
Bill Norton: What's going to happen as a result of the BOF at the IETF? Is there a generally accepted definition of SPAM?
If there is a preexisting relationship between the sender and the receiver (like registering software), you may have given the vendor the permission to send you advertisements. Paul has attempted to work with vendors to have this
The IETF has decided to create a narrowly-focused working group.
Avi Freedman: I can offer access to the machines used to create the Boardwatch performance report. Contact me for the details on how the access works. I know this does not really fit into this discussion, but I wanted to make this comment anyway.
How many complaints do you have to get to be added to RBL?
Because of the volunteers I have available now, we really try to work with the site (usually a relay site).
Jeremy Porter: We can pass laws in the US to make it illegal, but it won't deal with the international problem. Won't it continue to grow at the rate the Internet grows?
It will really grow as resources permit, so it will probably grow at a smaller rate. The Smith law does reach both the sender and the spam house responsible. See the bill for all the details.
Jeremy Porter: It seems easier for me to pursue dealing with spammers who are geographically local to me. It seems like we need more than a law, like a group of volunteers' time, to pursue local spammers.
I am delighted to see this, and you are right that we will need more than law.
Bill Norton: What should he tell folks to do about Spam?
Going to court is difficult, but it can work. However, if you don't want to dedicate your staff to pursuing this issue, you should include something in your terms and conditions that would prohibit spamming. Check the web page for more on what you can do fairly easily.
Stopping mail relay is a good idea.
However, dealing with abuse reports will continue to eat staff time unless you (as an ISP) commit to stopping spam from your customers. And, it will still eat time. Hopefully, just not as much.
Someone says: There is a denial of service attack where someone can fake spam from another domain and the RBL could drop them when they are not guilty.
Yes, this is bad. That's why investigation must be done before action is taken.
I also think that the flat rate paradigm [for access to the Internet] is doomed. There will be a day when folks will need to pay to transit email.
Christian Huitema asks if Paul has considered looking to see if the bodies of messages are similar enough to keep spam out?
This is a good idea and there is a lot of good work in this area. Unfortunately, it inflicts a high computational load.
Bill Norton: Would the IETF solution be a new type of mail system?
It will probably not be a new mail system, but more adding some kind of authentication system in SMTP. It probably would have been done in DRUMS, but there is considerable feeling that it should be done sooner than DRUMS.