Motion for a new POST NSF AUP

Tim,

  Presume that we've all met, decided a policy, figured out who it takes
  to "officially" make it an Internet policy, and made it happen. Simply
  amazing progress has occurred, and it's still morning on the Internet...

  Now, let's talk about the hard part: enforcement.

  Since the sender of a bulk, unsolicited advertisement may not even be
  affiliated with the beneficiary of such mail, how do you intend to catch
  the culprit? There is nothing in an email message that provides hard
  proof of identity, and there is nothing to stop me from sending all of
  my advertising as "Tim Bass". Since any host connected to the Internet
  can forge email with very little trail, relying on the purported sender
  of the message is clearly not possible for enforcement.

  Of course, one could always look towards the beneficiary of the message
  (i.e. the firm which gains the business as the result of this "misuse")
  but that's actually no better than relying on the sender. It doesn't
  matter whether the enforcement method is loss of Internet service or
  large fines, it will be very difficult for anyone to actually safely
  invoke such methods without incurring immense liability. Since anyone
  can send a bulk, unsolicited advertisement with "The Silk Road Group"
  as the beneficiary, you've now created the ultimate denial of service
  attack. Don't like a firm? Send out a massive forged advertisement for
  their latest product and watch them get disconnected from the net... :)

  Despite postings to the contrary, this is an extremely difficult problem
  to solve in the absence of authentication. While the current ad-hoc methods
  of managing such bulk advertising are not perfect, they may be far better
  than the quick fixes being proposed.

/John

A better use for your effort is to develop some hacks into majordomo or
another mailing list manager that can trivially make a list only accept PGP
signed (or whatever your favorite authentication system is) messages that
it can confirm with a public keyserver. At the very least all of the major
mailing lists that get regularly nailed by spams can transition and we can
get some authentication of the culprit.

---> Phil
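
Phil's suggestion sketched as an added example (not from the original thread, and not majordomo code): a list gate that decides on GnuPG's `--status-fd` output instead of the forgeable From header. The `ALLOWED` table, the addresses and the fingerprints are constructed placeholders, and signer keys are assumed to be already imported into the local keyring rather than fetched from a keyserver at post time.

```python
import subprocess

# Constructed policy table: primary-key fingerprint -> address allowed to post.
# The fingerprint is a made-up placeholder, not a real key.
ALLOWED = {"A" * 40: "alice@example.org"}

# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def gpg_status(raw_message):
    """Run GnuPG on an inline-signed post; return its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify"],
        input=raw_message, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    return proc.stdout.decode("utf-8", "replace")


def valid_signer(status):
    """Return the primary-key fingerprint of one good signature, else None."""
    signers = []
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None
        if parts[1] == "VALIDSIG":
            # Field 10 of VALIDSIG is the primary key; field 1 may be a subkey.
            signers.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return signers[0] if len(signers) == 1 else None


def accept_post(from_addr, status):
    """Decide on the verified key; From is only checked against the key owner."""
    fpr = valid_signer(status)
    if fpr is None:
        return (False, "no valid signature")
    owner = ALLOWED.get(fpr)
    if owner is None:
        return (False, "unknown key")
    if owner != from_addr.strip().lower():
        return (False, "From does not match key owner")
    return (True, owner)


if __name__ == "__main__":
    # Constructed status output, as GnuPG would print for a good signature.
    sample = "[GNUPG:] VALIDSIG " + "A" * 40 + "\n"
    print(accept_post("alice@example.org", sample))
```

A post that claims to be from "Tim Bass" but carries no signature, or a signature from a key the list does not know, is rejected no matter what its headers say.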