Motion for a new POST NSF AUP

From: Tim Bass <>
a) Unenforceable;
b) Subject to abuse; and
c) Virtually impossible to authenticate.

I disagree with all of these premises.

c) I have been working for years on authentication. Many if not most
   PPP links are now authenticated. We finally have a IETF Proposed
   Standard for IP authentication.

   Another suggestion was that SMTP headers always contain the IP
   address. I've seen this in quite a few mailers already. All we need
   is a slight modification to the SMTP Receipt standard. This could be
   a Best Current Practice, quickly published!

b) Given some degree of authentication, I do not believe that abuse will
   be a serious problem. Fake postings "on behalf" of other parties
   will be reasonably refutable.

   There is the problem of dial-in links and such where the ISP refuses
   to disclose who the perpetrator actually is, for "privacy" reasons.
   In that case, the message appears to be from the ISP. If the ISP
   wishes to take responsibility, and protect the client, that is
   certainly the option of the ISP. But it has a cost!

a) I have told folks how to enforce this on the IETF list (last year),
   and the DNS list more recently. In the "Janet Dove" spam, here is
   what I replied to

        > Date: Fri, 08 Sep 1995 18:28:18 -0500
        > From: (Janet Dove)
        > Subject: ===>> FREE 1 yr. Magazine Sub sent worldwide- 315+ Popular USA Titles
        > Newsgroups: info.ietf.isoc,info.ietf.njm,info.ietf.smtp,info.inet.access,info.isode,info.jethro-tull,info.labmgr,info.mach,,info.nets,info.nsf.grants,info.nsfnet.cert,info.nsfnet.status,info.nupop,info.nysersnmp,info.osf,info.pem-

        Your spammed message was sent to multiple newsgroups and mailing lists.
        It cost the providers of the service several million US dollars to carry
        your spam.

        Please justify why this message pertains to the IETF or the Internet

        My fee for use of my computers, line and time to read your message is
        $150 each. Please remit $450 to:

          William Allen Simpson
          1384 Fontaine
          Madison Heights, Michigan 48071

        Payable within 30 days; compound interest at 2% per each successive 30
        days or fraction thereof.

        Please note that failure to remit timely payment may result in a class
        action suit on behalf of all parties spammed, including each such list
        and each individual subscriber.

   You may question whether this is enforceable?

   I assert that it is. This is based on previous reported case history
   for unsolicited fax advertisements. I understand (I am not a lawyer)
   that charging for actual losses to my property (cost of my personal
   equipment and time) is enforceable.

   In short, _money_ is what we are talking about here!

If we define a Post NSF AUP, then at least everyone who uses the Internet
will have had the opportunity to have read and understood what the current
Internet AUP describes.

I agree! Or, if they don't read it and understand it: "ignorance is no
          Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2

   Another suggestion was that SMTP headers always contain the
   IP address. I've seen this in quite a few mailers already.
   All we need is a slight modification to the SMTP Receipt
   standard. This could be a Best Current Practice, quickly

Hm, this is already covered. RFC 1123 says:

      5.2.8 DATA Command: RFC-821 Section 4.1.1
         * The FROM field SHOULD contain both (1) the name of the
              source host as presented in the HELO command and (2) a
              domain literal containing the IP address of the source,
              determined from the TCP connection.
              Including both the source host and the IP source address
              in the Received: line may provide enough information for
              tracking illicit mail sources and eliminate a need to
              explicitly verify the HELO parameter.

Thus, this is not a new suggestion (RFC 1123 is dated Oct 1989).


- Håvard