
SMTP will not be fixed

The IETF initially disregarded—and later declined to mitigate—the vulnerability of SMTP to social engineering attacks by cybercriminals, even though similar fraud had been practiced by telephone and fax for decades prior to the standardization of email. The IETF instead committed to the principle that anyone, claiming any identity (i.e. “real name”), must be able to email you any content, without limits. Their justification has long been that “spam” is inevitable but manageable, and therefore a minor irritation. As a result, email became and will forevermore be a universal cyberattack channel.

A significant number of people have offered proposals to prevent email abuse, with the intention of working on the issue, only to be dismissed and even mocked. Indeed, IETF members began circulating the text below in an effort to curtail critique. The clear (but bizarre) implication is that a protocol that prevents weaponization of electronic correspondence is pointless.



Source: rhyolite.com. Format altered for clarity.


You might be an anti-spam kook if…

Each item in the following list was suggested by the words or actions of people who presented themselves to the IETF or elsewhere as having discovered the FUSSP. Some of the items may seem obscure to those who have not dealt with the IETF.

Almost all of those who have inspired this list mean well. In many cases, they are not in the habit of thinking critically and believe that “Star Trek” accurately depicts the creation of hardware, software, and even social or political mechanisms.

spam fighter: You have discovered the Final Ultimate Solution to the Spam Problem (FUSSP).
trailblazer: You are the first to think of the FUSSP.
knows the competition: You started looking for the FUSSP after observing that it is impossible to filter more than 99% of spam with fewer than 0.1% false positives by currently available mechanisms.
knows the competition 2: Despite being the inventor of the FUSSP, you are unfamiliar with false positive, false negative, UBE, tarpit, teergrube, Brightmail, Postini, SpamAssassin, DNS blacklist, HELO, RBL, or mail envelope.
entrepreneur: You will make money by licensing the FUSSP.
entrepreneur 2: You will build the FUSSP as soon as you find some investors.
entrepreneur 3: Since most spammer domain names are bought with stolen credit card numbers, delay domain name activation for 30 days.
netizen: You don't plan to make a fortune from the FUSSP, but you do expect recognition as its generous and public-spirited netizen inventor.
don't get no respect: You are hurt and angry because you are not respected as a spam fighter.
don't get no respect 2: People don't see the value of the FUSSP because they have axes to grind, are jealous, or are too stupid to understand it.
don't get no respect 3: You invented the FUSSP but thieves stole the idea. Never mind that the so-called thieves talked about your idea in public and used it long before you first thought of it.
don't get no respect 8: You have no solutions for the problems in the FUSSP and your implementation and deployment plan is to tell Google, but you do know that Arthur C. Clarke wrote "When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong."
spam fighter 2: You realized how to stop spam during the more than six weeks you've been fighting it.
e-postage: The FUSSP assumes that your attention is so important that strangers will pay money to send you mail.
knows SMTP: Despite having invented the FUSSP, you not only don't know the difference between the SMTP envelope and SMTP headers, you doubt there is such a thing as the SMTP envelope because email doesn't involve paper.
knows SMTP 2: Despite having invented the FUSSP, your SMTP header and DSN reading skills are such that when you send a mail message to two sites and one rejects it, you can't tell that only one rejected it, not to mention which one.
critical thinker: You cannot name several potentially fatal flaws in the FUSSP.
senior IETF member: All you need to do to get the FUSSP implemented and deployed is to publish an RFC or get a law passed.
programmer: You don't recognize any significant difference between deploying and implementing the FUSSP.
senior IETF member 2: You plan to publish an RFC mandating the FUSSP but have never heard of RFC 2223 or RFC 2026.
knows SMTP 3: Inventing the FUSSP did not require that you know the difference between RFC 821 and RFC 822 or that they have been replaced by RFC 2821 and RFC 2822.
senior IETF member 3: You don't know the relevance of consensus or IESG approval to publishing RFCs.
senior IETF member 4: You think all RFCs have the same standing.
spammers are stupid: Spammers won't ignore, subvert, or exploit the FUSSP if you publish it as an RFC.
spammers are stupid 2: Spammers can't use automation or cheap labor for puzzle solving, character recognition, or other hoops that the FUSSP requires of legitimate mail senders.
spammers are stupid 3: The FUSSP depends on spammers or mail recipients changing their behavior without any immediate gain.
senior IETF member 5: The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.
irresistible bandwagon: The FUSSP will be the only spam defense used, or at least everyone will make special provisions for it.
programmer 2: The FUSSP is easy to implement and deploy, but you have done neither.
senior IETF member 6: Your job is done after having explained the FUSSP to the IETF or The Industry.
senior IETF member 7: Programmers will drop everything to implement the FUSSP.
senior IETF member 8: You think that a violation of an RFC by an SMTP client or server is good and sufficient reason to reject all mail from the system's domain.
programmer 3: With standards, the implementation cost is about zero, so the FUSSP will be practically universally deployed within months of being documented in an RFC.
knows SMTP 4: You know that SMTP has no authentication and have never heard of SMTP-AUTH, SMTP-TLS, S/MIME, or PGP.
knows SMTP 5: You know that the failure of SMTP servers to authenticate the SMTP clients of strangers is a major bug in SMTP instead of an expression of a primary design goal.
knows SMTP 6: Despite discovering the FUSSP, you don't know the meanings of MTA, MUA, SMTP server, SMTP client, or submission server.
programmer 4: The FUSSP requires a small number of central servers on the Internet to handle certificates, act as pull servers for bulk mail, account for mail charges, or whatever, and that is a good thing or not a problem.
programmer 5: The FUSSP uses central servers to manage all mailing list subscriptions on the Internet, handle digital signatures for mail, and track spam. Your impression that Google has 100% uptime shows that this problem can be solved by using a bunch of Linux systems.
programmer 6: The central servers required by the FUSSP to handle all mailing list subscriptions, digital signatures for mail and so forth will be run by a non-profit organization. It will be easy to find or create a non-profit organization that everyone will trust.
programmer 7: The FUSSP requires that anyone wanting to send mail obtain a certificate that will be checked by all SMTP servers.
programmer 8: The FUSSP involves certificates, but there is no barrier to spammers buying many independent certificates.
programmer 9: You know that certifying that a user legitimately claims a name and has never used some other name is cheap and easy.
programmer 10: You feel that most Internet users would be happy to pay $5/month to avoid spam and you do not know the price of anti-virus software or data.
programmer 13: The FUSSP involves ISPs issuing certificates to users and the ISPs that today don't terminate the accounts of spammers and don't investigate prospective customers enough to refuse service to spammers today will refuse FUSSP certificates to known spammers and revoke the certificates of new spammers.
activist: The FUSSP involves convincing everyone to not buy anything advertised with spam.
knows SMTP 7: You have never heard of RFC 2554 or RFC 2487 and the FUSSP includes fixing the lack of authentication in SMTP.
knows SMTP 8: The FUSSP won't work on mobile clients such as cell phones and PDAs and that is not a problem.
programmer 11: The FUSSP involves replacing SMTP.
programmer 12: The FUSSP involves replacing TCP/IP, because you consider TCP/IP insecure, and never mind that you do not define "security."
spam fighter 3: You routinely send single reports of single examples of objectionable mail to more than two dozen addressees.
spam fighter 4: Your definition of spam differs significantly from "unsolicited bulk email."
complicated: The FUSSP cannot be described in fewer than 100,000 words.
don't get no respect 4: The existence of this list is proof that the spam problem will never be solved by the people currently working on it.
don't get no respect 5: You frequently use terms from math, statistics, and information theory, but have never heard of The Law of Large Numbers and think entropy is something about heat.
don't get no respect 6: Nothing in this list applies to your solution to the spam problem except some entries that are neither ironic nor silly.
don't get no respect 7: This list was written specifically to insult you.