Tuesday, June 28, 2005


Frustrated by spam? Blame the IETF. I sure did today on their primary mailing list. I probably sparked a war :) Just in case they choose to block the post, it is here for posterity's sake.

Some guy named John wrote something that sort of triggered a lot of bottled-up angst for the IETF. Partly because the IETF has turned, in the past few years, into a bunch of technically-correct drunkards. Instead of actually doing stuff at BOF (Birds of a Feather) meetings, they get drunk. Every time I receive a piece of spam, I think about how the IETF is not doing anything about it. Anyway, here is John's post and my witty reply:

> John C Klensin wrote:

>> But the notion that the IETF can prevent something from happening or
>> being deployed by declining to register it, or by turning our
>> collective backs on it without any real explanation -- even at the
>> waist of the hourglass -- is, in this world, just delusional. And, if
>> that delusion prevents the IETF community from explaining, carefully
>> and in public why the idea is a bad one, then it is we who are putting
>> the Internet at risk.
>> john

(This message is duplicated on my blog, so, moderators, don't even bother trying to block it).

So...why hasn't the IETF labeled SMTP and POP3, not just a bad idea, but a terrible one and scrapped (obsoleted, terminated, or whatever you want to call it) both protocols and come up with something completely new without a migration path (i.e. the terminated SMTP and POP3 protocols can't talk to the new protocol and vice versa)?

While that is some lovely writing, I have yet to see the IETF do anything constructive in lieu of the spam that plagues the Internet. In my book, the IETF is to blame for spam, both its existence and its continuation. Also, from what I can tell over the past few years of watching this list, no one in the IETF has the guts nor the spinal column needed to do anything about it. Instead of all of you getting drunk at BOF meetings, how about actually fixing the spam problem and perhaps a few other protocols while you are at it? You are the Internet _Engineering_ Task Force. It is your job to make new protocols and fix broken protocols, and it is the implementor's responsibility to follow changes without complaint. If you terminate SMTP and POP3 or simply re-write the core Internet protocols from the ground up, every implementation out there MUST follow. If the IETF thinks it can do nothing about spam, then it is already delusional and the world needs a new organization that isn't blind to the world's needs. We wouldn't have the problems today that we currently have if the IETF was actually doing its job.

All I have to ask is: Who around here loves receiving spam? Who is ultimately responsible for the spam people get?

Bite the bullet, get some guts, and grow a spine. Sure it is scary to replace major protocols in such a radical fashion, but we all know it is long overdue, so just do it. Implementors around the world will love you if you do (spam drives them up the wall because they have to constantly counter-act it with new "needless" features in their servers).

Note that this is partly my personal angst, partly an implementor's view, partly because spam is a real problem that isn't being dealt with, and partly because SMTP and POP3 are so incredibly old and riddled with hacks for MIME, attachments, multi-byte character sets/Unicode, and use cleartext transmissions (except over more recent SSL/TLS hacks). At some point the hacks have to hit a limit and spam was the indicator of that limit, only the IETF ignored it and kept going.

Frankly, I wouldn't be surprised if, in the near future, companies and individuals started suing the IETF for damages for every spam message they receive. I'll bet a class action lawsuit against the IETF would get public attention real fast...and not in a good light either for the IETF.

So, what do you think? Am I being a bit overzealous? The IETF manages (more like guards, but manages will suffice) RFC822 and related kin. RFC822 is the most basic definition for SMTP. The most absolutely mind-boggling thing is that the IETF is well aware of spam and yet they explicitly state, and I quote, "those RFCs [pertaining to SMTP and POP3] are not open to changes." Therefore, it is logical to conclude that the IETF not only is aware of spam, they also have zero plans to do anything about it. In medicine, this is called negligence...something for which doctors can be sued. For this reason, it is also logical to conclude that the IETF can be sued for damages for every spam message ever sent. I've heard that companies have to wade through 40,000 spam messages a day to get at the 150 good ones buried inside. Spam filters cause e-mail to be dropped, bounced, and otherwise be lost forever from legitimate users. Companies with spam filters have the huge potential to lose a lot of customers from filtered e-mail. The solution is to go to the source, but the IETF is the source and they aren't changing SMTP or POP3. If you want to sue someone for spam, try the IETF.