do you think that earthlink would automatically blacklist aol if it found incoming spam from aol? I think that earthlink would contact aol and say ... your ingress filtering doesn't seem to be working. It would only be after all attempts to understand aol's ingress filtering that earthlink might take action.

again ... it is analogous to somebody hearing about traffic lights for the first time and coming up with all the reasons why people would ignore traffic lights. I would claim that the current issue isn't that spam exists (aka traffic violations), it is that there are billions of spams each day. and that this easily cuts the majority of it if the top ten start doing ingress mail filtering and that ingress mail filtering is orders of magnitude more efficient than other kinds of solutions. the blacklisting isn't for the mistakes ... it is for the ISPs that obviously aren't going to follow the traffic rules.

so there are lots of kinds of tunneling. the major ISPs are already doing ingress filtering for email not coming from a recognizable customer. so tunneling actually reduces to a common vulnerability with ISPs not doing ingress email filtering (aka the tunneling issue to an ISP that isn't doing ingress email filtering is common vulnerability with a customer directly getting an email account with ISP that isn't doing ingress email filtering). So the issue comes back to ISPs that are recognized as not doing ingress email filtering.

So let's say this gets something like 80 percent of the traffic violations. So the majority of the random traffic violations are now starting to be taken care of. There are 1) the corporations effectively operating as private ISPs, 2) compromised machines, 3) random anarchy. So both #2 and #3 are vulnerabilities treated just the same as a real spammer getting a real account and directly doing spam. These two vulnerabilities should be caught by ingress email filtering.
Real spammers caught by ISP ingress filtering, compromised machines caught by ISP ingress filtering, and hit&run anarchist caught by ingress filtering .... all appear to be a common vulnerability caught by ingress email filtering.

The issues actually reduce to a very few simple, non-complex vulnerabilities from a business process standpoint (ignoring all the technology twists and turns): 1) ISPs that do ingress email filtering and 2) ISPs that do not do ingress email filtering. If ISPs are doing ingress email filtering .... then all the situations of known spammers, spammers masquerading enormously getting accounts, spammers compromising other machines and masquerading enormously, tunneling, etc ... all get taken care of. There are still the periodic traffic accidents where somebody might be able to do a couple hundred before getting cut .... but it probably reduces over 90 percent of the traffic.

So the remaining issue is whether an ISP is following the traffic laws and doing ingress email filtering or flagrantly flouting the law and letting millions of spam thru. This is regardless of whether it is a real public ISP ... or effectively a corporate/private ISP. The other ISPs then use blacklisting. The first line of defense is that all ISPs are to do ingress email filtering and the 2nd line of defense is that the major ISPs do blacklisting on the ISPs that obviously are flouting the law.

The primary business issue is that majority of spam is being done for some profit .... that the cost of sending the spam is less than the expected financial return. This should address the 99 percentile.

Again, it is very simple, first line of defense is ingress email filtering. This is only a moderate extension of what the major ISPs are currently doing with regard to not accepting email from entities that are obviously not their customers, current traffic limiting business rules, etc. The second line of defense is blacklisting ISPs that aren't following the traffic rules.
I claim, it actually is rather much simpler and much more effective.

So back to the obvious traffic violations. One is the compromised machines. Large proportion of the compromised machines are there because they all got hit by spamming virus. I claim, that over time if over 90 percent of spamming gets cut ... then 90 percent of the machines that get compromised by virus in spam can also get cut. Situation is now down to large number of compromised machines each sending couple hundred emails each ... staying under the ingress filtering radar. That is orders of magnitude better than the current situation but it is starting to reduce the case to manageable traffic violations.

So this scenario gets down to providing significantly more focus on compromised machines ... and back to a recent comment about lots of vendors saying that consumers won't pay for better security ... because they have no motivation. This is somewhat the insurance industry theory of improving on severity of traffic accidents (what motivated automobile manufactory to build safer cars). My ISP currently charges me extra over the flat rate for certain behavioral activities. Violating ingress email filtering rules would be such a valid inducement. I get ingress email filtering accident insurance; the premiums are based on the integrity of the machine I'm operating.

So, two simple rules .... 1) ISPs do ingress email filtering, and 2) ISPs blacklist other ISPs that flagrantly violate the ingress email filtering rules. With a sizeable reduction in spam, there is corresponding sizeable reduction in compromised machines. However, compromised machines that do spam and hit the ISPs ingress email filtering rules, get fined. It is treated as accident and operating an unsafe vehicle. You can get accident and fine insurance .... but the premium is related to kind of machine you operate. Some inducement for consuming public to purchase safer machines.

The two simple rules ... with the fines for violations then provides some inducement for consumer buying habit regarding purchasing safer machines. And it is all quite similar to policies and practices currently in place.

--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
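
The two rules in the post above, sketched as an added example that is not part of the original message: a sending ISP's per-customer ingress mail filter, and a receiving ISP's contact-first, blacklist-last policy toward peers. The class names, the 200-message daily cap, the 50 percent spam ratio, and the three-notice escalation are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class IngressMailFilter:
    """First line of defense: the sending ISP filters its own customers' outbound mail."""
    def __init__(self, customers, limit=200, window_s=86400):
        self.customers = set(customers)  # accounts this ISP recognizes
        self.limit = limit               # assumed cap per window ("a couple hundred")
        self.window_s = window_s         # assumed window: one day
        self.sent = defaultdict(deque)   # customer -> timestamps of accepted messages
        self.cut_off = set()             # customers stopped for exceeding the cap

    def submit(self, customer, now):
        if customer not in self.customers:
            return "reject:not-a-customer"
        if customer in self.cut_off:
            return "reject:cut-off"
        q = self.sent[customer]
        while q and now - q[0] >= self.window_s:
            q.popleft()                  # forget sends older than the window
        if len(q) >= self.limit:
            self.cut_off.add(customer)   # same handling for spammer or infected PC
            return "reject:limit-exceeded"
        q.append(now)
        return "accept"

class PeerPolicy:
    """Second line of defense: the receiving ISP contacts a peer first, blacklists last."""
    def __init__(self, spam_ratio=0.5, notices_before_blacklist=3):
        self.spam_ratio = spam_ratio     # assumed threshold for "not filtering"
        self.max_notices = notices_before_blacklist
        self.notices = defaultdict(int)  # peer -> consecutive unresolved notices
        self.blacklisted = set()

    def review(self, peer, spam, total):
        if peer in self.blacklisted:
            return "blacklisted"
        if total == 0 or spam / total < self.spam_ratio:
            self.notices[peer] = 0       # peer's filtering appears to work
            return "ok"
        self.notices[peer] += 1
        if self.notices[peer] > self.max_notices:
            self.blacklisted.add(peer)
            return "blacklisted"
        return "contact-peer"

def accepted_count(filt, customer, attempts, start=0):
    """Count how many of `attempts` back-to-back submissions get through."""
    return sum(filt.submit(customer, start + i) == "accept" for i in range(attempts))
```
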