At a meeting a few weeks ago, a bunch of us made the claim that the NANOG list could in most cases be self-policing. In that spirit, it seems worth pointing out that this discussion of the Russian Mafia, Chechen freedom fighters, the EFF, and China, seems to be heading in a direction that would be a bit off-topic for the NANOG list. -Steve On Mon, 15 Nov 2004, Steven Champeon wrote:
on Mon, Nov 15, 2004 at 02:47:14PM -0800, Tom (UnitedLayer) wrote: On Mon, 15 Nov 2004, Steven Champeon wrote:
And this affects those of us with not-so-old, not-so-slow machines how?
By the fact that there is no way in hell that he could relay a large amount of spam...
You seem to be confusing the single instance with the widespread application of the policy. My problem is with the latter, which is what the EFF is pledged to defend in the face of widespread damage to the medium they hope to save thereby.
Put simply, I'm fine with a few well-known anonymizing mail servers. I also reserve the right to reject mail from them.
I am not fine with an organization pledged to defend the principle for /all mail servers and spam sources/ regardless of whether they are under the control of spammers (and with no mind paid to the fact that a great deal of spam is sent via compromised machines that are unlikely to be used by freedom fighters or whistleblowers, etc.)
Come on - do you really think the Russian mafia is going to allow free use of their botnets so that Chechnian freedom fighters can post propaganda? I don't. Not even if they were paid for it.
The bottom line is that Gilmore, and the EFF, have taken a very soft stance on spam, believing it to be less important than "free speech" or "anonymous speech".
By definition, the EFF's main concern is free speech and privacy.
And I have supported them in the past for exactly their dedication to that concern. However, they now confuse government censorship on the one hand, with the abuses of a system by fraudsters and others (often in league with the very same countries whose censoring governments the EFF opposes) on the other.
Alan Ralsky hosts his servers in China. Do you really think that the goal of protecting freedom is served by encouraging everyone not to reject mail from those servers? Given that China's rDNS is so hosed or nonexistent as to make local, automated judgements difficult to impossible, it's far easier for those of us who don't want Ralsky's junk to simply reject all mail from China. If China doesn't like it, they should reconsider hosting Ralsky. The same goes for any country or ISP hosting or enabling spammers. And yes, I know that's a broad brush, and may not be appropriate for everyone. That's my whole point - that by ceding the spam battle over a misguided idea of protecting free speech, the EFF is actually encouraging others to paint with similarly broad brushes in their own defense - and undermining their own intentions.
I didn't make the decision to allow 419/AFFers to post through Tiscali's webmail servers - Tiscali did, and they continue to let the abuses occur.
Bigpond has largely fixed their 419/AFF problem, by disallowing use of their webmail accounts to non-AU users (in the process, they also broke their Received: header trace information, but hey). Got a problem with their policy? I don't.
I had a user here who got upwards of 100/day - nearly all 419/AFF spam. Much of that has disappeared, thanks to the implementation here of policies that others were incapable of making, in order to deal with /their/ abuse problem, not mine.
Privacy is a great goal. In my mind, it has its price. If I want to vote to protect my privacy, I register. If I want to drive a car, I get a license and get insured, and can prove it in case I run into someone else. If you want to be on the Internet, I damn well better be able to contact you (or someone who has taken responsibility for your presence here) in the event that you run dictionary attacks against my mail server, or try to send a million spam messages through your broadband channel, or run a worthless and buggy OS without a firewall and thereby let yourself get owned by anyone and become a vector for abuse.
Barring that, I'll just block you and anyone who looks like you, and call it a day, and selectively unblock or whitelist once you've met my policy criteria.
Those who prattle on about rights forget about their corresponding responsibilities, and undermine their very case by appearing to lack any sense of the price we pay for the former through the latter.
http://eff.org/wp/?f=SpamCollateralDamage.html
Wow. So, any collateral damage is unacceptable?
To me, and people who rely on email for reliable communication, yes absolutely. Collateral damage is unacceptable, period.
Then it would behoove you to support efforts to make email accountable rather than decry such attempts as censorship. Lacking other solutions to the spam problem, everyone tries their own. Which is more important? That we can all get behind industry-wide proposals, or that we all uniquely splinter useful protocols due to our own necessities, dictated by the demands of real usage? I'd love to stop wasting time chasing the rats out of my mail server. Until then, I am doing what I can to analyze inbound spam and adjust my policies accordingly to keep it out.
Rather than fight for the rights of the vast majority of the suffering masses just yearning to send email reliably, the EFF has chosen, de facto, to defend the rights of the spammers, who benefit enormously from the existence of unaccountable servers/proxies.
Its even worse when administered punitively (like SPEWS/etc) because its done with the intent of disrupting other people's lives.
Sure - in order to get their attention (or their ISP's attention) and presumably alert them to, and get them to fix, their abuse problems. I don't use SPEWS here (for various reasons) but I don't have any problem at all with someone else building a policy that includes the use of SPEWS.
If you're going to fight something, and you feel its worthwhile, fight it on the high-road.
That's what I'm doing. I am fighting the widespread lack of accountability of email senders by implementing policies that demand same; if I can't report abuse to a living person with some expectation of a change in the behavior of their customers, I don't accept mail from them. Sadly, this has meant that sometimes legitimate mail is rejected, with an informative message saying why. The EFF, on the other hand, wants email to remain an unaccountable medium for the sake of a miniscule amount of potential messages whose content could well be delivered in other ways.
In a nutshell, email requires accountability. The EFF apparently thinks that is too high a price to ask for email.
I think you're missing the point. Anonymous communication saves lives, allows people to "blow the whistle", and in general it serves the greater good to have it exist.
At what expense?
Email already has an "audit trail" built into it,
No, it does not. More accurately, the mail server /you control/ has a minor amount of tracing information that it can insert into a message; all else is untrustable - and the EFF wants to further undermine the remainder in the case of relayed mail (by defending the principle of anonymous relay transmissions). I already reject mail from servers whose webmail implementations do not include useful tracing information (just as I reject mail from those systems if the origin is a common source of Nigerian 419/AFF junk). Don't like it, and you're a user/supporter of said systems? Put pressure on the systems in question /to fix their servers/ so that the fraudsters are kept out, or so that they can be tracked and dealt with.
and you can at least track it to some extent if you know what you're doing.
No, sorry, that's false, too. You can /make an effort/ to rely on untrusted information, to posit a source beyond the last relay; that is all.
Does email need a DNA signature for the sender? In my mind no, you can get that if you use PGP signatures and look how few people actually use that.
You undermine your own case here. Let the anonymous senders create and post keys via public servers then encrypt their messages with those keys. Authentication is not the same as encryption or identification, nor do any of them necessarily compromise anonymity or demand unaccountability in sending mail.
Anyway, the bottom line is that I no longer pay the EFF to fight on the side of my enemies. All else boils down to "my network, my rules" and "it'd be great if we all had the same rules and could talk to all the other networks".
-- join us! http://hesketh.com/about/careers/web_designer.html join us! hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
-------------------------------------------------------------------------------- Steve Gibbard scg@gibbard.org +1 415 717-7842 (cell) http://www.gibbard.org/~scg +1 510 528-1035 (home)