On Fri, Oct 26, 2001 at 01:01:04AM -0700, Paul A Vixie wrote:
That's vaporware at the moment. Until it's realized, senders must follow a universal standard for determining whether their traffic will be welcomed by receivers and intermediate systems whose AUP's aren't published in a mechanised form and with whom the sender has no direct relationship, or contract, or terms of service.
The burden is on the sender? We'd better all turn off our hosts. The sender (and in many cases the receiver as well) have no method to verify all intermediate systems. The range of unwritten grey is also huge. Consider: 1) If I request a web page without first asking permission, is that wrong? 1a) If I then immediately reload it fetching it twice, is that wrong? 1b) If I wget the whole site, is that wrong? 1c) wget it once an hour? 1d) Request web pages as fast as my system allows? 2) If I send e-mail to someone@pobox.com containing a picture of people in the office, which includes some women, and it happens to forward to a server in Afghanistan where women can't be seen without their face covered, is it my fault? 3) If someone wget's my web server downloading several hundred megs and I decide then to send a single ping back, and do a single DNS lookup, is that wrong? 3a) I ping every host in their netblock once, is that wrong? 3b) I leave a standard once-a-second ping running for a day to check them out? 3c) I flood ping them from all my hosts as fast as I can? There is a long legal tradition in civil life that if you don't want someone to do something, you must give them notice. Put a sign that says 'no solicitations' on your door, and if someone rings your doorbell to sell you something then you have a legitimate complaint. If you hang no such sign, or if you put it on your back door when everyone comes up to your front door then you have no complaint, and your recourse is to ask them to leave. For the more serious events, there is criminal law preventing them from bringing 200 people to your door (an illegal gathering) and the like. The networking world is similar. Put up a web server and you can't complain about someone downloading your web page once. Put up a host, and someone pings you a small number of times, you can't complain either. Make the front page of your web site say 'unauthorized access prohibited' and then someone gets the front page and continues to spider the whole site, and you might have a claim. If you filter pings, and someone still sends tons of them your way, and you might have a claim. If someone SMURF floods you that's a criminal matter as an attack, regardless. Also important is the notion of transaction, which seems to have been lost in this discussion. If a user requests a web page it is quite possible that the web server may attempt to use a mechanism other than HTTP to communicate with the client. In the simple example, consider a web server that for each page downloaded pings the client once and uses that data to improve the client experience. In my opinion, that ping is part of the transaction of getting the web page that the user requested, and as such cannot be considered abusive. This is particularly true when the volume is high. I've seen queries before from sites hosting thousands of users accessing popular sites who complain that the site then sends back a couple of hundred pings. It amazes me that people think the Internet is going to be different than the real world. I don't know about the rest of the people on here, but I get my share of telephone soliciter and junk mail even with using some of the junkbusters techniques. It's legal, and the way the world works. The same thing happens in cyberspace. When I receive the e-mail about how someone's IDS caught a user sending a single traceroute to their site I have to wonder how this person has so much free time as to investigate such things. If you connect to the net you will get pinged from time to time. Someone may traceroute to you. Heck, they might try to get a web page from you. If you don't like it, block it. If they only try once or twice and then go away, don't complain about it. They came up, read the 'sign' as it were, and went away. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org