----- Original Message -----
From: "William Herrin" <bill@herrin.us>
Interesting. I want to abstract and restate what I think you just said and ask you to correct my understanding:
Making a service accessible to the public via the Internet implicitly grants some basic permission to that public to make use of the service, permission which can not be revoked solely by saying so.
That's correct; did you think it wasn't? The offer is *in the presence of a standard service on a standard port*; if I put a SMTP receiver on tcp/25, you are, yes, implicitly permitted to try to use it to send me email. There *is no place* to put "saying permission is revoked", so where would someone look, even if their daemon wanted to look.
If that's the case, what is the common denominator? What is the standard of permission automatically granted by placing an email server on the internet, from which a particular operator may grant more permission but may not reasonably grant less? Put another way, what's the whitelist of activities for which we generally expect our vendor to ignore complaints, what's the blacklist of activities for which a vendor who fails to adequately redress complaints is misbehaving and what's left in the gray zone where behavior might be abusive but is not automatically so?
If there are specific things you want people not to do, *make it impossible for them to do those things* (ssh authentication, for example). Above that, I suppose that rate limiting failures is expected of a connecting client... Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274