Re: Fwd: Re: Digital Island sponsors DoS attempt?
Philosophically I think the EFF is right. Blocking a single legitimate e-mail is very bad, and should be avoided at all costs.
Bad for whom? Only for the sender? Does this sender have rights which should supersede the property rights of recipients and of infrastructure owners? If so then who gets to decide whether mail is legitimate or not? The sender again? If so then why should anyone ever be allowed to filter out "spam", either as a recipient, or as an infrastructure owner? That way lies madness. Senders have no such rights, and the determination of a message's legitimacy lies with recipients (and perhaps infrastructure owners) NOT senders. A sender's rights are determined by their contract with their ISP, and an ISP's rights are determined by their contracts with their peers and transit providers.
Practically I think that the tactics of MAPS and ORBS and other blacklists are necessary right now. I'd like nothing better than to see them go away because better technology has come along.
Agreed. (And note that I no longer have an operational role at MAPS.)
Legally (eg, if congress were going to pass a new law) I'm very much on the side of the EFF, because the law must be pure and true, because anything less impinges on our civil liberties.
I also want the law to be pure and true, but there is no civil liberty involving the transmission of e-mail or any other traffic whose cost of delivery is paid in any way by anyone other than that sender.
On Sun, Oct 28, 2001 at 12:28:47PM -0800, Paul Vixie wrote:
Philosophically I think the EFF is right. Blocking a single legitimate e-mail is very bad, and should be avoided at all costs.
Bad for whom? Only for the sender? Does this sender have rights which should supersede the property rights of recipients and of infrastructure owners? If so then who gets to decide whether mail is legitimate or not? The sender again? If so then why should anyone ever be allowed to filter out "spam", either as a recipient, or as an infrastructure owner?
I was using legitimate in the sense of 'e-mail that the receiver wanted to receive'. That could extend to other services as well. Consider when MAPS blocks a web site because someone is whack-a-mole spamming directing people to the web site. It may be the case that there are users out there that never received spam, but wanted to view the web site and are prevented. On a philosophical level I have a real problem with that. It's easy to take this to an extreme as well, if your network ever generates a single spam it should be disconnected from the Internet. Legitimate also takes on other forms. If I choose online billing for phone service, and then don't pay I may not _want_ a message from the phone company saying 'pay up or else', nor do I think most people would defend blocking such a message as blocking "spam". To more precisely define it, UCE is what I care about, those three words, Unsolicited Commercial E-mail fairly precisely define the bad type of e-mail. If the methods employed to block UCE block solicited commercial e-mail, or any form of non-commercial e-mail then we need to find better methods. (Note, this leaves a small potential problem, in that people promoting religious beliefs and the like might attempt to bulk e-mail under the guise of it being non-commercial. For now I will assume any interesting entity must have real $$'s invested, and therefore fits a broad definition of commercial. If it is believed this would be a real problem I'll think about it and form an opinion.)
I also want the law to be pure and true, but there is no civil liberty involving the transmission of e-mail or any other traffic whose cost of delivery is paid in any way by anyone other than that sender.
Witness ORBS, who had a judgment against them for doing bad things. In a way, all those who used and supported ORBS were guilty as well. I also don't want to see anti-spam provisions in laws that make us give up rights, like governmental ability to wiretap all communications without a warrant to scan for spam. That would be bad, as they would be scanning many non-spam communications. The spill over from fighting spam can have some dangerous consequences. I also think it's very important to get past the 'who pays' argument. It's a good argument from a technology point of view, or from the individual's point of view, but it doesn't work in the abstract. Worst case is someone will develop and popularize (or legislate) a settlement system where the sender can pay for the entire transaction. If we assume the sender and receiver are expending equal resources we just doubled the cost to spammers. I suspect that would be a non-issue to the spammers. It's still orders of magnitude cheaper than direct mail, or TV or any of the alternatives. I don't think any of us want to 'rewire' the net to provide a settlement system that in the end would only legitimize spam, and likely increase the amount most users receive. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Sun, Oct 28, 2001 at 04:15:42PM -0500, Leo Bicknell wrote:
To more precisely define it, UCE is what I care about, those three words, Unsolicited Commercial E-mail fairly precisely define the bad type of e-mail. If the methods employed to block UCE block solicited commercial e-mail, or any form of non-commercial e-mail then we need to find better methods. (Note, this leaves a small potential problem, in that people promoting religious beliefs and the like might attempt to bulk e-mail under the guise of it being non-commercial. For now I will assume any interesting entity must have real $$'s invested, and therefore fits a broad definition of commercial. If it is believed this would be a real problem I'll think about it and form an opinion.)
I am trying to be good :) If you change one word in your definition... you cover the "small potential problem" (which has been seen already) without losing anything. Unsolicited Bulk E-mail. I don't care if it's Commercial, Religious, Charity or other, if it's bulk and unsolicited, it's wrong. The example that immediately jumps to mind was (if memory serves) May or June 2000... a little girl Sarah Payne was abducted in the UK. After a few days, people all over the world started getting spammed asking for help. There was no evidence that she left the country, yet a mass mailing went out with no regards to geography. Did I feel bad for Sarah's family? Yes, especially as I had driven up and down the road she was abducted near several times around the time she went missing. Were the spammers well meaning? Yes. My problem with it? "It does not scale". How many kids go missing every week from somewhere in the world? -- John Payne http://sackheads.org/jpayne/ john@sackheads.org http://sackheads.org/uce/ Fax: +44 870 0547954 To send me mail, use the address in the From: header
On Sun, Oct 28, 2001 at 09:26:02PM -0800, John Payne wrote:
I am trying to be good :) If you change one word in your definition... you cover the "small potential problem" (which has been seen already) without losing anything.
Unsolicited Bulk E-mail.
I'm not sure I like the use of the word bulk. The reason is that it is not precise. Is 10 bulk? 50? Is it only bulk if I use a "spam tool"? Unsolicited, Commercial, and E-mail all have precise definitions. Particularly if we're going to get something (eventually) into a useful law I think we need to make sure it is entirely defined of precise terms. You do cite a good example of my "small potential problem". Nothing immediately comes to mind as a good way to catch it without causing good things to get caught up as well. I'm going to think about it. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Mon, Oct 29, 2001 at 08:46:09AM -0500, Leo Bicknell wrote:
On Sun, Oct 28, 2001 at 09:26:02PM -0800, John Payne wrote:
I am trying to be good :) If you change one word in your definition... you cover the "small potential problem" (which has been seen already) without losing anything.
Unsolicited Bulk E-mail.
I'm not sure I like the use of the word bulk. The reason is that it is not precise. Is 10 bulk? 50? Is it only bulk if I use a "spam tool"?
Bulk is more than 1 copy. How do I know if something is bulk? A simple test. Is this something that could have been sent to someone else with either no modification, or a trivial "mailmerge" operation. It then becomes up to the spammer to prove otherwise to his abuse desk, who will probably have received multiple complaints anyway.
Unsolicited, Commercial, and E-mail all have precise definitions. Particularly if we're going to get something (eventually) into a useful law I think we need to make sure it is entirely defined of precise terms.
Sure... but focusing on commercial is dangerous.
You do cite a good example of my "small potential problem". Nothing immediately comes to mind as a good way to catch it without causing good things to get caught up as well. I'm going to think about it.
My feelings are if it's unsolicited and bulk, then it ain't good. SPAM-L is one mailbox over that way ----> -- John Payne http://sackheads.org/jpayne/ john@sackheads.org http://sackheads.org/uce/ Fax: +44 870 0547954 To send me mail, use the address in the From: header
I'm not sure I like the use of the word bulk. The reason is that it is not precise. Is 10 bulk? 50? Is it only bulk if I use a "spam tool"?
Bulk is more than 1 copy. How do I know if something is bulk? A simple test. Is this something that could have been sent to someone else with either no modification, or a trivial "mailmerge" operation. It then becomes up to the spammer to prove otherwise to his abuse desk, who will probably have received multiple complaints anyway.
I generally measure bulk in a more subjective but more useful way. If someone composes ten pages of text and sends it to three people, I don't consider that bulk. If someone sends one paragraph of text they composed to fifty people, that's bulk. If someone adds 'look at this' to twenty pages they stole from someone else and sends it to 10 people, that's bulk. The test is, is this person trying to spread a minimum amount of original content to the maximum number of people? Or is the content specifically targeted to each person by a human being? In other words, is this a rifle being aimed or a machine gun being sprayed? Is a person trying to use email as a publishing means? I have no objection if someone who honestly saw a message I wrote and thought I'd be suitable for a particular job emails me asking if I'm interested. However, the same email would be bulk if sent to everyone who posts to NANOG, even if it says, "I saw your post about "Re: Fwd: Re: Digital Island sponsors DoS attempt" and thought you might be interested in buying our premium fishing worms". DS
On Mon, 29 Oct 2001 08:46:09 EST, Leo Bicknell <bicknell@ufp.org> said:
Unsolicited, Commercial, and E-mail all have precise definitions.
We've got commercial and e-mail nailed down enough for the lawyers. Unsolicited? Umm.. 47 USC 227 (which includes the "junk fax" law) says (47 USC 227(a)(3)): * (3) The term ''telephone solicitation'' means the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person, but such term does not include a call or message (A) to any person with that person's prior express invitation or permission, (B) to any person with whom the caller has an established business relationship, or (C) by a tax exempt nonprofit organization. What exactly does "established business relationship" mean in the context of (for example) the NANOG mailing list? (Note that once there is a business relationship, there's no requirement that the solicitation has to be related - I continually get calls from various financial institutions plugging other services) No, I don't know the answer here - but it would probably go along with "membership in the same professional society" or "same country club" or similar. However, I've seen enough user's groups and similar that have "thou shalt not recruit/advertise/etc" rules that I have to suspect such behavior is otherwise legal (although slimy and frowned upon). /Valdis
On Mon, Oct 29, 2001 at 12:24:37PM -0500, Valdis.Kletnieks@vt.edu wrote:
What exactly does "established business relationship" mean in the context of (for example) the NANOG mailing list? (Note that once there is a business relationship, there's no requirement that the solicitation has to be related - I continually get calls from various financial institutions plugging other services)
Sadly I think we'll always be getting "spammed" by people we do business with, and I don't think there's any way to write the rules so this doesn't happen. While slightly more obvious in e-mail, it's not much different than what happens in other mediums: * You get a bill from someone, and in the same envelope they have flyers for some of their new products. * You get a call from your credit card company offering travel insurance for all the purchases you make on the call. * You call customer service for your new computer and while on hold hear ads about cut-rate internet service. I think the legislative presumption needs to be that if you're doing business with someone then they can contact you about pretty much anything, and if you don't like their contacting you can end the business relationship so they can't do it anymore. Writing rules to eliminate such communications I think would very quickly start to step on normal business practices, and even if everyone on nanog wanted that the $$$'s that make business and politics go around would never go for it. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Mon, Oct 29, 2001 at 12:33:05PM -0500, Leo Bicknell wrote:
On Mon, Oct 29, 2001 at 12:24:37PM -0500, Valdis.Kletnieks@vt.edu wrote:
What exactly does "established business relationship" mean in the context of (for example) the NANOG mailing list? (Note that once there is a business relationship, there's no requirement that the solicitation has to be related - I continually get calls from various financial institutions plugging other services)
Sadly I think we'll always be getting "spammed" by people we do business with, and I don't think there's any way to write the rules so this doesn't happen.
Some comments on this in Australia are at: http://www.caube.org.au/australia.htm Basically the positions from the government and industry bodies over here have been that commercial e-mail must be opt-in if there is no existing business relationship, otherwise opt-out. David. -- David Luyer Phone: +61 3 9674 7525 Network Manager P A C I F I C Fax: +61 3 9699 8693 Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 2983 http://www.pacific.net.au/ NASDAQ: PCNTF
It took me a while to get back to this.
Unsolicited Bulk E-mail.
I'm not sure I like the use of the word bulk. The reason is that it is not precise. Is 10 bulk? 50? Is it only bulk if I use a "spam tool"?
What's worse, "bulk" cannot be proved by a single victim (recipient), which is how a lot of ISP "abuse desks" close tickets: "you were the only one who complained, so it wasn't spam."
Unsolicited, Commercial, and E-mail all have precise definitions. Particularly if we're going to get something (eventually) into a useful law I think we need to make sure it is entirely defined of precise terms.
I've seen a fair amount of spam recently that had no commercial intent. It doesn't stop being spam just because the desire is to get me to vote for some candidate or support some government or even NGO program. For a better standard than UBC/UCE, see http://mail-abuse.org/standard.html.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vixie said:
That way lies madness. Senders have no such rights, and the determination of a message's legitimacy lies with recipients (and perhaps infrastructure owners) NOT senders.
How is the recipient of a message that has been blocked before he sees it to decide whether it was legitimate? Since most of what MAPS is about is reducing complaints from customers to their ISP, and thereby reducing support costs, I guess the question is answered. If no one complains, there is no problem. Since no one can complain about unseen messages, that means that collateral damage is not really a problem, since it does not increase support costs.
A sender's rights are determined by their contract with their ISP, and an ISP's rights are determined by their contracts with their peers and transit providers.
And with their customers, who are the ones that are sending and receiving all this email in the first place. - --- "The avalanche has already begun. It is too late for the pebbles to vote" - Kosh -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBO9yOMEksS4VV8BvHEQKMmgCdGnIQtSxDbPyYDxViE2qtQuCqFMIAn1qa Bd9d5t903V0vMu4vF1h8Ebmg =kjig -----END PGP SIGNATURE-----
The customer has a choice of providers and can choose a provider that doesn't use MAPS. When I used to run an ISP, we had two different mail systems. 1 for those that wanted everything, and 1 for those that wanted things filtered. Providers should inform their customers that they are using some level of filtering. Seems most of them are, and that most customers want it. Just driving around the Bay Area one can see signs that promote Spam Free Email from various providers.. On Sun, Oct 28, 2001 at 03:01:04PM -0800, Mike Batchelor wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Vixie said:
That way lies madness. Senders have no such rights, and the determination of a message's legitimacy lies with recipients (and perhaps infrastructure owners) NOT senders.
How is the recipient of a message that has been blocked before he sees it to decide whether it was legitimate?
Since most of what MAPS is about is reducing complaints from customers to their ISP, and thereby reducing support costs, I guess the question is answered. If no one complains, there is no problem. Since no one can complain about unseen messages, that means that collateral damage is not really a problem, since it does not increase support costs.
A sender's rights are determined by their contract with their ISP, and an ISP's rights are determined by their contracts with their peers and transit providers.
And with their customers, who are the ones that are sending and receiving all this email in the first place.
- --- "The avalanche has already begun. It is too late for the pebbles to vote" - Kosh
While I am, and have been, a MAPS supporter for a very long time, the truth is that this assertion is not nearly as true today as it was when the RBL was first implemented, particularly in the realm of broadband access. While I normally would not object to any ISP using MAPS or other spam and/or content filters, the "get another provider if you object" argument doesn't work nearly as well if there's only one DSL or cable provider that serves the customer. If Covad were to go under tomorrow, Verizon DSL would be my sole choice for high-speed access to my home - I have no line of sight to either of the satellite access providers, and the cable plant hasn't been upgraded to support cable access yet. And I can't afford to bring in a T1, unfortunately :/ So if Verizon were to start filtering mail based on the RBL list or any other list, or filter traffic based on legal/moral issues (say, to block napster/gnutella clients), what other options are there, other than going back to dialup? -Chris On Sun, Oct 28, 2001 at 03:36:50PM -0800, John M . Brown wrote:
The customer has a choice of providers and can choose a provider that doesn't use MAPS.
--------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
On Mon, Oct 29, 2001 at 01:05:00PM -0500, Christopher A. Woodfield wrote:
[...] the "get another provider if you object" argument doesn't work nearly as well if there's only one DSL or cable provider that serves the customer.
[...] Not to sound too trite, but in general you *do* get what you pay for. No one said that your choice of providers would all have equal costs. If you are in a place where DSL works, you can most likely get a T1 to any provider you wish. Pick one that doesn't get placed on the RBL. -- John Osmon "It was half way to Rivendell when the drugs john@osmon.net began to take hold" -- Hunter S Tolkien "Fear and Loathing in Barad Dur" (Stolen from another .sig)
[Think it's about time for a subject change.] At 11:23 AM 10/29/2001 -0700, John Osmon wrote:
On Mon, Oct 29, 2001 at 01:05:00PM -0500, Christopher A. Woodfield wrote:
[...] the "get another provider if you object" argument doesn't work nearly as well if there's only one DSL or cable provider that serves the customer.
[...]
Not to sound too trite, but in general you *do* get what you pay for. No one said that your choice of providers would all have equal costs.
If you are in a place where DSL works, you can most likely get a T1 to any provider you wish. Pick one that doesn't get placed on the RBL.
Personally, I agree with Christopher. Unfortunately, I do not see a way around it. If you do not filter spammers, how do you stop them? If you do filter spammers, how do you stop from occasionally hurting people in Christopher's situation? I dunno. Suggestions? Just to be clear, I would not, do not, and cannot tell another network how to filter their e-mail, traffic, prefixes, etc. I have no right to do so. (But I certainly will make fun of some of them for the way they filter - which is a right I have. :)
John Osmon "It was half way to Rivendell when the drugs
-- TTFN, patrick
In case it wasn't obvious from my first post, I'm talking about residential access here. Aside from those who get their employer to pay for it (and even /then/ there's rarely a choice of providers), how many people have T1s coming into their homes? -Chris
If you are in a place where DSL works, you can most likely get a T1 to any provider you wish. Pick one that doesn't get placed on the RBL.
-- John Osmon "It was half way to Rivendell when the drugs john@osmon.net began to take hold" -- Hunter S Tolkien "Fear and Loathing in Barad Dur" (Stolen from another .sig)
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
[thanks for the subject change Patrick] Actually, it was obvious that you mean residential access. However, it appears that you are trying to equivocate "residential" and "cheap." It ain't necessarily so. I still say, you get what you pay for. There are always alternatives, but most people are unwilling to pay for them. There is no moral good/bad value to that point - it simply *is*. Sometimes the layer 2 choice will limit your choice of layer 3 providers - that is simply part of the price. This fact will not change regardless of the number of people with <pick any specific layer 2 connection> coming into their house (or business). Back to the original point: only buy bandwidth from folks that provide you with the value you seek. A cheap provider that isn't blocked by the RBL is perfect if you don't need to talk with folks on networks that subscribe to the RBL. You might need to pay more to get to a provider that isn't blocked... John On Mon, Oct 29, 2001 at 01:57:41PM -0500, Christopher A. Woodfield wrote:
In case it wasn't obvious from my first post, I'm talking about residential access here. Aside from those who get their employer to pay for it (and even /then/ there's rarely a choice of providers), how many people have T1s coming into their homes?
-Chris
If you are in a place where DSL works, you can most likely get a T1 to any provider you wish. Pick one that doesn't get placed on the RBL.
-- John Osmon john@osmon.net
On 01:05 PM 10/29/2001 -0500, Christopher A. Woodfield wrote:
While I am, and have been, a MAPS supporter for a very long time, the truth is that this assertion is not nearly as true today as it was when the RBL was first implemented, particularly in the realm of broadband access. While I normally would not object to any ISP using MAPS or other spam and/or content filters, the "get another provider if you object" argument doesn't work nearly as well if there's only one DSL or cable provider that serves the customer.
The customer is under no obligation to use their access provider for their email. There are literally hundreds of options for your email provider, including dozens of free email providers, and many others who charge a very small amount per month/year. If having a choice about how email is filtered or not filtered is important to the customer, the options are practically endless.
If Covad were to go under tomorrow, Verizon DSL would be my sole choice for high-speed access to my home - I have no line of sight to either of the satellite access providers, and the cable plant hasn't been upgraded to support cable access yet. And I can't afford to bring in a T1, unfortunately :/ So if Verizon were to start filtering mail based on the RBL list or any other list, or filter traffic based on legal/moral issues (say, to block napster/gnutella clients), what other options are there, other than going back to dialup?
For email, see above. For traffic filtering based on port (rather than content), you have a completely different issue. We have employees who can't use the M$ VPN client to VPN to the exchange server because their high-speed Internet is via cable modem. The cable modem service uses the VPN system for communication between the cable modem box and the head end office, and so that system isn't available (is "blocked") to the customer. Our work-around is to set up an SSH tunnel instead. It's not as simple, but it gets the employee into our servers without passing data in the clear. If it's really really important for you to get to napster/gnutella, you will have to find a similar way past roadblocks, or, yes, go back to dial-up. There's no law that says that the broadband options available to any one end user have to meet that end user's desires. Supply and demand will create companies and services/products that are profitable and meet (most) customer demands, just as it does with other products like cars and trucks. I'd REALLY like a truck with Dodge body styling, interior, and Cummins engine, with a Ford automatic transmission (Dodge is notorious for crappy automatic trannies) and those kewl extendo mirrors. (For towing that furrytractor :-) jc
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
The customer is under no obligation to use their access provider for their email.
Oh yeah? http://www.mail-abuse.org/dul/enduser.htm That avenue has also been closed off in the name of fighting spam. But thank you for playing. - --- "The avalanche has already begun. It is too late for the pebbles to vote" - Kosh -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBO982YUksS4VV8BvHEQIeAgCeN02BfWfkUd4g8PqP01Sbd+V0nXAAnige Ih6E+S4N25ZLEWhUhk2AKZEl =F4PT -----END PGP SIGNATURE-----
On Tue, Oct 30, 2001 at 03:23:13PM -0800, Mike Batchelor wrote:
The customer is under no obligation to use their access provider for their email.
Oh yeah? http://www.mail-abuse.org/dul/enduser.htm
That avenue has also been closed off in the name of fighting spam. But thank you for playing.
There's a difference between using a different email provider and going direct-to-MX. -- John Payne http://sackheads.org/jpayne/ john@sackheads.org http://sackheads.org/uce/ Fax: +44 870 0547954 To send me mail, use the address in the From: header
On Tuesday, October 30, 2001, at 06:30 , John Payne wrote:
The customer is under no obligation to use their access provider for their email.
There's a difference between using a different email provider and going direct-to-MX.
There's also a difference between using the RBL (rbl.mail-abuse.org) and the DUL (dialups.mail-abuse.org)... ... but I won't get into that. -rt (I know, I know, the other list, 7 mailboxes down, on the right, secret word is "Spamford"...) -- Ryan Tucker <rtucker@netacc.net> Network Operations Manager, NetAccess, Inc. http://www.netacc.net/ • (585)419-8252
It took me a while to get back to this.
While I normally would not object to any ISP using ... content filters, the "get another provider if you object" argument doesn't work nearly as well if there's only one DSL or cable provider that serves the customer.
Without that argument, there's a clear path to "since your customers have no choice, you are not allowed to filter content." While this probably applies to DSL since it's "like telco" and there's already legislation about what telcos can't filter because of their old "natural monopoly" status, I don't think it applies to Critical Path or MSN or AOL or any other mail server operator -- there is choice, and thankfully, there is no hint of legislation coming for "mail server content filtering policies."
On 03:01 PM 10/28/2001 -0800, Mike Batchelor wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Vixie said:
That way lies madness. Senders have no such rights, and the determination of a message's legitimacy lies with recipients (and perhaps infrastructure owners) NOT senders.
How is the recipient of a message that has been blocked before he sees it to decide whether it was legitimate?
What business is it of yours what procedures other people might take to block email they don't want delivered into their inbox?
Since most of what MAPS is about is reducing complaints from customers to their ISP, and thereby reducing support costs, I guess the question is answered. If no one complains, there is no problem. Since no one can complain about unseen messages, that means that collateral damage is not really a problem, since it does not increase support costs.
Hi, Bob? This is Susan. I haven't received a reply from you regarding the email I sent yesterday, did you get it? You didn't? Hmmm. Let me try resending it. Hi Bob? This is Susan again. Did you get that second email yet? No?! Maybe you should call your ISP to find out why! Yes, I already called mine, they don't have any info, they say the mail server logs show that both the messages were delivered to your ISP. Hi, Mr. ISP support guy? This is Bob. It seems that I'm not getting all of my email.... ...................... Collateral damage IS a problem, but that's part of why it works to reduce spam. jc
On Sun, Oct 28, 2001 at 09:26:39PM -0800, JC Dill wrote:
Since most of what MAPS is about is reducing complaints from customers to their ISP, and thereby reducing support costs, I guess the question is answered. If no one complains, there is no problem. Since no one can complain about unseen messages, that means that collateral damage is not really a problem, since it does not increase support costs.
Hi, Bob? This is Susan. I haven't received a reply from you regarding the email I sent yesterday, did you get it? You didn't? Hmmm. Let me try resending it.
Hi Bob? This is Susan again. Did you get that second email yet? No?! Maybe you should call your ISP to find out why! Yes, I already called mine, they don't have any info, they say the mail server logs show that both the messages were delivered to your ISP.
Hi, Mr. ISP support guy? This is Bob. It seems that I'm not getting all of my email....
You're assuming that the filterer is silently discarding the message and not bouncing it. If a site is blocked from sending mail via MAPS or any other method, the receiver must send a bounce message to the sender to avoid breaking SMTP.
Assuming the filterer is not breaking SMTP by silently discarding messages, Bob will receive a message saying that his message couldn't be delivered, with an explanation.
--Adam
--
Adam McKenna <adam@flounder.net> | GPG: 17A4 11F7 5E7E C2E7 08AA
http://flounder.net/publickey.html | 38B0 05D0 8BF7 2C6D 110A
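An added example, not part of any message in this thread: a sketch of the refusal path described above, where a listed client gets a permanent 5xx reply with an explanation during the SMTP session, so the sending side produces the bounce instead of the mail vanishing. The zone dnsbl.example, the lookup URL, the function names and the sample addresses are assumptions made for illustration; the reversed-octet query name is the usual DNS blacklist lookup convention.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.example"                       # hypothetical zone
INFO_URL = "http://dnsbl.example/verify?address="  # hypothetical lookup page


def dnsbl_query_name(client_addr, zone=DNSBL_ZONE):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    ip = ipaddress.IPv4Address(client_addr)  # ValueError if not IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def system_resolver(name):
    """True if the name resolves (address is listed), False otherwise.
    A DNS failure counts as 'not listed', so an outage never blocks mail."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def smtp_reply_for(client_addr, resolver=system_resolver):
    """Return (code, text) to give the connecting client in-session.

    Refusing with 550 here leaves the message with the sending MTA, which
    must report the failure to its user. Answering 250 and discarding
    later is the silent loss the thread is arguing about.
    """
    try:
        listed = resolver(dnsbl_query_name(client_addr))
    except ValueError:
        return 250, "OK"  # not an IPv4 literal: this sketch does not judge it
    if listed:
        text = "Mail from open relay %s refused - see %s%s" % (
            client_addr, INFO_URL, client_addr)
        return 550, text
    return 250, "OK"


# Constructed sample data: a stub standing in for DNS, listing one
# documentation-range address (192.0.2.25).
CONSTRUCTED_LISTED = {"25.2.0.192.dnsbl.example"}


def stub_resolver(name):
    return name in CONSTRUCTED_LISTED


if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.7"):
        print(addr, smtp_reply_for(addr, stub_resolver))
```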
On Sun, 28 Oct 2001 21:53:24 PST, Adam McKenna <adam-nanog@flounder.net> said:
You're assuming that the filterer is silently discarding the message and not bouncing it. If a site is blocked from sending mail via MAPS or any other method, the receiver must send a bounce message to the sender to avoid breaking SMTP.
Assuming the filterer is not breaking SMTP by silently discarding messages, Bob will receive a message saying that his message couldn't be delivered, with an explanation.
"550 Mail from open relay " $&{client_addr} " refused - see http://www.orbs.org/verify.php3?address="$&{client_addr}
Where $&{client_addr} is replaced with a dotted-quad IP.
You'd be amazed how many support people at ISPs can't figure that out. Even *after* they visit the page. I know this because I've gotten my share of mail "I got this message, and my ISP people don't understand".
Of course, to quote Douglas Adams, that sort of ISP should be "first up against the wall when the revolution comes" ;)
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Sun, 28 Oct 2001, JC Dill wrote:
Hi, Mr. ISP support guy? This is Bob. It seems that I'm not getting all of my email....
You obviously didn't start out in a support position, did you? Talk about not scaling well...
Charles
......................
Collateral damage IS a problem, but that's part of why it works to reduce spam.
jc
Hi, Bob? This is Susan. I haven't received a reply from you regarding the email I sent yesterday, did you get it? You didn't? Hmmm. Let me try resending it.
Hi Bob? This is Susan again. Did you get that second email yet? No?! Maybe you should call your ISP to find out why! Yes, I already called mine, they don't have any info, they say the mail server logs show that both the messages were delivered to your ISP.
Hi, Mr. ISP support guy? This is Bob. It seems that I'm not getting all of my email.... ...................... Collateral damage IS a problem, but that's part of why it works to reduce spam.
There are ways to get around this. I participated in a Brightmail beta sponsored by @Home for two of my personal email accounts. All my "filtered mail" was not deleted but moved to some other mailbox. I had the ability of logging in periodically and seeing what mail was caught as spam. False positives were easy to eradicate (a click or two), one mailing list I was on was caught as spam and less than 24 hours after submission, mail was flowing properly again. I post with my personal email address (without modification) on Usenet so I get a fair share of spam (20-30 pieces or more per day among a few of my email accounts). Brightmail was a godsend, I am willing to live with a few false positives and not have to deal with hitting delete 20 times.
On Sun, 28 Oct 2001, Mike Batchelor wrote:
Since most of what MAPS is about is reducing complaints from customers to their ISP, and thereby reducing support costs, I guess the question is answered. If no one complains, there is no problem. Since no one can complain about unseen messages, that means that collateral damage is not really a problem, since it does not increase support costs.
I'm not sure how you've managed to avoid this, but when using the various blacklists in an ISP setting where I've worked, there certainly has been "collateral damage" in unseen messages causing increased support load (cost). Our customers will call up complaining "My aunt can't email me anymore, but she can email everyone else in the family." or "Since sometime last week I can't get email from business associate X, and this has cost me thousands of dollars per day in sales." There's always someone to complain.
I think over time, as people have seen more and more porn site or penis/breast enlargement spams, they've gotten more understanding of "we can't accept mail from that ISP's mail server because it's an open relay and was being used to broadcast spam".
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sun, Oct 28, 2001 at 12:28:47PM -0800, Paul Vixie wrote:
Bad for whom? Only for the sender? Does this sender have rights which should supercede the property rights of recipients and of infrastructure owners? If so then who gets to decide whether mail is legitimate or not? The sender again? If so then why should anyone ever be allowed to filter out "spam", either as a recipient, or as an infrastructure owner?
As an infrastructure owner, the important thing is that if you're going to announce reachability, it should be real. If you blackhole stuff in the middle of a netblock and distribute it as an untainted netblock in your BGP, you're depriving people of clean routes. Other than that, exercise your policy to your heart's content.
--
Jeff Haas
NextHop Technologies
participants (18)
- Adam McKenna
- Charles Sprickman
- Christopher A. Woodfield
- David Luyer
- David Schwartz
- JC Dill
- Jeffrey Haas
- jlewis@lewis.org
- John M . Brown
- John Osmon
- John Payne
- Leo Bicknell
- Mike Batchelor
- Patrick W. Gilmore
- Paul Vixie
- Ryan Tucker
- Valdis.Kletnieks@vt.edu
- Wojtek Zlobicki