[Bill, Jim and William are longtime Net-denizens. Previous Politech message: http://www.politechbot.com/p-03967.html --Declan] --- Date: Mon, 09 Sep 2002 11:35:19 -0700 To: declanat_private, openrelayat_private, gnuat_private From: Bill Stewart <bill.stewartat_private> Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship Cc: politechat_private I still use my old Netcom account for dialup access, even though they've since been eaten by Mindspring and Earthlink. The first time I was affected by open relay blockers, it was because Netcom had open relays and was on one of the blocklists, so any email that came from smtp.ix.netcom.com was rejected by people who used that list, though I don't think it actually relayed for non-customers. There was an easy workaround - I set Eudora to use an open relay at Netcom that wasn't blocklisted :-) Eventually they closed their open relays and got off the list. There are two different ways to block relay traffic - standard internet style, which is to give an error message (which the sender of legitimate email can read and use to fix or at least identify the problem), and silently dropping mail from sites with relays, which is obnoxious to legitimate mail senders (spammers don't really care) and makes the internet less robust and more fragile, both technically and culturally. And of course, if you block all email from a site you think has relays, you're also blocking email from the system administrator there who may be trying to resolve the problem. Open relays were a positive community service back in the old days, when the net wasn't as well connected and when there was a wide diversity of email protocols in use - UUCP, Bitnet, Fidonet, and others, before the near-total dominance of SMTP over TCP/IP. They're still useful today for people who move around - my laptop spends some time at work, connected to the company LAN, some time at home, dialed into one of the several ISPs I use, and some time at home, using a VPN to connect to work. If I'm at a hotel, I'll usually use my work dialup account. Back when relays were still available, I could set my web browser to point to my company's mail server, which had the same name both inside and outside the firewall, so my email could always get out These days, if I want to click on a mailto: link on a web page, I have to reconfigure Netscape depending on which network I'm on, or else not bother - leave it set for one network, and cut&paste to my regular email client if I'm on the other. Similarly, if I want to send mail from my home identity at the office, I have to reconfigure. That would be annoying enough, but Earthlink also blocks outgoing email that doesn't go through their email relay servers, so if I use their dialup, I need to configure for their relay, and if I use my work dialup, I need to configure for a relay that's not Earthlink, because Earthlink's mail relay blocks traffic from outsiders. Unfortunately, relays today are primarily a target for abuse by spammers, who crank millions of messages through any one they find, which lets them increase their outgoing message rate without actually buying their own bandwidth, and makes it easier to avoid being caught and shut down, and for a while the efforts of the open relay blocking list folks helped reduce the amount of spam by getting ISPs to close them. I get so much spam these days it's hard to tell if the anti-relay policies are helping, but at least my mail filters know that anything sent from a Korean elementary school is spam, and the US ISP anti-relay policies make the Korean broadband network a popular target for abusers. Bill Stewart --- Date: Mon, 9 Sep 2002 11:07:20 -0700 To: John Gilmore <gnuat_private> From: Jim Warren <jwarrenat_private> Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship Cc: declanat_private Hey John -- Great to see your msg, reposted by Declan. (Thanks Declan!) >Skipping spam is quick. I've always had the same view of spam as you -- a minor irritant. Quick to delete-at-a-glance in Eudora's in-box (usually takes well under a minute). And I hold this view, even though, like you, I've been very public on the net for decades, and am thus on *lots* of spam-lists. Also better than the junk snailmail that we contribute daily to our ever-shrinking landfill (electrons are fully recycled). I have limited sympathy with the never-bother-me-ever-in-any-way crowd. The anti-spam forces are of special concern, in that they are just as eager to let someone else's always-imperfect computer auto-censor unsolicited NONcommercial email -- notably community messages, political perspectives, etc. These are, after all, the *reason* behind the First Amendment's [supposedly] absolute protections of [voiceless] speech, [paperless] press and [bodyless] assembly. You wanna vote in elections and thus impact MY life with YOUR government choices?! Then I wanna be free to present my views to you, for you to consider or discard as you choose! This is perhaps THE most crucial aspect of any society that seeks to be free. (However, unlike the corporate-directed Supreme Court, I *do* differentiate between loot-hustling "commercial spam", versus noncommercial political or community "spam", but that's a different issue.) But! (1) *my* spam DOES arrive via a pseudo-broadband IDSL (ISDN-based) "high speed" link. Thus, it takes only a minute or two each morning (plus the constant trickle all day). (2) I arrange to have other things to do while the overnight spam megadose arrives, along with an occasional "real" message. (3) I DO use an efficient mail-reader (Eudora Pro) that makes it easy for me to perform my own censorship-at-a-glance, thank you very much. But what about those folks who -- unlike you 'n' me ('n' Declan, et al) -- do NOT have broadband connections? What about that *large* majority who still suffer the consequences of (low-cost) dial-up? Even moreso, what about those outside the short range of the phone cartel's urban central offices ... farther away, where their voice-grade phone lines are so flakey they are gleeful when they occasionally squeeze 28.8 Kbs out of 'em? (This happens with my neighbors in "Silicon Heights" -- the pseudo-rural skyline and coastside of the San Francisco Peninsula that's only a half-hour's commute from SillyCon Valley, but still back in the 1950's as far as phone quality is concerned.) For them, downloading the daily spam-glut can take 10-15 minutes ... sometimes worse. [Yeah, I know the libertarian solution -- money. But many don't have much of it. And for more'n a decade, the phone monopoly has remained blithely unresponsive to the *many* "inconvenient" non-urban dwellers who ARE willing to pay for higher-speed lines. We want it; they won't provide it! It's ISDN 144 Kbs ordialup -- and there are only a limited number of ISDN lines! Land-based wireless doesn't work either -- due to the lack of line-o-sight and waving forest limbs. {I've long advocated that we create our own short-hop wireless web, but that's costly, plus being crash-prone for many ungeeks.} And the few satellite-link wireless pipes are fast mostly because they're little-utilized.] What about the folks who actually have lives *beyond* <gasp!> the net -- who do NOT really want to spend so much of their waking hours and phone-connect time waiting to see any morsels of LEGIT email? What about the self-abusers who voluntarily use Outlack <sic> Exprass <sic> or similar "free" email browsers -- that may automatically download all the @#$%^& idiotic image-files that accompany more'n'more spam (sort of glut's glut)? (Yeah, I tell 'em to switch to Eudora, too. But "free" Eudora comes with its own endless splatter of pop-up ads, and $45+ for full-function, ad-free Eudora is real money to some folks -- although less than the cost of most post boxes.) I pose these not in support of outsider's spam censorship -- but only to recognize problems that DO exist. >Figuring out that someone's communication to >you is being censored, and recovering from that, is hard. This is perhaps THE biggest argument against automated censorship (of spam, or anything else!). I *might* favor a truly accurate spam-whacker. But NONE of 'em are. What's worse, the victims ("customers") afflicted with such automated censorship don't even know about the legit messages that they're missing. A completely unacceptable, BAD situation! >Luckily, most telephones aren't carried through the censored Internet, so at >least when you don't reply to someone's email, they can phone you to >ask you what's up. Ahhh, but that's only because of the nasty ol' must-serve, can't-censor government regulations that the PUC, FCC and ICC force on the poor, struggling phone cartel. The Baby Bells aren't *allowed* to control voice-call content. And except for physical limits, they're not *allowed* to decide to-whom they will and will not provide service. Universal service -- one of the many "awful" consequences of anti-libertarian govt regulations. <grin> However, some of the Bells -- that own and control essentially ALL of the connectivity -- ARE proposing to control which ISP their broadband Internet customers *must* use, and which ads their net customers *must* accept. Sort of the opposite of spam-blocking! --jim --- Date: Mon, 09 Sep 2002 10:26:05 -0400 From: William Allen Simpson <wsimpsonat_private> To: declanat_private CC: politechat_private Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship As much as I respect John Gilmore, I have to disagree with his test: > From: John Gilmore <gnuat_private> > A simple rule for anti-spam measures that preserves non-spammers' > freedom to communicate is: No anti-spam measure should ever block a > non-spam message. But there isn't a single anti-spam organization > that actually follows this rule. And for good reason. That's censuring speech based on CONTENT. All civil libertarians should shudder. It's also technically infeasible, particularly as folk disagree what is "spam", as opposed to "UCE", as opposed to just "junk". Technical solutions for technical problems. Speaking as a small network operator and long time Internet security advocate, there is a good reason for using a technical measure. We all agree that non-standards compliant servers threaten the security of the network. We all agree that most of the messages that our customers complain about come from those non-standards compliant machines. We all agree that we are drowning in a flood of these unwanted messages. Yes, there are good messages that are also blocked. Bruce Schneier's CrytoGram -- a well known security industry newsletter -- was blocked last month by a server that was misconfigured for a few days. But the problem was not content based, it was technical. Furthermore, the open-relay lists help cut our costs. We were spending roughly $16,000 of a budget of $60,000 to carry these messages, which then cost us even more for technical support to handle the customer complaints. And in the end, money matters, especially to the small ISP. In a perfect world, there would be no relays at all -- the Internet was designed to be end-to-end (think peer to peer). Unfortunately, there's a badly designed computer operating system that won't operate without a relay, as an incentive to buy their servers. That OS is also responsible for the current scourge of KLEZ worms. Years ago, we designed Transport Layer Security for email. If everybody turned that on, we'd have a better technical handle for containing the floods, and identifying the culprits. And we'd have better personal privacy, too! With TLS, even the message To/From headers are encrypted (hop-by-hop rather than end-to-end). No more snooping, say goodbye to Carnivore. So, let's be technically proactive, and encourage civil liberty at the same time. That's not "coercive", that's good sense. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 --- From: "Charbeneau, Chuck" <CCharbeneauat_private> To: "'declanat_private'" <declanat_private> Subject: RE: John Gilmore on Earthlink, anti-spam rules, and censorship Date: Mon, 9 Sep 2002 08:31:59 -0400 > From: Declan McCullagh [mailto:declanat_private] > Subject: FC: John Gilmore on Earthlink, anti-spam rules, and > censorship > > Also, here's an excellent essay on spam that John wrote back > in February (I even quoted from it in my weekly column that will > appear on News.com in a few hours): > http://www.politechbot.com/p-03204.html Just as a technology note on the issue, Paul Graham has an excellent article (August 2002) on using a Bayes algorithmic technique for filtering spam at the client (user based filtering). http://www.paulgraham.com/spam.html Using his excellent examples as a guide and Perl as my tool, I created filters that have proven to be 99.9x% accurate (where x depends on the corpus of bad email I use to prime the filter) with 0 false positives. Maybe with more examples such as this, we can start creating more intelligent tools for the identification and squashing of spam not just for the single client, but for the larger consumer as well, and hopefully increase the reliability of the (sometimes) self-professed black lists. Or maybe we can remove the need altogether. Chuck Charbeneau Applications Engineer Lear Corporation --- Date: Mon, 9 Sep 2002 11:21:35 +0200 (MET DST) From: Paul Wouters <paulat_private> To: Declan McCullagh <declanat_private>, <gnuat_private> Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship Oops, ofcourse John's email address is gnuat_private, not johnat_private Paul Date: Mon, 9 Sep 2002 11:03:09 +0200 (MET DST) From: Paul Wouters <paulat_private> To: Declan McCullagh <declanat_private> cc: John Gilmore <johnat_private>, Hugh Daniel <hughat_private> Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship On Mon, 9 Sep 2002, Declan McCullagh wrote: (CC:ed to John's uncensored email address) > http://www.politechbot.com/p-03204.html I think John is leaving out a few important issues in his reasoning. (And as one of the people maintaining one of John's mailservers of his Freeswan Projct, we have had many heated discussions on this topic, so John won't be too suprised about my response here :) 1) The cost of sending bulk email might have gone done to practically nothing, the cost of receiving mail has gone up dramaticly, as a result of both bulk email, virusses, and the combination of the two, the anti-virus "warnings" (aka free commercials). Not so much in bandwidth costs, those indeed have gone down so much as to not matter much. But especially a virus, and the resulting anti-virus mass of messages one receives, hits you as a denial of service. (though costs for receiving spam on mobiles/pda/sms etc is still expensive) 2) It is not that ISP's just want to censor to have fun with the law or their mailservers. John is forgetting something that Jamie Zawinski, former Mozilla/Netscape developer realised with shock years ago, when he became, through Netscape's sale, an AOL employee. Jamie realised that AOL wasn't censoring for fun, for principles, moral, nor ethics. It was censoring for PROFIT. Regardless of how John, me, Jamie and most people on Politechbot might feel, the large majority just wants a clean email feed. They are willing to pay extra for it. If other ISP's want to compete, they also "need" to offer this censored version of email. If they don't, they will lose customers to those ISP's that do offer that service. In the end, every ISP will be censoring email. We will have to wait for the market to change, and let captalism do its job. I believe John is partially right about filtering. It should be done by the user, and not its representative (wether it be a government, telco, or parent). However, some pre-filtering can surely be done: 1 Block virusses (and do NOT sent replies to viri that are known to fake the sender address, such as KLEZ, nor to any mail with a Precedent:bulk header, used for mailinglists). 2 Block the above mentioned anti virus messages (Antivirus vendors are just too keen on sending you their commercial in the disguised form of a warning. 3 Block dangerous (and mostly with propriety extensions) files. 4 Block any mail that has been authoratively deemed false. Eg, some obscure site in Serbia claiming to be Yahoo. DNSSEC may help us here, once we get it (finally!) deployed. The first one is an illegal message anyway, and I see it as the postal service recognising a packaged bomb, and refusing to deliver it. The third kind is like refusing to deliver a package with sharp items on the outside, which might hurt the mailman or receiver. For some spam statistics, see http://www.xtdnet.nl/paul/spam/ Paul Wouters (Co-Founder of a Dutch ISP, and volunteer on John's Freeswan Project) --- From: "G. Waleed Kavalec" <gregat_private> To: <declanat_private> Subject: Gilmore, et al Date: Mon, 9 Sep 2002 13:06:03 -0500 Declan By now you probably have numerous replies to Gilmore. Allow me to summarize. Gilmore has been quoted as saying "The internet interprets censorship as damage and routes around it". Well he now encountered the flip side of this same paradigm. Spam is an infection, and the internet is generating antibodies. G. Waleed Kavalec --- Date: Mon, 9 Sep 2002 12:21:05 -0400 (EDT) From: John Mozena <mozat_private> To: Declan McCullagh <declanat_private> Cc: gnuat_private Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship On Mon, 9 Sep 2002, Declan McCullagh wrote: > Date: Sun, 08 Sep 2002 10:39:19 -0700 > From: John Gilmore <gnuat_private> > A simple rule for anti-spam measures that preserves non-spammers' > freedom to communicate is: No anti-spam measure should ever block a > non-spam message. You have as much "freedom to communicate" as the server's owner wants to give you. If they don't like the way your server behaves, or the kind of traffic you're initiating, or even how you spell your name, they can block you. Their property, their rules. Unless we decide that ISPs are common carriers, you've got no right to use their networks beyond what rights you might negotiate in a contract. > Anti-spam is to Internet freedom as anti-terrorism is to > Constitutional rights. The most ridiculous justifications are > routinely accepted and believed. The lemmings all cheer when > somebody restricts our freedom to communicate "because of > spam". Thanks, Annalee, for exposing Earthlink's fraud. This analogy is flawed. You're comparing the power of a government to the power of a private corporation. Corporations have no First Amendment responsibilities to uphold free speech, they merely have responsibilities to their customers and their shareholders to maximize the utility of their assets. Unfortunately, in today's day and age, ISPs are deciding that draconian filtering is a necessary tool to keep their networks functioning correctly and their customers happy. It's not pretty, it's not good and it's not a long-term solution, but it's the only thing they can do right now. Oh, and if you think that "skipping spam is quick," ask MSN Hotmail how quickly they can skip the 80 percent of the incoming e-mail to their subscribers that's spam these days. That's the nature of spam today, and that's why you get zealous -- occasionally overzealous, to be honest -- network administrators with itchy filter fingers. -- John C. Mozena - Fight spam, join CAUCE at www.cauce.org mozat_private - www.mozena.org "The legitimate powers of government extend to such acts only as they are injurious to others." -- Thomas Jefferson, 1782 --- From: "Ben Serebin" <benat_private> To: <declanat_private> References: <5.1.1.6.0.20020909002736.019d4a10at_private> Subject: Re: John Gilmore on Earthlink, anti-spam rules, and censorship Date: Mon, 9 Sep 2002 11:09:35 -0400 Hello Declan, This is one post you could have skipped. Actually, I tend to always disagree with John G. Spam is a global epic we are currently facing and is only getting significantly worse fast. I completed disagree with him, and think blackhole lists are a great way to "encourage" greater participation of closing open relays. Regulations are needed similar to the way the US needed regulations to curb the anti-spam fax problem that was a problem years back. -Ben --- Date: Mon, 9 Sep 2002 11:19:33 -0300 (BRT) From: Rik van Riel <rielat_private> X-X-Sender: rielat_private To: Declan McCullagh <declanat_private> cc: John Gilmore <gnuat_private>, <annaleeat_private> Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship In-Reply-To: <5.1.1.6.0.20020909002736.019d4a10at_private> On Mon, 9 Sep 2002, Declan McCullagh wrote: > A simple rule for anti-spam measures that preserves non-spammers' > freedom to communicate is: No anti-spam measure should ever block a > non-spam message. But there isn't a single anti-spam organization > that actually follows this rule. If that were practical, surely somebody would have done it by now. Simply refusing email from easily abusable servers can be automated and has been very effective to reduce the flow of spam. Furthermore, it is easy enough for people to secure their setup so they will no longer be sponsoring the spammer's activities. > Instead they block non-spam messages (such as every message from an > "open relay"), as a coercion tactic, to "encourage" those sites to > change their policies. You have freedom of speech, I have the freedom to decide not to listen. If a site does not want to accept email from sites that are easily abused by spammers, it is their full right to not accept that email. > I refuse to be coerced, and you should refuse too. I refuse to be coerced by your statement ;) I have no problem with either of us having different opinions on what anti-spam organisations "should" or "should not" do. I think everybody has the right to decide for themselves to decide what to do, without you, I or anybody else telling us what to do. kind regards, Rik van Riel (PS. Declan, feel free to publish this on the politech list) -- Bravely reimplemented by the knights who say "NIH". http://www.surriel.com/ http://distro.conectiva.com/ Spamtraps of the month: septemberat_private tracat_private --- Date: Mon, 9 Sep 2002 09:41:29 -0400 (EDT) From: Patti Spicer <pattiat_private> X-X-Sender: pattiat_private To: declanat_private I had a similar experience with AOL. I own "cyphergirl.com". My husband owns "spikesplace.org". Both domain names point to the same website, and we each have our own "vanity" addresses. All of this is hosted by a friend of ours who has an HPUX server. I was trying to get together with my cousin (on AOL) to shop for her bridesmaid dresses, when my email suddenly started being returned. For every email that I would send to anyone on AOL, I would get a message back that my email server had been blacklisted for spamming, and for more into to see http://postmaster.info.aol.com/ . I used to work with this friend of ours as a UNIX Admin, so I telnet'd over to our server and checked things out. Our server was not an open relay. We hadn't been hacked. No one on the server was spamming... heck, it was a server for personal websites of people who work in the IT industry. Every email that I sent to AOL was rejected -- no matter what address I sent it to. I couldn't even email postmaster@ or abuse@. Our server was not an open relay, but I couldn't even contact anyone to find out what had happened. Our friend spent over two hours on the phone with them, and they suddenly un-blacklisted us. No explaination, no apology. To this day, AOL still tries to relay email off of us.... constantly testing the server. In reality, they should be blacklisting all of their own users for spamming or propogating the Klez virus. Idiots. (The AOL admins, not the users. :) ) --patti --- From: "G. Waleed Kavalec" <gregat_private> To: <declanat_private> References: <5.1.1.6.0.20020909002736.019d4a10at_private> Subject: Re: John Gilmore on Earthlink, anti-spam rules, and censorship Date: Mon, 9 Sep 2002 08:23:49 -0500 MIME-Version: 1.0 Content-Type: text/plain; I would like to respond to the letter from John Gilmore. > (I now get my email via uucp, because an anti-spam zealot > at Verio canceled my T1.) "Gilmore's home network includes what anti-spam crusaders call an "open relay" -- a mail server that accepts and forwards e-mail from anyone. For decades, the practice was considered central to good network citizenship. But in recent years, spammers have begun hijacking open relays to multiply, sometimes a thousand fold, the number of junk messages they can send at once." http://www.theregister.co.uk/content/8/17639.html > Whether you are on the list is unrelated to whether you > send spam. I've never sent spam in my life, > but there I was on the list. Just because I loaned my gun to a bank robber why should the police confiscate it? I never robbed any banks, but they took my gun anyway. > A simple rule for anti-spam measures that preserves non-spammers' > freedom to communicate is: No anti-spam measure should ever block a > non-spam message. But there isn't a single anti-spam organization > that actually follows this rule. You are free to communicate. I am free not to listen. Live with it. > The policies of some of these organizations have gotten increasingly > bizzare. My DNS registrar was blacklisted because they let anyone > register a domain. Yes, it's true. Anyone who pays them the small > fee can register a domain, and it stays registered until they stop > paying. It's a radical idea; you pay your money and you get the > service you're paying for. Absent Acceptable Use Policies and Terms of Services, such registrars are as spam-friendly as any open relay. If the spam-blocking ISP's choose not to listen to anything spewed from domains so registered they're probably saving their customers time and money. > When toad.com was on the net, mail from it would get > through to almost everywhere, despite being blacklisted by most of the > zealot blacklists. The lists, and their proper use, are maturing. As are many of us. G. Waleed Kavalec --- Date: Mon, 9 Sep 2002 07:47:12 -0400 (EDT) From: "Matthew G. Saroff" <msaroffat_private> Reply-To: "Matthew G. Saroff" <msaroffat_private> To: Declan McCullagh <declanat_private> Mr. Gilmore is complaining because Earthlink blocks his email, and Verio, a company that whose business is selling T1 access, refuses to do business with him. I'm inclined to believe, based on this, that he has misconfigured his system (an open relay), and has been unable or unwilling to rectify the problem. The simple rule that "No anti-spam measure should ever block a non-spam message", reminds of the old HL Menkin adage, "For every complex problem, there is a solution that is simple, neat, and wrong." The rule that he just described would allow more than 95% of all spam to get through. I've used a number of spam filters, and except for those that have uniquely identifiable domains related to spamming domains (very unlikely these days, as the spammers are aware of the filtering) all of them had a 2-3% false positive rate. Running an open server is allowing someone interested in theft of service to borrow your lock picks, and refusing email from open servers is banning co-conspirators from one's property. I do not own a domain or manage a server, but I was mailbombed by someone using an open relay recently. The person running the relay, IT for a high school in Colorado, but was incompetent to such a level that he was unable to understand that his windows based mail server program configuration was separate from having an open relay. He finally shut down the server when I explained that I had received 250 emails while I was talking to him. Nowhere in his letter does Mr. Gilmore make the claim that he was misidentified, he merely claims that it is his (I assume dangerously [see previous paragraph] misconfigured) server has some sort of right to use other people's servers. The fact that he does not claim that he was placed on the list without good cause implies that his system was not configured to the minimal standards of (at least) Earthlink and Verio. He is trying to assert a property right, when he is actually asserting a trespass right. -- Matthew Saroff --- Date: Mon, 9 Sep 2002 03:31:15 -0700 From: "James J. Lippard" <lippardat_private> To: Declan McCullagh <declanat_private> Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship > Date: Sun, 08 Sep 2002 10:39:19 -0700 > From: John Gilmore <gnuat_private> > To: annaleeat_private, politechat_private, gnuat_private > Subject: Re: Earthlink's anti-spam censorship > > Earthlink has been blocking all mail from "toad.com" for years -- > despite toad not even being on the Internet any more. (I now get my > email via uucp, because an anti-spam zealot at Verio canceled my T1.) > > Earthlink has a little "enemies list". Whether you are on the list is > unrelated to whether you send spam. I've never sent spam in my life, > but there I was on the list. I had about a dozen friends using toad.com was an open mail relay that was used by third parties to send spam. Gilmore refused to close the relay, despite knowing that his server was being so abused. See http://groups.google.com/groups?q=toad.com+spam&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=85a9db%24a2f%241%40panix6.panix.com&rnum=2 for an example of spam relayed through his server, and http://www.theregister.co.uk/content/6/17639.html for an article on this issue by Kevin Poulsen that gives a good summary of the arguments from Gilmore and anti-spammers. I'll note that Gilmore's argument in this article that ISPs are common carriers is factually incorrect (you can't risk losing what you never had in the first place), and he seems to take the position that ISPs do not have the right to set policies for the networks they own. (Most ISPs have AUPs that explicitly prohibit open mail relays.) Gilmore insisted that he needed to maintain an open mail relay (anybody can relay mail through it) because he had a few friends who needed to relay mail through it--instead of simply using a method of relay authentication. Current software can be configured to allow relaying on the basis of a username/password or X.509 certificate, as well as the less flexible method of allowing relaying by IP address or domain name of the sending host. Another option is "POP-before-SMTP" authentication, requiring that the sender check their mail using the POP3 protocol prior to relaying mail, when coming from a new/non-standard location. Any of these mechanisms were available to Gilmore. > A simple rule for anti-spam measures that preserves non-spammers' > freedom to communicate is: No anti-spam measure should ever block a > non-spam message. But there isn't a single anti-spam organization In other words, if you can't block spam with 100% perfection, don't block anything at all. Sorry, that's not how I want to run my own mail servers, and I "refuse to be coerced." > that actually follows this rule. Instead they block non-spam messages > (such as every message from an "open relay"), as a coercion tactic, to > "encourage" those sites to change their policies. I refuse to be > coerced, and you should refuse too. [...] > EFF ran "SpamAssassin" on its internal mail for a while; but it marked > an entire issue of our Effector newsletter as "spam", due to bogus > rules like "Too many capital letters" and "Discussions of how to > unsubscribe". It also marked or deleted important messages sent by > individuals to our lawyers. Most EFF staff got rid of it. Instead of reconfiguring? SpamAssassin is a scoring-based mechanism where the effect of the different rules and the threshold for identifying a piece of email as spam is configurable. It also only marks messages--whether you choose to sideline those messages to a separate folder for later review, have them automatically deleted, or have them all go to the same mailbox, just with the spam messages marked, is up to you. > Skipping spam is quick. Figuring out that someone's communication to I guess I get more spam than Mr. Gilmore. I find SpamAssassin and the use of other spam filtering and rejection techniques to be great time savers. [...] -- Jim Lippard lippardat_private http://www.discord.org/ GPG Key ID: 0xF8D42CFE --- From: "Suresh Ramasubramanian" <sureshat_private> To: <declanat_private>, <politechat_private> Cc: <gnuat_private> References: <5.1.1.6.0.20020909002736.019d4a10at_private> Subject: Re: John Gilmore on Earthlink, anti-spam rules, and censorship Date: Mon, 9 Sep 2002 16:06:56 +0800 Organization: Outblaze Limited - http://www.outblaze.com declanat_private (Declan McCullagh) [Monday, September 09, 2002 1:23 PM]: [ok, since John Gilmore was kind enough to ask the readers of Politech not to believe in me ... here's a little more] :( > A simple rule for anti-spam measures that preserves non-spammers' > freedom to communicate is: No anti-spam measure should ever block a > non-spam message. But there isn't a single anti-spam organization > that actually follows this rule. Instead they block non-spam messages A simple corollary to that rule should be that NO anti-spam measure should leave a single spam unblocked. Can't really have the cake and eat it too. > The policies of some of these organizations have gotten increasingly > bizzare. My DNS registrar was blacklisted because they let anyone > register a domain. Yes, it's true. Anyone who pays them the small Cite please? Which registrar, which DNSBL, and was that registrar providing other services (such as DNS, MX, URL forwarding and such) as well to whatever domain got registered that some unnamed blocklist apparently had a problem with? > anti-spammers. Instead, they wanted the registrar to somehow ensure > that no spam message ever referenced any domain registered by that > registrar -- or immediately cancel the domain if a spam message ever > did. "Do that or we'll blacklist you." Raving idiocy. Please do understand that there are more than enough raving idiots on both sides of the "spam" line - both spammers and anti-spammers. In fact, I'd go as far as to say that certain members of Homo Sapiens are raving idiots. How does that extend to "all antispammers are raving idiots", or "all human beings are raving idiots" for that matter? > Don't believe reports, such as the one Declan reposted from Suresh > Ramasubramanian, that "most ISPs around the world block [mail from] > open relays". When toad.com was on the net, mail from it would get > through to almost everywhere, despite being blacklisted by most of the Most ISPs? Almost Everywhere? Such broad and sweeping generalizations :( Well ok - I've been guilty of a generalization myself, using the word "most". Here's a reworded version, which I hope Mr.Gilmore won't mind - Several ISPs (including some very large ones) do use blocklists (either third party or internal) to filter mail from open relays. Especially open relays through which they have received spam. I do remember at least several spam runs being relayed through a toad.com machine - and at least one virus which was set to relay all its payload through what is probably the most famous open relay in the world. > zealot blacklists. The blacklists are not very pervasive, because > they block so much legitimate mail that customers won't put up with > them. Unfortunately, most email users won't put up with getting spammed either :( > EFF ran "SpamAssassin" on its internal mail for a while; but it marked > an entire issue of our Effector newsletter as "spam", due to bogus Er, perhaps that's because spamassasin was misconfigured with slightly bogus rulesets, and then set to a hair trigger sensitivity - and without whitelisting trusted lists either? Content filtering is far more surgical than blocklists - unfortunately, it doesn't scale all too well for extremely large systems. Yes, the internet treats blocking as censorship and routes around it. However - * There's more noise than signal out there on the 'net these days, to the point where at least one account I have is practically unuseable because of spam / virii. * The internet is no longer the friendly and courteous place it was in the mid '80s, where leaving open relays available to the world was the right thing to do. Today, all that will happen is that someone will abuse all the trust you show by leaving your relay open, and pump several megs worth of spam through it - enough to DoS a server, in some cases - and cost serious amounts of money in other cases (where bandwidth is far costlier than it is in the states). * Yes, the Internet interprets blocking as censorship and routes around it. I can't agree more. Yes, lots of people in various countries are using proxies to access search engines like google. Excellent. Unfortunately, all that blocking that goes on (at the user level, and the server level) just makes spammers try harder and harder to route around those blocks. :( When it comes to a tradeoff between letting spam clog the mailboxes of my users and blocking mail from open relays, I'll take the blocking mail option any day - but that's just me I suppose. -srs (speaking only for myself) ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ ------------------------------------------------------------------------- Like Politech? Make a donation here: http://www.politechbot.com/donate/ Recent CNET News.com articles: http://news.search.com/search?q=declan CNET Radio 9:40 am ET weekdays: http://cnet.com/broadband/0-7227152.html -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 03:24:19 PDT