FC: Politech members reply to John Gilmore on spam and censorship

From: Declan McCullagh (declanat_private)
Date: Mon Sep 09 2002 - 21:54:27 PDT

  • Next message: Declan McCullagh: "FC: More on China's redirecting of Google to third-party sites"

    [Bill, Jim and William are longtime Net-denizens. Previous Politech 
    message: http://www.politechbot.com/p-03967.html --Declan]
    
    ---
    
    Date: Mon, 09 Sep 2002 11:35:19 -0700
    To: declanat_private, openrelayat_private, gnuat_private
    From: Bill Stewart <bill.stewartat_private>
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and
       censorship
    Cc: politechat_private
    
    I still use my old Netcom account for dialup access,
    even though they've since been eaten by Mindspring and Earthlink.
    The first time I was affected by open relay blockers,
    it was because Netcom had open relays and was on one of the blocklists,
    so any email that came from smtp.ix.netcom.com was rejected
    by people who used that list, though I don't think it actually
    relayed for non-customers.   There was an easy workaround -
    I set Eudora to use an open relay at Netcom that wasn't blocklisted :-)
    Eventually they closed their open relays and got off the list.
    
    There are two different ways to block relay traffic -
    standard internet style, which is to give an error message
    (which the sender of legitimate email can read and use to
    fix or at least identify the problem),
    and silently dropping mail from sites with relays,
    which is obnoxious to legitimate mail senders
    (spammers don't really care) and makes the internet
    less robust and more fragile, both technically and culturally.
    And of course, if you block all email from a site you think has relays,
    you're also blocking email from the system administrator there
    who may be trying to resolve the problem.
    
    Open relays were a positive community service back in the old days,
    when the net wasn't as well connected and when there was a
    wide diversity of email protocols in use - UUCP, Bitnet, Fidonet,
    and others, before the near-total dominance of SMTP over TCP/IP.
    
    They're still useful today for people who move around -
    my laptop spends some time at work, connected to the company LAN,
    some time at home, dialed into one of the several ISPs I use,
    and some time at home, using a VPN to connect to work.
    If I'm at a hotel, I'll usually use my work dialup account.
    Back when relays were still available, I could set my web browser
    to point to my company's mail server, which had the same name
    both inside and outside the firewall, so my email could always get out
    These days, if I want to click on a mailto: link on a web page,
    I have to reconfigure Netscape depending on which network I'm on,
    or else not bother - leave it set for one network, and cut&paste to
    my regular email client if I'm on the other.  Similarly,
    if I want to send mail from my home identity at the office,
    I have to reconfigure.   That would be annoying enough,
    but Earthlink also blocks outgoing email that doesn't go through
    their email relay servers, so if I use their dialup,
    I need to configure for their relay, and if I use my work dialup,
    I need to configure for a relay that's not Earthlink,
    because Earthlink's mail relay blocks traffic from outsiders.
    
    Unfortunately, relays today are primarily a target for abuse by spammers,
    who crank millions of messages through any one they find,
    which lets them increase their outgoing message rate
    without actually buying their own bandwidth, and makes it
    easier to avoid being caught and shut down,
    and for a while the efforts of the open relay blocking list folks
    helped reduce the amount of spam by getting ISPs to close them.
    I get so much spam these days it's hard to tell if the
    anti-relay policies are helping, but at least my mail filters know
    that anything sent from a Korean elementary school is spam,
    and the US ISP anti-relay policies make the Korean broadband network
    a popular target for abusers.
    
                     Bill Stewart
    
    ---
    
    Date: Mon, 9 Sep 2002 11:07:20 -0700
    To: John Gilmore <gnuat_private>
    From: Jim Warren <jwarrenat_private>
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    Cc: declanat_private
    
    Hey John --
    
    Great to see your msg, reposted by Declan.  (Thanks Declan!)
    
    
    >Skipping spam is quick.
    
    I've always had the same view of spam as you -- a minor irritant. Quick to 
    delete-at-a-glance in Eudora's in-box (usually takes well under a 
    minute).  And I hold this view, even though, like you, I've been very 
    public on the net for decades, and am thus on *lots* of spam-lists.
    
    Also better than the junk snailmail that we contribute daily to our 
    ever-shrinking landfill (electrons are fully recycled).
    
    I have limited sympathy with the never-bother-me-ever-in-any-way crowd.
    
    The anti-spam forces are of special concern, in that they are just as eager 
    to let someone else's always-imperfect computer auto-censor unsolicited 
    NONcommercial email -- notably community messages, political perspectives, 
    etc.  These are, after all, the *reason* behind the First Amendment's 
    [supposedly] absolute protections of [voiceless] speech, [paperless] press 
    and [bodyless] assembly.
    
    You wanna vote in elections and thus impact MY life with YOUR government 
    choices?!  Then I wanna be free to present my views to you, for you to 
    consider or discard as you choose!  This is perhaps THE most crucial aspect 
    of any society that seeks to be free.
    
    (However, unlike the corporate-directed Supreme Court, I *do* differentiate 
    between loot-hustling "commercial spam", versus noncommercial political or 
    community "spam", but that's a different issue.)
    
    But!
    (1) *my* spam DOES arrive via a pseudo-broadband IDSL (ISDN-based) "high 
    speed" link.  Thus, it takes only a minute or two each morning (plus the 
    constant trickle all day).
    (2) I arrange to have other things to do while the overnight spam megadose 
    arrives, along with an occasional "real" message.
    (3) I DO use an efficient mail-reader (Eudora Pro) that makes it easy for 
    me to perform my own censorship-at-a-glance, thank you very much.
    
    
    But what about those folks who -- unlike you 'n' me ('n' Declan, et al) -- 
    do NOT have broadband connections?  What about that *large* majority who 
    still suffer the consequences of (low-cost) dial-up?
    
    Even moreso, what about those outside the short range of the phone cartel's 
    urban central offices ... farther away, where their voice-grade phone lines 
    are so flakey they are gleeful when they occasionally squeeze 28.8 Kbs out 
    of 'em?  (This happens with my neighbors in "Silicon Heights" -- the 
    pseudo-rural skyline and coastside of the San Francisco Peninsula that's 
    only a half-hour's commute from SillyCon Valley, but still back in the 
    1950's as far as phone quality is concerned.)
    
    For them, downloading the daily spam-glut can take 10-15 minutes ... 
    sometimes worse.
    
    [Yeah, I know the libertarian solution -- money.  But many don't have much 
    of it.  And for more'n a decade, the phone monopoly has remained blithely 
    unresponsive to the *many* "inconvenient" non-urban dwellers who ARE 
    willing to pay for higher-speed lines.  We want it; they won't provide 
    it!  It's ISDN 144 Kbs ordialup -- and there are only a limited number of 
    ISDN lines!  Land-based wireless doesn't work either -- due to the lack of 
    line-o-sight and waving forest limbs. {I've long advocated that we create 
    our own short-hop wireless web, but that's costly, plus being crash-prone 
    for many ungeeks.}  And the few satellite-link wireless pipes are fast 
    mostly because they're little-utilized.]
    
    What about the folks who actually have lives *beyond* <gasp!> the net -- 
    who do NOT really want to spend so much of their waking hours and 
    phone-connect time waiting to see any morsels of LEGIT email?
    
    What about the self-abusers who voluntarily use Outlack <sic> Exprass <sic> 
    or similar "free" email browsers -- that may automatically download all the 
    @#$%^& idiotic image-files that accompany more'n'more spam (sort of glut's 
    glut)?  (Yeah, I tell 'em to switch to Eudora, too.  But "free" Eudora 
    comes with its own endless splatter of pop-up ads, and $45+ for 
    full-function, ad-free Eudora is real money to some folks -- although less 
    than the cost of most post boxes.)
    
    I pose these not in support of outsider's spam censorship -- but only to 
    recognize problems that DO exist.
    
    
    >Figuring out that someone's communication to
    >you is being censored, and recovering from that, is hard.
    
    This is perhaps THE biggest argument against automated censorship (of spam, 
    or anything else!).
    
    I *might* favor a truly accurate spam-whacker.  But NONE of 'em are. What's 
    worse, the victims ("customers") afflicted with such automated censorship 
    don't even know about the legit messages that they're missing.  A 
    completely unacceptable, BAD situation!
    
    
    >Luckily, most telephones aren't carried through the censored Internet, so at
    >least when you don't reply to someone's email, they can phone you to
    >ask you what's up.
    
    Ahhh, but that's only because of the nasty ol' must-serve, can't-censor 
    government regulations that the PUC, FCC and ICC force on the poor, 
    struggling phone cartel.  The Baby Bells aren't *allowed* to control 
    voice-call content.  And except for physical limits, they're not *allowed* 
    to decide to-whom they will and will not provide service.  Universal 
    service -- one of the many "awful" consequences of anti-libertarian govt 
    regulations.  <grin>
    
    However, some of the Bells -- that own and control essentially ALL of the 
    connectivity -- ARE proposing to control which ISP their broadband Internet 
    customers *must* use, and which ads their net customers *must* 
    accept.  Sort of the opposite of spam-blocking!
    
    --jim
    
    ---
    
    Date: Mon, 09 Sep 2002 10:26:05 -0400
    From: William Allen Simpson <wsimpsonat_private>
    To: declanat_private
    CC: politechat_private
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    
    As much as I respect John Gilmore, I have to disagree with his test:
    
     > From: John Gilmore <gnuat_private>
     > A simple rule for anti-spam measures that preserves non-spammers'
     > freedom to communicate is: No anti-spam measure should ever block a
     > non-spam message.  But there isn't a single anti-spam organization
     > that actually follows this rule.
    
    And for good reason.  That's censuring speech based on CONTENT.  All
    civil libertarians should shudder.
    
    It's also technically infeasible, particularly as folk disagree what
    is "spam", as opposed to "UCE", as opposed to just "junk".
    
    Technical solutions for technical problems.
    
    Speaking as a small network operator and long time Internet security
    advocate, there is a good reason for using a technical measure.  We all
    agree that non-standards compliant servers threaten the security of the
    network. We all agree that most of the messages that our customers
    complain about come from those non-standards compliant machines.  We
    all agree that we are drowning in a flood of these unwanted messages.
    
    Yes, there are good messages that are also blocked.  Bruce Schneier's
    CrytoGram -- a well known security industry newsletter -- was blocked
    last month by a server that was misconfigured for a few days.  But the
    problem was not content based, it was technical.
    
    Furthermore, the open-relay lists help cut our costs.  We were spending
    roughly $16,000 of a budget of $60,000 to carry these messages, which
    then cost us even more for technical support to handle the customer
    complaints.  And in the end, money matters, especially to the small ISP.
    
    In a perfect world, there would be no relays at all -- the Internet was
    designed to be end-to-end (think peer to peer).
    
    Unfortunately, there's a badly designed computer operating system that
    won't operate without a relay, as an incentive to buy their servers.
    That OS is also responsible for the current scourge of KLEZ worms.
    
    Years ago, we designed Transport Layer Security for email.  If everybody
    turned that on, we'd have a better technical handle for containing the
    floods, and identifying the culprits.
    
    And we'd have better personal privacy, too!  With TLS, even the message
    To/From headers are encrypted (hop-by-hop rather than end-to-end). No
    more snooping, say goodbye to Carnivore.
    
    So, let's be technically proactive, and encourage civil liberty at the
    same time.  That's not "coercive", that's good sense.
    --
    William Allen Simpson
         Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
    
    ---
    
    From: "Charbeneau, Chuck" <CCharbeneauat_private>
    To: "'declanat_private'" <declanat_private>
    Subject: RE: John Gilmore on Earthlink, anti-spam rules, and censorship
    Date: Mon, 9 Sep 2002 08:31:59 -0400
    
     > From: Declan McCullagh [mailto:declanat_private]
     > Subject: FC: John Gilmore on Earthlink, anti-spam rules, and
     > censorship
     >
     > Also, here's an excellent essay on spam that John wrote back
     > in February (I even quoted from it in my weekly column that will
     > appear on News.com in a few hours):
     > http://www.politechbot.com/p-03204.html
    
    Just as a technology note on the issue, Paul Graham has an excellent article
    (August 2002) on using a Bayes algorithmic technique for filtering spam at
    the client (user based filtering).
    
    http://www.paulgraham.com/spam.html
    
    Using his excellent examples as a guide and Perl as my tool, I created
    filters that have proven to be 99.9x% accurate (where x depends on the
    corpus of bad email I use to prime the filter) with 0 false positives.
    
    Maybe with more examples such as this, we can start creating more
    intelligent tools for the identification and squashing of spam not just for
    the single client, but for the larger consumer as well, and hopefully
    increase the reliability of the (sometimes) self-professed black lists.  Or
    maybe we can remove the need altogether.
    
    Chuck Charbeneau
    Applications Engineer
    Lear Corporation
    
    ---
    
    Date: Mon, 9 Sep 2002 11:21:35 +0200 (MET DST)
    From: Paul Wouters <paulat_private>
    To: Declan McCullagh <declanat_private>, <gnuat_private>
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    
    
    Oops, ofcourse John's email address is gnuat_private, not johnat_private
    
    Paul
    
    Date: Mon, 9 Sep 2002 11:03:09 +0200 (MET DST)
    From: Paul Wouters <paulat_private>
    To: Declan McCullagh <declanat_private>
    cc: John Gilmore <johnat_private>, Hugh Daniel <hughat_private>
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    
    On Mon, 9 Sep 2002, Declan McCullagh wrote:
    
    (CC:ed to John's uncensored email address)
    
     > http://www.politechbot.com/p-03204.html
    
    I think John is leaving out a few important issues in his reasoning.
    (And as one of the people maintaining one of John's mailservers of his
      Freeswan Projct, we have had many heated discussions on this topic, so
      John won't be too suprised about my response here :)
    
    1) The cost of sending bulk email might have gone done to practically
        nothing, the cost of receiving mail has gone up dramaticly, as a
        result of both bulk email, virusses, and the combination of the two,
        the anti-virus "warnings" (aka free commercials).
        Not so much in bandwidth costs, those indeed have gone down so much
        as to not matter much. But especially a virus, and the resulting
        anti-virus mass of messages one receives, hits you as a denial of
        service. (though costs for receiving spam on mobiles/pda/sms etc is
        still expensive)
    
    2) It is not that ISP's just want to censor to have fun with the law or
        their mailservers. John is forgetting something that Jamie Zawinski,
        former Mozilla/Netscape developer realised with shock years ago,
        when he became, through Netscape's sale, an AOL employee. Jamie
        realised that AOL wasn't censoring for fun, for principles, moral,
        nor ethics. It was censoring for PROFIT.
        Regardless of how John, me, Jamie and most people on Politechbot might
        feel, the large majority just wants a clean email feed. They are
        willing to pay extra for it. If other ISP's want to compete, they also
        "need" to offer this censored version of email. If they don't, they will
        lose customers to those ISP's that do offer that service. In the end,
        every ISP will be censoring email. We will have to wait for the market
        to change, and let captalism do its job.
    
    I believe John is partially right about filtering. It should be done by
    the user, and not its representative (wether it be a government, telco, or
    parent). However, some pre-filtering can surely be done:
    
    1 Block virusses (and do NOT sent replies to viri that are known to fake
       the sender address, such as KLEZ, nor to any mail with a Precedent:bulk
       header, used for mailinglists).
    2 Block the above mentioned anti virus messages (Antivirus vendors are
       just too keen on sending you their commercial in the disguised form of
       a warning.
    3 Block dangerous (and mostly with propriety extensions) files.
    4 Block any mail that has been authoratively deemed false. Eg, some obscure
       site in Serbia claiming to be Yahoo. DNSSEC may help us here,
       once we get it (finally!) deployed.
    
    The first one is an illegal message anyway, and I see it as the postal
    service recognising a packaged bomb, and refusing to deliver it. The third
    kind is like refusing to deliver a package with sharp items on the outside,
    which might hurt the mailman or receiver.
    
    For some spam statistics, see http://www.xtdnet.nl/paul/spam/
    
    Paul Wouters
    (Co-Founder of a Dutch ISP, and volunteer on John's Freeswan Project)
    
    ---
    
    From: "G. Waleed Kavalec" <gregat_private>
    To: <declanat_private>
    Subject: Gilmore, et al
    Date: Mon, 9 Sep 2002 13:06:03 -0500
    
    Declan
    
    By now you probably have numerous replies to Gilmore.
    
    Allow me to summarize.
    
    Gilmore has been quoted as saying
    
          "The internet interprets censorship as damage and routes around it".
    
    
    Well he now encountered the flip side of this same paradigm.
    
    Spam is an infection, and the internet is generating antibodies.
    
    
    
    G. Waleed Kavalec
    
    ---
    
    Date: Mon, 9 Sep 2002 12:21:05 -0400 (EDT)
    From: John Mozena <mozat_private>
    To: Declan McCullagh <declanat_private>
    Cc: gnuat_private
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    
    On Mon, 9 Sep 2002, Declan McCullagh wrote:
    
     > Date: Sun, 08 Sep 2002 10:39:19 -0700
     > From: John Gilmore <gnuat_private>
    
     > A simple rule for anti-spam measures that preserves non-spammers'
     > freedom to communicate is: No anti-spam measure should ever block a
     > non-spam message.
    
    You have as much "freedom to communicate" as the server's owner
    wants to give you. If they don't like the way your server
    behaves, or the kind of traffic you're initiating, or even how
    you spell your name, they can block you. Their property, their
    rules. Unless we decide that ISPs are common carriers, you've got
    no right to use their networks beyond what rights you might
    negotiate in a contract.
    
     > Anti-spam is to Internet freedom as anti-terrorism is to
     > Constitutional rights. The most ridiculous justifications are
     > routinely accepted and believed. The lemmings all cheer when
     > somebody restricts our freedom to communicate "because of
     > spam".  Thanks, Annalee, for exposing Earthlink's fraud.
    
    This analogy is flawed. You're comparing the power of a
    government to the power of a private corporation. Corporations
    have no First Amendment responsibilities to uphold free speech,
    they merely have responsibilities to their customers and their
    shareholders to maximize the utility of their assets.
    Unfortunately, in today's day and age, ISPs are deciding that
    draconian filtering is a necessary tool to keep their networks
    functioning correctly and their customers happy. It's not pretty,
    it's not good and it's not a long-term solution, but it's the
    only thing they can do right now.
    
    Oh, and if you think that "skipping spam is quick," ask MSN
    Hotmail how quickly they can skip the 80 percent of the incoming
    e-mail to their subscribers that's spam these days. That's the
    nature of spam today, and that's why you get zealous --
    occasionally overzealous, to be honest -- network administrators
    with itchy filter fingers.
    
    -- 
    John C. Mozena - Fight spam, join CAUCE at www.cauce.org
    mozat_private - www.mozena.org
    
    "The legitimate powers of government extend to such acts only
    as they are injurious to others." -- Thomas Jefferson, 1782
    
    ---
    
    From: "Ben Serebin" <benat_private>
    To: <declanat_private>
    References: <5.1.1.6.0.20020909002736.019d4a10at_private>
    Subject: Re: John Gilmore on Earthlink, anti-spam rules, and censorship
    Date: Mon, 9 Sep 2002 11:09:35 -0400
    
    Hello Declan,
    
             This is one post you could have skipped. Actually, I tend to 
    always disagree with John G.
    
             Spam is a global epic we are currently facing and is only getting 
    significantly worse fast. I completed disagree with him, and think 
    blackhole lists are a great way to "encourage" greater participation of 
    closing open relays. Regulations are needed similar to the way the US 
    needed regulations to curb the anti-spam fax problem that was a problem 
    years back.
    
    -Ben
    
    ---
    
    Date: Mon, 9 Sep 2002 11:19:33 -0300 (BRT)
    From: Rik van Riel <rielat_private>
    X-X-Sender: rielat_private
    To: Declan McCullagh <declanat_private>
    cc: John Gilmore <gnuat_private>, <annaleeat_private>
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    In-Reply-To: <5.1.1.6.0.20020909002736.019d4a10at_private>
    
    On Mon, 9 Sep 2002, Declan McCullagh wrote:
    
     > A simple rule for anti-spam measures that preserves non-spammers'
     > freedom to communicate is: No anti-spam measure should ever block a
     > non-spam message.  But there isn't a single anti-spam organization
     > that actually follows this rule.
    
    If that were practical, surely somebody would have done it by now.
    Simply refusing email from easily abusable servers can be automated
    and has been very effective to reduce the flow of spam. Furthermore,
    it is easy enough for people to secure their setup so they will no
    longer be sponsoring the spammer's activities.
    
     > Instead they block non-spam messages (such as every message from an
     > "open relay"), as a coercion tactic, to "encourage" those sites to
     > change their policies.
    
    You have freedom of speech, I have the freedom to decide not to
    listen. If a site does not want to accept email from sites that
    are easily abused by spammers, it is their full right to not
    accept that email.
    
     > I refuse to be coerced, and you should refuse too.
    
    I refuse to be coerced by your statement ;)
    
    I have no problem with either of us having different opinions
    on what anti-spam organisations "should" or "should not" do.
    I think everybody has the right to decide for themselves to
    decide what to do, without you, I or anybody else telling us
    what to do.
    
    kind regards,
    
    Rik van Riel
    (PS. Declan, feel free to publish this on the politech list)
    -- 
    Bravely reimplemented by the knights who say "NIH".
    
    http://www.surriel.com/         http://distro.conectiva.com/
    
    Spamtraps of the month:  septemberat_private tracat_private
    
    ---
    
    Date: Mon, 9 Sep 2002 09:41:29 -0400 (EDT)
    From: Patti Spicer <pattiat_private>
    X-X-Sender: pattiat_private
    To: declanat_private
    
    I had a similar experience with AOL.  I own "cyphergirl.com".  My husband
    owns "spikesplace.org".  Both domain names point to the same website, and
    we each have our own "vanity" addresses.  All of this is hosted by a
    friend of ours who has an HPUX server.  I was trying to get together with
    my cousin (on AOL) to shop for her bridesmaid dresses, when my email
    suddenly started being returned.  For every email that I would send to
    anyone on AOL, I would get a message back that my email server had been
    blacklisted for spamming, and for more into to see
    http://postmaster.info.aol.com/ .  I used to work with this friend of ours
    as a UNIX Admin, so I telnet'd over to our server and checked things out.
    Our server was not an open relay.  We hadn't been hacked.  No one on the
    server was spamming... heck, it was a server for personal websites of
    people who work in the IT industry.
    
    Every email that I sent to AOL was rejected -- no matter what address I
    sent it to.  I couldn't even email postmaster@ or abuse@.  Our server was
    not an open relay, but I couldn't even contact anyone to find out what had
    happened.  Our friend spent over two hours on the phone with them, and
    they suddenly un-blacklisted us.  No explaination, no apology.  To this
    day, AOL still tries to relay email off of us.... constantly testing the
    server.  In reality, they should be blacklisting all of their own users
    for spamming or propogating the Klez virus.  Idiots. (The AOL admins, not
    the users. :)    )
    
    --patti
    
    ---
    
    From: "G. Waleed Kavalec" <gregat_private>
    To: <declanat_private>
    References: <5.1.1.6.0.20020909002736.019d4a10at_private>
    Subject: Re: John Gilmore on Earthlink, anti-spam rules, and censorship
    Date: Mon, 9 Sep 2002 08:23:49 -0500
    MIME-Version: 1.0
    Content-Type: text/plain;
    
    I would like to respond to the letter from John Gilmore.
    
     > (I now get my  email via uucp, because an anti-spam zealot
     > at Verio canceled my T1.)
    
    "Gilmore's home network includes what anti-spam crusaders call an "open
    relay" -- a mail server that accepts and forwards e-mail from anyone. For
    decades, the practice was considered central to good network citizenship.
    But in recent years, spammers have begun hijacking open relays to multiply,
    sometimes a thousand fold, the number of junk messages they can send at
    once."
    http://www.theregister.co.uk/content/8/17639.html
    
    
     > Whether you are on the list is unrelated to whether you
     > send spam.  I've never sent spam in my life,
     > but there I was on the list.
    
    Just because I loaned my gun to a bank robber why should the police
    confiscate it?
    I never robbed any banks, but they took my gun anyway.
    
    
     > A simple rule for anti-spam measures that preserves non-spammers'
     > freedom to communicate is: No anti-spam measure should ever block a
     > non-spam message.  But there isn't a single anti-spam organization
     > that actually follows this rule.
    
    You are free to communicate.  I am free not to listen.  Live with it.
    
    
     > The policies of some of these organizations have gotten increasingly
     > bizzare.  My DNS registrar was blacklisted because they let anyone
     > register a domain.  Yes, it's true.  Anyone who pays them the small
     > fee can register a domain, and it stays registered until they stop
     > paying.  It's a radical idea; you pay your money and you get the
     > service you're paying for.
    
    Absent Acceptable Use Policies and Terms of Services, such registrars are as
    spam-friendly as any open relay. If the spam-blocking ISP's choose not to
    listen to anything spewed from domains so registered they're probably saving
    their customers time and money.
    
     > When toad.com was on the net, mail from it would get
     > through to almost everywhere, despite being blacklisted by most of the
     > zealot blacklists.
    
    The lists, and their proper use, are maturing.  As are many of us.
    
    
    G. Waleed Kavalec
    
    ---
    
    Date: Mon, 9 Sep 2002 07:47:12 -0400 (EDT)
    From: "Matthew G. Saroff" <msaroffat_private>
    Reply-To: "Matthew G. Saroff" <msaroffat_private>
    To: Declan McCullagh <declanat_private>
    
             Mr. Gilmore is complaining because Earthlink blocks his email, and
    Verio, a company that whose business is selling T1 access, refuses to do
    business with him.
             I'm inclined to believe, based on this, that he has misconfigured
    his system (an open relay), and has been unable or unwilling to rectify
    the problem.
             The simple rule that "No anti-spam measure should ever block a
    non-spam message", reminds of the old HL Menkin adage, "For every complex
    problem, there is a solution that is simple, neat, and wrong."  The rule
    that he just described would allow more than 95% of all spam to get
    through.
             I've used a number of spam filters, and except for those that
    have uniquely identifiable domains related to spamming domains (very
    unlikely these days, as the spammers are aware of the filtering) all of
    them had a 2-3% false positive rate.
             Running an open server is allowing someone interested in theft of
    service to borrow your lock picks, and refusing email from open servers is
    banning co-conspirators from one's property.
             I do not own a domain or manage a server, but I was mailbombed by
    someone using an open relay recently.  The person running the relay, IT
    for a high school in Colorado, but was incompetent to such a level that he
    was unable to understand that his windows based mail server program
    configuration was separate from having an open relay.
             He finally shut down the server when I explained that I had
    received 250 emails while I was talking to him.
             Nowhere in his letter does Mr. Gilmore make the claim that he was
    misidentified, he merely claims that it is his (I assume dangerously [see
    previous paragraph] misconfigured) server has some sort of right to
    use other people's servers.
             The fact that he does not claim that he was placed on the list
    without good cause implies that his system was not configured to the
    minimal standards of (at least) Earthlink and Verio.
             He is trying to assert a property right, when he is actually
    asserting a trespass right.
    
    -- 
       Matthew Saroff
    
    ---
    
    Date: Mon, 9 Sep 2002 03:31:15 -0700
    From: "James J. Lippard" <lippardat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: John Gilmore on Earthlink, anti-spam rules, and censorship
    
     > Date: Sun, 08 Sep 2002 10:39:19 -0700
     > From: John Gilmore <gnuat_private>
     > To: annaleeat_private, politechat_private, gnuat_private
     > Subject: Re: Earthlink's anti-spam censorship
     >
     > Earthlink has been blocking all mail from "toad.com" for years --
     > despite toad not even being on the Internet any more.  (I now get my
     > email via uucp, because an anti-spam zealot at Verio canceled my T1.)
     >
     > Earthlink has a little "enemies list".  Whether you are on the list is
     > unrelated to whether you send spam.  I've never sent spam in my life,
     > but there I was on the list.  I had about a dozen friends using
    
    toad.com was an open mail relay that was used by third parties to send spam.
    Gilmore refused to close the relay, despite knowing that his server was being
    so abused.
    
    See
    http://groups.google.com/groups?q=toad.com+spam&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=85a9db%24a2f%241%40panix6.panix.com&rnum=2
    for an example of spam relayed through his server, and
    http://www.theregister.co.uk/content/6/17639.html for an article on
    this issue by Kevin Poulsen that gives a good summary of the arguments
    from Gilmore and anti-spammers.  I'll note that Gilmore's argument in
    this article that ISPs are common carriers is factually incorrect (you can't
    risk losing what you never had in the first place), and
    he seems to take the position that ISPs do not have the right to set
    policies for the networks they own.  (Most ISPs have AUPs that explicitly
    prohibit open mail relays.)
    
    Gilmore insisted that he needed to maintain an open mail relay
    (anybody can relay mail through it) because he had a few friends who
    needed to relay mail through it--instead of simply using a method of
    relay authentication.  Current software can be configured to allow
    relaying on the basis of a username/password or X.509 certificate, as
    well as the less flexible method of allowing relaying by IP address or
    domain name of the sending host.  Another option is "POP-before-SMTP"
    authentication, requiring that the sender check their mail using the
    POP3 protocol prior to relaying mail, when coming from a
    new/non-standard location.  Any of these mechanisms were available to
    Gilmore.
    
     > A simple rule for anti-spam measures that preserves non-spammers'
     > freedom to communicate is: No anti-spam measure should ever block a
     > non-spam message.  But there isn't a single anti-spam organization
    
    In other words, if you can't block spam with 100% perfection, don't
    block anything at all.  Sorry, that's not how I want to run my own
    mail servers, and I "refuse to be coerced."
    
     > that actually follows this rule.  Instead they block non-spam messages
     > (such as every message from an "open relay"), as a coercion tactic, to
     > "encourage" those sites to change their policies.  I refuse to be
     > coerced, and you should refuse too.
    
    [...]
    
     > EFF ran "SpamAssassin" on its internal mail for a while; but it marked
     > an entire issue of our Effector newsletter as "spam", due to bogus
     > rules like "Too many capital letters" and "Discussions of how to
     > unsubscribe".  It also marked or deleted important messages sent by
     > individuals to our lawyers.  Most EFF staff got rid of it.
    
    Instead of reconfiguring?  SpamAssassin is a scoring-based mechanism
    where the effect of the different rules and the threshold for
    identifying a piece of email as spam is configurable.  It also only
    marks messages--whether you choose to sideline those messages to a
    separate folder for later review, have them automatically deleted, or
    have them all go to the same mailbox, just with the spam messages
    marked, is up to you.
    
     > Skipping spam is quick.  Figuring out that someone's communication to
    
    I guess I get more spam than Mr. Gilmore.  I find SpamAssassin and the
    use of other spam filtering and rejection techniques to be great time
    savers.
    
    [...]
    
    -- 
    Jim Lippard        lippardat_private       http://www.discord.org/
    GPG Key ID: 0xF8D42CFE
    
    
    ---
    
    From: "Suresh Ramasubramanian" <sureshat_private>
    To: <declanat_private>, <politechat_private>
    Cc: <gnuat_private>
    References: <5.1.1.6.0.20020909002736.019d4a10at_private>
    Subject: Re: John Gilmore on Earthlink, anti-spam rules, and censorship
    Date: Mon, 9 Sep 2002 16:06:56 +0800
    Organization: Outblaze Limited - http://www.outblaze.com
    
    declanat_private (Declan McCullagh) [Monday, September 09, 2002 1:23 PM]:
    
    [ok, since John Gilmore was kind enough to ask the readers of Politech not
    to believe in me ... here's a little more] :(
    
     > A simple rule for anti-spam measures that preserves non-spammers'
     > freedom to communicate is: No anti-spam measure should ever block a
     > non-spam message.  But there isn't a single anti-spam organization
     > that actually follows this rule.  Instead they block non-spam messages
    
    A simple corollary to that rule should be that NO anti-spam measure should
    leave a single spam unblocked.  Can't really have the cake and eat it too.
    
     > The policies of some of these organizations have gotten increasingly
     > bizzare.  My DNS registrar was blacklisted because they let anyone
     > register a domain.  Yes, it's true.  Anyone who pays them the small
    
    Cite please?  Which registrar, which DNSBL, and was that registrar providing
    other services (such as DNS, MX, URL forwarding and such) as well to
    whatever domain got registered that some unnamed blocklist apparently had a
    problem with?
    
     > anti-spammers.  Instead, they wanted the registrar to somehow ensure
     > that no spam message ever referenced any domain registered by that
     > registrar -- or immediately cancel the domain if a spam message ever
     > did.  "Do that or we'll blacklist you."  Raving idiocy.
    
    Please do understand that there are more than enough raving idiots on both
    sides of the "spam" line - both spammers and anti-spammers.  In fact, I'd go
    as far as to say that certain members of Homo Sapiens are raving idiots.
    How does that extend to "all antispammers are raving idiots", or "all human
    beings are raving idiots" for that matter?
    
     > Don't believe reports, such as the one Declan reposted from Suresh
     > Ramasubramanian, that "most ISPs around the world block [mail from]
     > open relays".  When toad.com was on the net, mail from it would get
     > through to almost everywhere, despite being blacklisted by most of the
    
    Most ISPs?  Almost Everywhere?  Such broad and sweeping generalizations :(
    
    Well ok - I've been guilty of a generalization myself, using the word
    "most".  Here's a reworded version, which I hope Mr.Gilmore won't mind -
    
    Several ISPs (including some very large ones) do use blocklists (either
    third party or internal) to filter mail from open relays.  Especially open
    relays through which they have received spam.
    
    I do remember at least several spam runs being relayed through a toad.com
    machine - and at least one virus which was set to relay all its payload
    through what is probably the most famous open relay in the world.
    
     > zealot blacklists.  The blacklists are not very pervasive, because
     > they block so much legitimate mail that customers won't put up with
     > them.
    
    Unfortunately, most email users won't put up with getting spammed either :(
    
     > EFF ran "SpamAssassin" on its internal mail for a while; but it marked
     > an entire issue of our Effector newsletter as "spam", due to bogus
    
    Er, perhaps that's because spamassasin was misconfigured with slightly bogus
    rulesets, and then set to a hair trigger sensitivity - and without
    whitelisting trusted lists either?
    
    Content filtering is far more surgical than blocklists - unfortunately, it
    doesn't scale all too well for extremely large systems.
    
    Yes, the internet treats blocking as censorship and routes around it.
    
    However -
    
    * There's more noise than signal out there on the 'net these days, to the
    point where at least one account I have is practically unuseable because of
    spam / virii.
    
    * The internet is no longer the friendly and courteous place it was in the
    mid '80s, where leaving open relays available to the world was the right
    thing to do.  Today, all that will happen is that someone will abuse all the
    trust you show by leaving your relay open, and pump several megs worth of
    spam through it - enough to DoS a server, in some cases - and cost serious
    amounts of money in other cases (where bandwidth is far costlier than it is
    in the states).
    
    * Yes, the Internet interprets blocking as censorship and routes around it.
    I can't agree more.  Yes, lots of people in various countries are using
    proxies to access search engines like google.  Excellent.  Unfortunately,
    all that blocking that goes on (at the user level, and the server level)
    just makes spammers try harder and harder to route around those blocks. :(
    
    When it comes to a tradeoff between letting spam clog the mailboxes of my
    users and blocking mail from open relays, I'll take the blocking mail option
    any day - but that's just me I suppose.
    
         -srs (speaking only for myself)
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan
    CNET Radio 9:40 am ET weekdays: http://cnet.com/broadband/0-7227152.html
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 03:24:19 PDT