[Politech] Debate over DearAOL.com between Suresh Ramasubramanian and Danny O'Brien [sp]

From: Declan McCullagh (declan@private)
Date: Sat Apr 15 2006 - 08:03:33 PDT


Suresh is postmaster for Outblaze.com, which manages email for tens of 
millions of Internet users.

Danny is EFF's activist coordinator and is involved in setting up the 
DearAOL.com project.

I think I captured the entirety of their exchange. Probably best to read 
it from the top down.

Previous Politech messages:
http://www.politechbot.com/2006/04/15/details-on-how/
http://www.politechbot.com/2006/04/13/why-was-moveonorg/
http://www.politechbot.com/2006/04/15/john-gilmore-on/

-Declan


-------- Original Message --------
Subject: Re: [IP] Why was Moveon.org blocked by AOL? Did recipients want 
      the email messages? [sp]
Date: Fri, 14 Apr 2006 16:39:34 +0530 (IST)
From: Suresh Ramasubramanian <suresh@private>
To: dave@private, suresh@private
CC: danny@private, declan@private
References: <20060414082600.GA16537@private> 
<BE049889-B2CB-43EF-885A-6E55AB794C5B@private>

On Fri, April 14, 2006 15:26, David Farber wrote:
 >
 > From: "Danny O'Brien" <danny@private>
 > I think I can answer these questions.
 >
 > No-one receives any mail from any dearaol.com address. I run a
 > Mailman list

The dearaol.com URL is / was being blocked by AOL as it turns out.

My reference was to the "send this message to a friend" function on the
dearaol.com site, and which, like all send to a friend functions, is prone
to misuse.  Try this experiment. Go to the dearaol.com site, and "sign the
dearaol.com petition as an individual", giving information there like
"my@private" (which by the way is a spamtrap on the domain email.com,
which does exist).  You are then presented with a page that asks you to
enter the email addresses of a bunch of your friends, to whom you can pass
on the message about dearaol.com.  No way is that ever going to be
confirmed optin or anything at all like it.

Plus several even worse managed newsletters that'd refer to this campaign.
  Whatever the source, you'd find a whole lot of email getting reported as
spam, that has the dearaol.com URL in it.

 > (And I should point out to Suresh that if he believes lists that aren't
 > confirmed double opt-in are spam, he's going to have serious problems 
with

No, Danny - I dont believe that they are spam. But I *know* (forget
"believe") that they have a greater than normal chance of getting a high
number of bad addresses into them - though in practice, for most lists,
that's not a very big problem.  However, combine that with a "Tell all
your friends about this" pages on campaign sites and you get something
that's far better at generating irritating chain mail than it is 0at
spreading memes.

 > Somehow - and this is what AOL's tech support folk told me when I
 > called them this morning - they identified www.dearaol.com as a 
"morpher".
 > This is a site that redirects user clicks to many different sites.
 > It's true: www.dearaol.com has round-robin DNS.  I plead guilty to
 > load-balancing of the most heinous kind.

Ah.  Multiple IP addresses mapped to a single A record - that's round
robin DNS.  The 1 minute TTL (time to live) part of that A record is what
makes it hard for a filter that's exclusively machine based to distinguish
it from a site that's hosted on "botnet" virus infected PCs and sets
multiple hosts with short TTLs just so that the spam site can skip from
one virus infected PC to another at a moment's notice.

What you get with those virus hosted sites is somethign that looks very
similar only they're mapped to compromised hosts of one type or the other.

example.com.  1M  IN A infected.pc.on.broadband
example.com.  1M  IN A cracked.linux.1u.pizzabox

[tech wise - You really need 1 minute instead of (say) 1 hour TTLs,
though?  Because that's not a very foolproof way of load balancing due to
the way say bind works ... you'd be advised to use something like a L2
load balancing switch, or perhaps http://w.ods.org/haproxy/ ..]

And when you analyze email that gets reported as spam, for URLs that have
such attributes, you are likely to pick up dearaol.com along with 300 or
400 randomly created spammer domains every day.  So, anybody doing that
sort of thing probably has a review process, and removes false positives
as and when they crop up (false positives defined as catching legit sites
that get reported in spam, as opposed to what you really want to catch,
zombie hosted spammer domains)

 > AOL appears to have taken this as a sure-fire indication of a
 > spamming site, and instantly banned *every email that mentions this URL*
 > from entering the AOL system.

Well, I understand the way their thought processes works .. and I've seen
hundreds of sites matching that pattern crop up every day, AND is a URL
that shows up in email that gets reported as spam by your users, along
with thousands of such spam reports a day.

 > working days. EFF has received reports of these kind of URL bans before.
 > Bennett Hasselton, of the free speech group PeaceFire, has documented
 > many innocent groups who find all mails discussing their URLs removed 
from
 > AOLspace.

One way to go - plug that URL (or at least the parent URL in cases like a
free webhosting domain) into http://groups.google.com along with the word
"spam". See what you get.  Its not unknown that a free webhosting site can
have a problem with spammers signing up thousands of accounts on their
site, and then setting up all those accounts to redirect to the
"mothership" spam site - typically child porn or warez, in previous cases
I've seeen, so does generate a higher than usual volume of complaints.

When that happens, its quite feasible that a provider may elect to block
all email containing the spammed free webhost (as faster than individually
blocking hundreds of spammer created free account URLs on that host, and
as a motivator for that host to clean up its act, fast).

At least, that explains the example Bennet gave me when he emailed me in
response to my politech post.

 > or put out a press release, www.dearaol.com would still be banned from 20
 > million user's private communications, and would remain so until I made
 > that call.

AOL has something rather more than just 20 million mailboxes.

 > I'm more disturbed that Suresh had a similiar block, which he finally
 > deigned to remove because he believed us to have "legitimate" popularity.

dearaol.com turned up in email that was reported as spam.

Our filters picked it up

We have a manual review process that regularly reviews domains that are
snagged by our filters - at least once a day.  And any domains that stand
out as false positives get weeded out of our filters .. (again, that means
something that's not an obvious "bad spam" site .. anything that has the
potential to appear in "ham" / non spam email - say an astroturf activism
site - does get exempted, and fast).

We return a clear spamblock.outblaze.com URL that's tagged / unique for
every error, to make it easier for the sender, and for us, to find out
what's blocked, and for any false positives to be addressed faster. And
the postmaster staff - my team - replies ASAP, within a few hours or at
least within a day, to such emails.

 > Suresh's
 > company manages filters for over 40 million users. I'm happy that Suresh
 > likes me enough personally to let me escape his blacklists, but when

"Not that I disliked dearaol.com's methods less, but that I disliked spam
more", to paraphrase Brutus' eulogy of Julius Caesar.  [I always preferred
that to Mark Antony's rabble rousing speech that followed it .. ]

We try hard not to apply filters that block valid emails.  And we actively
remove any false positives, both where we notice them, and where they're
brought to our attention.

Oh, and I must again stress that we do appreciate reports of false
positives - preferably direct to our postmaster staff instead of third
hand from reporters fed a frantic story about censorship.

--srs




----- Original Message -----
From: "Danny O'Brien"
To: "Suresh Ramasubramanian"
Subject: Re: [IP] Why was Moveon.org blocked by AOL? Did recipients want 
the email messages? [sp]
Date: Fri, 14 Apr 2006 12:47:08 -0700


On Fri, Apr 14, 2006 at 04:39:34PM +0530, Suresh Ramasubramanian wrote:
> On Fri, April 14, 2006 15:26, David Farber wrote:
> >
> > From: "Danny O'Brien" 
> > I think I can answer these questions.
> >
> > No-one receives any mail from any dearaol.com address. I run a
> > Mailman list
On 4/14/06, Suresh Ramasubramanian  wrote:
> On Fri, April 14, 2006 15:26, David Farber wrote:
> >
> > From: "Danny O'Brien" 
> > I think I can answer these questions.
> >
> > No-one receives any mail from any dearaol.com address. I run a
> > Mailman list

[genuinely fascinating insights into filtering - thanks, Suresh]
>
> We return a clear spamblock.outblaze.com URL that's tagged / unique for
> every error, to make it easier for the sender, and for us, to find out
> what's blocked, and for any false positives to be addressed faster. And
> the postmaster staff - my team - replies ASAP, within a few hours or at
> least within a day, to such emails.

This is a classic example of why senders and receivers need to work together
on these issues, and why I worry that the revenue share aspect of AOL's deal
places them as contractual adversaries. One of the greatest collateral 
effects
of spam has been that bounces of any kind have been discredited (because of
joe-jobs and misdirected bounces), and mailing list software has 
traditionally
eaten such data without relaying it to mailmasters. I'm sure someone is
already considering this, and I'm always a little loathe to introduce new
ideas into an already intensely-debated feed, but perhaps a feedback tag in
DKIM would make everybody's life easier in providing these notifications --
especially on domain-level bans like this. Feedback loops seem to be 
something
that everyone would value.

> > Suresh's
> > company manages filters for over 40 million users. I'm happy that Suresh
> > likes me enough personally to let me escape his blacklists, but when
>
> "Not that I disliked dearaol.com's methods less, but that I disliked spam
> more", to paraphrase Brutus' eulogy of Julius Caesar.  [I always preferred
> that to Mark Antony's rabble rousing speech that followed it .. ]
>

I worry exactly who you're trying to assassinate here :)

d.
>
> --srs
>
>


-- suresh ramasubramanian suresh@private gpg # EDEDEFB9
manager, security & antispam operations, outblaze limited




-------- Original Message --------
Subject: Re: [IP] Why was Moveon.org blocked by AOL? Did recipients want 
the email messages? [sp]
Date: Sat, 15 Apr 2006 08:48:18 +0530
From: Suresh Ramasubramanian <suresh@private>
To: danny@private, "Suresh Ramasubramanian" <suresh@private>
CC: dave@private, suresh@private, declan@private

Hi

Just two points to add.  AOL pioneered the idea of feedback loops, and we
were probably the second ISP to put them into production on a large scale.

http://postmaster.info.aol.com/fbl/

We're (along with a bunch of other ISPs - aol, yahoo etc) working on ways
to make these feedback loops automated and machine parseable to some extent
by putting them into the standard ARF format (www.mipassoc.org/arf/). We
and AOL (as well as some other ISPs - roadrunner and earthlink, recently)
offer feedback loops that are ARFd, currently.

If you have block concerns a very good way to go would be to setup a
feedback loop, monitor complaint rates for yourself, and see if you cant
unsub complainers fast (or add them to a suppression list so that they cant
receive dearaol alerts, for example).  Spamtrap hits are of course a
special case that wouldnt really be covered by feedback loops and may lead
to blocks - but well, any practice at all that helps avoid mailing to
spamtraps is a good practice (and that translaes to switching everything to
confirmed optin, and putting some limits in place on the send to a friend
part of any sites you run .. oh, and some way to encourage responsible
publicity of ideas when someone else runs a mailing campaign referncing or
using any of your resources.

In any case - what happened at aol seems to have been a honest false
positive as opposed to any move to censor you

And as for email - why, that's the difference between filtering and (say)
assasination.  I or my guys here can turn on and off filters with a single
mouse click. That's a particularly significant power when its exercised
over a user base our size (and aol has more than triple the number of our
users).

So you typically dont find people who are stupid and power mad enough to 
think spam filtering is a mandate for them to block anything they want 
just because they dont like the content and want to censor it. There's 
an automatic tendency to be moderate and balanced, because we're finally 
answerable to our users. Several people from the EFF just dont seem to 
realize that, at least going by various eff deeplinks and press releases 
I've read in the past.

That is probably why you'll find several very dismissive emails and 
articles from me about EFF press releases that talk about spam. 
Describing everything you see in the spam filtering world as based on an 
inherent desire to censor is factually wrong.

regards
srs




-------- Original Message --------
Subject: Re: [IP] Why was Moveon.org blocked by AOL? Did recipients want 
the email messages? [sp]
Date: Fri, 14 Apr 2006 21:44:24 -0700
From: Danny O'Brien <danny@private>
Reply-To: danny@private
To: Suresh Ramasubramanian <suresh@private>
CC: Suresh Ramasubramanian <suresh@private>, dave@private, 
declan@private
References: <20060415031818.13757.qmail@private>

On Sat, Apr 15, 2006 at 08:48:18AM +0530, Suresh Ramasubramanian wrote:
 > Hi
 >
 > Just two points to add.  AOL pioneered the idea of feedback loops, and we
 > were probably the second ISP to put them into production on a large 
scale.
 >
 > http://postmaster.info.aol.com/fbl/
 >
 > We're (along with a bunch of other ISPs - aol, yahoo etc) working on ways
 > to make these feedback loops automated and machine parseable to some 
extent
 > by putting them into the standard ARF format (www.mipassoc.org/arf/). We
 > and AOL (as well as some other ISPs - roadrunner and earthlink, recently)
 > offer feedback loops that are ARFd, currently.
 >

I knew about ARF (and one of the first steps I performed when we saw the
bouncing was to sign up for an AOL feedback loop, something that we haven't
needed until now). The elaboration I was grappling for was providing a
feedback loop for domains, as opposed to IPs, to deal with URL blacklisting.
As I say, I bow to ongoing developments  in this area.

 > If you have block concerns a very good way to go would be to setup a
 > feedback loop, monitor complaint rates for yourself, and see if you cant
 > unsub complainers fast (or add them to a suppression list so that 
they cant
 > receive dearaol alerts, for example).  Spamtrap hits are of course a
 > special case that wouldnt really be covered by feedback loops and may 
lead
 > to blocks - but well, any practice at all that helps avoid mailing to
 > spamtraps is a good practice (and that translaes to switching 
everything to
 > confirmed optin, and putting some limits in place on the send to a friend
 > part of any sites you run .. oh, and some way to encourage responsible
 > publicity of ideas when someone else runs a mailing campaign 
referncing or
 > using any of your resources.
 >

And they say senders bear none of the burden of mail delivery...

 > In any case - what happened at aol seems to have been a honest false
 > positive as opposed to any move to censor you

I'm of the same opinion: but it's the collateral damage of false positives
that started this whole debate, and the worrying weight of who those false
positives fall upon that has caused us all this concern.

 >
 > And as for email - why, that's the difference between filtering and (say)
 > assasination.  I or my guys here can turn on and off filters with a 
single
 > mouse click. That's a particularly significant power when its exercised
 > over a user base our size (and aol has more than triple the number of our
 > users).
 >
 > So you typically dont find people who are stupid and power mad enough to
 > think spam filtering is a mandate for them to block anything they 
want just
 > because they dont like the content and want to censor it. There's an
 > automatic tendency to be moderate and balanced, because we're finally
 > answerable to our users. Several people from the EFF just dont seem to
 > realize that, at least going by various eff deeplinks and press releases
 > I've read in the past.
 >

I know your feeling Suresh, and I've tried my best to convey that that's not
the sentiment here. I think a lot of the problem arises from the fact that
everyone is trying to do a difficult job to the best of their ability. Our
role in this is to try and highlight unforeseen consequences, and most of
those revolve around pointing out issues that are well-known to people like
yourself, but less known elsewhere.

Most people are rather shocked by the idea that AOL or other ISPs could stop
discussion of a single URL with a click. You have good reasons for doing so,
but the fact remains that those with the power are often very poorly 
placed to
determine exactly how moderate they are being, or whether their choices are
wise for other groups. And, of course, the difference between you and 
Charles
and others willing to enter the debate, and others who aren't that 
interested
in these subtle ethical stances, is vast.

 > That is probably why you'll find several very dismissive emails and 
articles
 > from me about EFF press releases that talk about spam.  Describing
 > everything you see in the spam filtering world as based on an inherent
 > desire to censor is factually wrong.

No aspersion, but I don't think I've seen a censor yet that saw 
themselves as
that. It's all good intentions and unintended consequences.

This works both ways of course, which is why it's always good to speak with
you.

d.
 >





-------- Original Message --------
Subject: Re: [IP] Why was Moveon.org blocked by AOL? Did recipients want 
the email messages? [sp]
Date: Sat, 15 Apr 2006 10:48:53 +0530
From: Suresh Ramasubramanian <suresh@private>
To: danny@private, "Suresh Ramasubramanian" <suresh@private>
CC: Suresh Ramasubramanian <suresh@private>, dave@private, 
declan@private

 > The elaboration I was grappling for was providing a feedback loop
 > for domains, as opposed to IPs, to deal with URL blacklisting.

That's a long standing item on the to do list for this project.  Getting 
it stabilized and having it keyed off IPs - as is going on now - is just 
for starters.  But it takes time and spare cycles, and if you can 
contribute code and ideas, you'd be welcome.

 > And they say senders bear none of the burden of mail delivery...

Well, let's put it this way .. its high time senders started knowing 
what they're sending out, and to whom, and doing some due diligence on 
both.  Putting all the burden on receivers doesnt scale, makes their job 
lots more difficult.

Senders working together with receivers tends to produce far better results.

 > I'm of the same opinion: but it's the collateral damage of false 
positives

Yes, banner headlines that say AOL is censoring the Dearaol coalition 
certainly gave me a sense of that (!)

No filtering system is foolproof.  The point is that false positives 
have to be dealt with responsibly and if at all possible, proactively. 
Anybody who filters spam responsibly already understands that.

 > everyone is trying to do a difficult job to the best of their 
ability. Our
 > role in this is to try and highlight unforeseen consequences, and most of
 > those revolve around pointing out issues that are well-known to 
people like
 > yourself, but less known elsewhere.

Hardly "unforeseen", trust me.  We realize that mistakes can happen, and 
will happen.  We rely on people reporting these to us, and we rely on 
due diligence and precautions to minimize the occurance of false 
positives, and quick removal of any that are spotted.

Press releases that claim this is a deliberate attempt at censorship, 
and the use of astroturfing tactics of the sort that are more useful in 
a political campaign just aren't the way to go.

I recall giving you contact information for some senior AOL staff (who 
arent that hard to find, they're active on most of the antispam 
discussion lists), and  suggested that You or Brad contact them about it.

I dont know whether you did contact them, but the EFF press releases / 
deeplinks so far, and the dearaol campaign's guerilla tactics, are 
simply turning this whole thing into a PR circus rather than an 
opportunity for reasoned dialogue. But no, all that's being done is a 
series of hatchet jobs on AOL.

So, I wonder what the next EFF deeplink would be about - 
http://carlhutzler.com/blog/?p=18 say?

 > Most people are rather shocked by the idea that AOL or other ISPs could
 > stop discussion of a single URL with a click.

Those of us who have that power are quite well placed to determine 
exactly how moderate or not we are being. If we block a source of 
legitimate email, or a legitimate URL, we'll find out fast thanks to the 
complaints that come in.

We're answerable to our users and responsible for delivering email they 
ask for. And we're answerable to ourselves not to block valid email 
sources.  I for one eat my own dogfood, and my personal email is subject 
to just the same filters that I apply on our production servers.  Ditto 
for my team.

(the postmaster mailbox remains completely unfiltered though .. and 
thats where spam reports come in).

 > determine exactly how moderate they are being, or whether their 
choices are
 > wise for other groups. And, of course, the difference between you and 
Charles

You know, Danny, even the worst spam has at least some people - a 
fraction of one percent of the recipients probably - who want to buy the 
stuff that's being advertised ("body part enhancement" pills and such).

Badly managed activist mailing lists are a slightly grayer area.  But 
our spam filters are keyed to complaints, and subject to substantial 
oversight so that sites with nonspam potential are unblocked when we see 
them, even though in some cases we have to grit our teeth to unblock 
because of far higher complaint rates than I've seen moveon at their 
worst generate.

 > No aspersion, but I don't think I've seen a censor yet that saw 
themselves
 > as that. It's all good intentions and unintended consequences.

The difference is of course where a censor actively looks for those 
consequences and addresses their effects. As we do, and as I'm quite 
sure (from personal experience) that AOL does.

Intentions backed with action are always a far better thing than mere 
intentions.

-srs


_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Sat Apr 15 2006 - 08:21:52 PDT