Digital Island sponsors DoS attempt?

We've got commercial and e-mail nailed down enough for the lawyers.

Unsolicited? Umm..

47 USC 227 (which includes the "junk fax" law) says (47 USC 227(a)(3)):

    * (3) The term ''telephone solicitation'' means the initiation of
      a telephone call or message for the purpose of encouraging the
      purchase or rental of, or investment in, property, goods, or
      services, which is transmitted to any person, but such term does
      not include a call or message (A) to any person with that
      person's prior express invitation or permission, (B) to any
      person with whom the caller has an established business
      relationship, or (C) by a tax exempt nonprofit organization.

What exactly does "established business relationship" mean in the
context of (for example) the NANOG mailing list? (Note that once there
is a business relationship, there's no requirement that the solicitation
has to be related - I continually get calls from various financial
institutions plugging other services)

No, I don't know the answer here - but it would probably go along
with "membership in the same professional society" or "same country club"
or similar. However, I've seen enough users' groups and similar that
have "thou shalt not recruit/advertise/etc" rules that I have to
suspect such behavior is otherwise legal (although slimy and frowned upon).

/Valdis

Sadly I think we'll always be getting "spammed" by people we do
business with, and I don't think there's any way to write the rules
so this doesn't happen. While slightly more obvious in e-mail,
it's not much different than what happens in other mediums:

* You get a bill from someone, and in the same envelope they have
  flyers for some of their new products.

* You get a call from your credit card company offering travel
  insurance for all the purchases you make on the call.

* You call customer service for your new computer and while on hold
  hear ads about cut-rate internet service.

I think the legislative presumption needs to be that if you're
doing business with someone then they can contact you about pretty
much anything, and if you don't like their contacting you can end
the business relationship so they can't do it anymore. Writing
rules to eliminate such communications I think would very quickly
start to step on normal business practices, and even if everyone
on nanog wanted that the $$$'s that make business and politics go
around would never go for it.

While I am, and have been, a MAPS supporter for a very long time, the
truth is that this assertion is not nearly as true today as it was when
the RBL was first implemented, particularly in the realm of broadband
access. While I normally would not object to any ISP using MAPS or other
spam and/or content filters, the "get another provider if you object"
argument doesn't work nearly as well if there's only one DSL or cable
provider that serves the customer.

If Covad were to go under tomorrow, Verizon DSL would be my sole choice
for high-speed access to my home - I have no line of sight to either of
the satellite access providers, and the cable plant hasn't been upgraded to
support cable access yet. And I can't afford to bring in a T1,
unfortunately :( So if Verizon were to start filtering mail based on the
RBL list or any other list, or filter traffic based on legal/moral issues
(say, to block napster/gnutella clients), what other options are there,
other than going back to dialup?

-Chris

[...]

Not to sound too trite, but in general you *do* get what you pay for.
No one said that your choice of providers would all have equal costs.

If you are in a place where DSL works, you can most likely get a T1
to any provider you wish. Pick one that doesn't get placed on the
RBL.

[Think it's about time for a subject change.]

>
>>
>> [...] the "get another provider if you object"
>> argument doesn't work nearly as well if there's only one DSL or cable
>> provider that serves the customer.
>[...]
>
>Not to sound too trite, but in general you *do* get what you pay for.
>No one said that your choice of providers would all have equal costs.
>
>If you are in a place where DSL works, you can most likely get a T1
>to any provider you wish. Pick one that doesn't get placed on the
>RBL.

Personally, I agree with Christopher. Unfortunately, I do not see a way around it. If you do not filter spammers, how do you stop them? If you do filter spammers, how do you stop from occasionally hurting people in Christopher's situation? I dunno. Suggestions?

Just to be clear, I would not, do not, and cannot tell another network how to filter their e-mail, traffic, prefixes, etc. I have no right to do so. (But I certainly will make fun of some of them for the way they filter - which is a right I have. :)

In case it wasn't obvious from my first post, I'm talking about
residential access here. Aside from those who get their employer to pay
for it (and even /then/ there's rarely a choice of providers), how many
people have T1s coming into their homes?

-Chris

I'm not sure how you've managed to avoid this, but when using the various
blacklists in an ISP setting where I've worked, there certainly has been
"collateral damage" in unseen messages causing increased support load
(cost). Our customers will call up complaining "My aunt can't email me
anymore, but she can email everyone else in the family." or "Since
sometime last week I can't get email from business associate X, and this
has cost me thousands of dollars per day in sales."

There's always someone to complain. I think over time, as people have
seen more and more porn site or penis/breast enlargement spams, they've
gotten more understanding of "we can't accept mail from that ISP's mail
server because it's an open relay and was being used to broadcast spam".

>While I am, and have been, a MAPS supporter for a very long time, the
>truth is that this assertion is not nearly as true today as it was when
>the RBL was first implemented, particularly in the realm of broadband
>access. While I normally would not object to any ISP using MAPS or other
>spam and/or content filters, the "get another provider if you object"
>argument doesn't work nearly as well if there's only one DSL or cable
>provider that serves the customer.

The customer is under no obligation to use their access provider for their email. There are literally hundreds of options for your email provider, including dozens of free email providers, and many others who charge a very small amount per month/year. If having a choice about how email is filtered or not filtered is important to the customer, the options are practically endless.

>If Covad were to go under tomorrow, Verizon DSL would be my sole choice
>for high-speed access to my home - I have no line of sight to either of
>the satellite access providers, and the cable plant hasn't been upgraded to
>support cable access yet. And I can't afford to bring in a T1,
>unfortunately :confused: So if Verizon were to start filtering mail based on the
>RBL list or any other list, or filter traffic based on legal/moral issues
>(say, to block napster/gnutella clients), what other options are there,
>other than going back to dialup?

For email, see above. For traffic filtering based on port (rather than content), you have a completely different issue. We have employees who can't use the M$ VPN client to VPN to the exchange server because their high-speed Internet is via cable modem. The cable modem service uses the VPN system for communication between the cable modem box and the head end office, and so that system isn't available (is "blocked") to the customer. Our work-around is to set up an SSH tunnel instead. It's not as simple, but it gets the employee into our servers without passing data in the clear. If it's really really important for you to get to napster/gnutella, you will have to find a similar way past roadblocks, or, yes, go back to dial-up. There's no law that says that the broadband options available to any one end user have to meet that end user's desires. Supply and demand will create companies and services/products that are profitable and meet (most) customer demands, just as it does with other products like cars and trucks.

I'd REALLY like a truck with Dodge body styling, interior, and Cummins engine, with a Ford automatic transmission (Dodge is notorious for crappy automatic trannies) and those kewl extendo mirrors. (For towing that furrytractor :)

jc

As an infrastructure owner, the important thing is that if you're
going to announce reachability, it should be real. If you blackhole
stuff in the middle of a netblock and distribute it as an untainted
netblock in your BGP, you're depriving people of clean routes.

Other than that, exercise your policy to your heart's content.

... If you do not filter spammers, how do you stop them? If you do
filter spammers, how do you stop from occasionally hurting people in
Christopher's situation? I dunno. Suggestions?

That depends. If you want to filter abusive senders you have a different
problem than if you want to filter abusive traffic. Abusive senders have
ways of avoiding your filters; abusive traffic has other ways. Generally
a high volume receiver (such as a busy e-commerce web site) has no way to
differentiate an attack from a bump in traffic load. Whereas the number
of possible sources of abuse ("launch points") is finite. These sources
are not necessarily evil but from the receiver's point of view there's not
a lot of difference between evil and laziness on the part of a source-owner.

In the specific case of e-mail abuse ("spam"), has everybody checked out
Distributed Checksum Clearinghouses yet? There ARE ways to raise the bar on the
sender's pattern selections, at least for e-mail.

[thanks for the subject change Patrick]

Actually, it was obvious that you mean residential access. However,
it appears that you are trying to equate "residential" and "cheap."
It ain't necessarily so.

I still say, you get what you pay for. There are always alternatives,
but most people are unwilling to pay for them. There is no moral
good/bad value to that point - it simply *is*.

Sometimes the layer 2 choice will limit your choice of layer 3
providers - that is simply part of the price. This fact will
not change regardless of the number of people with <pick any specific
layer 2 connection> coming into their house (or business).

Back to the original point: only buy bandwidth from folks that provide
you with the value you seek. A cheap provider that isn't blocked by
the RBL is perfect if you don't need to talk with folks on networks
that subscribe to the RBL.

You might need to pay more to get to a provider that isn't blocked...

  John

Hi, Bob? This is Susan. I haven't received a reply from you regarding the
email I sent yesterday, did you get it? You didn't? Hmmm. Let me try
resending it.

Hi Bob? This is Susan again. Did you get that second email
yet? No?! Maybe you should call your ISP to find out why! Yes, I
already called mine, they don't have any info, they say the mail server
logs show that both the messages were delivered to your ISP.

Hi, Mr. ISP support guy? This is Bob. It seems that I'm not getting all
of my email....
......................
Collateral damage IS a problem, but that's part of why it works to reduce
spam.

There are ways to get around this. I participated in a Brightmail beta
sponsored by @Home for two of my personal email accounts. All my "filtered
mail" was not deleted but moved to some other mailbox. I had the ability of
logging in periodically and seeing what mail was caught as spam. False
positives were easy to eradicate (a click or two), one mailing list I was on
was caught as spam and less than 24 hours after submission, mail was flowing
properly again. I post with my personal email address (without
modification) on Usenet so I get a fair share of spam (20-30 pieces or more
per day among a few of my email accounts). Brightmail was a godsend, I am
willing to live with a few false positives and not have to deal with
hitting delete 20 times.

I'm not sure I like the use of the word bulk. The reason is that it is
not precise. Is 10 bulk? 50? Is it only bulk if I use a "spam tool"?

Bulk is more than 1 copy. How do I know if something is bulk?
A simple test. Is this something that could have been sent to someone else
with either no modification, or a trivial "mailmerge" operation.
It then becomes up to the spammer to prove otherwise to his abuse desk, who
will probably have received multiple complaints anyway.

  I generally measure bulk in a more subjective but more useful way. If
someone composes ten pages of text and sends it to three people, I don't
consider that bulk. If someone sends one paragraph of text they composed to
fifty people, that's bulk. If someone adds 'look at this' to twenty pages they
stole from someone else and sends it to 10 people, that's bulk.

  The test is, is this person trying to spread a minimum amount of original
content to the maximum number of people? Or is the content specifically
targeted to each person by a human being? In other words, is this a rifle
being aimed or a machine gun being sprayed? Is a person trying to use email
as a publishing means?

  I have no objection if someone who honestly saw a message I wrote and
thought I'd be suitable for a particular job emails me asking if I'm
interested. However, the same email would be bulk if sent to everyone who
posts to NANOG, even if it says, "I saw your post about "Re: Fwd: Re: Digital
Island sponsors DoS attempt" and thought you might be interested in buying
our premium fishing worms".

  DS
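A worked version of the "bulk" test proposed above (could this body have gone to someone else with no change or a trivial mail-merge?), which is also the counting idea behind the Distributed Checksum Clearinghouses mentioned earlier in the thread. This is added example code, not from any poster and not DCC's real checksum algorithm: the messages are constructed, and the normalisation (strip URLs, addresses, punctuation and the recipient's own name, then hash what remains) is a simplified stand-in for DCC's fuzzy checksums.

```python
"""Bulk detection by fuzzy checksum (added example; simplified, not DCC's algorithm).

Normalise away the mail-merge tokens, hash what is left, and count how many
distinct recipients report the same hash.  One recipient alone can never
establish "bulk"; the count only exists because many recipients report in.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample (recipient, body) pairs: three mail-merged copies of one
# pitch (greeting name and tracking URL differ) and one genuinely personal note.
SAMPLE_MESSAGES = [
    ("alice@example.net",
     'Hi Alice,\n\nI saw your post about "Re: Digital Island sponsors DoS attempt" and '
     "thought you might be interested in buying our premium fishing worms. "
     "Order today at http://worms.example/?ref=alice"),
    ("bob@example.org",
     'Hi Bob,\n\nI saw your post about "Re: Digital Island sponsors DoS attempt" and '
     "thought you might be interested in buying our premium fishing worms. "
     "Order today at http://worms.example/?ref=bob"),
    ("carol@example.com",
     'Hi Carol,\n\nI saw your post about "Re: Digital Island sponsors DoS attempt" and '
     "thought you might be interested in buying our premium fishing worms. "
     "Order today at http://worms.example/?ref=carol"),
    ("dave@example.edu",
     "Dave,\n\nyour note on route dampening matched what we saw on the Covad circuit "
     "last week; can you send me the timer values you used?"),
]

_URL = re.compile(r"https?://\S+")
_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")
_NONALPHA = re.compile(r"[^a-z ]")


def fuzzy_checksum(recipient: str, body: str) -> str:
    """Hash of the body with the per-recipient mail-merge material removed.

    Dropped: URLs (tracking parameters), e-mail addresses, digits and
    punctuation, and any word equal to the recipient's local part (the
    greeting name).  Two mail-merged copies therefore hash identically.
    """
    text = _URL.sub(" ", body.lower())
    text = _ADDR.sub(" ", text)
    text = _NONALPHA.sub(" ", text)
    local_part = recipient.split("@", 1)[0].lower()
    words = [w for w in text.split() if w != local_part]
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()


def recipients_per_checksum(messages):
    """Clearinghouse view: how many distinct recipients reported each checksum."""
    seen = defaultdict(set)
    for recipient, body in messages:
        seen[fuzzy_checksum(recipient, body)].add(recipient)
    return {checksum: len(recips) for checksum, recips in seen.items()}


def bulk_report(messages, threshold: int = 3):
    """Map each recipient to True if their copy matches >= threshold recipients."""
    counts = recipients_per_checksum(messages)
    return {
        recipient: counts[fuzzy_checksum(recipient, body)] >= threshold
        for recipient, body in messages
    }


if __name__ == "__main__":
    for who, bulk in bulk_report(SAMPLE_MESSAGES).items():
        print(f"{who:20s} bulk={bulk}")
```

The three worm pitches collapse to one checksum seen by three recipients; Dave's note stands alone. The caveat the thread already raises applies here too: a legitimate mailing list with fifty subscribers produces exactly the same count, so a clearinghouse of this kind needs a whitelist for solicited bulk, and the normalisation has to be loose enough to survive mail-merge noise without being so loose that unrelated personal notes collide.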

  I have no objection if someone who honestly saw a message I wrote and
thought I'd be suitable for a particular job emails me asking if I'm
interested. However, the same email would be bulk if sent to everyone who
posts to NANOG, even if it says, "I saw your post about "Re: Fwd: Re: Digital
Island sponsors DoS attempt" and thought you might be interested in buying
our premium fishing worms".

A corollary to this is the dreaded "I saw your resume on <insert job board
here> and so you must be interested in our offer of <insert job hunting
service here>." The spammer would argue they are in the right, in that as
part of posting a resume, one is expecting, and inviting responses.
However, I would argue that just because I post my resume, doesn't mean I'm
interested in anything other than serious job offers.

I dealt with a similar situation from the abuse desk end, in which a client
was doing searches of resumes on job boards for a given skill set, and then
mass mailing them with a specific job offer that centered around that skill
set. It was a tough issue to resolve, because on the one hand, from our
client's perspective, he was contacting people he thought would be genuinely
interested. And yet, from the recipients perspective, since it wasn't
directed straight to them, it could be considered UBE.

Moral of the story is, it came down to a very fine line of what does
"solicited" mean? We ended up comprimising that he would fully disclose
where he got his email addresses from, and why he was sending the email,
which all but competely eliminated complaints.

Scotty Allen

Some comments on this from Australia are at:

  http://www.caube.org.au/australia.htm

Basically the positions from the government and industry bodies over here
have been that commercial e-mail must be opt-in if there is no existing
business relationship, otherwise opt-out.

David.

The customer is under no obligation to use their access provider
for their email.

Oh yeah? [mail-abuse.org link]

That avenue has also been closed off in the name of fighting spam. But thank
you for playing.

---
"The avalanche has already begun. It is too late for the pebbles to vote" -
Kosh

There's a difference between using a different email provider and going
direct-to-MX.

There's also a difference between using the RBL (rbl.mail-abuse.org) and the DUL (dialups.mail-abuse.org)...

... but I won't get into that. -rt (I know, I know, the other list, 7 mailboxes down, on the right, secret word is "Spamford"...)
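How an inbound MTA actually consults lists like the RBL and the DUL named above, as an added example (not code from any poster). The zone names are the two in the thread; the answers come from a constructed table rather than live DNS, so nothing depends on a network lookup (the MAPS zones are not publicly queryable today anyway). It also carries the two checks a careful implementation adds: never sending RFC 1918 or loopback addresses to a public list, and treating only a 127.0.0.0/8 answer as a listing.

```python
"""DNSBL lookup as an MTA does it (added example, not from the thread).

A DNSBL client reverses the connecting IP's octets, appends the list's zone and
asks for an A record; an answer inside 127.0.0.0/8 means "listed".
"""
import ipaddress
from typing import Callable, Optional

RBL_ZONE = "rbl.mail-abuse.org"        # open relays / spam sources
DUL_ZONE = "dialups.mail-abuse.org"    # dial-up pools that should relay via their ISP

# Constructed answers standing in for live DNS (client addresses are from the
# RFC 5737 documentation ranges; 127.0.0.x return codes follow DNSBL convention).
CONSTRUCTED_ZONE_DATA = {
    "7.100.51.198.rbl.mail-abuse.org": "127.0.0.2",
    "25.113.0.203.dialups.mail-abuse.org": "127.0.0.3",
}

# Addresses an MTA should never send to a public DNSBL: they can't be listed
# meaningfully and the query leaks internal topology to the list operator.
NEVER_QUERY = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
Resolver = Callable[[str], Optional[str]]


def stub_resolve_a(name: str) -> Optional[str]:
    """Stand-in for a real A lookup; None is where DNS would return NXDOMAIN."""
    return CONSTRUCTED_ZONE_DATA.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver = stub_resolve_a) -> bool:
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return False
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    # Only a 127.0.0.0/8 answer counts; anything else is a misconfigured or
    # wildcarded zone and must not be treated as a listing.
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def smtp_decision(client_ip: str, resolve: Resolver = stub_resolve_a) -> str:
    """Connect-time policy an inbound MTA might apply: RBL first, then DUL."""
    if is_listed(client_ip, RBL_ZONE, resolve):
        return f"reject: {client_ip} listed in {RBL_ZONE}"
    if is_listed(client_ip, DUL_ZONE, resolve):
        return f"reject: {client_ip} is a dial-up address, relay through your provider"
    return "accept"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.25", "192.0.2.1", "10.1.2.3"):
        print(ip, "->", smtp_decision(ip))
```

The MTA sees a single yes/no per connecting address and nothing about why it was listed or at what granularity the list operator chose to list it; that is the mechanism behind the "my aunt can't email me any more" calls described earlier in the thread, and it is also why the RBL (which lists sources of abuse) and the DUL (which lists whole dial-up pools regardless of behaviour) are different policy choices even though the lookup is identical.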

It took me a while to get back to this.

> Unsolicited Bulk E-mail.

I'm not sure I like the use of the word bulk. The reason is that
it is not precise. Is 10 bulk? 50? Is it only bulk if I use a
"spam tool"?

What's worse, "bulk" cannot be proved by a single victim (recipient), which
is how a lot of ISP "abuse desks" close tickets: "you were the only one who
complained, so it wasn't spam."

Unsolicited, Commercial, and E-mail all have precise definitions.
Particularly if we're going to get something (eventually) into a
useful law I think we need to make sure it is entirely defined in
precise terms.

I've seen a fair amount of spam recently that had no commercial intent. It
doesn't stop being spam just because the desire is to get me to vote for some
candidate or support some government or even NGO program.

For a better standard than UBE/UCE, see [mail-abuse.org].

It took me a while to get back to this.

While I normally would not object to any ISP using ... content filters,
the "get another provider if you object" argument doesn't work nearly as
well if there's only one DSL or cable provider that serves the customer.

Without that argument, there's a clear path to "since your customers have
no choice, you are not allowed to filter content." While this probably
applies to DSL since it's "like telco" and there's already legislation
about what telcos can't filter because of their old "natural monopoly"
status, I don't think it applies to Critical Path or MSN or AOL or any other
mail server operator -- there is choice, and thankfully, there is no hint
of legislation coming for "mail server content filtering policies."