EFF whitepaper

http://www.eff.org/wp/?f=SpamCollateralDamage.html

sean@donelan.com (Sean Donelan) writes:

excerpt:

        I. The Problem

        MoveOn.org is a politically progressive organization that engages
        in online activism. For the most part, its work consists of sending
        out action alerts to its members via email lists. Often, these
        alerts will ask subscribers to send letters to their
        representatives about time-sensitive issues, or provide details
        about upcoming political events. Although people on the MoveOn.org
        email lists have specifically requested to receive these alerts,
        many large ISPs regularly block them because they assume bulk email
        is spam. [...]

i reject all mail from moveon.org here. not because i assume bulk e-mail
is spam, but because i still personally receive all mail sent to any address
at cix.net, and quite a few people who wish to subscribe from cox.net end
up typing cix.net by mistake. ("i" and "o" are adjacent in QWERTYland.)
i'm therefore in a position to prove that moveon.org does not verify the
ownership or permission status of new e-mail addresses before sending
political information. i tried complaining, but moveon.org's postmaster
function appeared to be understaffed or overworked or both.

further down in this otherwise excellent paper, we see:

        II. The Solution (Or At Least A Start): Principles and Best Practices
        [...]
                2. All mailing-list email should be delivered to willing
                   subscribers. As a corollary, no one should be subscribed
                   to an email list without his or her knowledge and
                   consent, as evidenced by positive action.

...to which i must add my strongest possible agreement. if moveon.org
would just follow this principle or best practice, i would accept their
e-mail here. even though i found this EFF paper to be well written and
well researched in other ways, i wonder if the authors knew that moveon.org
does not verify permission or ownership of new subscribers, and if they
considered this as one of the possible reasons why a lot of e-mail admins
reject, as i do, all mail that comes from moveon.org. if not, then the
fundamental premise of this paper is flawed. if so, then they should have
mentioned this factor. either way, i'm not as impressed as i could've been.

I couldn't agree more. We have several users here who signed up for the
moveon.org mailings back when the group was a single-issue activism project
(getting the US to "move on" and stop wasting its time trying to impeach
Clinton). None of them expected to become permanent members of what soon
became a shrill, extremely partisan, and spam-spewing group. To the best of
my knowledge, no attempt to unsubscribe has been respected.

That said, I've long since stopped listening (or contributing) to the EFF
as I see their war on antispammers as counterproductive. John Gilmore runs
a well-known open relay at toad.com, and for some reason thinks that free,
anonymous speech is important enough to let spammers drown it out through
sheer volume. I prefer having usable email, so I no longer support the EFF.

While I continue to be saddened by this, I have to agree. The
EFF has done amazing, necessary work on so many issues, and I
thank them for that -- but they've been blaming the wrong people
regarding spam for many years.

Someone famous said something about paying a high price for free speech, I
think this perhaps would fall under that category.

Mr Gilmore spends quite a bit of time tending to his mail server to ensure
that spammers do not abuse it. Any spammer who spends time pumping mail
through his server is going to realize quite quickly that it's not worth
their time. It's a very old slow machine on a T1 with other intentional
slowdowns added to the MTA, and some amount of spam filtering. I would say
it would have a hard time passing more than 1 message a minute.

I would think that most spammers would give up and go abuse an open proxy
somewhere, they're much more plentiful and less cluefully tended.

>> John Gilmore runs a well-known open relay at toad.com, and for some
>> reason thinks that free, anonymous speech is important enough to let
>> spammers drown it out through sheer volume.

> Someone famous said something about paying a high price for free speech, I
> think this perhaps would fall under that category.

I know - I too, pay a high price to maintain my own mail servers.

> Mr Gilmore spends quite a bit of time tending to his mail server to ensure
> that spammers do not abuse it.

Congrats. So do I.

> Any spammer who spends time pumping mail through his server is going
> to realize quite quickly that it's not worth their time. It's a very old
> slow machine on a T1 with other intentional slowdowns added to the
> MTA, and some amount of spam filtering. I would say it would have a
> hard time passing more than 1 message a minute.

Great. And this affects those of us with not-so-old, not-so-slow machines
how? The bottom line is that Gilmore, and the EFF, have taken a very soft
stance on spam, believing it to be less important than "free speech" or
"anonymous speech". Oh, well. I believe that the EFF already has all the
support it needs, and so I don't contribute to their efforts to make my
life more difficult.

> I would think that most spammers would give up and go abuse an open proxy
> somewhere, they're much more plentiful and less cluefully tended.

Oh, probably. Or one of the million-host proxy botnets. Or another open
proxy. Or another open relay. Or a hacked webmail server, etc. etc. etc.
The existence of other more preferable alternatives doesn't obviate the
fact that the EFF has not been tough enough on spam.

http://www.eff.org/Spam_cybersquatting_abuse/Spam/position_on_junk_email.php

Wow. So, no antispam measure with any possibility of blocking legitimate
mail should be adopted. In other words, we should just go back to 1993?

http://eff.org/wp/?f=SpamCollateralDamage.html

Wow. So, any collateral damage is unacceptable? Even when the source of
the so-called "legitimate" mail is a spammer, pure and simple, with bad
ideas about what constitutes mailing list management? Granted, they're
"working with others" to "define" things that most of us have known
about for years. Gee, thanks, guys. Why not spend some time using the
best practices already written up? Hell, does the EFF even do
subscription confirmations yet? Or do they assume that anyone capable of
filling out a Web form is incapable of lying or mistyping their email
address? RFC2505 is five years old and a BCP now. Its first admonition
is to put an end to unauthorized relaying. Second is to provide trace
information in Received: headers. Oops! Both essentially outlaw
anonymous speech via email.

In a nutshell, email requires accountability. The EFF apparently thinks
that is too high a price to ask for email.

> And this affects those of us with not-so-old, not-so-slow machines how?

By the fact that there is no way in hell that he could relay a large
amount of spam...

> The bottom line is that Gilmore, and the EFF, have taken a very soft
> stance on spam, believing it to be less important than "free speech" or
> "anonymous speech".

By definition, the EFF's main concern is free speech and privacy.

> http://eff.org/wp/?f=SpamCollateralDamage.html
>
> Wow. So, any collateral damage is unacceptable?

To me, and people who rely on email for reliable communication, yes
absolutely. Collateral damage is unacceptable, period.

It's even worse when administered punitively (like SPEWS/etc) because it's
done with the intent of disrupting other people's lives. If you're going
to fight something, and you feel it's worthwhile, fight it on the
high-road.

> In a nutshell, email requires accountability. The EFF apparently thinks
> that is too high a price to ask for email.

I think you're missing the point. Anonymous communication saves lives,
allows people to "blow the whistle", and in general it serves the greater
good to have it exist. Email already has an "audit trail" built into it,
and you can at least track it to some extent if you know what you're
doing. Does email need a DNA signature for the sender? In my mind no, you
can get that if you use PGP signatures and look how few people actually
use that.

I hate e-mail as much as the next guy, more probably, having spent real $$ and lots of time, hardware, effort, etc. in support of the cause. But even I have to say that 1 e-mail/minute is an OK price to let people send anonymous e-mail if it really will save lives. And this absolutely does.

If you come up with a better solution, I'm all ears.

>> And this affects those of us with not-so-old, not-so-slow machines how?

> By the fact that there is no way in hell that he could relay a large
> amount of spam...

You seem to be confusing the single instance with the widespread
application of the policy. My problem is with the latter, which is
what the EFF is pledged to defend in the face of widespread damage
to the medium they hope to save thereby.

Put simply, I'm fine with a few well-known anonymizing mail servers.
I also reserve the right to reject mail from them.

I am not fine with an organization pledged to defend the principle
for /all mail servers and spam sources/ regardless of whether they
are under the control of spammers (and with no mind paid to the fact
that a great deal of spam is sent via compromised machines that are
unlikely to be used by freedom fighters or whistleblowers, etc.)

Come on - do you really think the Russian mafia is going to allow free
use of their botnets so that Chechen freedom fighters can post
propaganda? I don't. Not even if they were paid for it.

>> The bottom line is that Gilmore, and the EFF, have taken a very soft
>> stance on spam, believing it to be less important than "free speech" or
>> "anonymous speech".

> By definition, the EFF's main concern is free speech and privacy.

And I have supported them in the past for exactly their dedication to
that concern. However, they now confuse government censorship on the one
hand, with the abuses of a system by fraudsters and others (often in
league with the very same countries whose censoring governments the EFF
opposes) on the other.

Alan Ralsky hosts his servers in China. Do you really think that the
goal of protecting freedom is served by encouraging everyone not to
reject mail from those servers? Given that China's rDNS is so hosed or
nonexistent as to make local, automated judgements difficult to
impossible, it's far easier for those of us who don't want Ralsky's junk
to simply reject all mail from China. If China doesn't like it, they
should reconsider hosting Ralsky. The same goes for any country or ISP
hosting or enabling spammers. And yes, I know that's a broad brush, and
may not be appropriate for everyone. That's my whole point - that by
ceding the spam battle over a misguided idea of protecting free speech,
the EFF is actually encouraging others to paint with similarly broad
brushes in their own defense - and undermining their own intentions.

I didn't make the decision to allow 419/AFFers to post through Tiscali's
webmail servers - Tiscali did, and they continue to let the abuses occur.

Bigpond has largely fixed their 419/AFF problem, by disallowing use of
their webmail accounts to non-AU users (in the process, they also broke
their Received: header trace information, but hey). Got a problem with
their policy? I don't.

I had a user here who got upwards of 100/day - nearly all 419/AFF spam.
Much of that has disappeared, thanks to the implementation here of
policies that others were incapable of making, in order to deal with
/their/ abuse problem, not mine.

Privacy is a great goal. In my mind, it has its price. If I want to vote
to protect my privacy, I register. If I want to drive a car, I get a
license and get insured, and can prove it in case I run into someone else.
If you want to be on the Internet, I damn well better be able to contact
you (or someone who has taken responsibility for your presence here) in
the event that you run dictionary attacks against my mail server, or try
to send a million spam messages through your broadband channel, or run
a worthless and buggy OS without a firewall and thereby let yourself get
owned by anyone and become a vector for abuse.

Barring that, I'll just block you and anyone who looks like you, and
call it a day, and selectively unblock or whitelist once you've met my
policy criteria.

Those who prattle on about rights forget about their corresponding
responsibilities, and undermine their very case by appearing to lack
any sense of the price we pay for the former through the latter.

>> http://eff.org/wp/?f=SpamCollateralDamage.html
>>
>> Wow. So, any collateral damage is unacceptable?

> To me, and people who rely on email for reliable communication, yes
> absolutely. Collateral damage is unacceptable, period.

Then it would behoove you to support efforts to make email accountable
rather than decry such attempts as censorship. Lacking other solutions
to the spam problem, everyone tries their own. Which is more important?
That we can all get behind industry-wide proposals, or that we all
uniquely splinter useful protocols due to our own necessities, dictated
by the demands of real usage? I'd love to stop wasting time chasing the
rats out of my mail server. Until then, I am doing what I can to analyze
inbound spam and adjust my policies accordingly to keep it out.

Rather than fight for the rights of the vast majority of the suffering
masses just yearning to send email reliably, the EFF has chosen, de
facto, to defend the rights of the spammers, who benefit enormously from
the existence of unaccountable servers/proxies.

> It's even worse when administered punitively (like SPEWS/etc) because
> it's done with the intent of disrupting other people's lives.

Sure - in order to get their attention (or their ISP's attention) and
presumably alert them to, and get them to fix, their abuse problems. I
don't use SPEWS here (for various reasons) but I don't have any problem
at all with someone else building a policy that includes the use of
SPEWS.

> If you're going to fight something, and you feel it's worthwhile, fight
> it on the high-road.

That's what I'm doing. I am fighting the widespread lack of
accountability of email senders by implementing policies that demand
same; if I can't report abuse to a living person with some expectation
of a change in the behavior of their customers, I don't accept mail from
them. Sadly, this has meant that sometimes legitimate mail is rejected,
with an informative message saying why. The EFF, on the other hand,
wants email to remain an unaccountable medium for the sake of a
minuscule amount of potential messages whose content could well be
delivered in other ways.

>> In a nutshell, email requires accountability. The EFF apparently thinks
>> that is too high a price to ask for email.

> I think you're missing the point. Anonymous communication saves lives,
> allows people to "blow the whistle", and in general it serves the greater
> good to have it exist.

At what expense?

> Email already has an "audit trail" built into it,

No, it does not. More accurately, the mail server /you control/ has a
minor amount of tracing information that it can insert into a message;
all else is untrustable - and the EFF wants to further undermine the
remainder in the case of relayed mail (by defending the principle of
anonymous relay transmissions). I already reject mail from servers whose
webmail implementations do not include useful tracing information (just
as I reject mail from those systems if the origin is a common source of
Nigerian 419/AFF junk). Don't like it, and you're a user/supporter of
said systems? Put pressure on the systems in question /to fix their
servers/ so that the fraudsters are kept out, or so that they can be
tracked and dealt with.

> and you can at least track it to some extent if you know what you're
> doing.

No, sorry, that's false, too. You can /make an effort/ to rely on
untrusted information, to posit a source beyond the last relay; that
is all.

> Does email need a DNA signature for the sender? In my mind no, you
> can get that if you use PGP signatures and look how few people actually
> use that.

You undermine your own case here. Let the anonymous senders create and
post keys via public servers then encrypt their messages with those
keys. Authentication is not the same as encryption or identification,
nor do any of them necessarily compromise anonymity or demand
unaccountability in sending mail.

Anyway, the bottom line is that I no longer pay the EFF to fight on
the side of my enemies. All else boils down to "my network, my rules"
and "it'd be great if we all had the same rules and could talk to all
the other networks".

At a meeting a few weeks ago, a bunch of us made the claim that the NANOG
list could in most cases be self-policing. In that spirit, it seems worth
pointing out that this discussion of the Russian Mafia, Chechen freedom
fighters, the EFF, and China, seems to be heading in a direction that
would be a bit off-topic for the NANOG list.

-Steve

> To me, and people who rely on email for reliable communication, yes absolutely

Email (that is: SMTP or ESMTP) has never been designed for reliable
communication. It's best-effort. No more.

(*Should* there be a new Internet mail protocol which provides reliable
communication? Maybe. Maybe not.)

However, if you wish email, as presently designed and implemented, to
be more reliable than it presently is, then you must make a total
commitment to stopping spam: anything else is just wishful thinking.
To put it another way: if mail is less reliable in 2004 than in,
say, 1994, (and I certainly think it is) then the number one reason
why it is so, by a very wide margin, is spam (whether of the "traditional"
variety or that generated by viruses/worms).

> Collateral damage is unacceptable, period.

Oh, I most certainly agree -- but then again, since nobody is being
"damaged" in any way (something the EFF clearly doesn't understand),
this is not a problem.

Note: all instances of "you" which follow are rhetorical and not intended
to apply to any individual.

If you call me, and I do not accept your call, have I "damaged" you?
No. I have merely declined to extend you a privilege.

If you send me a letter, and I choose not to accept delivery, have
I "damaged" you? No. I have merely declined to extend you a privilege.

If you send me an email message, and I choose to refuse it, have I
"damaged" you? No. I have merely declined to extend you a privilege.

        "Global" connectivity (as in, access to OTHERS'
        PRIVATELY OWNED equipment) is a COURTESY and PRIVILEGE
        granted by the owners of that equipment. It is not a
        birthright.
              --- Bruce Gingery

Make nice -- and you will enjoy my generosity, as I will continue to
extend you these privileges. Don't make nice -- as in permit your
network to be a persistent source of spam and other forms of abuse --
and you can expect at some point that I will stop doing so, as I am not
required to tolerate your incompetence or active collaboration with
abusers (which are indistinguishable from my chair).

To put it another way: if it came from _your_ network on _your_ watch:
it's _your_ spam/abuse. Not Ralsky's. Not Richter's. Not some
pirate-software gang's. YOURS. Expect to be held accountable for it.

That may be an unpleasant prospect. If so, then let me suggest that
if we can see spam entering our networks, you can most certainly
see it leaving yours. Fix it. It's not hard. All it requires are
simple tools such as "root/enable passwords" and "wirecutters".

---Rsk

--- snip ---

>> Collateral damage is unacceptable, period.

> Oh, I most certainly agree -- but then again, since nobody is being
> "damaged" in any way (something the EFF clearly doesn't understand),
> this is not a problem.
>
> Note: all instances of "you" which follow are rhetorical and not intended
> to apply to any individual.
>
> If you call me, and I do not accept your call, have I "damaged" you?
> No. I have merely declined to extend you a privilege.
>
> If you send me a letter, and I choose not to accept delivery, have
> I "damaged" you? No. I have merely declined to extend you a privilege.

if i were being sent a letter or a call and my post office/telephone company
decided to reject them because they were overworked and needed to filter to
reduce costs, i'd have a lot to say about that, as i'm sure would you.

with that said, this is quite possibly off-topic to nanog. i'd second the
request earlier in the thread to move it to somewhere more appropriate.

paul

Paul G wrote:

> with that said, this is quite possibly off-topic to nanog. i'd second the
> request earlier in the thread to move it to somewhere more appropriate.

politechbot for instance .. lovely place to discuss this sort of thing.