EFF speaks out against MAPS

Control-Z has brought our attention to the latest EFF newsletter which speaks out against MAPS ^? and ineffective spam legislation. According to the EFF: "The rights of users to send and receive email must not be compromised for quick and dirty ways to limit unsolicited bulk email. Neither misguided and ignorant legislation, nor collusive, high pressure protection schemes, have a legitimate function or place in our online future " The EFF is reminding us that freedom isn't always easy. I feel much worse for those who haven't figured out procmail yet though.

MAPS?

[BoyPlankton]

Correct me if I'm wrong, but don't you have to opt-in to use MAPS? I mean, at least with MAPS don't you have a choice? In my opinion that pretty responsible freedom-wise.

Re:MAPS?

[Evangelion]

The ISP opts-in, the user doesn't.

Furthermore, a user on an ISP that got listed on MAPS certainly doesn't.

Re:MAPS?

[posix4]

I have heard that many providers use MAPS without the knowledge of the customers.

Re:MAPS?

[JohnyDog]

The problem is that if it should be effective, it must be applied on servers and mailing list robots, which doesn't offer this opinion to end-users.

Re:MAPS?

[pjrc]

...don't you have to opt-in to use MAPS?

Not if your packets happen to travel through abovenet. Vixie, founder of MAPS, is the CTO at abovenet, and they regularily drop packets based on MAPS RBL.

Not much choice there for end users.

Re:MAPS?

[igjeff]

Not true...it is not difficult for an ISP to set up the use of things like MAPS RBL on a user by user basis.

Jeff

Re:MAPS?

[anothy]

MAPS is opt-in, but only on a mail-server level. for users who get mail from an IPS's mail server, they often have no say in the decision. what's more, MAPS (i believe) only works on site-level blocking, nothing with finer granularity. for example, on sites i run, i block mail from *opt-out*@*. MAPS is also somewhat heavy-handed about how they decide to add people, and what it takes to get off the list.
overall, though, i don't really see the argument for MAPS as a rights violation, the way EFF is talking. i choose not to go that route because i think i and my users want more fine grain controls over who we don't want to talk with.

Re:MAPS?

[LinuxHam]

Good point. My shell account provider uses something like MAPS to put an "X-Spam-Warning" in headers when email comes from a known open relay, but allows the mail to go through.

Could someone reply with the procmail recipe to drop those emails? I've been checking for some time, and I haven't been getting good emails from blacklisted hosts.

Thanks!

Re:MAPS?

[Evangelion]

Apparently, "[My] comment has too few words per line (currently 6.7037037037037)."


:0:
* ^X-Spam-Warning:.*
spam


or, if you like :


:0:
* ^X-Spam-Warning:.*
/dev/null

Re:MAPS?

Yes, but the only reason why your packets travel through AboveNet is because you're sending them to an AboveNet customer or they're coming to you from an AboveNet customer. In either case, the AboveNet customer in question is probably using their service because they want MAPS filtering. It's not like your packets are being dropped by the routers at MAE East or something.

Re:MAPS?

What do you mean users have no say in the decision? If you don't like the fact that your service provider uses MAPS, well then CHOOSE ANOTHER PROVIDER.

Re:MAPS?

[amuro98]

That's definitely NOT true.

My ISP used to be a customer of Above.net, yet I still got tons of spam from sites that were on the MAPS RBL.

Re:MAPS?

[innocent_white_lamb]

Depending on your location, "choose another provider" may not be an option.

Many areas, especially rural or smaller towns, are serviced by one ISP only.

Re:MAPS?

[c_g_hills]

Another example of fucking stupid dumbass moderators. Please mod this -1 troll.

The only place that a mail can be dropped is at the recipient's mail server, and NOT ANYWHERE in transit.

Re:MAPS?

[elseware]

Our department adds a Mime X-Header which flags that the mail failed MAPS, but leaves it to the user to choose to filter it or not.

Actually, not many people know how to filter based on mime headers so it no adds [SPAM?] to the subject to make it easy to filter/prioritise.

Re:MAPS?

[anothy]

further reason why folks might think MAPS is way to restrictive. the less options you have for not using MAPS, the more restrictive on you it becomes.

Re:MAPS?

[vectro]

Er, actually Abovenet *did* used to advertise null BGP routes for hosts on the RBL.

The important thing to consider is that the RBL is host-based, not address-based, and it's perfectly possible for a router en route to drop packets for a certain host.

Of course, this is fairly moot anyway, because, as anohter poster pointed out, Abovenet stopped this practice a while back.

chrisd?

chrisd, have you introduced yourself yet to the /. crowd?? I'll start: my name is Anonymous Coward, I like hiding with trolls. You?

Re:chrisd?

[chrisd]

Hi,

I'm chrisd. I also go by Chris DiBona and Gamara on IRC. You can find me online that way pretty easily. A lot more about me can be found on my Webpage. Feel free to check that out. I work for OSDN. I used to work on the VA side of the house since late 1998. I've worked with Linux International for about 3 years too, I was the president of SVLUG for about a year and VP for about 2. I've been around slashdot for a long time as a poster and story author. I've done reviews of science fiction for /. and have written for Linux Journal, Linux Magazine and a buncho f other publications, both online and off.

Chris

Re:chrisd?

Hi, Chris.

Welcome to the staff.

Let's be buddies. Butt buddies.

-- CmdrTaco

oh sure

when i said maps and rbl was just another form of censorship i got modded down...

now the EFF finally catches on and everyone flocks behind it sheep style...

The next DMCA/"Patriot " bill waiting to happen.

[dave-fu]

Everyone hates spam, everyone wants it to go away... unfortunately, no one has any really good answers as to how it should happen.
Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal.
Any legislation created will boil down to one thing: the Balkanization of the Internet.
I see a big market in e-mail wizards that will help guide you towards writing e-mail that's legal in every country in the world if anti-spam bills start getting passed.

I think that they are right

[einhverfr]

The whole point of fighting for freedom is that it is even the freedoms of those we don't like that we are preserving, or those we wished would have no freedom. Freedom is only as great as its lowest common denominator.

So yes, I think that this is reasonable and a laudable position to take. Censorship is especially a lowest common denominator freedom-- who decides the standards on which things are censored? How are false accusations handled? Can that censorship be turned on you or I?

Re:I think that they are right

[COAngler]

The whole point of fighting for freedom is that it is even the freedoms of those we don't like that we are preserving, or those we wished would have no freedom. Freedom is only as great as its lowest common denominator.

Whose freedom are we talking about here? Mine. Specifically, MY freedom to decide who is allowed to use MY SMTP server. I paid for the server. I decide who is allowed to send through it and who is allowed to receive through it. If somebody thinks I need to let him use it without my permission, then I trust that he'll understand when I spraypaint _my_ business's advertisements on his car's windshield.

So yes, I think that this is reasonable and a laudable position to take. Censorship is especially a lowest common denominator freedom-- who decides the standards on which things are censored? How are false accusations handled? Can that censorship be turned on you or I?

Censorship has nothing to do with this discussion. MAPS is publishing a list of IP addresses and representing that "These IP's have been implicated in spamming. We have tried to contact the owners of these IP's. Some of the owners could not be reached. Others have refused to take measures to prevent spamming from their services."

That's all they do: publish the list. I used to use it as a true blocklist. Other people I know have used it to insert an X-Spam header into incoming email. It's up to each individual admin to implement it and decide how it's to be used.

You might also take a look at the US Constitution. Show me the _EXACT_ wording that gives a right to send or receive email. It ain't there. Nobody has a right to send me email and have it received. No sensible ISP will make any guarantee that email will go through.

And if someone doesn't like a spamblocked ISP, then he has to remember that he doesn't own the ISP. He's a customer. Customers are worth listening to, but they don't own the machines. If they want to be in charge of a mail server, then they should buy their own. Sendmail is free and early Pentiums are damned cheap. And considering what volume of my incoming mail is spam, I doubt they want the increase in rates that I'd have to charge to pay for the larger pipes and larger hard drives.

I floated the question about two years ago, back when MAPS was the Great White Hope of the pro-property-rights people, and got better than 75% saying to go ahead and filter.

And when someone doesn't like MAPS, thinks they're unreliable or has false info, they can get rid of them easily enough, stop using the MAPS RBL in the filters. Contrary to a popular delusion among spammers, nobody holds a gun to anybody's head and forces them to use MAPS, SPEWS, ORBZ, or any of the other lists.

Re:I think that they are right

[jon787]

You might also take a look at the US Constitution. Show me the _EXACT_ wording that gives a right to send or receive email. It ain't there. Nobody has a right to send me email and have it received. No sensible ISP will make any guarantee that email will go through.

1st Amendment. Freedom of Speech, Freedom of the Press.
It would fall under the same rules that allow telemarkets to call you and allow spammers to send snail mail.

Of course I would prefer to palce email spam under jurisdiction of the junk fax law!

Re:I think that they are right

[COAngler]

1st Amendment. Freedom of Speech, Freedom of the Press.

Um, no. Read the Amendment again. "Congress shall make no law..." That means that the Amendment is a restriction on GOVERNMENT action.

Your argument has already been tried, though. Scamfraud Wallace's Cyberpromo sued Compuserve for routing Cyberpromo spam to /dev/null. The court hearing the case (a Fed district court in PA) held that the First Amendment did not confer a right to spam and did not stop Compuserve from filtering.

Of course I would prefer to palce email spam under jurisdiction of the junk fax law!

..which was also attacked on First Amendment grounds, in the Ninth Federal Circuit Court of Appeals. The junk fax law was upheld.

Procmail

[Kozz]

For the uninitiated, procmail is a fantastic tool. To learn more about it, check this link for how-tos, documentation, tutorials, and other spam-fighting tools.

Re:Procmail

[NineNine]

Procmail is not for the uninitiated. The uninitiated should just get a Yahoo Mail account which does an exceptional job of stopping spam.

Re:Procmail

From the Procmail FAQ:

Q: I want to use Procmail for spam filtering. A: Good luck. Have fun. Have you considered the following? It's really kind of late to stop the spam when it's already on your mail server. Better solutions would involve your mail administrator and IP-level blocks against spam sites (RBL et al.) as well as probably additional server-level filtering. Don't reinvent the wheel. There are good recipe packages out there which you cannot duplicate without serious effort. And it'd be a waste of time anyway. You'll find links to many Procmail spam filtering packages on the links page. Procmail is excellent for fine-tuning and for sorting already identified spam to a separate folder (some sites will just tag suspect messages, but still let them through) but on today's Internet, proper antispam measures belong in the mail server layer (if not in the political layer).

Basically it says Procmail shouldn't be used for this and to use RBL.

Re:Procmail

The mailfilter program will remove unwanted mail from the server before your pop client ever sees it. Pretty good!

Re:Procmail

[garrity]

There's a new procmail book just out: The Procmail Companion by Martin McArthy. He gave a talk at the Twin Cities LUG recently, he talked for to long but the books pretty good.

Re:Procmail

[G27+Radio]

Good luck. Have fun. Have you considered the following? It's really kind of late to stop the spam when it's already on your mail server. Better solutions would involve your mail administrator and IP-level blocks against spam sites (RBL et al.) as well as probably additional server-level filtering.

I agree with the last sentence that I quoted. But as of now, there is no way for the end user to filter it at that level. I think this is the key to stopping spam. I think it's as ridiculous to expect legislation to stop spam as it is to expect legislation to stop people from walking into my house if I don't lock the doors. The fact is that we need the tools to block spam from our e-mail boxes ourselves. Do we really want our goverments to pass a bunch of ineffective laws instead?

Back my original point, they say that it's too late to block spam when it's already on our mail server. But right now we can't as end users block it until we've already downloaded it to our own machines, so blocking between the server and our PC would be a vast improvement at this point.

Ultimately I'd like sendmail to be able to block based on a black/gray/white-list file/database on the server. Blacklist=never accept, whitelist=always accept, and greylist is an autoresponder that gives human-readable instructions requesting that the sender enter an arbitrary keyword to get on the whitelist.

You currently don't have access to this mailbox. This mailbox does not allow unsolicted commercial e-mail. If you agree to these terms please type 'accept' now to send your e-mail.

That's really just a rough outline. But the thing that would make it all possible would be for sendmail to allow the owner of the mailbox to be able to have their black/grey/whitelist's and a list of keywords that would determine which list to put undetermined senders on.

I posted this idea on Usenet six or seven years ago and got flamed for it, but I really believe that giving the mailservers the ability to filter based on address lists and keyword lists would empower e-mail client developers and users to truly combat spam.

Re:Procmail

[cymen]

Do we really need such disclaimers? If you read /. and have some nads you should be able to get procmail working. Jeeze...

Re:Procmail

[cymen]

Once you get past ignoring their little disclaimer go get JunkFilter - addon scripts for procmail that that help eat spam... Personally I send it to a Spam-JF IMAP folder just in case it gets something important. In the last 2+ years of using it only a couple emails have been misclassified (plus I'm even running an old version!). Time to go upgrade...

Re:Procmail

[rew]

Procmail is excellent for fine-tuning and for sorting already identified spam to a separate folder (some sites will just tag suspect messages,

As a mail administrator, I don't want to force my opinion on all others whose Email my server handles. So, filtering on the server is out of the question. My procmail will do the RBL check, and sort appropriately. Works great.

Roger.

Re:Procmail

[shario]

You can do exactly this by opening a mail account at Spamcop. It is not free, but doesn't cost too much either.

Re:Procmail

[Senior+Frac]

As a mail administrator, I don't want to force my opinion on all others whose Email my server handles. So, filtering on the server is out of the question. My procmail will do the RBL check, and sort appropriately. Works great.

You are one of the reasons the spam fight is going so slowly. People like you are the ones that I don't want to share a server with because I'm having to pay not only for the spam you read, but the spam you don't read.

Re:Procmail

[MrFredBloggs]

Hmmm. Maybe if they let you automatically dump the BulkMail shite, which is usually spoofed to look like its from a yahoo.com account anyway! Better off getting a hotmail account and setting it to max security - only accept mail from people in your address book!

Don't take away my MAPS!

[CmdrTaco+on]

How the hell will I be able to take vacations across country with out good maps? This is a conspiracy by the airline companies to increase sales of tickets since Sep. 11! Fucking bastards!

Re:Don't take away my MAPS!

OK.. dammit. I hate it when these slashdot kiddies just glance at the summary and don't actually read the linked article. Look, dude, notice when they say MAPS it's in capital letters? You wonder what that meant, maybe??

If you paid any attention, you would notice that this article is about MAPS, a b-grade anime available on two tapes from ADV films. I'm not quite sure why the EFF is protesting this, probably becuase it's mostly just a stitched-together series of cliches pulled from tenchi and EVA and to be honest just about every bad giant-robot-piloting sci-fi movie ever made

p.s. someone needs to add MAPS to animefu

How to stop spam :

[Gaijin42]

I highly reccommend all people go out and use sneakemail link.

This is a great utility for stopping spam while not interfereing with your normal email.

It gives you unlimited disposable email addresses to give out whenever you need an email for a website.

If you dont want email from that address anymore, you can turn it off.

On the other hand : Spam is meant to market a good or service. Therefore there must be some way to get in contact with the spammer, otherwise their spam would be ineffective. a task force needs to be created which smacks spammers upside the head with fines, or just plain shuts them down.

Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

Re:How to stop spam :

[Green+Aardvark+House]

Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

In reality, many spammers include a valid return addy or a remove link, even though it is required by law. There's a need for better enforcement of existing law.

The problem with your solution, is that spammers can use a similar service and spam from an obfuscated address.

Re:How to stop spam :

[elmegil]

That's a laugh. Even if it is a "valid" remove instruction, 9 times out of ten, they claim it's not SPAM because "I requested to be on the list". Since I NEVER request to be on such lists, such obvious misrepresentation of the facts should be actionable in and of itself. Of course no one who could actually do anything about it gives a damn.

Re:How to stop spam :

[Ceinwyn]

Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

Why should people be allowed to fill my vitural mail box with garbage? I have to pay to download it, filter out/delete it. Internet connections in one way or another cost money. I don't appreciate spammers spending my money and my time without my approval. Spam (not Spam(tm)) should be illegal. Email should fall under the same protections as fax machines and other electronic equipment.

Re:How to stop spam :

[mmontour]

Another good service is, of course, spamcop.net.

There's a free tool to de-obfuscate the headers of Spam and send complaint letters to the appropriate abuse departments. They also have a paid filtering service that will hold any possible spam messages until you manually approve the sender (or report it as spam). Money well spent, IMHO.

Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

As for the valid return address, I would say this is necessary (but not sufficient) for a Spam to be "legal" in any sense (along with "ADV:" in the subject line, other standard headers to identify it as spam, and a notification of how they got my email address so that I can badger / LART the upstream company to stop selling my info).

However, the "remove" method doesn't really work because these addresses are often just a way to verify that your address is still "live". One way to test this is to send a removal request using a newly-created address, then wait to start receiving spam on that address.

The only way for "opt-out" to actually work is to have a higher-level, trusted agency maintain the opt-out list (similar to "do-not-call" lists that exist for telemarketing agencies). However, given the nature of the Internet, it's hard to say what agencies should have jurisdiction here.

Of course, the best way to deal with spammers involves a jar of honey and an anthill...

Re:How to stop spam :

[harlows_monkeys]

Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

The big problem with that Gaijin42, is that spam is very cheap to send, and mailing lists are easy to build and exchange.

Run some numbers...say, several thousand companies sending spam to 20 million people each, with a lot of overlap on the mailing lists. Some people would get thousands of emails. This would make email completely unusable for anything other than receiving spam, for many people.

As long as the sender does not pay the cost of email, spam has to be limited.

Re:How to stop spam :

[MaufTarkie]

Another method, and the one I personally use now, is to use Tagged Message Delivery Agent, or TMDA. It requires Python and qmail, though, so if you hate either one of those don't bother looking.

I turned it on at the beginning of July and I have yet to see one piece of spam since. I have it set up so that all my friends don't even know I'm running it.

Re:How to stop spam :

[Jay+L]

There are 22 million small businesses in the U.S. alone.

If one-tenth of one percent of them decided to send you one message this year, and if they coordinated to achieve load-balancing, you would still get over 200 pieces a DAY.

Opt-out doesn't scale.

Re:How to stop spam :

[faster]

I like Spam Gourmet better.

And I don't agree that spam should be legal, unless they're going to pay for my internet connection. The TV advertisers pay for everything except my TV (and cable or sattelite, but I don't mind paying for the additional services); if they'll pay for my connection, they can send me spam.

No, wait. If they pay for YOUR connection, they can send YOU spam. I don't want it, even if it's free.

Re:How to stop spam :

I have used SpamCop for over 3 years now, and while I think it's awesome (nothing better than getting letter's from sysadmins stating that Spammer X has been "dealt with" :)), the fact remains, the more they send, the more I pay! I just recieved over 40 emails from ONE source in 2 days (postmastergeneral.com) saying I had "opted-in" to their service, which is 10,000 tons of bull, since I don't use my spamcop account for anything other than reporting and nuking SPAM, but nonetheless, it cost me over 3MB of "fuel". Is someone at postmastergeneral.com going to pay for my fuel? NFL!!! I have an answer for SPAMMERS, send me your REAL street address, so I can come down there personally and show you how much SPAM can cost!

Re:How to stop spam :

[Technician]

I think the above poster does not have e-mail or is a newbie. The post does not mention anything regarding actually trying to fight spam. Anybody who has recieved it in large quanities knows otherwise. Maybe the above post is just a troll. Sure you can contact them. Call the Tarrot card reader phone number given in the spam and complain. That'll be $10.95 + $3 per minute billed to your phone number. thanks..

Fighting for freedom

[unformed]

"When they took away the Fourth Amendment, I said nothing. I didn't deal in drugs. When they took away the Sixth Amendment, I said nothing. I was innocent. When they took away the Second Amendment, I said nothing. I didn't own a gun. Now they've taken away the First Amendment, and I can say nothing." -author unknown

Re:Fighting for freedom

[benedict]

What is "insightful" about this? How does it contribute to anyone's understanding of spam, anti-spam measures, freedom of speech, and the interaction between these entities? Moderators, care to speak up? Anyone?

Sheesh!

Re:Fighting for freedom

What does this have to do with spam? Are you trying to somehow protect spammers under the freedom of speech umbrella?

And then they took away my right to spam, I said nothing, I didn't spam.

Err, wait a minute, right to spam?

EFF is misguided in this

[gorilla]

Your right to send mail stops at my mail server, I can refuse to accept mail based upon anything I feel like, including irrational reasons.

Re:EFF is misguided in this

[Reality+Master+101]

That's fine, but they are not saying that you are required to read all mail that comes into your server.

The question is, do you want your ISP and/or the government making the decision on what mail you can or can't receive -- without your knowledge?

Re:EFF is misguided in this

I agree. My dad had a favorite saying, "your right to swing your arm stopped at the end of my nose."

Re:EFF is misguided in this

[gorilla]

That's fine, but they are not saying that you are required to read all mail that comes into your server.

Yes they are. They're saying that all the filtering should happen at the end user end, when the spam has already cost money. To give a REAL example, I had someone sending mail to over 30,000 random names @domain in one night, all starting with the letter a, before I blocked them. These were names which had never existed in our system. If I adopted the EFF's position, then all of my users would have had a month of bad service, or I'd have to get a much bigger mail server.

Re:EFF is misguided in this

[keithmoore]

Yes, you can refuse your own mail for any reason you like. But if you provide a service to other
people you have no right to arbitrarily decide to discard their incoming mail.

And if you trust the blacklists you're seriously deluded. Not only are they notoriously incorrect,
they don't actually catch much spam. And they do
block a lot of legitimate mail.

Re:EFF is misguided in this

[Reality+Master+101]

They're saying that all the filtering should happen at the end user end, when the spam has already cost money.

I'm not arguing that spam isn't a problem in many cases, but I know that I DO NOT want a bunch of nannies telling me what mail I can or cannot recieve. If an ISP wants to offer blocking based on MAPS or any other system, then they should set up an opt-in for individual users, and the default should be opt-out.

Re:EFF is misguided in this

[gorilla]

Sure I do. They can decide they don't like the service and not use it.

I don't really care how inaccurate they are. As long as they stop at least 1 item of spam ever then they have paid for the effort putting them in (Not much at all).

Re:EFF is misguided in this

[gorilla]

An ISP can choose whatever policies it likes. If it thinks that it can get most customers by blocking everyone except users with the username 'banana' then they're allowed to do that. If you don't like that policy, then go to another ISP.

Re:EFF is misguided in this

[Reality+Master+101]

An ISP can choose whatever policies it likes.

At this time, it's a question of ethics. It is unethical to block mail for an individual user without that user's consent.

Quite frankly, however, I think it should probably be illegal to block someone's e-mail without their consent. It's a lot like interfering with postal mail, which is a federal offense.

Re:EFF is misguided in this

[gorilla]

I disagee. It's unethical to not operate a system in the best interests of the owners, who are not the users.

Re:EFF is misguided in this

[Reality+Master+101]

So if your apartment complex, who are the owners, decided to sort through your postal mail and decide what you would or wouldn't receive, and did it without your knowledge, you wouldn't have a problem with that? After all, they own the mail boxes, right?

Re:EFF is misguided in this

[sid+crimson]

So if your apartment complex, who are the owners, decided to sort through your postal mail and decide what you would or wouldn't receive, and did it without your knowledge, you wouldn't have a problem with that? After all, they own the mail boxes, right?

No, they don't. The Postal service owns the mailboxes.

-sid

Re:EFF is misguided in this

And if you trust the blacklists you're seriously deluded. Not only are they notoriously incorrect, they don't actually catch much spam. And they do block a lot of legitimate mail.

You're missing the point of MAPS. The idea isn't so much to block the spam itself, which is left to procmail and other filtering programs. The primary role of MAPS is to discourage providers from leaving SMTP relays open for spammers to exploit and/or from providing net access to known spammers. The war on spam is kind of like the war on terrorism. It's impossible to get to the spammers themselves, so instead we target the companies who harbor and support them.

Re:EFF is misguided in this

Perhaps you should think about reading your ISP's policies and possibly taking your business elsewhere. It's not like they're hiding anything from you.

Re:EFF is misguided in this

[Reality+Master+101]

No, they don't. The Postal service owns the mailboxes.

That's true in some cases, but not all cases. For example, if you had a large apartment building with its own mail sorting room, that would probably be owned by the building. Or we could just look at a large business building with its own mail sorting.

Re:EFF is misguided in this

At this time, it's a question of ethics. It is unethical to block mail for an individual user without that user's consent.

No, it's not a question of ethics at all. It's a question of service. ISPs who subscribe to MAPS are providing a service to their customers. Some ISPs use MAPS, others block pr0n, others prevent you from setting up servers, still others ban warez & movie trading. If you don't like your ISP's terms of service, you are free to use another. By choosing to be their customer, and by explicitly agreeing to their terms of service, you have given your consent.

Quite frankly, however, I think it should probably be illegal to block someone's e-mail without their consent. It's a lot like interfering with postal mail, which is a federal offense.

No, it's nothing at all like postal mail. One key difference is that there is an open market for internet service. You are free to choose your ISP, who is free to choose their services & policies. In contrast, you don't have a choice of post office.

Also, the laws against interfering with postal mail apply to non-partisans (individuals other than you and the USPS). The USPS is free to determine their delivery policies to a large extent (within reason), much like an ISP is free to determine theirs.

Re:EFF is misguided in this

It doesn't matter. The whole argument is irrelevant since the ISP is analagous to the USPS in this example, not analagous to the landlord.

Re:EFF is misguided in this

[harlows_monkeys]

If an ISP wants to offer blocking based on MAPS or any other system, then they should set up an opt-in for individual users, and the default should be opt-out

It is opt-in. When deciding what ISP to use, one of the things you should look at is how they deal with spam. If they use MAPS and you don't want to use MAPS, don't use that ISP.

Re:EFF is misguided in this

[keithmoore]

And you're missing the point of my comment - which is that the filtering criteria you recommend
(a) are ineffective and (b) cause a lot of legitmiate mail to fail to be delivered.

Re:EFF is misguided in this

[keithmoore]

why not just block all incoming traffic to port 25 then? it's even simpler than MAPS, and it's 100% effective at blocking spam.

of course, it's also 100% effective at blocking legitimate email. but you've already decided that you don't mind MAPS doing that for you.

Re:EFF is misguided in this

[Skapare]

I am the ISP. My customers complain about spam. They don't want it. So I do what I can to block it. There is some collateral damage, but it is very small compared to the spam that I'm now successfully blocking. If a customer wants spam, they can use another ISP, or run their own MX server, or pay me to run a parallel set of ublocked servers. They have the freedom to choose. The ISPs are not forcing anything on their customers if there is a choice there.

Re:EFF is misguided in this

[Skapare]

Yes, you can refuse your own mail for any reason you like. But if you provide a service to other people you have no right to arbitrarily decide to discard their incoming mail.

It is you who have no right to arbitrarily tell me what I can do or not do with my business. I'll make the decision that best reflects the way I want to do business. If you were my customer and didn't want to have your mail filtered the way I do it, you're free to move on to another ISP.

While I am concerned about some of the blacklist policies, I've found they are tremendously effective and have quite little collateral damage. What little I have found I can fix up myself. But I'd certainly like to have a better blacklist, but somehow I doubt you and I could work together to create one.

Re:EFF is misguided in this

[Skapare]

The default is you get no mail at all. That's not just how I think it should be, that is how it actually is before you get on the internet. Now how you do choose to get online is your choice. Want to go with an ISP that subscribes to every blacklist? Want to go with an ISP that subscribes to none? Want to run your own mail server? The choice is yours. Don't go whining because one of the choices happens to be something you would not want.

Re:EFF is misguided in this

[Skapare]

Oh, it's you again.

The user consents when they choose to use an ISP that opts to use blacklisting to satisfy most of their customers.

I'm not opening the mail to see what's inside. I just choose not to allow the mail to be coming from places known to be sources of problems. If the Post Office knew that mail coming from a certain place was costing them more than what they are paid to deliver it, you can be sure they will stop taking the mail from there. That's not interfering with the mail, because that's the post office doing it themselves. I'm sure these days if the package looks suspicious, they're going to check on it. They may not even deliver it right now. But that is not interfering with the Post Office because it is they who are doing it.

I deliver mail in my mail server the way I like, and I don't want interference from outsiders telling me what to do. If you are a potential customer, and prefer a different ISP, then certainly tell me why you don't want my service. If there are enough people like you to justify setting up the service you want, I'd probably do it.

Re:EFF is misguided in this

[Skapare]

If they are doing the sorting of the mail from big mailbags arriving from the postoffice, then I'd tell them I'd like to have the junk mail removed, and if anything else is removed, or junk added, I'll move. But if it is not their job to do that, of course I'd have a problem with it. I don't interfere with the IP packets going to the mail servers of customers who do their own. I only do the filtering of email in my own servers.

Re:EFF is misguided in this

He has? Only if he's chosen an ISP that does block all e-mail. And if you don't want e-mail, and can find one, you're free to do just that.

Re:EFF is misguided in this

[Skapare]

If the junk snail mail levels were anywhere like the levels in email, I think I would like to have them sort out the junk and toss it. It would save me a lot of time. The question is, how would they do that? The problem is, they don't get mail directly from different distinctive places which can be identified as sources of junk or not. But in email, this does happen, and it makes it very easy to filter fairly accurately. So I believe your scenario simply would not happen because there is no practical means to accomplish with snail mail that which is accomplished fairly effectively in the realm of email.

Re:EFF is misguided in this

Nope. The Postal Service still owns the mail boxes, no matter where they are. They just happen to be located on private property. Businesses are a different story, IIRC.

MAPS & ORBS aren't that painful

[fetta]

A few years ago, I came onboard at a small company just in time for their mail server (Exchange 5.0) to get blacklisted (by ORBS, I think). It sucked at the time, but if we hadn't gotten blacklisted the open relay would have remained open for a long time (the problem prompted our move to qmail). Once I closed the open relay and informed ORBS, we were quickly removed from the list.

In theory, I have no problem with the concept of these blacklists. The use of them is voluntary. From what I've heard, there may need to be some serious discussions about how they gather their data and their procedures for getting off their blacklists, but the concept seems to be both effective and practical. Also, mail providers should be up front about their use of these lists so that users can choose to use an "unprotected" mail server if they choose.

Re:MAPS & ORBS aren't that painful

[Rev.LoveJoy]

I bet you'd have a problem if you had to pay a $10 dollar "processing" fee to be removed from the list, wouldn't you?

Does anyone else out there not find this idea far fetched?

Cheers,
- RLJ

Re:MAPS & ORBS aren't that painful

[fetta]

I bet you'd have a problem if you had to pay a $10 dollar "processing" fee to be removed from the list, wouldn't you?

Yes. When I was blacklisted, there were no fees to be removed - you just had to fix the problem and inform the list maintainer. I haven't been in charge of a mail system in quite some time, so I'm not up to date on all the latest details of the controversy. Giving somebody a profit motive for "false positive" listings is disturbing and changes the nature of the list significantly (IMHO).

Re:MAPS & ORBS aren't that painful

[Rev.LoveJoy]

The fee idea is purely conjecture on my part. However, I can see it happening.

MAPS is a private company and, as so many people have said, they are opt-in.

I see their strong arm tactics now as a preclude to milking the list for all it's worth down the road. I know, color me paranoid...

Cheers,
- RLJ

Re:MAPS & ORBS aren't that painful

MAPS has been around for a long time and has never showed any intention of doing anything like that. MAPS was started for altruistic reasons, and for many years it was provided free to anybody who wanted to subscribe. I honestly can't see the people who run MAPS turning it into a scam like that. And if they did, they would lose their subscriber base really fast.

Re:MAPS & ORBS aren't that painful

[McSpew]

The problems with most of these blacklists (and there are lots of them) is that there are no globally-accepted standards for how open relays should get on or off the lists, how to notify owners of blacklisted IPs and how long entries should be blacklisted in the absence of other feedback.

I hate spam at least as much as the next guy, but I'm still cleaning up from an attack that happened two months ago through a server I thought had been configured to prevent relaying. Unfortunately, it had been rebuilt (and badly) since the last time I'd verified its configuration. The attack launched through the relay lasted no longer than 36 hours. I realize that's a helluvalong time in Internet time, but considering the attack began over a weekend, the fact that I caught it and stopped it on Sunday morning means I caught it 24 hours faster than I normally might have.

I fully expected to wind up on some blacklists because of the incident, but I didn't expect to be winding up on new blacklists 30 days after the fact.

Today, I got an email from a user who hasn't been able to contact somebody important for three weeks. The user on the other end was completely unaware that their ISP was blocking our email.

I'd like to see standards for notifications, for aging entries (and eventually dropping them), for active verification and automated retesting, and for subscribing ISPs to notify their users how many emails they blocked and from whom they were blocked.

But that's just me.

Re:MAPS & ORBS aren't that painful

[macdaddy]

Why should I tell you I'm blacklisting you? I list 10-30 spamming domains per day in my Sendmail access lists. Many are known spamming outfits like Alan Ralsky. Others are ISPs that I've reported mail abuse to and nothing was done about it or I got a reply saying "it's not our fault" or "we don't believe you". I get both of those often or nothing at all and the spam continues to flow. I see nothing wrong with not telling you that I'm not going to accept mail from you.

Re:MAPS & ORBS aren't that painful

[StenD]

Why should I tell you I'm blacklisting you? I list 10-30 spamming domains per day in my Sendmail access lists. [...] I see nothing wrong with not telling you that I'm not going to accept mail from you.

And this is the reality that the EFF is ignoring, and that MAPS and ORBS were created to address. Lacking the magically intelligent mail filter, individual ISPs create their own blacklists, and it is impossible to get off of all of the individual blacklists. Using a global blacklist is like democracy - it sucks, but it's better than anything else that's available.

Re:MAPS & ORBS aren't that painful

[Grue]

Just like CDDB would lose their subscriber base really fast? Sure, FreeDB is here now, but let's not forget history. CDDB was also started for altruistic reasons. There's that word again. Altruism. For a paranoid geek, it's a suspect word.

Josh

Re:MAPS & ORBS aren't that painful

[Rev.LoveJoy]

Josh,

It sounds like our respective roads to hell are paved with similar substances.

Cheers,
- RLJ

Re:MAPS & ORBS aren't that painful

[McSpew]

Why should I tell you I'm blacklisting you?

If you're a private citizen, you owe me nothing. If you're an ISP, you owe me at least a cursory attempt to have an automated program try to email me. Fer cripes sake, how hard would it be to write a perl script that parses the IPs, performs a reverse-DNS lookup, tries to email postmaster@ and then blacklists?

If I'm a real spammer or a moron with a cable modem, you won't get a valid or useful reverse-DNS. Fine. Don't notify those morons or scumbags directly. But for poor bastards who got caught with their shorts down, let's not go out of our way to make their lives hell after they've already fixed the problem.

The sites that have blacklisted me aren't private individuals. They're blacklist organizations that small ISPs and some corporations belong to. The SMTP service that acted as a relay for a day and a half has a valid RDNS name that is mx.mydomain.com. It shouldn't have been tough for somebody to figure out they could send an email to postmaster@mx.mydomain.com or abuse@mx.mydomain.com or even postmaster@mydomain.com.

I'm all for killing spammers and sterilizing their children. And I don't have a problem with blacklisting morons like myself. I do have a problem with making it impossible for me to redeem myself.

Re:MAPS & ORBS aren't that painful

[macdaddy]

I owe you something if I'm an ISP? Now just where the hell did you come up with that? I'm assuming (since you didn't say) that the "poor bastard" with their shorts down had an open relay that was used to spam me. I don't list open relays. I use the RSS for that. I report it and let MAPS test/notify. I blacklist spamming domains and very well-known pro-spam providers like Broadwing. I don't list some poor bastard because they made a config error. When I report the open relay I typically do research to find out who's machine it is (or at least the upstream) and CC them on the report. I blacklist hosts when they do nothing but spam us, Rumplestiltskin attacks, floods, etc... I also go out of my way to get their provider to do something about the, (typically it's a DSL/cable customer). It is however my hardware and my resources. I made no garuntees to my users that they would receive full, complete, and unfiltered email. I filter viruses too. They don't seem to mind that at all. I would love to find a way to let my users opt-out of our checks but there isn't such a way yet. Sendmail either accepts the message if it doesn't match, or rejects it if it does match. It doesn't give a damn who the message is going to. If there was a way to set an X-Spam tag for users that ask for non-filtered mail, I'd implement it. The only way of doing it now is with a LDA like procmail. By the time a message gets to procmail, you've already wasted your resources by fully accepting the message. All you can do then is send it back to MAILER-DAEMON@that-domain.tld. Your MTA can't reject it the way SMTP was meant to work. If someone came up with the program to do it, I'd love to do it for my users. Unfortunately it's not there yet. I would still filter all mail unless they explicitly asked for the other option (which would entail me still identifying the mail I'd reject as spam with a header tag and let the user's MUA filter it).

J

MAPS have many short comings

[rosewood]

Quite often, the resolution is not detailed enough in larger citys. However, the bigest problem is folding MAPS just SUCKS!

OT: Fake photos the press puts out, e.g. on Yahoo

[GringoGoiano]

Does this press-conference photo look fake to you? The background isn't quite right, I wonder why they feel the need to do this?

http://dailynews.yahoo.com/h/p/nm/20011018/ts/md f7 1099.html

MAPS is not the problem

[ethereal]

...lack of notification that your ISP uses MAPS is the problem. Any ISP that uses MAPS without saying so should be sued for fraud; since they're not providing the complete connectivity that they advertise. ISPs should just put their MAPS usage in their TOS, or even (if possible) allow the user to choose MAPS or not for their email accounts. Some ISPs could advertise that they use MAPS and are spam-safe; others could advertise that they don't use MAPS and are freedom-enabled (or something like that).

As long as there is sufficient notification and user choice, then there's nothing wrong with MAPS. It's only when their somewhat strong-arm tactics are combined with ISP coercion that the user really has a problem.

Re:MAPS is not the problem

[stilwebm]

Most ISPs have terms of serice which state that they have the right to a) determine what you can and cannot send and receive and b)terminate your service at any time.

Re:MAPS is not the problem

[freakinPsycho]

If MAPS is used in the best way possible, there is no way for the customer to "opt-out" of it filtering their account. Used best, routers for the ISP simply drop the packets. This saves any number of things expensive computation, is quick, and is very effective.

Re:MAPS is not the problem

[ethereal]

That makes sense and it wouldn't surprise me if that were the case universally; I threw out the idea of configuring it per-account off of the top of my head. I could see how doing such a calculation per-user would probably chew up as many resources as just handling all of the spam in the first spot.

OK, here's a good ISP idea: just add a header to the mail saying that the ISP tagged the email as being MAPS-blacklisted. X-ISP-MAPS-Found, or something like that. Then the user could very easily configure their client to drop mail with that header, or not.

Re:MAPS is not the problem

[ethereal]

Yeah, I guess you'd have to find an ISP which didn't, which was a lot more possible a few years back. Thank you, vast ISP monopolies...

Here's a great Ask Slashdot question, then: is it still profitable to run a small ISP that caters to the technical user, by providing complete connectivity, optional spam filtering, maybe some hosting, etc.? And, is it possible to run that ISP in such a manner that you won't get bought out by one of the big national ISPs that don't have all the nice perks?

Re:MAPS is not the problem

[Bishop]

Hmm, why not two mail hosts? user@isp.net and user@ns.isp.net or some such. Might be a bit of an admin nightmare though. I can see how to do it, but would it work for 10000 users?

Re:MAPS is not the problem

[_Sprocket_]

OK, here's a good ISP idea: just add a header to the mail saying that the ISP tagged the email as being MAPS-blacklisted. X-ISP-MAPS-Found, or something like that. Then the user could very easily configure their client to drop mail with that header, or not.

I've worked for a company that did this with their corporate mail environment. Works pretty good, if you know what to look for (and they did a good job to educate their people about the system).

However, that does nothing to protect the ISP and the user from the burdon of the email. They still take a hit when dealing with this undesired traffic. Even if it does allow a hook to automatically deal with it without human intervention.

Re:MAPS is not the problem

Yeah, I guess you'd have to find an ISP which didn't, which was a lot more possible a few years back.

Yeah, back when there were stupid ISPs who's TOS allowed them to be sued for fraud for administrative decisions.

I like the the technical user ISP idea - only problem is that your average know-it-all "technical user" is an MCSE who craps his pants everytime zone alarm beeps at a packet and warezes Windows 2000 'Advanced Server' without realizing that he's code red infected. Throw the unpatched RedHat crowd in with the MCSEs.

(oh the days of 1993 when your ISP was a couple guys with a T1 and an old Sun in their apartment...)

Re:MAPS is not the problem

"just add a header to the mail saying that the ISP tagged the email as being MAPS-blacklisted"

Doesn't do anything to reduce the cost of delivery. And face it, $$$ is the only reason most ISPs care about spam at all.

What's wrong with voluntary collective solutions?

[vees]

It's a shame to see MAPS and collective protection schemes dumped into this list of "bad things." Like most geeks, I don't like everything that MAPS does and I'll admit that I've even been on the wrong side of the ORBS cluestick in the past. However, I believe the concept of collective protection is a good one. If there's a problem with ISPs using systems like that to block legitimate mail, then customers who want to receive said mail won't be with them for long. There are natural market pressures at work to provide what the most important people (the end users like our friends and family) want.

Like most of you, I have a pretty potent procmail script, but I have to say I've probably invested an absurdly significant amount of time in my labor of love getting it just right. If I were less of a geek, I might tend towards finding a group of like-minded mail readers and collecting our resources together. If evantually our creation became a widely recognized and used method of mail filtering, great! Then that's the choice of every sysadmin and every participant (by the merits that they all pay his/her salary) to be behind that shield. Nobody else has the right to tell me I have to accept socket connections from them if I don't want to.

Blacklist implementation voluntary, too

[Erasmus+Darwin]

An issue the article fails to address is that the provider subscribing to a given blacklist may choose how to handle that information. Automatically rejecting emails is only one choice (and happens to be what we use where I work). Another option is to merely flag messages from blacklisted addresses, so that they can wind up in a lower priority "junk mail" folder that is still manually reviewed. Yet another option, the worst of the bunch and also the only one mentioned in the article, is for a server to silently discard all blocked mail with no error being returned.

Re:Blacklist implementation voluntary, too

[terrymr]

What if your isp uses MAPS to block email to your account - how is that voluntary ?? (true i could choose another ISP - but how many tell you up front if they use maps).

OT: Fake photos (corrected)

[GringoGoiano]

Does this photo look fake to you? I wonder why they feel the need to do this?
http://dailynews.yahoo.com/h/p/nm/20011018/ts/mdf7 1099.html

Right to send email?

[Rombuu]

Since when does anyone, anywhere have the right to send email? Since when does anyone have the right to have their data go over a network that they don't own? If someone wants to drop the letter 'P' from every packet that goes over their network, last time I checked, they still have that right. And if they don't want to carry your email, for whatever reason, last time I checked, they have that right.

And the EFF wants to get rid of your rights... sigh..

Re:Right to send email?

Fascinating. So if your ISP just decided to drop the letter P wherever it appeared in a packet, without telling you, you'd have no problem with that? You don't own their network, after all.

Re:Right to send email?

[Rombuu]

Fascinating. So if your ISP just decided to drop the letter P wherever it appeared in a packet, without telling you, you'd have no problem with that? You don't own their network, after all.

Its their right... I'd have a problem with it, sure. But the fact I have a problem with it doesn't mean they don't have the right to do it. I'd go get another ISP. Problem solved.

Contracts are good for avoiding this sort of thing as well, you know?

Re:Right to send email?

"I may not agree with what you have to say, but I will fight, to my death, for your right to say it."

Voltaire.

Re:Right to send email?

[pjrc]

Since when does anyone, anywhere have the right to send email? Since when does anyone have the right to have their data go over a network that they don't own?

Likewise...

• phone companies have the "right" to block calls, perhaps to areas
  
• postal service has the "right" to refuse delivery to certain places, such as bad neighborhoods
  
• utilities (power, water, gas) have the "right" to offer service to only those they like
  
• banks and insurance companies have the "right" to red-line (refuse services in low-income areas, even for otherwise good customers)
  

Re:Right to send email?

As for banks and insurance companies, I say yes they do. As for the rest, you are talking about monopolies, and abuse of monopoly power is much different from the choice of a non-monopoly ISP.

Re:Right to send email?

[dfenstrate]

All the industries and services you listed are heavily regulated.

E-mail is not, at least currently.

Bear that in mind.

Re:Right to send email?

[Reality+Master+101]

Its their right... I'd have a problem with it, sure. But the fact I have a problem with it doesn't mean they don't have the right to do it. I'd go get another ISP. Problem solved.

So if the apartment complex decided to start rooting through your mail and deciding what you can and can't receive (without your knowledge), that's no problem, right? You'll just find another apartment?

It's illegal to tamper with postal mail. I see no reason why e-mail shouldn't have the same protections.

Re:Right to send email?

Can't you make any argument besides your tenuous postal mail/email analogy? This is more like an apartment complex having a sign on the front door saying, "No solicitors", and enforcing it.

Re:Right to send email?

The apartment complex has no right to tamper with that mail because they have no legitimate control over any point in the delivery system. The mail is routed through workers employed by the people receiving the mail, and the terms of their service are that it will be delivered in an untampered state (I'm ignoring the public/private service distinction at the moment). If the apartment complex wanted to give themselves the right to tamper with delivery, they'd need to institute a policy that allowed them to tamper with materials coming onto their property which are designated for the recipient, and it would have to be an agreed upon clause in the rental contract. In which case yes, you'd find another apartment.

Of course your reference to 'without your knowledge', despite that his original point was that knowledge was what was required, shows how well you're comprehending this discussion in the first place.

Re:Right to send email?

[Reality+Master+101]

No, that's totally different. It's not illegal to control physical access to property. It is illegal to tamper with postal mail, including commercial mail.

Re:Right to send email?

Alright, the point about informed consent wasn't explicitly in this thread, my bad. He did mention contract, however, and that implies informed consent.

Re:Right to send email?

So? It's only illegal to tamper with postal mail because someone said it was. A law could just as easily exist making it illegal to tamper with a solicitor attempting to talk to someone at a complex, and you'd have no point.

And of course you can always opt out of commercial snail mail, and people can't lie about who they are to prevent your attempts to do so, etc.

Re:Right to send email?

I'll agree that email should enjoy the same protected speech provisions that any other speech does -- namely, that Congress can't pass any laws restricting what someone can say. There's nothing there though about requiring people to not lie about who they are (fraud is illegal for any kind of speech), or not allowing private groups that route this traffic to do whatever they want, under contract, to restrict what people say through their own system. The right to speak is not the same as the right to be heard or the right to lie.

Re:Right to send email?

[vrt3]

Fascinating. So if your IS just decided to dro the letter wherever it aeared in a acket, without telling you, you'd have no roblem with that? You don't own their network, after all.

Re:Right to send email?

Your hypothetical apartment building could make you sign a contract designating them as authorized mail delivery agents for you, and defining a "terms of mail delivery service" that allowed them to throw out any mail they wished.

Oh wait, now the analogy is back where started. ISPs do exactly that.

Gee RM101, I thought you were a good capitalist who believed in contract law. Guess you're just another whining hippie after all.

(anyway, I knew someone who lived in a 20 story condo building and the mailboxes were all standard Postmaster General owned types. So put the imaginary analogy to rest already.)

from a technical point of vieuw

[TheMMaster]

I think it's very hard to block spammers on the ISP site, the only thing that could help some is that (I forgot the name) list of open-relays. That would probably help.
I think that it is up to the user to deceide from what IP block it wants mail and from what not. It should just be easier for the user to set up these blocks, maybe client side maybe ISP side... with the current broadband internet connections some spam that is filtered local isn't too much of a problem. However it would suck for all ISDN and 56K people... it's still a waste

conclusion: give the user the tools to sort it out for himself... NOT getting mail you want is worse than getting some you DON'T want

Re:OT: Fake photos the press puts out, e.g. on Yah

Looks OK to me. The background is just a dark blue curtain. It probably looks unusual to you because in most photographs there is only a single light source, so people in the background look darker than the people in the foreground. Whereas in a press conference, there is always plenty of lighting so everybody is lighted equally.

I think you've been hanging around Slashdot too much -- the paranoia is getting to you. :)

spam vs. the rules of the internet

[MoNsTeR]

I'm not going to couch this discussion in terms of "freedom", because it has little to do with (it. Anti-spam laws are indeed an infringement on our freedoms, as I will show, but that's not the most productive way to think about the issue.)

The arguments against spam mainly consist in the fact that spammers are ostensibly using the resources of end users and ISP's without their permission. This is simply false.
When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements. If they agreed to have every e-mail with the word "sex" in it blocked, then you can go ahead and do that. But if the user agreement the both of you are bound by includes no specification of what types of mail are and are not acceptable, then you must relay EVERYTHING your customers send and receive.
Why?
Because this is how the internet works. *I* control who I hand my e-mail address to, and thus who can send to me. It is not my ISP's business to arbitrarily block inbound e-mails for me. Rather, it is my resonsibility to control the availability of my address, and to deal with any and all mail I receive, regardless of source or desirability.

Imagine the consequences if these rules were discarded wholesale. If intermediary mail relays blocked transmission based on arbitrary whim, the entire structure of e-mail communication could collapse. Remember also that "spam" is not an objective label. I get e-mail adverts that I don't really want, but occiasionally I find something very interesting in them. Here, I'm speaking of mails from vendors I've done business with who are sending my "specials" and whatnot evevn though I didn't ask for it. Fundamentally, these are every bit as much "unsolicited commercial e-mail" as those ridiculous offers for cheap toner! If one is outlawed, so is the other, and the two "perpetrators" would be subject to the same penalties.

If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you. Under the current system, however, any attempt to stem the flow of spam will harm the proper operation of internet communication more than it will help. You can't run a mail relay that's selective, that's not how it's supposed to work, and things will break down if that's not how things DO work. Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous. It would be like arresting people for driving on the road because the locals didn't like the paintjob on your car.

I hope I made some sense here.

MoNsTeR

Re:spam vs. the rules of the internet

[gorilla]

Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.

And our SLA states that email is not a gauranteed delivery service, and we can and will drop any message we feel like.

Re:spam vs. the rules of the internet

[dropdead]

"*I* control who I hand my e-mail address to, and thus who can send to me"

All the spam I get is not based on an address I handed out. You just need to look at the header file to see that the spammer is just hitting multiple combinations of my name or domain. So where is my control?

Re:spam vs. the rules of the internet

Because this is how the internet works. *I* control who I hand my e-mail address to, and thus who can send to me. It is not my ISP's business to arbitrarily block inbound e-mails for me. Rather, it is my resonsibility to control the availability of my address, and to deal with any and all mail I receive, regardless of source or desirability.

That's wrong. I can control who I give it to ...ie first parties (who have a legitimate need for it), but many companies sell your email address behind your back. And even if they didn't, many spammers "guess" you address anyway. If I could control exactly who had my email address, then I would not be getting spam.

Re:spam vs. the rules of the internet

[El+Kevbo]

Are you serious???

When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.

I'm waving the bullshit flag on this one. But your assertion is an unprovable one since you assert that the rules are "unwritten" and thus no amount of arguing will convince you otherwise.

It is not my ISP's business to arbitrarily block inbound e-mails for me.

I agree. But if your ISP blocks mail without telling you, then your problem is with your ISP and the idiots who made that decision, not with MAPS.

Rather, it is my resonsibility to control the availability of my address, and to deal with any and all mail I receive, regardless of source or desirability.

And some people choose to delegate this authority to their ISP who in turn delegate this to MAPS or ORBS(with the full knowledge, consent, and approval of their customers). Who the hell are you to tell these people that they can't delegate that authority???

If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.

And just how would new people get themselves added to your authorization list? Are you going to start posting your phone number next to your e-mail address so that people can call you to get added to your authorization list so that they can send you an e-mail? I understand where you're coming from here, but it's an inviable solution.

Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous. It would be like arresting people for driving on the road because the locals didn't like the paintjob on your car.

No, it's like the government telling you that you can't live in a gated community. After all, the roads and driveways in that community(paid for and maintained by your money) were built to be drived upon and you can't delegate the policing of those roads and driveways to another entity(the landlord of the gated community, the homeowner's association, etc). If you want your driveway policed and you don't want undesireable people to park there, then you'll just have to police it your own damn self.

Kevin

Re:spam vs. the rules of the internet

Here, I'm speaking of mails from vendors I've done business with who are sending my "specials" and whatnot evevn though I didn't ask for it. Fundamentally, these are every bit as much "unsolicited commercial e-mail" as those ridiculous offers for cheap toner!

No, they are not 'ever bit' so, they are clearly much more solicited, if not entirely solicited. But you're missing the main distinction...

If one is outlawed, so is the other, and the two "perpetrators" would be subject to the same penalties.

...which is that most of the in-place laws that deal with this stuff only outlaw faking headers and other stuff that is meant to deal with the free toner crap flingers and not companies that are doing upfront, legitimate business with their customers.

Re:spam vs. the rules of the internet

[zorrax]

Most gated commumities build their own roads, so they aren't public. The roads were paid for by the people living there.( which is why they are generally in good shape, too) .

Re:spam vs. the rules of the internet

[Phroggy]

Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous.

FAX machines are designed and implemented for the purpose of sending and receiving FAX transmissions. Cell phones are designed and implemented for the purpose of making and receiving telephone calls away from home. Guess what? In many states, businesses can not legally send you unsolicited commercial FAXes, and telemarketers cannot call cell phones. Why is that? And why are people thankful that these laws exist?

Re:spam vs. the rules of the internet

[eggboard]

I recently was blocked from sending email to a colleague because it contained a URL embedded in the email that had numbers in the URL (80211b.weblogger.com).

The bounced message pointed me to a Web page that was supposed to explain why it was bounced. It didn't. I emailed the sysadmin of the ISP who asked to see my email that I'd sent. I objected: why should I show him private email to a colleague with whom I'd previously corresponded?

The sysadmin relented, figured out the problem (he was bouncing email that had those 32-bit numeric URLs in them), and fixed it. But still...

I agree almost entirely with you, Monster: you've struck a perfectly reasonable balance. You're not arguing against limits, just against arbitrarily non-consensually non-contractually applied limits.

I might argue more broadly that spamming is a social problem, but the only way to solve it is through technological cooperation and user involvement in the decision making.

I subscribe to MAPS for my sendmail server because it's the best solution and I don't have real end users (we're a small group of folks sharing a server).

Re:spam vs. the rules of the internet

[infiniti99]

If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.

I have considered this. It would take a total overhaul of the current mail system, perhaps replacing it with something like Jabber (in fact, I think it's possible to replace SMTP and POP3 with Jabber if you made the right wrapper programs). Then you could simply ignore messages from people that don't have a subscription to you. Of course, if the spammers were persistant enough they would just send subscription requests to you first, which makes the argument moot.

You could take it further by saying that you don't allow direct subscription requests, meaning your contacts would have to ask you permission in person or on a messageboard. This might be a bit much. :)

-Justin

Re:spam vs. the rules of the internet

[mpe]

When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.

Note that an MX record, which indicates either the machine is the receiving party or a proxy for this party, is something different from a third party relay. Indeed it's not actually mandated anywhere that an MTA be even capable of acting as a third party relay in the first place.
The reason third party relays still exist is primarily to cater for software which requires them, in a chicken and egg situation.

Re:spam vs. the rules of the internet

[mckyj57]

I hope I made some sense here.

Nope.

If you had to preauthorize it, it wouldn't be email. It wouldn't be simple.

What is simple is this -- don't send email to someone unless either:

• It is agreed to beforehand, or...
• It can reasonably be expected to be of mutual benefit.

That is the simple position of MAPS, and I agree with it.

Personally, I favor a 5-penny charge for every email that is sent, with no bulk discount. People who didn't want to pay it could use ICQ; and it would stop spammers dead in their tracks.

Re:spam vs. the rules of the internet

[Trepidity]

No, it's like the government telling you that you can't live in a gated community. After all, the roads and driveways in that community(paid for and maintained by your money) were built to be drived upon and you can't delegate the policing of those roads and driveways to another entity(the landlord of the gated community, the homeowner's association, etc). If you want your driveway policed and you don't want undesireable people to park there, then you'll just have to police it your own damn self.

But the government does restrict this, through zoning ordinances. Despite owning my property, I cannot build a fence around it to keep out undesirables, as that would be illegal.

Re:spam vs. the rules of the internet

[_Sprocket_]

Most gated commumities build their own roads, so they aren't public. The roads were paid for by the people living there.( which is why they are generally in good shape, too) .

And oddly enough, most ISPs build their own networks and servers, and pay for traffic to/from their backbone provider. These services are paid for by the ISP's customers.

Re:spam vs. the rules of the internet

[sweet+reason]

*I* control who I hand my e-mail address to, and thus who can send to me.

if that were true, then spam would not be a problem. but that would require that you be able to control who those you hand your address to pass it on to. how do you propose to do that?

Re:spam vs. the rules of the internet

[UnknownSoldier]

> Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.

Good point, but bad example. ;-)
i.e. I have a version of ICQ (98a) that I can authorize anyone, even though they didn't give their authorization.

The real way to solve the unsolicited email problem, is to use something like PGP. i.e. Authenticate the sender before recieving something from them.

Re:spam vs. the rules of the internet

It would be like arresting people for driving on the road because the locals didn't like the paintjob on your car.

Trivia note: you won't be arrested, but your car will not pass it's anual inspection in Bermuda if it is painted in more than two colors. They also check for rust, but don't bother with things like brake inspections or smog tests.

That goes along with the laws that specify the 3 or 4 acceptable colors that you can paint your house, and the required type of roof. It is kind of like a home-owners association run amuck!

I agree

[SirSlud]

'blackbox' solutions are dangerous .... avergage users will never be able to infer what goes on behind the scenes. Far more useful would be a 98% successful (my guesstimate at what an acceptable fail rate should be) intelligent, learning filtering system on the client end .. where you can just scan-the-spam topics and make sure you're not missing anything important.

It would be much easier to tackle this problem if a 'pseudolution' (spam is, by its very nature, not 100% solvable) is rolled out with the next generation mail protocal. To this end, does anyone know if there are any current undertakings addressing a next generation email protocol capable of more interaction/configuration from a client?

One VERY nice feature I'd like to see is email addresses with embedded timeout values in them .. ie, you can provide email addresses that somehow 'hide' your real email address and some timeout value, such that only email servers on your end could decrypt the address and figure out if that communication priviledge has 'expired'. I think mail servers would have to know if a mailing was a 'bulk' or 'single' mailing .. single mailings could accept normal email addresses, but multiple mailings would require these encrypted addresses with built in time out values.

I havn't thought TOO deeply about it, as you can tell, and I'm not much of a privacy/encryption expert, but can anyone articulate a set of rules based on the above postulation that is technically feasible?

Re:I agree

[faster]

> One VERY nice feature I'd like to see is email
> addresses with embedded timeout values in them

That's what spamgourmet does.

www.spamgourmet.com

Re:I agree

[macdaddy]

By that time, it's already too late. The spam has already uses your resources in bandwidth coming in, processing time to parse it and write it to disk, drive space to store it, more processing to to extract that spam and form it up in packets for delivery to the client when he/she asks for it, bandwidth exiting your system, bandwidth for them to download it. Whereas thanks to the SMTP protocol we could have rejected in right away by IP or domain name before we gave our code 200 to accept the message. Much fewer resources wasted.

MAPS has been highly effective for us

[ehintz]

I implemented MAPS and Procmail Sanitizer at my employers corporate gateway about 6 months ago. As the EFF article mentions, there is a concern for legitimate mail being blocked. My solution for this is to include my direct phone line, and a request to contact me if the mail is legit, in the error message sent to mail denied by MAPS. In about 6 months of operation, at a company with about 120 users, we block on average 150 messages per day, with an all time high of 262 in one 24 hour period. I have yet to get a phone call from ANYONE, spammer or otherwise. Meanwhile, users who were getting 10-15 spams per day are now down to 1-2, sometimes none.

Frankly, I've found MAPS to be highly effective. I expected to occasionally toss out legit messages, which was why my direct line is included in every bounce, but MAPS has been considerably better than I could have hoped for. With proper setup and configuration it is quite easy to ensure that legitimate mail gets through with only a minimum of delay. MAPS has been a very worthwhile investment for our company, and our end users have consistently thanked us for implementing it. Likewise, Procmail Sanitizer has stopped all kinds of trojans and viruses cold at the gateway-even catching new ones before being publicized. Although we don't use Outlook, we still find it useful to stop the stuff, and I can't fathom anyone running an Outlook environment without Procmail Sanitizer. Good stuff.

Re:MAPS has been highly effective for us

We're going to spam your phone line dude.

Re:MAPS has been highly effective for us

[The+Larch]

You're unlikely to get any calls from most innocent senders whose emails end up as collateral damage because the average person is unable to parse a bounce message and extract the useful information. Most can't even tell between a delivery delay and a fatal error -- if they get a scary looking message full of words like "warning" or "error" or "delivery failure", they'll just assume that the recipient's email is broken.

I've been victimized by the RBL once that I know of (I had my outgoing email rejected by the recipient's ISP because my ISP had some clients who with open relays and MAPS had their entire address space blocked on the RBL), and I suspect it may have happened at other times, as mail to my account at my current ISP who also uses the RBL has been mysteriously disappearing, and I've had complaints from people that my email is "broken". In fact, I'm considering switching to a yahoo address as my primary email account.

Re:MAPS has been highly effective for us

Here's another trick to try if you have a web server and access to the logs - put a URL explaining the rejection in the bounce. I've been doing this for about 2 years, and I believe there have been 3 hits from outside my organization to those URLs.

Note that I have 1500 users and 75 hosts/domains blocked, and even then just THREE hits on that thing.

It proves the same thing as your phone number - spammers don't read bounces. They just spew.

Some "ICQ" features ...

[LoudMusic]

Errr ... I think I'm offtopic, but to hell with karma.

It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list. Your email client could auto delete email from people that aren't in your address book. I guess filters could be used to do this, but it's not obvious for the 'common users', like Grandma (:

There could/should also be a way for the email client to tell the mail server "hey, stop sending me mail from X@X.X". That way you cut it off at the source and it stops messing with your bandwidth. The server could also build a list of ignored email address and domains and stop responding to their requests all together for all users. This could become hurtful, putting control into the user's hands a bit, but somehow I think it would do more good than harm. It would need lots of revision, but I don't have the time or energy to care (:

~LoudMusic

Re:Some "ICQ" features ...

[GlassUser]

It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list. Your email client could auto delete email from people that aren't in your address book.

I know I'm going to get modded down for this, but you can do that with a single rule in outlook. I doubt it would be hard for any decent mail reader to do.

Re:Some "ICQ" features ...

[4of12]

One nice way for your email client to tell the mail server "hey, stop sending me mail like this" would be for it to

save your mail deletion history and use it to dynamically update your procmail recipes.

I could certainly use something like this.

Some people delete "good" mail that they read and find interesting, but I save all "good" mail, and actually only delete mail that I have absolutely no interest ever in seeing again and probably didn't want to see in the first place. All other email I save.

Under that model, it should be possible for my email client to concoct rules for a spam collection inbox that would be scheduled for automatic deletion, with an ability to see the subject titles and senders listed.

I know that procmail lets you do this already, but the key problem with procmail, as others have noted, is the level of individual effort required to constantly fine-tune the ~/.procmailrc file to "get rid of messages like this new one."

I would really prefer that ISPs don't do wholescale blocking in their crusade against spam, but, if they don't, then the current situation puts too much onus on the users to cull through things, even with procmail. I'd like to be able to (i) live in a free society and, (ii) have time to live a life of doing things besides edit ~/.procmailrc

Re:Some "ICQ" features ...

[Senior+Frac]

It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list.

It's called "whitelisting". "Blacklisting" is keeping a list from places that you don't want to receive information from.

By the time the email reaches your email a client, the spammer/thief has already cost you money. The fact that you punch Delete, or whether your filter punches Delete for you, is absolutely meaningless. You're paying for all that spam out there. Do you realize how _cheap_ net access could get if we weren't subsidizing these thieves' advertising?

You're both wrong.

This is not censorship, in any way, shape, or form.

Censorship is one party telling another party what they can or cannot say to a third party.

When I use MAPS (which I don't, btw), that's me saying "I don't want to receive spam." Which I have the right to say. (You telling me otherwise is censorship, btw)

Nobody has the "right" to send email to someone who doesn't want it.

As they say "Your right to swing your fist ends at the tip of my nose."

Re:You're both wrong.

[einhverfr]

In understand your argument. But MAPS is not about end-user choice. If you HAD the choice as a user to use MAPS or not, then I would not argue against it, but that is not how MAPS works.

You cannot opt into or out of MAPS as an end-user, so it IS a case of censorship.

Re:You're both wrong.

[Dredd13]

You cannot opt into or out of MAPS as an end-user,

Sure you can. Change to an ISP that doesn't use MAPS. Free market economy at work. No company HAS to do what you tell them to. Find one who behaves the way you want them to.

Re:You're both wrong.

[c_g_hills]

Wtf? I'm an end user - I simply run my own mail server and dont use the shitty account my isp provides. There is nothing to stop everyone doing this. That's like saying filtering news groups is censorship. They provide a free service, if they limit it, thats up to them.

procmail shmockmail

[jmu1]

Don't give your email to every moron that asks for it, dont' publish your email all over the place, get a seccond account... etc, etc. Come on guys, this isn't rocket science here. It is the same with snail-mail... don't sign up for a bunch of porn or catalogs and you won't get a bunch of junk mail and phone calls from answering machines during dinner.

Re:procmail shmockmail

[fmaxwell]

How do you think that women in the workplace feel when they get "Cum slurping coeds hot for you!" e-mail just because they answer the mail for sales@companyname.com -- which is posted on the company web page? Users can't participate in newsgroups without some kind of painful REMOVETHISBEFOREREPLYINGTOME crap tossed into the middle of their e-mail address. You can't participate in list servers. You can't put your e-mail address on a for-sale web site. All you have to do is become some kind of reclusive hermit, carefully hiding your e-mail address, just to the spammers don't harass you to the point of insanity.

Oh, by the way, you also can't use your initials since spammers have taken to programs that "guess" your e-mail address if it is one or two letters long. I know. I run a mail server.

Re:procmail shmockmail

[jmu1]

I always have a secondary email address just for that purpose. I have a professional email that I give out and then I have a personal email that I give only to those that I want to. Also, I have learned the fine art of filtering(right). I do see your point, but the whole 200-300 emails per day bit is over the top I think. Basically, what I'm trying to say is that end-users and moderate-heavy users of email shouldn't have to worry about setting up a system that they have to manage just to get rid of the spam. I do recognize that in some instances, there is just no way of getting around it, however it is quite simple to just look over the absolutly obvious ie: "Cum slurping coeds hot for you!" and just get on with work. BTW, the email guessing proggies I would imagine are for finding emails of people you know personally or at least know their name, not for spamming... but harassing.

Re:procmail shmockmail

[fmaxwell]

Also, I have learned the fine art of filtering(right).

I have a good e-mail filtering system in place and I rarely see more than one or two spams per day while it filters probably 30 in the same time frame. But I also send complaints to get the spammers shut down. That takes time, but it's necessary if we don't want e-mail to become as worthless as Usenet newsgroups.

however it is quite simple to just look over the absolutly obvious ie: "Cum slurping coeds hot for you!" and just get on with work.

Isn't that always the argument for spam? "Just hit delete" say the pro-spam advocates -- ignoring the hidden costs that we all pay in higher ISP fees. That may be a fine answer for you, but wait until some devoutly religious woman complains to personnel because she gets 10 porn spams per day at the sale@ e-mail address that she answers.

Re:procmail shmockmail

[Velex]

Well, first of all, I'm an mtf transsexual and I think that naturally born women are a bunch of pampered whiners who really need learn a few lessons in toughness. But that's not my point in writing this.

Actually, I find spam amusing, so I set up an account just for recieving spam. If there is a site that won't let me in, or if I'm not sure about the party I'm giving my email to, I give them my spam account, and so far it's worked wonderfully. Only to people whom I have met in real life do I give my real email to. Besides, if it weren't for spam, we wouldn't know how to get those extra 3" on our dicks and increase our bust size two cups, ne?

Re:procmail shmockmail

[prizog]

How do you think that women in the workplace feel when they get "Cum slurping coeds hot for you!" e-mail just because they answer the mail for sales@companyname.com

And you think men feel any better? Nobody likes porn spam.

Re:procmail shmockmail

How do you think that women in the workplace feel when they get "Cum slurping coeds hot for you!" e-mail just because they answer the mail for sales@companyname.com

Goddamn.

Aren't women lucky they have you to protect their delicate eyes and ears against "cum slurping coeds".

I mean, just think women are so brittle and fragile that a stupid piece of spam will make them feel all "icky" inside.

Now a powerful male like you will simply laugh it off, because you are a powerful mail.

But women are fragile. And the more they try to be equal to idiots like you, the more fragile they get.

How does it feel to be a self-righteous cluefuck?

Re:procmail shmockmail

[fmaxwell]

Hey fuckhead, if you had ever managed to so much as speak to a woman, you'd know that normal women are put off by porn that demeans them. But the closest that you've ever gotten to a woman is probably drawing lips on your hand with mommy's lipstick prior to one of your jerk-off sessions.

Are you really such a clueless dick that you think men and women react to porn the same? Are you really that stupid? I'm betting that you are given your writing.

Re:procmail shmockmail

[NewtonsLaw]

There are a lot of alternatives to disclosing your *real* email address on the web or in usenet postings.

Here's one.

Re:procmail shmockmail

You are a rude little moron, aren't you? Women are way more likely to be offended by explicit porn than men are. That's why they make so much more porn for men than for women. How many men file sexual harassment lawsuits at work? Lots more women do because women don't view sex the same way men do. You think it's flirting and she's uncomfortable. So, the original poster was right. You are wrong. End of story. Now apologize.

Just block port 25...

[fmaxwell]

90% of the spam could be eliminated by blocking port 25 access for individual (read "non-business") accounts. If users were forced to go through their ISP's SMTP server, the ISPs would be able to quickly detect and shut down spammers. The spam-spew programs would not work as they would not be able to directly connect to their victims' SMTP servers.

Even though I run my own mail server, I relay through my ISP's SMTP server and it's just not a big problem -- and I'm one of the most vocal opponents of needless port blocking (e.g., "We blocked your port 80 because someone else has Code Red...").

SMTP is a protocol from a more innocent time. No one envisioned anyone being so unethical as to steal other people's bandwidth to advertise porn, get rich quick schemes, and online gambling. But since we are stuck with SMTP, we need to employ technical means to make up for its deficiencies.

Re:Just block port 25...

[kindbud]

90% of the spam could be eliminated by blocking port 25 access for individual (read "non-business") accounts.

90% of IIS worm incidents could be eliminated by blocking port 80 access for non-business accounts. You objected later in your post to the port 80 blocking. Why is port 25 any different?

If users were forced to go through their ISP's SMTP server, the ISPs would be able to quickly detect and shut down spammers. The spam-spew programs would not work as they would not be able to directly connect to their victims' SMTP servers.

They'd just use an open SSL proxy to tunnel through. CONNECT victim.host.com:25 HTTP/1.1. Boom, you're in. And the spam didn't even come from your ISP's netblock.

Re:Just block port 25...

[fmaxwell]

90% of IIS worm incidents could be eliminated by blocking port 80 access for non-business accounts. You objected later in your post to the port 80 blocking. Why is port 25 any different?

Because blocking outgoing port 25 does not deprive me of the ability to send mail or even to run a mail server. Blocking incoming port 80 deprives me of the ability to run a web server. In other words, port 25 is painless and port 80 hurts -- a lot.

They'd just use an open SSL proxy to tunnel through. CONNECT victim.host.com:25 HTTP/1.1. Boom, you're in. And the spam didn't even come from your ISP's netblock.

1. There aren't that many open SSL proxies with that kind of bandwidth that will happily talk to port 25 of someone else's mail server.
2. The spam-spew programs are not configured to use SSL proxies -- they talk directly to port 25.
3. Because the SSL server is not one being run by the spammer, the activity is much more likely to be detected and shut down.

ORBS is very nice...

[rmezzari]

I once had just started in this new company, and the mail server has an open relay. If the nice folks at ORBS didn't drop me a line, it probably would have remain open for a long time (more importnt things to check). And as soon as I corrected the problem (with a nice sendmail upgrade) they removed me from the list.
I must say I really like their way of work.

There is a hidden context here.

[Doktor+Memory]

The EFF's anti-MAPS stance has little to do with careful consideration of the legal and ethical issues involved, and a great deal to do with the fact that EFF honcho John Gilmore has landed himself on multiple spam blacklists, and been booted off at least one ISP (Verio) for intentionally running a wide-open relay.

Gilmore's stance is pretty straightforward: running an open relay was a good thing in 1987, so of course it must still be best practice in 2001.

Best Current Practice

[hibachi]

My opinion diverges from the EFF's on this point. I would argue that using reputable services that maintain a list of open and abused mail relays to filter incoming mail is a responsible decision. The combined benefits of reduced volume of incoming spam, and the enforcement of responsible mail server configuration benefits not only local users, but the Internet as a whole.

Out of the box, most modern mail servers configure themselves to prevent the relaying of mail. What we are fighting by using services such as MAPS are legacy systems and new servers that come online and are misconfigured. It is simply negligence to be operating an open relay in today's Internet. That negligence needs to be challenged. We can ultimately get the upper hand on the abuse of open relays this way, and I would support Internet wide adoption of the use of such services as a Best Current Practice.

With regards to my users not receiving mail, it is our company policy to individually handle each complaint related to our mail filtering to benefit our customers. We will almost always explicitly permit mail from servers that we know are legitimately trying to reach our users. We will also send a courtesy email to the administrators of the open relay to inform them of the situation. This isn't about maliciously blocking every relay out there, to the detriment of our users, this is about encouraging a trend of improved mail server administration. Responsible implementation of these kinds of controls on unsolicited email benefit everyone.
Cheers

I still don't see the problem

[cs668]

If you want to use it do if you do not then don't.

If we are talking about ISP users who do not do their own sendmail setup that might be a diferent matter, but the ISP could simply offer each user a choice when they sign them up:

1) We will try to filter spam from your email

2) We leave your email compleatly unfiltered

As long as people have a choice what is the problem. And if ISPs don't give the choice then the problem is with the ISP not MAPS and friends.

Re:I still don't see the problem

[kramit]

It is pretty easy to set up sendmail to use maps on a per user basis as well (in recent versions of sendmail).

You could add: FEATURE(`delay_checks', `haters') to your sendmail.mc so that it only checks for MAPS/ORBS/ThinksInYourAccessFile after it knows the intended recipient.

Then for people who want to have MAPS/ORBS/Etc working for them, you just add them to your access file as:

To:JoeHatesSpam@example.com SPAMHATER

This way you can give your users a choice. Only the users listed will have MAPS/ORBS filters working for them.

I recently had to enable a simular setup as I started hosting mail for a new business, and potentially blocking email from valid customers would be a big no no, and my own private RBLish list contains some pretty harsh filters (Sorry to the many isp's/countries who have sent nothing but 100% spam in the past and now find themselves on my private block list).

I am hoping for (or will end up trying to write) more granular configuration options where I can chose which filters to use on a per user bases (Use ORBS but not MAPS for my email).

What I would really like to see (or write) is a combination Spamcop/Maps where multiple submissions of the same email automaticly adds a block to a DNS based list. This way only a few quick folks have to get any particular spam before it gets blocked for other users of the service.

-----Kermit

The Internet is a free-market information service

[isdnip]

EFF has it wrong this time. They make the statement that e-mail is "protected speech". That's a legal issue in the USA, which means that the government doesn't have the right to block it. But private parties are also not required to pay to relay it.

The Internet is not regulated as a telecom service. The FCC doesn't regulate ISPs, just the telecom services they buy. Nobody regulates mail servers. It's a free market, and it works. Now in a free market, you have competition. If your ISP uses MAPS and you don't like it, then you're free to go elsewhere. If your ISP is RBL'd, you're free to go elsewhere. There are lots of free e-mail services out there. See for instance http://www.emailaddresses.com/ . Now I wish my own "primary" e-mail provider, the one I ping many times a day, used one of these services, because I'm spammed to death and sick of it! If somebody couldn't get through, they almost certainly would find another way to reach me. Like I have a phone too, not to mention other e-mail addresses.

So given the fact that there is no anti-spam legislation, and negligible likelihood of effective anti-spam legislation within the next few years, then the free market approach (you know, the one the spammers cite to block anti-spam legislation) is to allow anti-spam filters at the ISPs. The ISPs will install them if it's good for business, and block spammers if being blackholed is bad for business.

Indeed one of the reasons that the Internet is not regulated as a "telecommunications service" is that it does not offer to provide transport of information "without change in form or content" -- an ISP may change things, of which blocking spam is one example. It would be quite a different story if a telecomm provider attempted to do the same thing -- their mission is to pass the bits unchanged, down there below layer 3.

And please don't tell me how easy it is to build an anti-spam filter on your private mail server. 99.9% of end users do no not run mail servers; ISPs, who have full-time bandwidth, run them for us.

MAPS DUL

[Chase]

My step-mother called me frantically the other day because all email to her was being bounced. I did some checking and found that my subnet had been added the the MAPS Dial Up User List . The addition of DUL to the MAPS database means I am treated the same as a spammer even though I am not doing anything wrong.

I reconfigured exim to use my ISPs SMTP server as a smart host and all was well. Until I receive the following message which basically says that my server is an open relay.... Its not... Now my step-mother thinks I am a mail abuser... I can only guess what she think of that...

From: Abuse Investigation Team [mailto:abuse@adelphia.net]
Sent: Friday, October 05, 2001 1:59 PM
To: *
Subject: RE: email problems

Thank you for forwarding this information to us. However, the bounced
message you received indicates that the sender is being blocked due to the
originating IP address being listed in MAPS database. MAPS is a database of
domains and IP addresses that have been found to have either open mail relay
servers or are spam friendly. Adelphia, like many other ISPs, has
instituted MAPS as a means of filtering spam to lower the amount of
unsolicited email that reaches our customers.

Adelphia is unable to unblock the sender of the email. The domain
responsible for the IP address being blocked will need to follow the link in
the bounced message and take the appropriate steps as outlined by MAPS to
have their domain and/or IP address unblocked. For more information
regarding MAPS, please see their website at http://www.mail-abuse.org

Sincerely,

Abuse Investigation Team
Adelphia Communications
1-814-260-3961
abuse@adelphia.net
http://powerlink.adelphia.net/policies.html
http://powerlink.adelphia.net/policies/security_ fa q.html

Sender : *
Date : 10/5/2001 5:48 AM
---

because of MAPS my email began bouncing.

* *

-----Original Message-----
From: Mail Delivery System [mailto:Mailer-Daemon@chase.org]
Sent: Thursday, October 04, 2001 8:13 AM
To: *
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. The following address(es) failed:

*:
(generated from *):
SMTP error from remote mailer after MAIL FROM::
host mx5.dc2.adelphia.net [24.48.57.12]:
553 5.3.0 Open relay - see http://www.mail-abuse.org/

------ This is a copy of the message, including all the headers. ------

Return-path: *
Received: from smtprelay.abs.adelphia.net ([64.8.20.11]
helo=smtprelay3.abs.adelphia.net)
by loki with esmtp (Exim 3.12 #1 (Debian))
id 15p7NF-0001tp-00
for ; Thu, 04 Oct 2001 08:13:09 -0400
Received: from * ([*]) by
smtprelay3.abs.adelphia.net (Netscape Messaging Server 4.15)
with SMTP id GKOJBX02.Q4L for ; Thu, 4 Oct 2001
07:45:33 -0400
From: *
To: *
Subject: test
Date: Thu, 4 Oct 2001 07:44:08 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal

test

* *
*

Re:MAPS DUL

That's what they call in the military, collateral damage.

Re:MAPS DUL

Ah, but here's a question: Have you checked to see if your mail server has ended up in the RSS? If it has, close your open relay and let them know.

Re:MAPS DUL

[Chase]

Its not in the RSS. Thats the first thing I checked. The response came back with something like, you're not in the RSS but your subnet is listed in another database, ie DUL.

Re:MAPS DUL

APS is a database of
domains and IP addresses that have been found to have either open mail relay
servers or are spam friendly

And if you don't think dialup hosts aren't spam friendly, you are on a different Internet than I.

A solution

[SirSlud]

So here's my idea:

Requirements:
- mail servers would have to know if a message is being sent to many users, or [threshhold]
- mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, i think)

So, now you give you email address out to orgnizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fasion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)

Now, here's the kicker: /included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout .. if you dont find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication priviledge in your contact information, without giving the sender the ability to alter that timeout.

So, what has to be done? Does this work? I think once you wrap peoples heads around the idea of a timeout on communication privs, people who love this .. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."

Am I on crack? I think its a good idea.

Re:A solution

[SirSlud]

Also, this would force companies to be honest about the frequency of their communication with you .. they have no way of verifying or 'filtering' valid communication policies with you, so they would have to be honest if they actually wanted to, and expected to be able to reach you in 6 months. They cant verify that you are actually giving them a 6 month time out, so the responsibility of enabling communication falls into the hands of whom it should be in: you.

Re:A solution

[SirSlud]

One more nice thing: your web page would always be a one day timeout value (most sites that get trawled by email collecting robots are dynamic content anyways?)

So anyone who trawls your site would only have a way of reaching you within the next, say, six hours .. or 2 days .. or whatever you like! If you approve of the communication, you'd have your regular email (or maybe you prefer a 30 day permission, its up to you :) in your reply field on your mail client.

Re:A solution

[MikeBabcock]

This has already been done, but better.

http://madhaus.utcs.utoronto.ca/qmail/spam-filte r is one example that simply creates outgoing addresses that are either only good for a small amount of time or for a specific sender.

http://www.xns.org/xns/whitepapers/filtering/ describes XNS for white-list instead of black-list filtering.

There's always this one: http://software.libertine.org/tmda/ the Tagged Mail delivery agent, my personal favorite.

Re:A solution

[SirSlud]

tdma looks yummy .. any reasons why its not enforced at the mail server level (ie, not in an RFC?) .. I am just thinking that it would awesome if mail servers themselves supported knowing whether a 'username' an email is addressed to that was delivered to it was a timeout-able version of a legal local user name? I mean, does this sort of thinking stand a chance of getting into some future generation mail protocal?

I dont like white-list filtering, because email is used far too often to instigate legitimate communication from a source you were previously unaware of. (Musicians, artists, freelancers .. basically, anyone selling services who cannot hire someone to filter 'incoming mail') :) And the confirmation processes, especially when time is of the essense, its an awkward, unweildly, and hopefully ultimately unnessesary processes if you can come up with a good tagged address system.

Man, spam fighting sure is subjective tho. I am aware of the level of subjectivity when trying to formalize a suitably universal process by which to cut down noise-to-signal reatios when dealing with public means of contact info.

Anyhow, I'm still interested in knowing how much work is being done to put some of these facilities lower down in the trenches of the technology that drives mail across the net.

Re:A solution

[MikeBabcock]

There's no reason that 'held for confirmation' mail couldn't be left in a different folder (Maildir / IMAP / mbox) and still be visible to the user if they were bored and wanted to check.

Re:A solution

[SirSlud]

this is a solution for idiots who don't want to even have to think about whats 'confirmed' and 'not confirmed' .. including me. I don't even want to 'confirm' mails; nevermind that client side, non standardized filtering systems will result in at least some people/systems not following up on a confirmation who have an opportunity (or information of value) where you're the only one who has much to lose by the sender not following up .. I want to implicitly trust the first delivery if the email address is gathered from a place I publish it, all the while blocking the mail at the /mailserver/ level.

Most people don't have access to anything other than POP, so holding it server side until confirmation isn't a particularly viable solution for the masses, IMHO. (Unless my assuption that most pop clients do not support scanning your mail server-side before you actually apply filter logic to the message isn't true?) It also doesn't help if the person who has your email address rotates their from address just to prevent you from relying on the solution of whitelisting. You'd just be spammed with 'confirmation' mails.)

I mean, if you really wanna tackle this in a large way, your method has to be fool-proof, totally controllable by most simple POP clients, and easy to understand. By embedding timeouts in addresses, and enabling the server to understand this, the user can publish an email address and just forget about it, instead of having to manage a 'valid sender' list. I think the idea of you specifying privs for senders most breaks the idea that email is a convient single-step process to contact someone. Of course, maybe I'm just drunk what I perceive to be an elegant simple solution to a complex problem, but I still maintain that having this sort of logic on the mail server would help lots of people out there who just want to apply 'trust' to a sender (be it a robot that trips of their page) only within the scope of a worst case scenario (ie, the timeout prevents unlimited abuse) ... :)

I guess the general idea is that if the rules are written in stone, then it removes any power from people who collect/need your email address to leverage whatever they have against you based on your method of filtering?

I think there is always exists a simple solution that cuts down on 90% of the noise; a solution that doesn't require anymore work than you need now (which is essentially one of the priniciples of the adoption of technology by a society at large). In this case, you may want to memorize your 'one day' and 'one week' addresses for when you are in a bar, or away from a client capable of generating your timeout addresses, a negligable increase in responsibility that has to be assumed by the user of the technology.

Re:A solution

[SirSlud]

Acutally, TMDA's whitelist confirmation method just resulted in my mailbox being 'spammed' twice. Obviously, its not really spam because in entering communication with the email address I sent to, I was consenting to 2 way communication, but its still two more messages in my mailbox that are empty of actual content. Not optimal, in my opinion. New technologies and processes are very rarely accepted by the masses if they contain more steps than the process they are meant to replace or provide a level of percieved social value that overcomes these additional steps.

Re:A solution

[_ph1ux_]

I said something very similar in another /. thread:

Ihave a thought on the email aspect of this in regards to spam. is it now possible - or some sourceforge project should be made that creates a series of "PO Boxes" within your email...

basically you should have certain boxes that are designated "PICs only" and you give out this addy for pics to be emailed to you. It should parse the attachments and allow .jpg .gif etc attachments only to that box. plus you should be able to manually add rejection rules which will parse the body of the message for keywords like: "sex,make tons of money fast, your advice etc"

and you should be able to setup "disposable" addresses for certain vendors for a certain amount of time - like "fotomat@pics.myemail.com" and fotomat can send you the pics for a period of a week or something before that po box is closed.

basically the addy wouldnt necessarily be encrypted - but you would have time-out capable, vendor specific boxes. maybe your primary addy could be encrypted ao that they could not figure out the address - and the sub-addresses would be receive only. and the servers would be able to determine the difference between a sub address or po-box - and a primary encrypted addy. then it would auto drop any mail sent *from* a timeout/sub mail box.

another option would be an easy way to setup a vendor specific email addy that you could give out to a vendor. the email address would be formatted as such: x10@mydomain.com - so that this would be the email that you give to X10. any mail sent to this address would have to be from the domain @x10.com - otherwise it would auto bounce. then they would not be able to sell the addy to other co's as it would be useless from their domain - and you would have to enable this addy in your mail client before it was valid.

thoughts?

Re:A solution

[SirSlud]

well, the thing is, I am thinking purely from a 'I dont even want to think about the responsibility of maintaining multiple email addresses' .. thats where the encryption comes in, from both sides. You don't have to set anything up, server side ... the 'rules' are already in the email address. if you want an email address to time out, send them the encrypted-with-the-timeout address your mail client generates for you (by talking to the mail server)

the problem with the x10 example assumes you own the domain, and if we want to defeat spam (ie, the desire to send it), we have to make rules and processes that work for EVERYBODY .. ie, down to the lowest common denominator of 'the moron user who is using the uncaring provider with the free mail client'. Otherwise, spammers will accept that they cant reach the geeks .. which is okay with the geeks anyhow, cause we dont reply to spam. Stupid people do, so you need a stupid solution. My solution proposes that your mail client simply asks your mail server: "Give me my address, but with a timeout of 2 weeks." The time you choose will depend on how much you trust who you're givin your email address to. You can never truly defeat spam (cause one mans spam is another mans treasure, etc, etc), so you what you really need is a technology that allows you to specifify the worst case. Ie, at the most, this person should not be able to contact me after X days, months, years. I subscribe to alotta porn .. I'm not worried bout x10, cause they have to honour their agreements to remain in business (they are visible enough, dontcha think?), but rather the unscrupulous advertisers. The problem is /collection/ .. any place, be it a web page, or a return address on USENET .. when your email is collected and sold, it has to time out. So, for these sorts of points of presents .. like a web page, or a USENET post, its about making sure no one can contact you 10 weeks (or whatever length of time you want) after you post or show your email address.

All I want, is the ability to give my email address with what I judge is a worst case scenerio .. I'm sure I'm getting email from spammers who robot'd my email addy from my webpage 3 years ago. I just want to specifify the 'scope' of the use of my address for each medium in which I provide/publish it. I truly believe it is the best compromise between letting unknown sources contact you, and trying to stop your email from circulating via sales. Obviously, it has to be encrypted because you dont want the sender to be able to adjust that timeout value in your email, and if you make it well-formed, then you dont have to manage those timeout 'accounts' with your server, and your server doesn't have to store multple 'accounts' for you, since it just de-encrypts against a local private key and checks whether that mail is still valid.

Really tho, there are tons of client side saavy ways to deal with spam, but the problem is those who are too newbie, or, in my case, too lazy to deal with actually specifying the various contact touch points. I want a well-formed way of specifying my timeout in an address that isn't tamperable by the sender, and doesn't require me to spend more time than I do now just scanning and deleting spam.

Re:A solution

[MikeBabcock]

You contradict your first statement with your second, so why didn't you just delete it?

And what's the "twice"? The whitelist sends you one confirmation, once. It then adds you to their list, assuming they didn't give you a sender-specific address in the first place.

Re:A solution

[SirSlud]

the twice is just that, buddy :) I got a second mail after sending the authorization one, saying that my first mail was properly delivered .. ie, a 'thanks for authorizing' message.

Really, I did. I dunno, visit the TMDA page yourself, and try the whitelist message, and then 'authorize' the communication. You should get a second.

Please, I'm not baiting you, man .. I've taken courses that deal with the relation between technology and social behviour. I was in electrical engineering. But I've alwats been a programmer at heart, and now I do that. Tthe whole deal, C++/C/whatever/CORBA on freeBSD. I'm no genius, but I'm still lightyears ahead of 99% of the population when it comes to computers. You learn where the make-and-break points are with technology, as relating to social adoption. I was just saying that it was too much of a pain to know that I had to go through some sort of confirmation process to initiate communication. Don't argue for your own values .. defeating spam is a universal problem that requires that you to cater to the lowest common denomiator. Windows wouldn't have such a dominant position in the market if it wernt for the sad fact that to penerate your market (as standards must), your interface must cater to the lowest common demoninator, mostly effort-wise, while not undermining the status-quo economically.

Really tho, TMDA provides exactly what I want, only at a level that only a few of us can use (unless those in a position of power take it upon themselves to offer the functionality to clients ... which would require accepting additional responsibilities at a time that no service provider would even dream of). I want to see that as part of the general social perception of what email is. Only then does it truly become 'deployed' on a scale that is meaningful.

Anyhow, I wasn't dumping on the links you provided .. they were exactly what I wanted to see. Some push towards embedding the policy of your communication in the very contact information itself. That, in my opinion, is the holy grail of a form of communication that must, by design, exist within a logical set of well-formed rules. I think that sort of approach would lead to the best restriction of paths of communication. We wouldn't even need to rely on the government to strong-arm companies to comply. (And a fat chance of that, these days, in this plutocracy.)

Re:A solution

[_ph1ux_]

agreed.

one point about spammers who robot'd your email off your web page 3 years ago:

its not just the spammers that are a core part of the problem - its companies and services like hotmail. Example:

I went travelling for 5 months through south east asia, and as I was backpacking through the region email was the best way to get in contact with me - but since I was going to ahve no permanent computer - any attachments taht were sent would have to wait till I got home for me to be able to d-load them and view them. but since I was still getting them - I needed a place to store them.

so I opened up a hotmail account just to forward my crap to so my primary box didnt fill up. I *NEVER* gave this address out to *anyone* - I just used it as a temporary dumping ground...

apparently M$ made my addy available to everyone - and shortly after opening the account it was filling with about 50 spam messages a DAY.

so - the problem isnt just with spammers who can get your email from your website - but service companies doing nothing to protect your privacy from spammers. so much for ms' anti-spam initiative :P

Blacklisted laity

[ch-chuck]

I just got out of a battle of wits with one of our sales guys who couldn't receive mail from a potential client - the guy on the other end kept insisting that it was because *our* isp didn't have "anti spam" software, whereas the email headers clearly indicated that they were being rejected because the OTHER guy was blacklisted, he even admitted to them having a problem with their server being used for spam "a year ago", yet they were still failing relay tests as of early this month. I just told our sales guy there was nothing *I* could do, he'd have to get a hotmail acct or something that will take mail from anybody.

It's like another case of IIS users who get wormed and don't know or care what to do about it - and they /sure/ aren't going to get away with blaming it on me!!

imagine the customer-service...

[poemofatic]

Clueless-Rep: Hello, My name is "Jane" and I'll be your satisfaction-fullfilment specialist today. How may I help you?

client: Uh, my internet wont work. I can't get email from my friend in Australia.

C-R: I'm very, very sorry to hear that, sir. Would you like to sign up for our new DSL-BIZ-PRO package? It's only..

client: No, I just want to get email.

C-R: Can you hold, please?..

[SNIP]

C-R: Well, it seems that your friend is "blocked". We can unblock that account for only $9.99 per month. Let me transfer you to our Blocking-Fullfilment Specialist in Bombay. By the way, when was the last time we billed you?

Collective solutions are bad?!?

[Col.+Klink+(retired)]

If it's bad to share a list of open relays, wouldn't sharing a procmail script be just as bad?

If I tell you how to automatically delete email with subjects like "MAKE MONEY FAST", how am I different from someone telling you that some ISP has an open relay? After all, if I publish a list of subjects that spammers are likely to use, am I not denying their right to send me email just as if I didn't accept email from their domain?

And BTW, I use spambouncer (a set of procmail recipes) to block spam. It's trapped 190 email messages since October 1. I think 3 have slipped past.

Re:Collective solutions are bad?!?

[MikeBabcock]

Toss me an E-mail with a ".vbs" file attached for our default bounce message ;-).

It can be empty ...

Re:Collective solutions are bad?!?

Isn't the solution to spam to make it illegal to trade email addresses? If you couldn't buy or sell a mailing list then compiling your own list of email addresses would become too expensive for the "get rich quick" type spammers at least.

Amount of SPAM question...

[Java+Pimp]

I try to keep up on topics like this but unfortunately, I don't always have the time. :-(

My question is, has anyone ever done a study on how much more SPAM there would be without things like MAPS & ORBS? Are they really that effective? I still get an insane amount of spam from *insert random chars here*@msn.com. But then they are not really geared to block that kind of SPAM. Or are they?

Re:Amount of SPAM question...

[Todd+Knarr]

I don't know how authoritative this is, but my old ISP (XMission in Salt Lake City) had a page listing attempts blocked by the MAPS rules. They were blocking somewhere about 10-20 thousand attempts per day on average, with regular spikes into the 40 thousand range and occasional spikes into the 70-80 thousand attempt neighborhood.

As a sanity check, they only flagged messages listed on ORBS and, for a while, only flagged messages listed on MAPS (until the spamload got too high). In 6 years, I got precisely one piece of mail that was ORBS-flagged that wasn't spam, and no non-spam with a MAPS-flag while MAPS flagging was in effect. Since ORBS is more aggresive in listing sites than MAPS is, this is sufficient evidence to me that at the very least the amount of non-spam incorrectly flagged by MAPS and/or ORBS was a small fraction of the amount of spam they were catching.

Re:Amount of SPAM question...

[Todd+Knarr]

Having checked, I have to update this. The average is now about 20-40 thousand attempts from MAPS-listed sites blocked per day, with occasional dips down to 15 thousand or so. This out of an average volume of 200 thousand pieces of mail per day.

Points.

[bruns]

Point 1. MAPS is optional. If an ISP wants to run it, fine great. If they dont want to run it, thats their choice. Last time I checked, Vixie didn't hold a gun to the heads of every major provider.

Point 2. People bitch and moan about spam. So someone has tried to do something about it. But yet people bitch and moan even more because its not perfect. Nothing is perfect. Either stop complaining or deal with what you are given.

Point 3. I run the SBL (Summit Blocking List @ www.2mbit.com). Its my choice to block spam and who can contact my server. Its the choice of the ISP where I work to block spam, so I used my existing service as part of the mail systems there. The spam we get into our network gets blocked much quicker now, and others can benefit from our lists. Last time I checked, you aren't forced to buy services from me, or use the SBL.

This reminds me of good ol' Internet Frontier (www.internet-frontier.net). They absolutely love to attack me at this point. Hell, I'm proud to be double Skulled. I care enough about my network, my bandwidth, and my systems to want to do something.

Protection of freedom

[Reality+Master+101]

Should it be illegal for an ISP to use MAPS without an individual user's consent? It occurs to me that it should be illegal. Right now, it is a federal crime to interfere with regular mail delivery. Why should e-mail be any different?

If an ISP wants to offer me a service -- that I opt-in to -- to limit the amount of junk mail I receive, then that's fine. But it seems highly arrogant of an ISP to decide what should or should not go in my mailbox.

The more I think about this issue, the more I think it should be a federal crime to interfere with the delivery of e-mail.

Email is uni/multi cast NOT broadcast

[nyjx]

Whilst I agree that many of the legislative approaches are overblown (and dangerous), expecting all users to block their own spam is (which is what the EFF is clearly advocating) is seriously unrealistic. How many people here have a hotmail, yahoo, lycos.. account - what would that account look like if those companies didn't block spam for you? I'm sure that the average user would see this as a service offered by the ISP. As long as he/she can receive mail from granny it's fine. Most average users just want "email", they don't want the hassle of configuring 1001 spam filters. It similar to virus protection - they will just install Dr. Solomons for SPAM - or use whatever comes in the next version of XP and have Bill limit who sends them email.

The free speech argument isn't invalid its just impractical for most end users. Secondly it is being applied in the following way by the EFF:

- "ANYBODY has the right to say anything to YOU"

and not in what most people consider free speech, which is:

- "ANYBODY has the right to say anything in a public forum."

These are NOT the same thing. You get into the whole "I'm paying time and money becuase idiots keep sending me spam". Email is personal communication (uni or multi cast) it is not broadcast. If people wish to broadcast they should do so in public forums - er, like this one!

It's still an issue if an ISP blocks somebody you do want to hear from - but this is somewhat akin to the fact that millions of people around the world don't even have access to email, a telephone or even a decent postal service to even contact me in any way whatsoever.

Being black listed at least forces those areas that are to try and regulate their users. Of course Eventually this is likely to break down to requiring pretty intelligent software to determine what to block based on message content rather than sender behaviour - and even then people will still pay third parties (ISPs,M$) to perform this for them - how many pieces of software out there still use the default passwords...

Re:Email is uni/multi cast NOT broadcast

I disagree with your free speech definition.

--"ANYBODY has the right to say anything in a public forum."

When it should read something more like this:

--"ANYBODY has the right to say anything in a public forum.... as long as the forum is held on public property, the permits have been secured, the speech does not threaten bodily harm to any individual or organization, the speech isn't slanderous to any person or organization, the speech does not call for the upheaval of the government, you don't tell people how to defeat CSS, etc..."

Your real problem is that you want it both ways. You want your speech to be protected when you use email, but you also want to restrict speech for email you find disapproving. The sender won't know whether or not his email meets your criteria unless he sends you the email for your approval.

Can email be a public forum? Yes it most certainly can -- in the form of mailing lists. So a spammer uses a mailing list, and it becomes completely legal. Why? He's communicating to a large number of people using a publicly financed network. If that doesn't sound like a public forum, I don't know what does.

Re:Email is uni/multi cast NOT broadcast

[nyjx]

Your real problem is that you want it both ways. You want your speech to be protected when you use email, but you also want to restrict speech for email you find disapproving. The sender won't know whether or not his email meets your criteria unless he sends you the email for your approval. This is not what I said. I simply stated that I don't feel people have the right to send me email. Just like they don't have the right to camp outside my house and shout abuse at me every day.

Can email be a public forum? Yes it most certainly can -- in the form of mailing lists. So a spammer uses a mailing list, and it becomes completely legal. Why? He's communicating to a large number of people using a publicly financed network. If that doesn't sound like a public forum, I don't know what does. I agree with the mailing list argument - in this case I willingly subscribe to a public forum. The vast majority of spam I receive is however not from any lists I'm a member of (the moderators take care of it - If there were not some control on those lists I prob wouldn't use them). I don't know if you mean that email itself is publicly financed, if you do this is erroneous - a good many people pay for connection time by the Mb. Downloading rubbish costs time and money.

Re:What's wrong with voluntary collective solution

[Reality+Master+101]

What's wrong with voluntary collective solutions?

The problem is that they are NOT typically voluntary by the people to whom it matters -- the email recipients. If an ISP wants to offer a service to block spammers, then then it should up to the individual to opt-in to the blocking.

Right now it's a federal crime to interfere with the delivery of regular postal mail. Why should e-mail be any different? How would you like it if your apartment complex decided to root through your mail and arbitrarily decided what you could or couldn't receive?

Mailfilter

[ronmon]

is my weapon of choice when it comes to dealing with spam. About 80 per cent gets caught by the "not addressed to me" filter and all the trash gets deleted from the server prior to download.

From a small isp perspective..

[johngaunt]

I work for a small ISP, and we tried very hard to keep our mail relay as open as possible so our users could set up mail at work, at the office and other places where they may have a different connection to the net. We did and still do run filters on our mail server, to try and stop spam and virii, yet we were placed on ORDB and on ORBZ . The whole we were placed on these lists was not due to anyone complaining about spam originating or being relayed from our server, but just because it had an open relay. In the end we closed the relay, which caused us to lose customers who could no longer send mail through us from their work or other places, but we were also losing customers when we were on these lists because people could not send mail to their friends and business contacts.
Most of these Blackhole lists do send a message back to the person trying to send the mail, and they often portray admins who run open relays as evil spammers or complete morons. Neither of these is true. We were trying to provide a service to our customers, and we work CONSTANTLY to keep the spam out.
Blocking or denigrating the ISP or admin of a mail server which happens to have an open relay that may get used for spamming is like blaming Boeing for the recent trade center attacks. They built the plane but they did not do the deed. We ran a mail server, but we did not spam people. Go after the spammers, and their backbone providers, and their corporate backers, not the little guys who get hurt by this the most.

Re:From a small isp perspective..

[Todd+Knarr]

SMTP AUTH maybe? Relaying allowed for authorized users, nobody else. End of open-relay problem.

Re:From a small isp perspective..

[sigwinch]

The whole we were placed on these lists was not due to anyone complaining about spam originating or being relayed from our server, but just because it had an open relay.

Shoulda used POP before SMTP: only allow SMTP access to IP addresses that have successfully authenticated with POP in the last few minutes. Since most email programs automatically check for new messages the moment they start, and repeatedly check every few minutes thereafter, legitimate users don't even know you are filtering. To the best of my knowledge, lots of ISPs have good success with this technique.

Don't blame the MAPS/ORBS because you can't deploy a trivial and obvious technical solution that thousands of other people use.

Most of these Blackhole lists do send a message back to the person trying to send the mail, and they often portray admins who run open relays as evil spammers or complete morons. Neither of these is true.

Anyone who operates a high-gain publicly-accessible network data amplifier *IS* either evil or a moron. Smurf amplifier, 0WN3D unix box, open mail relay, who cares. LART 'em till they glow then shoot 'em in the dark.

(Not that I'm not sympathetic to the difficulties of being a small ISP: I just don't think there's any excuse for operating an abusable data amplifier.)

Re:From a small isp perspective..

[sounds]

You raise some good issues, but it still seems like you're only commenting from your point of view.
Don't blame OR{DB,BZ} for the content of the bounce messages you received. At the site I administer, RBL-listed senders get a blunt slap, but ORBS-listed senders don't hear a word because I redirect the incoming mail to a "suspect" folder rather than rejecting it. When ORBS-listed sites do get a message from my site, it is very polite and (hopefully) informative, as in: "did you know that..."
To use your analogy, it would be as if Boeing didn't have latches on the cabin doors, and the cockpit and bathrooms had no doors at all! It certainly would be expected that Boeing would hear some complaints if this was the way they decided to build planes, and a few complaints might not be worded so nicely, depending upon the person speaking.

Re:From a small isp perspective..

small ISP or large ISP, it takes ten minutes to goto a search engine and type "smtp relay" then pick an appropriate page and read it, I did it and we had no problems with the MAPS/ORBS.

look for poprelayd for sendmail/qpopper or use qmail/vpopmail which has this functionality built in.

pm

Boycotting Spammers

[rnturn]

``In addition, Netizens should express their dismay at spam by boycotting products advertised with spam.''

Dismay?! More like anger. Boycotting doesn't work. The fact that I haven't purchased any ``100% Legal Temple Kiff'' hasn't stopped the fscking emails from coming.

Re:OT: Fake photos (corrected)

[recursiv]

Ha ha. The way they're posing makes it look like they're a bunch of pro wrestlers or something. That guy in the background on the left... classic! And the guy pointing at the camera? woohoo. They're going to lay the legislative smack down on y'all!

I seem to remember...

[trilucid]

From this part of the executive summary in the page:

"And anti-spam blacklists, such as the MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List, the most popular), result in a large number of Internet service providers (ISPs) surrepticiously blocking large amounts of non-spam from innocent people [emphasis added by me]. This is because they block all email from entire IP address blocks--even from entire nations. This is done with no notice to the users, who do not even know that their mail is not being delivered."

I seem to recall some cases (can't put my finger on them at the moment) involving ISPs and hosting companies attempting to blackhole the address blocks of their competitors. Needless to say, a very nasty practice indeed. This is part of the reason I've never used the black hole lists.

I know mail filters aren't perfect, but I've always found good ones that worked sufficiently for my purposes. Yes, I know this doesn't reduce the technology threat posed to the infrastructure of the Net by mass spammers, nor does of it reduce the massive losses in bandwidth taken by companies dealing with major spammers on their and connected networks.

Does anyone have any specific case examples of MAPS abuse? I'd be interested to review these myself, if only to be sure I never associate myself (or my company, for that matter) with such orgs in the future. Are there any watchdog groups out there that keep tabs on this sort of thing?

Re:I seem to remember...

[taustin]

Does anyone have any specific case examples of MAPS abuse?

I've been spammed (by the definition on MAPS' web page - it wasn't commercial, but 'content doesn't matter' - it was not "mutually consentual," and the asshole refused to stop when he was told to point blank) by a MAPS employee, using the MAPS mail server, during work hours. Still got the archives to prove it. Had to threaten legal action to get them to stop him, in fact. At which point he starting using his home machine to do the same, until his DSL provider's abuse desk talked to him. And so on.

This from an outfit whose mottos seems to be "all email should be mutuall consensual." Yeah, I trust their motives.

Re:I seem to remember...

[Tikiman]

Does anyone have any specific case examples of MAPS abuse?

See the www.media3.com case - they get RBL'ed for simply hosting sites that advertised spamming tools. http://slashdot.org/yro/00/12/13/1853237.shtm

Re:The next DMCA/"Patriot " bill waiting to happen

[sqlrob]

Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal

Not if done correctly. Just make false addresses/false routing information illegal on COMMERCIAL mail. Why does a company need to do something anonymously, especially one that wants me to buy something?

Correction:

[Green+Aardvark+House]

My first sentence should read:

In reality, many spammers do not include a valid return addy or a remove link, even though it is required by law.

I get those e-mails frequently starting with "You have received this e-mail since (e-mail deleted) has requested to be put on the list. It's an outright lie.

The problem is apathy. It seems that spam is an annoyance but just below the level for positive corrective action to be taken.

Out-of-hand solutions to an exaggerated problem

[keath_milligan]

Wow.. it's about time the EFF finally put up the forefinger of logic and said "hey, wait a sec" in regard to the anti-spam movement. This has to be one of the most often grossly exagerrated problems anyone ever cites -- receive a few unsolicited emails and your inbox is "filled" with spam. And so off you go to champion hamstringing the the email system, banning ISPs, etc, etc. I am as annoyed by spam as the next guy. But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly. There are a number of methods an individual can use to reduce the amount of spam received that are quite effective. These days I get more annoying crap from friends, co-workers and other associates than spam. I'm amazed at how some people can overlook all of the chain letters, images, flash movies and other crap that truly does chew up their resources and then go ballistic when they receive one piece of email that can technically be classified as spam.

Re:Out-of-hand solutions to an exaggerated problem

[Vainglorious+Coward]

I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer
I'm sure there are hundreds of people who have their own stories to prove that the above statement is simply false. Many spam operations build lists of all potential [user]@domain.com addresses; addresses for which the spam doesn't bounce are then added to the "valid address" file (which is typically then sold on to others as being a list of "people who have indicated that they wish to receive email" about whatever they're selling). And this is the point really - this is not about "free speech" or the "rights" of spammers. It's about a bunch of shysters using deceptive business practices to try and turn a dollar, and doing it *at others' expense*.

Re:Out-of-hand solutions to an exaggerated problem

[bruns]

I guess that means that the 78 spam messages in my main mailbox this morning is 'just a few'. Comeon, the spamming problem is getting worse and worse.

Re:Out-of-hand solutions to an exaggerated problem

[Misch]

But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

File this one under "P" for "Parody"

I know... it's such a pity. Every time I walk out into the street, I am in the sights of a sniper rifle. I wish that when I walked into the street I wouldn't have to wear a bullet proof vest and face shield, but that's the sad reality of living in this crazy world today. I'm just glad that my company was smart enough to put up thick concrete walls wigh don't allow most bullets to pass through them between me and my parking lot.

Re:Out-of-hand solutions to an exaggerated problem

[Mike+Van+Pelt]

How many people are there on this planet? About six billion, right?

How many of those people have something to sell? One one hundredth of one percent?

OK, if the "just delete it" folks carry the day, that one one hundredth of one percent means that you are going to get six hundred thousand spam emails in your inbox.

Long before that point, email has been utterly destroyed as a useful means of communication.

I like email! I do not want to see its usefulness destroyed.

That's why I want the spammers stopped.

By any means necessary.

Re:Out-of-hand solutions to an exaggerated problem

[Jay+L]

This has to be one of the most often grossly exagerrated problems anyone ever cites

30-50% of the messages going to the world's largest mail system are spam.

So obviously, "grossly" must mean less than 3x...

Jay, the ex AOL mail guy

Re:Out-of-hand solutions to an exaggerated problem

[prizog]

But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

No, some spammers will try brute force attacks, going after common names, or just trying every string under N characters.

Re:Out-of-hand solutions to an exaggerated problem

[kindbud]

But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer ...

Oh boy, you caught shit for that. Nevertheless, you're right. I have two email addresses, one I want to use, and one that I do use. The one I want to use was ruined years ago by posting to Usenet with it, before there was a spam problem. Thanks to Google, that email address is permanently findable on the web, and may never be useable again.

However, my other email address gets no spam at all. I do not use it to post to Usenet. I do not use it to sign up for anything. I do not subscribe to public mailing lists with it, especially if there is an archive for that mailing list that is web-accessible. Friends get to know it, family gets to know it, and many other correspondents get to know it.

The second address gets no spam.

Only popular domains that everyone KNOWS host millions of email accounts, get probed with a dictionary list. Only giant mail domains are worth probing this way. The solution to dictionary spam, then, is LOTS OF DOMAINS, preferably several for each person. Do you hear me ICANN? (no, but.. whatever)

Re:Out-of-hand solutions to an exaggerated problem

[Jay+L]

Only popular domains that everyone KNOWS host millions of email accounts, get probed with a dictionary list.

Very much not true. There are only a handful of million-account domains. But "jim", "bob", etc. are valid e-mail addresses at nearly EVERY domain. Most of the dictionary attacks I've heard about happened at small business or personal domains.

Re:Out-of-hand solutions to an exaggerated problem

Only popular domains that everyone KNOWS host millions of email accounts, get probed with a dictionary list. Only giant mail domains are worth probing this way.

I wish that were true. These scumbags are both actively probing and verifying against little K12 school districts. I'm a habitual log tailer, so I've done something about it, but most districts demonstrate no cluefulness in this arena. Their users are in for a deluge.

Re:Out-of-hand solutions to an exaggerated problem

[sounds]

Only popular domains that everyone KNOWS host millions of email accounts, get probed with a dictionary list. Only giant mail domains are worth probing this way. The solution to dictionary spam, then, is LOTS OF DOMAINS, preferably several for each person.

This simply isn't true. The problem with your logic is that it is ALWAYS "worth" probing if probing is free, which it is! All a spammer needs to do is feed all existing e-mail addresses in their list to a program which probes each host, and voila! Instant expanded list! I do like your proposed solution. It would work, but only if I could afford to buy another domain just to prevent spam.

Re:Out-of-hand solutions to an exaggerated problem

[sounds]

This has to be one of the most often grossly exagerrated problems anyone ever cites -- receive a few unsolicited emails and your inbox is "filled" with spam. [snip] I am as annoyed by spam as the next guy. But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

I (almost) hate to say this, but if you only get a few unsolicited emails in your inbox, then you're a "nobody" on the Internet. Many of us who complain are not exaggerating in the least. Having been on the Internet for over two decades, and running a legitimate business at an email address which must remain constant to support early customers, I can say that you haven't had a chance to be as annoyed as I am. Try 14.3MB of spam on for size!

Re:Out-of-hand solutions to an exaggerated problem

[radja]

> But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

is it? did you really supply your email address?

I know I have used some email adresses of people I didn't like with the intent of them getting spammed..

//rdj

And what makes commercial mail?

[dave-fu]

The answer, unfortunately, isn't so cut and dry as one would imagine.
Certainly product advertisement and suchly, but couldn't website links be construed as such? And if pushed through a mailing list or something else that purposefully obfuscates the sender's address?
Anonymous remailers would become a (n even more) dangerous service to run.

Re:And what makes commercial mail?

[sqlrob]

If the website offers anything for sale (or anything it directly links to does), consider it commercial.

Of course, in that case, you have somebody running the site, so it would be (relatively) easy to find them. The main issue IMHO, is people sending things out in the names of others (say, I do a UCE for Microsoft to everyone on /.) Of course, this probably already happens as a limited form of DDOS against a website.

Rights vs. privileges

[M_Talon]

Here's where the whole thing gets messy. Yes, it's expected that email that is sent should be received. But the Internet isn't regulated like that, so it's not really a right. I had a big long spiel about this and the Usenet Blackhole list a while back.

The point is that if your ISP is blacklisted, there's usually a good reason for it. It's because they don't control spam like they should, and thus they degrade email service for many many people. The blackhole list is designed to be a wake up call, and it usually isn't used until repeated requests to fix the problem have been ignored. If you find your ISP on the blacklist, complain to them to fix the problem that got them there. Either that, or switch to an ISP that isn't on the list. It's not your right to send email that's curtailed, it's the privilege to send it through that ISP that's restricted. Complaining about the lists themselves won't accomplish anything.

ISPs who have contracts that don't allow them to block email don't use the RBLs, but many ISPs specifically retain the right to block email if they need or want to. As companies, it's in their interests to protect their bottom line, and spam email is a bandwidth and storage killer. We won't see those lists go away until a better way of stopping spam comes along.

Re:What's wrong with voluntary collective solution

[Dredd13]

The problem is that they are NOT typically voluntary by the people to whom it matters -- the email recipients. If an ISP wants to offer a service to block spammers, then then it should up to the individual to opt-in to the blocking.

It IS voluntary... the customer continues to pay the ISP each month for service.

If an ISP decides that "the cost of accepting mail from $ROGUE_SENDER_NETWORK is too high for me to accept", that's the ISP's decision, not the end user's. If you want "unfiltered" mail, you should be prepared to pay MORE for that service, because it costs your ISP more, in terms of bandwidth, disk space, etc.

Re:The next DMCA/"Patriot " bill waiting to happen

why not just toss everything that is not encrypted with your public key?

Re:The Internet is a free-market information servi

[terrymr]

Huh ?? so it's only censorship if the government does it eh ? I don't think argument really stands up.

Imagine this - your employer tells you that you will be fired because you own a gun (at home) would you not consider a lawsuit claiming your employer was violating your constitutional right ?

Wrong idea about MAPS

[siegesama]

They've got FUD buzzwords spread all about. Virally, restrictive, conform. Bad things. Agree with us!
People seem to have the wrong idea about MAPS sometimes. They see the effects, and they jump to conclusions about the reasoning.

I'm probably out on a horn here (what a stupid saying), but can't you get off of the MAPS list if you've proven you've closed your open relay? And call me really crazy, but isn't the actual point to pressure the open relays to close themselves? This isn't just about finding a possible source of spam and black-hole-ing it forever and ever, it's about FIXING the problem. And unfortunately the only way to do that is to MAKE the mail admins pay attention to the problem, which this most certainly does.

Anti-spam blacklisting groups, such as MAPS and ORBs, put heavy pressure on ISPs to conform to a set of restrictive anti-spam policies and to virally pressure other ISPs to adopt the same policies.

Isn't ORBs defunct now?

Restrictive anti-spam policies? What, such as not providing an open relay for anybody in the world to send mass mailings off of? An unsecured open relay doesn't do anyone good, and the less there are the better off the end users are.

I will agree that the legislature is ridiculous, but I believe that MAPS, etc is the right way to solve this problem.

Changes that might make things a bit easier for everyone include a grace period (wherin a warning is sent to the admin say, 24 hours before black-hole-ing), and a quicker responce time on fix-calls (eg: it's fixed, let me send mail NOW). Also perhaps filtering shouldn't be simply black-holed, perhaps it should just throw some sort of error such that the sending side will try again after 24 hours.


-siege

Re:Windows

[BadDoggie]

Does anyone know of an E-Mail server that works under Windows?

Mailtraq. Good software. It has no trouble handling offices with 1,000 boxes and can hook up to any provider using SMTP or POP. Good rules sets, accounts, fairly easy to set up, blah blah blah. A search on Google will bring back a lot of third-party info on the software, its configuration and more.

woof.

Re:What's wrong with voluntary collective solution

Well argued, on both sides.

I think that the best solution is, as one poster said, is for providers to let people know UP FRONT if a system like MAPS RBL is used. If they don't like it, they don't have to use that provider for e-mail. If that provider is the only ISP in town, big deal-- there are plenty of other mail providers with some great features (Hushmail's paid accounts are really nice, for example). If there is another provider without MAPS RBL, well, that provider will get the business, then, won't it?

I'm not saying that the free market will be perfect, but if an ISP wishes to make use of the MAPS RBL-- well, that's THEIR prerogative.

I would appreciate this more...

[devphil]

...except I can already hear nothing (because your message is lost in the thousands of spam emails in my mailbox) and say nothing (because the line is clogged with traffic).

When we're trying to hold a useful meeting, and everybody's yelling and screaming to try and make themselves heard, the guy at the front pounding the gavel isn't trying to deprive me of the First. He's trying to insure that I still have the right to speak and not be drowned out. He's asking for silence to restore order, so that we can resume speaking.

The mailing lists hosted by the FSF don't use any spam filters. At all. Now, go look at this month's archives of the binutils bug-reporting list and wonder how they manage to get any work done. (I have to hope the individual developers use filters.)

It's not that straightforward

The article implies that the loss of freedom comes from MAPS listing mail servers. But isn't the problem really with the ISPs? They are the ones who are implementing the filtering, without the explicit consent of either the sender or receiver.

There's a simple solution. Each ISP should provide users with three radio buttons - Block Detected Spam, Deliver Detected Spam to a Bulk Folder, and Pass All Messages. Then the freedom to choose is back in the hands of the user.

I'm not so sure that this would satisfy the EFF and Dan Gilmore, though. It seems that he is peeved that anyone should object that he operates an open relay. (Can't find the link - www.toad.com is creaking under the weight)

The fulcrum to the EFF argument is 'Any measure for stopping spam should have as its first goal "Allow and assist every non-spam message to reach its recipients."' To that should be added, "unless otherwise desired by the recipient."

Re:What's wrong with voluntary collective solution

[Reality+Master+101]

Then like I said... if an apartment complex decided that "the cost of accepting mail from J.C. Penney catalogs is too high for me to accept", should they have the right to just dump the catalogs into the trash and not give them to the recipients? Without even their knowledge? Just find another place to live, right?

Right now federal law says no -- you do not have the right to interfere with the delivery of postal mail. I see no reason why e-mail shouldn't be afforded the same protections.

Re:What's wrong with voluntary collective solution

[Evangelion]

What's wrong with voluntary collective solutions?

They're generally referred to as "mob justice".

John Gilmore (-1 Flamebait)

[Vainglorious+Coward]

I support the EFF (inc. with money) but I can't help suspect that John Gilmore's own personal desire to operate an open relay has significantly influenced the EFF into slamming MAPS and praising Brightmail. Has JG's machine just been added to MAPS or something?

I entirely agree that ISPs should not be filtering email without notice or consent and that "end-user" tools are the best solution, but I disagree vehemently that a spammer's right to "free speech" overrides my right to accept or deny data arriving at the edge of my network, for whatever reason I decide, including irrational reasons. I can and will use any tools at my disposal to control what enters (and leaves) my systems. The problem with end-user solutions that live in the mail client is that by the time spam is deleted, the resource cost has already occured. I much prefer to simply drop connections that I don't want; it still costs me a little bandwidth but I don't waste the disk space and processing cycles that I would if I accepted the spam.

Free speech for everyone is all very well, but the galling thing is that most spam is *deceptive*, using falsified return information or deliberately implicating other innocent third parties. I would settle for allowing all mail to come in iff I can puruse claims for fraud against those who won't play nice. Since this is unlikely to happen any time soon, I'll keep my blocking techniques, thank you very much, and I won't be shedding any tears over the "free speech" rights of spammers - I simply don't recognise any innate "right" to practice deception, especially when it's at my own expense.

Re:John Gilmore (-1 Flamebait)

[MikeBabcock]

I'm going to ignore most of your message because the first paragraph shows a lack of understanding so deep that your message can't be useful to me.

Read how those filtering systems work. Using the time-based or sender-based hashes means the user's E-mail doesn't have to be verified before getting through. Leaving your E-mail lying around for people to pick up and having a 3 month hash on it will prevent the spam that comes a year from now from long-term collection bots ... read how the tools work.

Re:John Gilmore (-1 Flamebait)

[Vainglorious+Coward]

I'll stand corrected if you're telling me that Gilmore *doesn't* want to run an open server. Please do go ahead and explain my deep lack of understanding.

Unfortunately, his home page isn't accessible at the moment (coincidence?), but as I recall, his version of the spat with the ISP in question boiled down to "I *founded* this ISP. I can do what I like. The rules for civilised behaviour that everyone else follows don't apply to me. I refuse to accept that the internet is different now than it was in the 80s", with a few layers of bogus arguments about free speech. I have a great deal of respect for John Gilmore, but I think he's wrong on this one.

I'm glad you ignored my post to the point where you responded, but I don't quite see how the stuff you write about hashes fits in - which part of my post is that a response to? I thought this thread was about blacklists of the MAPS and ORBS kind?

Re:John Gilmore (-1 Flamebait)

[MikeBabcock]

I agree that Gilmore is wrong on the issues, but I agree with the EFF on freedom of speech vs. spam. I don't think that spam is protected speech, but I do think that MAPS blocks E-mail and E-communications too arbitrarily to not be abusing peoples' free speech.

I was responding to your post about whitelists as I remember it now and my comments on hashes were w.r.t. that.

Silly EFF

[seebs]

Freedom means the government can't tell you to shut up; it doesn't mean I have to listen to you.

Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.

That's not free speech. Free speech is the right to say things that people don't like - not the right to say things at no cost to yourself, to people who don't want to subsidize you, in their private space.

Enforcement, not prevention.

[blair1q]

Trying to prevent spam is like trying to prevent the diffusion of flatulence through the air.

You can't.

But, human beings have the ability to reason and match patterns in history to pattern in planning. And if they see masses of spammers being investigated and tried and sentenced and punished, that's a pattern that will be strong in their history.

Spam is not a violent crime. The inability to intercept it is not a detriment to public safety. But our apathy has led to the feeling among spammers that they can get away with it. By showing them they can't, they will for the most part stop trying.

And it's very easy to enforce. Every spam necessarily includes directions on how to contact those who would profit from your participation. And they need to stay there in order to collect your request. So every spam is a notice to the authorities to go to this place and arrest these people. Their trial will sort out whether they are guilty or not.

--Blair

Re:Enforcement, not prevention.

[Jay+L]

And it's very easy to enforce

Unfortunately, this turns out not to be the case in practice. Spam rarely includes real-world contact information these days. In fact, even the URLs are usually highly obfuscated through IE bugs. Once you find the real IP address, finding out who operates it is another bunch of legwork. And even then, tracing the money through off-shore accounts, foreign shell corporations, and the mob is a big job.

With the very low barrier to entry that spam presents, there's no way The Authorities could ever prosecute even a small percentage of spammers.

Legal solutions are important, because of the social mores and definitions they provide, and because they at least raise the spectre of punishment. But technology solutions must go hand-in-hand.

Jay, the ex AOL mail guy

Re:Enforcement, not prevention.

[blair1q]

If nobody can get through to the spammer, nobody can provide him profit for his spam.

He's self-defusing.

Such problems are over the moment they start.

> With the very low barrier to entry that spam presents, there's no way The Authorities could ever prosecute even a small percentage of spammers.

Almost all crime has a low barrier to entry. Militant tolerance of it creates the problem.

High-profile prosecution of the ones you can catch goes a long way toward discouraging the naff attempts. But when was the last time you saw anyone pilloried on the nightly news for UCE?

--Blair

An absurdly significant amount of time?

[devphil]

Huh. Most of my procmail-using friends started their antispam recipes by downloading one of the fifty or so publicly available ones, recommended for such a purpose. Then they tweaked as necessary -- I think some of them never needed to tweak. The resource collection you speak of already exists.

(I had to start from scratch, because I started using procmail way early.)

ISP's only need to provide connectivity

[jesterzog]

If ISP's were owned and operated by governments for the purpose of delivering email, I'd agree with you. But because they're commercial entities who have an independent agreement with a user, I don't personally have a problem with blocking email.

ISP's provide Internet connectivity. If and when they provide a pop3 server (or something else) to relay people's mail, it's an added bonus.

I don't know if MAPS is the way to go or not, but IMHO anything criminal should come from the ISP breaking an agreement with the user - not just automatic determined by a government. There are lots of reasons why an ISP might not want to agree to deliver all email in the first place, and governments shouldn't require them to because of their business category. If there's an arrangement with users that says the ISP should deliver a person's email, and they don't carry that out, then there's a problem.

Hopefully that's a normal part of most ISP agreements, but I don't know for sure. I don't like it that lots of ISP's use MAPS without properly informing their users what's going on so people can decide.

sneakmail works

[lupine]

I recently bought some stuff from performancebike.com. Like many ebusinesses they require an email address when you make a purchase. I dont mind order shipment notices, but I hate opt-out marketing crap so I used a sneakemail address.

A couple of weeks after I recieved my order I started getting forged address spam being send through the performancebike address. I emailed CustomerService@performanceinc.com (go go spamharvester) about it and they said they would remove me from their marketing lists(even though it was clear they had already sold my address). But they didnt appologize for selling my address. Anyway I ended up deleting the performance bike address so I wont be bothered by their spammers and I will never buy anything from them again.

hmmmm... performancebikesucks.org is available though it seems performancebikesucks.com is owned by performancebike.... they must know they suck.

Re:The Internet is a free-market information servi

[Detritus]

No, because they can legally fire you for almost anything except the protected categories of race, religion, gender etc. It's called "at will" employment.

Re:What's wrong with voluntary collective solution

[Dredd13]

if an apartment complex decided that "the cost of accepting mail from J.C. Penney catalogs is too high for me to accept

Since an apartment complex doesn't bear any of the burden for US Postal Service delivery, you're using a bogus argument.

Re:What's wrong with voluntary collective solution

[vees]

They're generally referred to as "mob justice".

They're also known as communes. Heck, voluntary cooperation manifests itself in lots of aspects of any human society; corporations, credit unions, militias, (dare I say it?) governments, churches, universities . . . the list goes on for a while.

You might not like MAPS,

[Bender+Unit+22]

but it sure does keep a lot of junk away from my mail server. I have tried to disable it, but as soon as I did that, tons of junk mail got through. I don't really care if it should filter a few wrong mails, the alternative for me would be not to use email at all.

Re:You might not like MAPS,

[taustin]

If you're an end user, the EFF paper completely and totally supports your right to use whatever you want, including MAPS, to filter your own email.

If you're providing mail service to others, you are making that decision for them, probably without their knowledge or consent. That is what they take issue with.

Re:What's wrong with voluntary collective solution

[Misch]

But that's the exact problem. The cost of sending the mail isn't carried by the recipients, it's paid for by the sender. In the case of e-mail, the costs are paid in the largest part by the recipient, and the recipients' ISP.

You're comparing apples and oranges.

Re:OT: Fake photos (corrected)

[Tackhead]

> Ha ha. The way they're posing makes it look like they're a bunch of pro wrestlers or something. That guy in the background on the left... classic! And the guy pointing at the camera? woohoo. They're going to lay the legislative smack down on y'all!

Geez, that photo's so fake I looked for "Tourist Guy" in it!

To: ask@eff.org Subject: RBLs

[benedict]

In my opinion as a systems administrator (and, incidentally, contributor to EFF), you guys have lost the plot when it comes to spam.

RBLs, databases of open relays in particular, are excellent tools for preventing spam. They are content-neutral and are designed only to penalize systems that misconfigure their mail servers. I have seen numerous instances where customers or employees of organizations with misconfigured systems have successfully applied pressure to management to get the mail systems configured correctly.

Remember, there are often business pressures to maintain an open relay. Management doesn't understand the issue, so they're reluctant to expend resources on it. Customers balk at use of SMTP AUTH or POP-before-SMTP. The pressures, in short, point to a tragedy-of-the-commons type of situation.

Open relay databases change the balance of pressures. They enable victims of spam to provide feedback to the organizations that maintain open relays, telling them: if you don't stop enabling others to consume my resources without permission, then your ability to communicate with others will be negatively affected. They enable victims of spam to act as a bloc.

Example.com, my employer, enables our customers to use or not use MAPS' "RSS" open relay database at their discretion. Example.net, a site for which I volunteer, uses the ORDB open relay database for all users, for many reasons; but only after determining that the consensus of the users was for such a measure. [Domain names were changed here because I felt like it. They were real in the email I sent.]

Your suggestion of a boycott of spamvertised products is quite naive. The cost of advertising through spam is so low that it takes very few sales to recoup.

Your suggestion that the Constitution of the USA is relevant to RBLs also seems weak to me. Private entities are not generally bound by restrictions on the behavior of governments. As an owner and operator of network equipment, I have the right to deny others the ability to use that equipment to send advertisements at my expense. I'll refrain from quoting the hackneyed line about freedom, fists and noses, but you get the idea.

well,

"I feel much worse for those who haven't figured out procmail yet though." I feel pretty bad for those who haven't figured out basic grammar.

Re:The Internet is a free-market information servi

[benedict]

I wouldn't, because I know I'd lose. If you work in the U.S.A., you might be well-served by reading up on employment law a little bit.

Corporations violating constitutional rights

[scarhill]

IALAL, but my understanding is that you could file a lawsuit, but you'd lose because gun owners aren't a "protected class". Employers can't discriminate based on legally protected categories like race, ethnicity, sex, disability and, in some states, sexual orientation.

On the other hand, if they want to discriminate based on gun ownership, how many piercings you have or what brand of car you drive, they're free to do that.

above net on the brink

[Indy1]

from what i've heard, above net is about die anyways financially...may not matter much longer

How sad...

Spam is sad. Spam is also a topic that is talked about every show on this weekly internet radio show, all about humour in technology. To go along with the topic of spam, there's always the weekly Microsoft rant, among many other things which spark a good laugh.

DHBiT, Have YOU had your weekly dosage?

Re:How sad...

brillent place. downloaded all the show... damn funny M$ bashers, and linux gurus

Spam should be Illegal...

In fact it may already be. As I recall the theft of computer system resources is illegal under some federal act. As to the solution - we need not to leave it up to the government. In Michigan we have a law against unsolicited faxes unless there is an "existing business relationship" to the sender. Unfortunately the secretary of state has seen fit to define an "existing business relationship" to include merely inquiring about a companies product. So if I ask a company to send me a fax about their product I have then opened myself up to span faxes. Moreover if I complain to the Attorney General about the unsolicited faxes the reply I get is "Have you asked them to stop?". Lets face it folks if I had to ask all of the people that send me spam to stop I would do nothing else all day long. I believe that the solution lies in being able to charge the sender for spam - say $500 per message. It would not be long before we could use the abundance of lawyers in our country to sue the pant off of spamers and drive them broke. It solves two problems it keeps the government out of the spam regulation arena and would let me get some money for my trouble.

Re:The Internet is a free-market information servi

[dillon_rinker]

Imagine this - your employer tells you that you will be fired because you said "GET LOST!" to your boss. (freedom of speech)

Imagine this - your employer tells you that you will be fired because you said "YA MORON!" to a customer. (freedom of speech)

Imagine this - your employer tells you that you will be fired because they searched your desk and found cocaine. (freedom from unlawful search or seizure)

Imagine this - your employer tells you that you will be fired and you are not able to appeal the decision to anyone. (due process)

Imagine this - your employer tells you that because someone else says you stole from the company but won't tell you who. (freedom to confront witnesses against you)

Imagine this - the government says that your employer, a private citizen, can't fire you. (freedom of association).

Governments are more restrained than private citizens.

MOD PARENT UP Re:John Gilmore (-1 Flamebait)

Geeze. Please mod the parent up as high as possible. This is ridiculous. Why can't he just use something like pop-before-smtp? I run a similar server for roving friends, and that's what we do. Having an open relay in this day and age is irresponsible and idiotic, and there's no excuse for upstream carriers *not* blackholing you for it. I'm sorry Gilmore misses the old internet, but the predators are here now, and they need to be rejected before *they* destroy the internet.

Procmail doesn't fully solve the problem

Sure, the end user (you) won't see the mail, but the bandwidth is already wasted at that point.
This doesn't solve the problem that ISP's face
when they have huge amounts of bandwidth and CPU time consumed by SPAM. ugh.

Re:To: ask@eff.org Subject: RBLs

[taustin]

Your suggestion that the Constitution of the USA is relevant to RBLs also seems weak to me. Private entities are not generally bound by restrictions on the behavior of governments.

Federal case law on the anti-fax spam statute says otherwise. When it was challenged constitutionally in Destination Ventures vs. FCC under the 1st Amendment, it was ruled constitutional because it limited only unsolicited commercial faxes. Based on Supreme Court case law, the court felt it would be unconstitutional to limit any other form of fax-based speech, unsolicited or not.

So, while the anti-spam types say "content doesn't matter," the law says otherwise.

Re:What's wrong with voluntary collective solution

[Reality+Master+101]

Not true. Many large apartment buildings have their own mail rooms that distribute the mail.

Re:The next DMCA/"Patriot " bill waiting to happen

Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal.

No. Saying "don't lie about your return address" does not equal "you must disclose your return address". "I don't want to tell you" is not fraud. And all it requires technically is something like an anonymous remailer (which even still allows for replies).

It's perfectly possible for someone to get unsolicited mail from someone, ask them to not mail them again, and get compliance for that request, while never revealing to the recipient who the sender is.

Re:What's wrong with voluntary collective solution

It's not like ISPs are being secretive about this. Go read their terms of service, or just call or email them about it.

Re:To: ask@eff.org Subject: RBLs

[benedict]

Assuming you have your facts straight, the court felt it would be unconstitutional for *the government* to limit non-commercial speech in that context. RBLs are a measure taken entirely by private entities. The government is not involved. Therefore, the First Amendment is unlikely to be applicable.

MAPS is good for *sorting* not for *rejecting*

[ClarkEvans]

Exim allows MAPS and other DNS based black lists to be used to mark e-mails. Then procmail can be used to filter those e-mails. This I have found to be very useful.

Further, legslation should be in place that unsolicited e-mail gets an extra header "unsolicited: yes" or something like that so that I can filter better. Those that don't fill in this header should be liable for damages. Also, a flag for sexual content would be good as well.

Clark

Re:What's wrong with voluntary collective solution

[Dredd13]

Where? I've yet to live anywhere in the US where the USPS would allow anyone but themselves to come between the mail and the recipient. (in fact, it's a law that they can only deliver to the recipient, which would seem to rule out delivering to an apartment complex mailroom.. the only exception I can think of from experience is mail delivery to APO/FPO addresses, but that gets handed off to "a different Federal agency", the military. ;-) ).

Even when I've lived in high-rise apartments or private gated apartment complexes, the guy or gal who got my mail to me wore the USPS uniform.

Future Shop

[shepd]

>9 times out of ten, they claim it's not SPAM because "I requested to be on the list".

Same crap from FutureShop. They think its a good idea to shut down sites saying less than praise about them with their lawyers, and they think that people will be happy to get crap in their email about buying TVs.

I sent an email back telling them that I'll never do business with them again.

And I haven't. Yeah, there's been times I wish I could, but my morals are stronger than that.

Anyways, since they ignored my mail for weeks on end this is a permanent boycott. I will never, ever for the rest of my life do Online shopping with FutureShop again, wether they keep wasting their time sending me their "Future Flash" or not. (Here's a flash for you, FS: Three ads in a row trying to hawk TVs to the same people are totally ineffective).

Just angry because the bastards there didn't even take me off their list after I threatened billed proofreading of their SPAM. They won't even delete my account upon request [Is that legal? -- I'd love to have firm legal ground to tell them to screw off!].

Email is not free speech

I do not agree with the the assessment that email is protected under free speech as asserted in the EFF aritcle because the delivery of it intrudes onto my machine and my property.

I agree that free speech should protect web-sites, people should be able to say whatever they want on their own computers. However, saying they can put files containing anything they want on my computer is like saying anyone has the right to walk into my house and start preaching about what they want. This is just not so!!

A cool experiment

[Cardhore]

A cool experiment would be to set up an e-mail address and try and see how much spam it can get.

Re:What's wrong with voluntary collective solution

Enough with the bogus comparisons already. In the snail mail world, the USPS fills the same role that the ISP does in the email world. The apartment complex in question is not providing a delivery service like the ISP is. The apartment complex who throws away your mail is like a malicious user sitting at your computer deleting messages. The USPS has already delivered the snail mail before it is discarded, and the ISP has already delivered the email before it is deleted. Federal law says that your mail delivery is between you and the USPS, and no third party should interfere with it. Similarly, your email delivery is between you and the ISP, and no third party should interfere with it.

It also should be noted that the USPS imposes a lot of restrictions on what they will deliver and how, and your ISP is free to impose restrictions on email delivery in their terms of service. At least you can chose another ISP to deliver your email if you don't like their policies, unlike the USPS who you're stuck with whether you like them or not.

EFF has it wrong

[Burdell]

The EFF says: And anti-spam blacklists, such as the MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List, the most popular), result in a large number of Internet service providers (ISPs) surrepticiously blocking large amounts of non-spam from innocent people. This is because they block all email from entire IP address blocks--even from entire nations. This is done with no notice to the users, who do not even know that their mail is not being delivered. Inaccuracies:

1. "surrepticiously blocking": I have not run across an ISP that won't tell you they use MAPS
2. "entire IP address blocks": The MAPS RBL and RSS lists list the IPs of individual servers, not large blocks. The only MAPS list that lists large blocks is the DUL (Dial-Up List), which lists IP blocks of dial-up users (voluntarily contributed by ISPs to help block direct-to-MX spam).
3. "even from entire nations": IP blocks are only somewhat assigned according to international boundaries (and see previous entry about large IP blocks).
4. "no notice to the users": Most ISPs will announce that they use MAPS and other anti-spam methods to their users because it shows that the ISP is trying to do something about the spam their users hate.
5. "who do not even know that their mail is not being delivered": The typical use of the MAPS lists causes messages to be rejected, so the sender is notified that their message was not delivered. Also, some server admins configure their mail servers to tag messages instead of rejecting them (so they are still delivered, but users can filter on the tag in their mail client).

And that is just the second paragraph.

Email is not protected speech, anymore than snail mail is. Senders don't have the right to force recipients to read their mail. The owner of the recipient's mail box (the US Government in the case of US snail mail) has the right to decline to deliver some types of mail. There are quite a few things that the US Post Office won't deliver (including "suspicious" packages). A package may be suspicious because it has no return address and white powder leaking out, or it may be suspicious because of where it originated (be it a post office in New Jersey or a mail server at a particular IP address).

Another comparison can be made to the telephone system. I recently added a feature on my telephone service that blocks "unknown callers" (people, usually telemarketers, that don't allow their caller-ID information to be sent). Those calls are blocked at the carrier. The US Post Office and the telephone companies are "common carriers" and have to carry most communication, but they are allowed to block some. ISPs are not common carriers; they can refuse to carry whatever they don't like.

The MAPS RBL also rarely (if ever) blocks "legitimate" mail. The servers on the RBL are the servers for large spam houses that are repeat offenders and refuse to do anything about it. The RSS list does hit some legitimate email, but not much. These are lists of irresponsible mail servers. Just as it is irresponsible to yell "fire" in a crowded theater, it is irresponsible to run a mail server that allows third party relay.

There are some other DNS based blacklists that do get more "collateral damage" (sometimes intentionally). Guess what: they are not nearly as widely used as the MAPS lists. ISPs want to deliver legitimate email, because not doing so will cause unhappy customers (or no customers). However, at the same time, customers are screaming at ISPs to get rid of the spam, so each ISP has to make up its own mind as to what steps it will follow to answer the demands of customers.

Re:EFF has it wrong

The MAPS RBL also rarely (if ever) blocks "legitimate" mail.

That's because it hardly blocks ANY mail.

The servers on the RBL are the servers for large spam houses that are repeat offenders and refuse to do anything about it.

I challenge that assertion. I believe most of the large spam houses are NOT on the RBL at all. Before they started enforcing subscription access (which seems to be the step that will solve the MAPS "problem" by making all its users go elsewhere), the RBL blocked no more than 5-10 messages per week at my incoming relays. The RSS, on the other hand, blocked 3-4 thousand per week. I (and my users) are suffering under a torrent of previously refused spam.

However, though we are willing to pay for a subscription, we cannot agree to the terms of the RSS service agreement. We will NOT agree to fund MAPS defense if someone sues them because of our use of the RSS. No other vendor has ever had the audacity to try and slip terms like that into any contract we've been a party to, not even Microsoft. No legitmate business can justify those kind of terms.

Ok, so the EFF isn't always right

[jmorris42]

They botched this call bigtime, but I'm still proud to have sent them bux and will continue to do so.

Sending Email is everyone's right. But I will decide what mail actually gets delivered into the mailboxes I control by any means acceptable to the folks who cut my paycheck. It is as much a part of responsible system administration as making backups and applying security fixes.

Your right to speak does NOT imply a duty on me to listen. This isn't the US Postal Service either, and attempts to apply rules and customs from that environment just don't apply. The USPO is a government run monopoly so allowing them to filter out things they deem 'junk mail' would be horrible. In a free market for mail services it is a whole different ballgame.

The Quote you're looking for...

[TFloore]

Snagged from a google cache...

===
Remember what Pastor Martin Niemöller said about silence:
"When they arrested the communists,
I said nothing because I wasn't a communist.

They came for the socialists
and I said nothing because I wasn't a socialist.

They came for the union leaders
and I said nothing because I wasn't a union leader.

They came for the Jews
and I said nothing because I wasn't a Jew.

Then they came for me.
And there was nobody left to say anything."
===

Not that I really see what your point is here. But it's nice to have the proper quote.

Re:The Quote you're looking for...

[frost22]

That quote is wrong, too.

f.

Re:The Quote you're looking for...

[frost22]

Digged it out:

When Hitler attacked the Jews I was not a Jew, therefore, I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and the industrialists, I was not a member of the unions and I was not concerned. Then, Hitler attacked me and the Protestant church--and there was nobody left to be concerned.
In Congressional Record 14 October (1968), p. 31636 (often quoted in the form 'In Germany they came first for the Communists, and I didn't speak up because I wasn't a Communist...' and so on)

The Oxford Dictionary of Quotations, © Oxford University Press 1999

f.

Re:The Quote you're looking for...

"When they came for the criminals,
I said nothing because I thought they deserved it."

"When they came for the guns,
I said... woohoo, finally the US government has woken up and done something for the country instead of getting screwed up by the NRA and constant abuse of the amendments."

"When they arrested the communists,
I said... hang on, what the fuck's going on here? Now you're starting to make political persuasions illegal. That's a slippery slope. So much for freedom."

"When they started quoting this verse,
I said... man, you deserved them coming for you. You let them take the communists, the socialists, the union leaders, the Jews... have you no sense of societal responsibility, no interest in justice if it doesn't concern you? Selfish bastard."

Spam is one of the most complex issues

[btempleton]

It sits at the intersection of property rights, free speech and communications rights and privacy rights.

Amazingly, because of this, many of the people writing here with opposite positions may both be right.

I've written extensively on this and have a collection of essays on my web site, though they are not all endorsed by fellow EFF people. As you might expect, with such new and contentious issues, no group, not slashdotters and certainly not the EFF, finds itself of a single mind.

Those who have written that the first amendment applies only to government action are correct. However, the principles of free speech apply universally, if you defend them. Private actors do have their right to block speech, but this does not make such actions immune from criticism by free speech advocates.

Instead, I look to define good principles by which we private actors might govern ourselves. There are many good lessons in the free speech principles to which we have held governments.

Amongst the principles (not just in free speech) is the protection of the innocent. That you don't punish the bystanders to get at the guilty. Private actors usually have the right to do that, but it need not be lauded.

Unfortunately, and I think this sits at the soul of problems with MAPS, blacklists tend to operate that way. I know many are aware of this, but have dedided that blacklists are the only way, and so a few innocents must be punished to stop spam.

This is of particular concern when the area is communication.

People do have the right not to listen to any communication, but this is a very simple statement about a complex issue. There is much to be said about how they should exercise that right.

Re:Spam is one of the most complex issues

[Todd+Knarr]

You're right, but there's one problem. You have a hard time blocking just the spammers from an ISP, and if you limit it to the spammers then the ISP has no motivation to do anything. The spammers keep paying them for new usernames and such, and the ISP doesn't suffer if it ignores the complaints since they're all coming from people who don't pay them any money. The only way to goad the ISPs into taking action against the spammers is if their paying customers start suffering and complaining because of the spammers, to the point where the spammers are costing the ISP more than they're paying the ISP.

That's where MAPS and ORBL and such come in. They list ISPs who don't police their own userbase. They make it easy for other ISPs to refuse to do business with offending ISPs until the offenders do police their own users. Call it a mass boycott of companies who won't play by certain rules.

I think users should have the right to know which blocking lists, if any, their ISP uses. I disagree with the EFF that blocking lists are a problem, though. Blocking lists are, like boycotts, the solution to the problem. The problem is ISPs who tolerate customers who abuse the rest of us.

Re:Spam is one of the most complex issues

[btempleton]

Indeed, I know why blacklisting is done. The question is a moral one, decided by where you stand on punishing innocents to protect your own mailbox.

Some people do that knowingly, some without much thought. We do feel that when mail is blocked, it should be done publicly, and that there should be a duty (moral if not legal) for those who block ordinary non-spam mail in the cause of fighting spam to inform those whose mail is blocked.

It is though always tough question of ends and means.

Should ISPs act to stop bulk email abuse by their users? Indeed they should. Should Joe Innocent user at an ISP that doesn't do this sufficiently find himself unable to send mail? His only sin was signing up for an ISP without knowing about, to him, a fairly obscure aspect of its email policies.

This is a tough thing. Some feel that there is no other way. However "no other way" is a pretty bold claim. They really mean "no other easy way."

I think there are ways to deal with spam, and even rogue ISPs, that don't block the mail of the innocent. Note that those can even include "blacklists" or "whitelists" that slow mail volumes so that single mails get through but bulk mail is throttled.

I outline such a system on my spam site, thogh I need to give that site some updating.

The EFF has mostly come out against two nmain things. One is SECRET blocking, and the other is the idea that punishing the innocent to get at the guilty is the right approach.

Our system of justice is actually built on the principle that you let 10 murderers go free rather than jail one innocent man. Should we have a stricter standard for spammers?

Re:Spam is one of the most complex issues

[Todd+Knarr]

Well, I don't like having to block all mail from a domain just to get the spammers. But what other pressure can be put on the rogue ISPs to take action against spammers on their networks? If following up a complaint would cost you money and ignoring it wouldn't adversely affect your company at all, if the only standard your board of directors looks at is your financial bottom line which course would you take?

I liken it to another course: if a car dealer is being used to fence cars because he refuses to do any checks on the provenance of the cars he takes in, should people buying cars who know about him only avoid the stolen cars he's selling or should they start avoiding his lot entirely?

Re:Spam is one of the most complex issues

[Erik+Fish]

When I see the words "innocent victims" in your message I can't help but read it as "ignorant victims". These people don't need the EFF "protecting" them so that they can remain ignorant, they need to learn what an RBL listing really means.

If you subscribe to an ISP that allows spam and is so intent on allowing spam that it cannot work with the RBL to avoid a listing you are choosing to pay money to a company that doesn't care about keeping your business. Your ISP is essentially saying to you "Fuck off, we only care about keeping the contracts we have with spammers."

Do you continue to do business with other companies that tell you to fuck off on no uncertain terms? Does anyone?

Spammers are terrorists

[mckyj57]

I am afraid I have to disagree with the latest EFF position paper. So
much so that my future contributions to the EFF will come under review.

Spammers are like terrorists. They prevent me from using email like I
want to, steal my time, and interfere with legitimate traffic. By
distracting me with misleading subject lines and addresses, they
interfere with my livelihood, as my work requires intense periods of
concentration.

IP blocks that allow spam are like countries which sponsor turn a blind
eye to terrorism. If they refuse to stop their spammers, then their
citizens must suffer by not being able to send email.

For instance, no one sending from China can send me email. Why? Because
China lets spammers run amok. If I allowed email from China, I would
receive 100 more spam emails a week. I know; I have tried it.

Filtering is a non-issue. The best filters that run no significant
chance of blocking legitimate email are those of AOL, and we know how
ineffective those are.

Brightmail makes me jump through hoops -- I don't want to spend my time
every day with it.

Spammers are terrorists, and IP blocks that allow spam should be treated
like countries which harbor terrorists. Forcing an airport to accept
airplanes (or even snail mail nowadays) originating in Afghanistan is
sheer stupidity; why is email any different?

To the people who say "it only takes a couple of seconds to delete, it
is worth it" I say -- WHO ARE YOU TO TELL ME WHAT TO DO WITH MY TIME?

Let people sign up for AOL if they want all legitimate mail at the cost
of mindnumbingly time-wasting stupidity.

So say I.

Re:Spammers are terrorists

[kindbud]

Spammers are like terrorists.

Even Canter & Siegel declined to fly an airplane into a building to get attention.

Get a little perspective, please.

They prevent me from using email like I
want to, ...

The SMTP protocol prevents me from using email like I want to, for gods' sakes.

IP blocks that allow spam are like countries which sponsor turn a blind
eye to terrorism. If they refuse to stop their spammers, then their
citizens must suffer by not being able to send email.

Oh please. Grow up.

Re:Spammers are terrorists

[mckyj57]

IP blocks that allow spam are like countries which sponsor turn a blind eye to terrorism. If they refuse to stop their spammers, then their citizens must suffer by not being able to send email.

Oh please. Grow up.

Nothing but ad hominem I see from you.

-- Whey you fly planes into buildings, you get bombs dropped on you.

-- When you spam, you can't send email.

Seems like an appropriate measured response. All analogies vary in degree. We may at one point get to where you can invoke Godwin at the mention of terrorism, but we aren't there yet. 8-)

What doesn't differ is that terrorists do it against innocent people and then hide, with no other effective measures than shunning to be taken against them. So do spammers.

Perhaps having your concentration broken doesn't interfere with your livelihood -- judging from your response you seem to want to tear down rather than build. Tearing down takes little attention, building takes lots.

EFF is Wrong here

[bwt]

The EFF position is summarized by this statement: Specifically, any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

That statement is false. The right to speak does not include the right to have the attention of the listener. Would the EFF say that the mailroom at NBC that opens and filters Tom Brokaw's mail violates the right of the sender to reach Tom Brokaw? Hiring an ISP that uses blacklists is no different than having a mail room screen your snailmail.

The listener is free to delete an email without reading it that arrives at his box. He is free to automate this process. He is free to automate this process dynamically by using information from a blacklist or any other method he chooses including rolling dice, racial profiling, or astrology. He is free to choose an ISP that automates this process for him. He is free to choose an ISP that automates this process for him by using dynamic information from a blacklist. These freedoms are inherent in the first amendment's right to receive information. What is not OK is for the government to mandate a filtering process, since this violates the listener's right to receive speech as well as the right of the sender to communicate with a willing listener.

The right to free speech exercised by sending email is a right to attempt to attract the attention of the listener through that particular medium. It is not a right to obtain that attention (which would essentially be a right to involuntary servitude). The scenario that the EFF rightly fears is that the sender and recipient want the email to get through, but the ISP filters it in a way unknown to the recipient. The proper way to avoid this is to eliminate deceptive trade practices on the part of the ISP. All that is required is for the ISP to state it's filtering policy up front and adhere to it.

Constitutional responsibility and authority

Because the Constitution empowers Congress to establish the postal system. That is why interfering with the mail is a federal offense. No such amendment has been ratified extending federal authority to tcp traffic on port 25.

The other side of it

[staplin]

Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.

I agree with you, but at the same time, this is a very tricky issue that impacts someone negatively no matter what you do. For a counter example, my dad can't email me at my work from his work, because my company uses a blacklist, and his work's clueless company has an open relay.

In general, I support the idea of getting people to close their relays, but there just doesn't seem to be much of a "helpful" attitude to getting them closed. All my dad knew was that sending email to me at work was "broken"... the small note inserted in the headers didn't tell him anything meaningful, and they didn't tell him to refer the problem to the postmaster. It was only after he forwarded me a bounced message (at another provider) that I diagnosed his trouble and told him to see his admins.

It seems that this approach to preserving free speech for some is limiting speech for others, even when they aren't directly responsible for the behavior that is being blocked in the first place. Maybe the strongarm is what is needed to effect a change, but there seems to be little help offered to the offending parties before they get blacklisted.

Just my $0.02.

Re:The other side of it

[seebs]

The question is, who really deserves the blame? I don't blame the police for the sirens; I blame the people who make it necessary for the police to drive quickly.

Without blacklists, you might well lose a lot of this mail anyway - and other people would lose more. Is this solution ideal? No. However, the only ideal solutions to this problem involve killing spammers, and we can't do that.

Not listening != not getting the message.

[Penguinoflight]

You are being stupid to suggest that mail-abuse.org is actually helping things. Take my example...
I have exim running, I cannot email to afn.org. I also have a account on afn.org, I get spam very very often. Obviously the "solution" that mail-abuse.org is not only taking away the ability for people to email, it's also not working. First, they aren't working hard enough.

By banning against domains instead of ip addresses, the true spammers would also have a harder time. First they wouldn't be able to send from a static ip address (unless they have it on a domain name).

Second, the spammer, after dropping a load of emails, would have to get a new domain, and people would be able to, on their own, notice when he got a new one. The fact that domain names are mapped to people would make it more dangerous, and easier for law inforcement to stop.

In the current situation, MAPS providers don't block against an ip address, so a spammer can just get a static dialup account, drop a bunch of emails, switch providers, and so on.

Wether you are big into free speech, or if you really want to stop spam, you shouldn't be defending MAPS.

Re:What's wrong with voluntary collective solution

[Trepidity]

Well, my college at the very least has a mail-room that distributes mail - the postal service dumps it off in big bags, and student employees sort and put it in students' boxes. It's still illegal to interfere with the delivery of mail, despite the school bearing the cost to do it (through paying the students' salaries).

Re:What's wrong with voluntary collective solution

[Trepidity]

It's not voluntary if the ISP is a government-granted monopoly, like the cable company. And with the way things are going lately, most people only have a handful of ISP choices available to them; if they all have the same policies, there is no choice.

It's like saying AMD and Intel implementing some sort of filtering in their processors wouldn't be wrong, because hey, you can always make your own processor.

need to fine senders

[bob_jenkins]

Spam works because there's almost no cost for annoying people and large reward for the small percentage that fall for it.

To stop spam from being sent, it has to be made unprofitable. The EFF's recommendation, make it easier to delete it, doesn't change the cost model. It doesn't limit the amount of spam sent.

Can't we fine the senders of spam $10 or so per complaint? Or a similar proportional fine on the company being advertised? That would make it unprofitable to annoy more people than you please.

Re:The Internet is a free-market information servi

[Trepidity]

The ISP market is not nearly as free as you indicate, especially as dialup service fades away and is replaced by broadband. In any given area, there are generally a handful of internet providers, depending on infrastructure available. Especially in areas where there is no DSL available (a large percentage) essentially the only choices are DirecPC satellite service or cablemodem through a government-granted cable monopoly. It would be my opinion that cablemodem companies should not be allowed to use things like MAPS, as their status as a government-granted monopoly prevents them from being able to claim they are private businesses free to do as they please.

End-to-end argument

[oddityfds]

It's the old end-to-end argument again: Intelligence should be at the edges of a network, not in the nodes in between. The problem with MAPS is not that it blocks e-mail, but that it is the ISPs that do the blocking. Everyone should be free to use MAPS-style blocking, but it should be done in the users e-mail software, so everyone can turn it on and off at their on discretion and tweak it to fit certain needs.

The problem with that is that everyone needs to have a capable mail reader. That's why ordinary people should have system administrators for their home computers, not just their office computers. At least until someone creates a truly easy-to-use computer system.

Re:What's wrong with voluntary collective solution

[Doktor+Memory]

Right now it's a federal crime to interfere with the delivery of regular postal mail. Why should e-mail be any different?

Gee, I dunno, because postal mail is a federally protected monopoly, whereas email has multiple competing providers that you can pick and choose on the basis of the service they provide?

Nah, it couldn't possibly be that simple.

Second Gilmore in the same day

[BlowCat]

When I noticed the story about Secret Cyber Court my first though was: "Good that I didn't sent my tax relief to EFF, Mr. Gilmore is unsane". Then I realized that it's another Gilmore and thought - "well, maybe I should donate to EFF, they are good guys and will fight against cybercourts".

Now I'm in doubt again.

Re:The next DMCA/"Patriot " bill waiting to happen

[amuro98]

Oh, yeah, that'll be effective...

BTW it's already CA state law that all commercial communications must include "ADV" in the subject line, provide a working remove mechanism, and a real email and snail-mail address.

Over 99% of the spam I get fails to even use a real return address. What makes you think making this a law in the US will have any effect on the spammers in China?

not a useful approach

[jesser]

Executive Summary: Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

I'd much rather have my ISP _bounce_ the message, informing the sender that I did not receive the message, than have to set up filters to delete the message once it reaches my computer. I can't bounce the message myself, because that would inform the spammer that my address is active.

There is a fundamental free speech right to be able to send and receive messages, regardless of medium. Unless that right is being abused by a particular individual, that individual must not be restricted.

If you're using an ISP that has been blocked due to allowing spam (or not helping to find the individuals who spam using the service), you can switch to another ISP that hasn't been blocked. You cannot use a spam-friendly ISP and expect to be able to send messages to users at other ISPs.

Civil liberties???

[Jimithing+DMB]

I am hoping this is a joke and not for real. If this is supposed to be for real, then these people at the EFF need to be beaten severely with a clue-stick.

There is absolutely no guarantee that mail goes through. E-mail is not government regulated, period. I agree with them that there should not be stupid laws that try to limit SPAM and yet do something else. Currently, the best solution is something like MAPS.

What is so wrong about MAPS? The concept is sound. If you are connecting to my mail server (i.e. you are essentially treading on my property) then I have every legal right to tell you what you can and cannot do. I can also choose to not let you use my property. This is what MAPS does, it says, "Sorry, you can't use my server." With MAPS when you have fixed your server, you will be allowed to use mine again.

The argument that a system administrator cannot change her mail server is totally bogus. That is like MS saying they couldn't possibly remove IE from Windows. If the sysadmins like to be used as open relays, then I can let them know that they won't be allowed to send to my server. When they fix their server and notify MAPS then they will again be allowed to use my server. The same goes true for servers in the RBL. If your server sends a lot of SPAM and I don't want to incur costs to process it then I will simply deny everything from you until you fix your problem.

The statement that users get no notification of this is also FALSE. Assuming you can receive bounce messages (i.e. you don't have a problem with your mail configuration) then you will receive notice that the mail was rejected. Unless of course the mail server silently accepts the mail then tosses it, but that is not the point of MAPS.

The Internet is not government controlled, it's not entirely corporation controlled. It is a community network.

I don't understand how denying me the right to use MAPS is a good thing? I am supposed to accept mail from anyone regardless? Am I also supposed to let every jackass who walks onto my property and starts fishing in the bay do so? Can't I tell them that I own this property and you are not allowed to use it, so go somewhere else? Isn't this a fundamental right as well?

I especially love the other comments that we should replace SMTP with Jabber or ICQ because it is impossible to make SMTP SPAM-free. That's true if you still believe that every SMTP machine is supposed to relay everywhere. The reality of it is that an SMTP machine should 1) Accept mail destined locally. 2) Accept mail destined for a machine that it is a backup for, and 3) accept mail from a local user destined for anywhere. What MAPS is trying to do is get everyone to abide by these very simple rules. Those who run open relays get put in the MAPS RSS. Those who are connecting through dial-up connections get put in the MAPS DUL. Those who are themselves sending the SPAM or are allowing their customers to send SPAM are put into the MAPS RBL. What is so hard to grasp about this.

Oh, wait, didn't peacefire get blocked because their hosting company was allowing spammers to use machines in the same netblock. Tough shit. Go get a different hosting company, you aren't required to use them. Why not find one a bit less friendly to spammers. This is called free-market economy. Your e-mail getting blocked because your outgoing server allows relaying or is allowing spammers to use it regularly. Go find a different outgoing server. Anyone can sign up for a free hotmail account if it is just absolutely necessary to send a message that very second. Big deal, so you have been incovenienced. No one has taken away your rights though.. You have NO right to send e-mail to everyone you want to, that is the bottom line. You have a priviledge to do so. PERIOD.

EFF position on Junk Fax?

[Sodium+Attack]

I wonder if the EFF also believes that junk faxes should be legal--even though the anti-junk-fax law was upheld as constitutional when challenged on First Amendment grounds.

Doesn't make sense.

[Kasreyn]

When someone stuffs junkmail into my physical mailbox, is EFF saying that is their free speech right? When I avoid getting my phone # / address listed in certain places to avoid snail mail and telephone spam, I'm not curtailing others' first amendment freedoms.

If someone wants to put a message up on a bullettin board in a public place describing their pyramid scam on how to "$$$MAKE MONEY FAST$$$!!!!", then maybe that's their first-amendment protected speech. But that protection ends at MY borders. When someone is in my HOME, they do not have full 1st amendment rights. If I don't like what they are saying, I can tell them to get the fuck out. I see no difference between my home, my physical mailbox, and my email inbox. In neither case is it a public place. No stranger has the right to force his way into my inbox, fill it with spam, and then say "You HAVE to hear me out, the EFF says it's my 1st amendment right!" Unh-uh, buddy, it don't work that way. My private home and territory are private and *I* decide what speech occurs in them. And I include my inboxes in my territory.

The EFF has picked the wrong fight here. Please, folks, I respect the good work you're doing upholding the Bill of Rights. But this one stands too much chance of alienating the techies who are the EFF's main means of support. Please, lay off. Not to mention the ridiculousness of supporting spammers, none of whom care about 1st amendment rights, and most of whom are flybynight scammers anyway. Please, EFF, find an underdog to champion who doesn't actually DESERVE to be an underdog.

-Kasreyn

ORBZ and RBL

[rsimmons]

They should not categorize ORBZ and MAPS in the same way. I somewhat agree that a list like the ones maintained by MAPS, which are based on people's reports of where spam comes from, could be used poorly. ORBZ and such relay blockers are a different story. I understand that it is someone's right to send email. It is not their right to run an open relay. These two things are apples and oranges that happen to use the same type of software to block them. Getting off of ORBZ is easy. Fix your open relay and resubmit. This doesn't enter into another debate of whether the ORBZ automated testers are stealing resources, but I really haven't decided what I think about that yet.

Reductio ad absurdum

[kindbud]

If you're using an ISP that has been blocked due to allowing spam (or not helping to find the individuals who spam using the service), you can switch to another ISP that hasn't been blocked. You cannot use a spam-friendly ISP and expect to be able to send messages to users at other ISPs.

You cannot use a spam-friendly telephone company, and expect to be able to make phone calls to customers of other telephone companies.

You cannot use a spam-friendly bank, and expect to be able to wire money to customers of other banks.

You cannot use a spam-friendly legal firm, and expect to be able to sue clients of other legal firms.

Need I go on?

Re:Reductio ad absurdum

[jesser]

It's possible to opt out of telemarketing, and a telemarketer actually has to spend money to advertise, so phone companies don't try to prevent telemarketers from making calls. I don't understand what you mean by a "spam-friendly bank" or a "spam-friendly legal firm": you can't send spam through a bank or a legal firm, so it wouldn't make sense to bounce e-mail coming through one.

Re:Reductio ad absurdum

[kindbud]

I don't understand what you mean by a "spam-friendly bank" or a "spam-friendly legal firm": you can't send spam through a bank or a legal firm, so it wouldn't make sense to bounce e-mail coming through one.

I'm glad you asked that question, because in fact, mail server addresses belonging to people who have no connection with spam, are in the RBL. They were unlucky enough to be the credit card company picked by a spammer to handle online transactions. Or perhaps they rented office space to a spammer. You really ought to go look at the archives for the rbl-nominate mailing list, and see what is being discussed there. Many of the MAPS contributors are seeking to cause deliberate collateral damage to people who never sent any spam, but who happen to be a spammer's banker, or provide some other business service to a spammer.

Libertarian Analysis of the SPAM Situation

[dh003i]

Let me start out by defining what SPAM is: SPAM is any message sent out to a large group of recipients who did not specifically request such a message.

Now, let me define what freedom of speach is -- freedom of speach means that one person has the right to say anything he so desires AND that it is possible that others can listen to his speach. As a necessary correlary and clarification to this, a persons speach is NOT free unless ONLY each "end-listener" individual is the one deciding whether or not to receive that speach.

For example, if a person gets up on a park and begins making speaking. People may listen to him, or they may not, in every sense of the word: they may "hear" him but ignore him(tune him out); they may hear him and pay attention to him, thinking about what he's saying; they may hear his speach and decide they disagree with it so much that they must leave at once and listen to it no more; etc.

In such a situation, the person speaking has free speach: he has the freedom to choose whether or not to speak, he may say what he pleases, and people have the opportunity to listen to him. Furthermore, in such a situation, the "audience" -- the people actively listening, tuning him out, or leaving -- have another kind of freedom: the freedom to choose whether or not to listen. They have the right to freedom of listening. This right implies that they can choose to listen or not to listen, or anything in between.

Now, let us consider two alterations to this model: (1) In which the speaker is "prohibited" from speaking by some means; (2) In which the audience is prohibited from their freedom of choice to listen or not to listen. [To speak or not to speak, to listen or not to listen, that is the question!] I think it will be clear from considering each of these cases that the right to freedom of speach and the right to freadom of listening are dependant on one another: you cannot have one without the other. I think it will also be clear the the right to freedom of speach means not only the right to decide exactly what to say, but the right to decide if one wants to speak or not in the first place; as will it be clear that the right to freedom of listening means not only the right to decide whether or not to listen, but also the right to decide how to listen or how not to listen.

So, let us start with case (1): In which the speaker is somehow prohibited from speaking, or prevented from speaking meaningfully. Let us say that a (wo)man walks to the center of a park and starts speaking about how much (s)he hates the United States. Perhaps as a part of her speach, she takes a flag and rips it up, or burns it. Now, as the US government is a primarily filled with narrow minded self-righteous eccentrics, it is only natural that those in the government would notice and somehow stop her from speaking. The method is largely irrelevant in relation to freedom of speach(though some methods, such as physical beating, may violate the right to body as well as the right to freedom of speach). In such a case, that persons right to freedom of speach would clearly have been violated. But less clear a fact, is that the rights of the entire public to freedom of listening has also been violated. By oppressing the right of that person to speak, the government has thus oppressed the right of the entire applicable public to choose whether or not to listen.

This is a case in which a speaker was prevented from speaking. There are also possible cases in which the speaker would be prevented from choosing not to speak, thus his right to freedom of speach being violated(in such a case, it should be noted that forced testimony under oath at a court room violates the right to freedom of speach, as it prevents one from effectively choosing not to speak). There is yet another case in which an individuals right to freedom of speach is violated because he allowed to speak, but forced to "modify" his speach from what he would like to say: this is called censorship. In all such cases, not only is the speakers right to freedom of speach violated, but so is the everyone else's right to freedom of listening.

On to case (2): In which the audience is prevented from choosing whether or not to listen. Let us consider the same case, in which a (wo)man in a park walks to the center of the park and proceeds to give a speach critical of the US government. Now, in this case, instead of violating her right to freedom of speach, the audience's right to freedom of listening is violated. Perhaps the all memhers of the audience are draggedf away from the speaker; perhaps they're killed; perhaps a sound-proof booth is put around the speaker so that no one in the audience can hear him; etc. In any case, the audiences right to choose whether or not to listen has been violated. Or perhaps their right to choose *how* to listen or *how* not to listen has been violated. In either case, eliminating the audience's right to decide if/how to listen or not to listen, eliminates the speakers right to decide if/how to speak or not speak.

Now, I believe it is quite clear that the right to freedom of speach and the right to freedom of listening are in fact inseparable, and perhaps are in-and-of-themselves the same right. They may also be considered a subclass of the right to freedom of thought: after all, it is impossible to have freedom of thought if one does not have the freedom to choose if/how to expose or not expose him/her-self to free speach.

There is one sub-case where a speaker may use some means to force an audience to listen to him via some means. In such a case, the audience does not have freedom of listening, thus the speaker can not possibly have freedom of speach. If an audience does not have the effective option to decide whether or not to listen and how to or not to listen, how can a speaker have the right to freedom of speach? After all, freedom of speach requires that there be recipients who are free to decide whether or not to "receive" speach, and how to or how not to "receive" it. If some entity forces the audience to "receive" speach in a specific way, that speach has been robbed of its qualities of freedom of speach. A more clear case may be such as when the government brainwashes people into thinking that certain organizations messages are "evil": obviously, in such cases, the organizations rights to freedom of speach have been violated. Similarly, the same is true when a speaking entity forces the audience to listen: in such case, he robs himself of the true right to freedom of speach. Such is what government officials do by forcing people to listen to them on public TV when they interrupt common shows; such is what dictators do when they force people to attend party rallies; such is what judges do when they force people to listen to them at hearings; and such is what SPAMers do when they force people to listen to their advertisements.

Now, lets talk specifically about SPAMers. If they practiced business as they would prefer to -- which would include forcing people to read their messages and giving people no option or way to avoid getting their messages -- they would not have freedom of speach. What they would have would be power over the listeners: power over the listeners does not imply, and indeed cannot be coupled with, freedom of speach.

What about ths issue from the SPAMee's side, the person who is being SPAMed? Well, their right to freedom of listening has been violated, as they are receiving a message whether or not they want to receive it. Thus, the SPAMers right to freedom of speach has also been violated: in this case, as a direct result of the SPAMers actions and methods.

Now, what about the situation from the ISP's side of the issue? From an ISP's point of view, SPAM -- bulk messages sent out which many users do not want to receive nor have they solicited -- is a costly parasite on their infrastructure. Indeed, SPAMers can be said to be stealing bandwidth and storage space from the ISP. They are also indeed stealing bandwidth and storage space from the end-user(who must use much andwidth to download graphic SPAM). Thus, they are costing the ISP money, and indirectly costing the end-user money(the ISP partially or completely compensates for SPAM by simply charging its customers higher rates). Thus, in effect, SPAMers don't really "steal" from ISP's, but rather from their customers, who are being charged higher rates to compensate. Of course, SPAMers do in some ways violate the rights of ISP's, which I will not go into(i.e., undue negative impressions of ISP's by their customers). However, let us assume that for the most part, the cost of SPAM is entirely burdened by both the SPAMer and the SPAMee.

So, it is clear the the SPAM system is an odd kind of paradox, in that it is LESS THAN a zero sum game. Not only does SPAM cost the SPAMee, but also the SPAMer(as explained beforehand, it costs the SPAMer the right to freedom of speach by costing the SPAMee the right to freedom of listening).

So, what is the solution to SPAM? To identify the solution, I believe I must offer one further bit of clarification regarding the problem: By denying the SPAMee the right to freedom of listening, the SPAMer has denied himself the right to freedom of speach. In other words, true and meaningful choice has been taken out of both sides of the equation: taken away from the SPAMer and the SPAMee. The solution is obviosly to put CHOICE back on the both sides of the equation.

So, how do we put choice back on both sides of the equation? How do we give the SPAMer the right to freedom of speach, and the "SPAMee" freedom of listening? Let us start from the SPAMee's side.

The SPAMee needs to have the right to choose whether or not to listen to SPAMers' messages, and how to listen. This can be done by providing the SPAMee with end-user tools which allow him to screen, and by allowing the ISP to selectively reduce SPAM at its level at the request of customers(that is, the ISP would screen out SPAM at its level for customers who indicate they desire such, bu not for those who don't; this would save the ISP both space and bandwidth). In a simple case, the ISP could set up two server systems -- one for willing SPAM recipients, and one for those who don't want to receive it. In this way, the ISP would save bandwidht, space -- and thus money -- on the server system where they were allowed to filter. Of course, ISP's would have to develop filtering systems which would be maximally effective, and produce the least possible false positives on for SPAM identification. Customers would have to be informed of the efficiency and accuracy of the corporations system. As one last consideration from the SPAMees side, the SPAMee should also have the right to request individual SPAMers not to e-mail him, to globally make such a request. A central database listing the e-mails of all users who do not want SPAM could be set up, so SPAMers could avoid sending it to such users. Of course, enforcement of such a system would be difficult if not impossible, but some means to allow "voluntary" cooperation on the part of the SPAMer would be useful.

Now, lets consider it from the SPAMers side of things. The SPAMers needs to realize that saying something LOUDER does not mean it will be received any better, and that violating the audience's right to freedom of listening violates their right to freedom of speach. The SPAMers must be taught that few non-willing recipients of SPAM are influenced by it in any positive way that would make them agree with the SPAMers POV or likely to buy the SPAMers product. Of course, convincing the SPAMers to cooperate will not be possible based on a libertarian argument alone. SPAMers do not care about their "rights" so to speak: they care about trying to get people to do what they want -- in other words, power and the rewards(money) that come from it. So they must be taught by us that they do not convince people to buy their products by blasting them with tacky e-mails. The reason advertisement on TV works is because people have a choice about whether or not to listen to it. If TV contained nothing but advertisements, people would never watch it. In other words -- an essnetial feature of the success of TV adds is that people don't have to watch them, and that they're not the only thing on. People can change the channel, or turn the TV off, or "wait" them out. In other words, though TV ads are what support the TV system, they are not mandatory for the audience, nor do they take up many minutes. The SPAMing systme of advertisement in e-mail ignores all of these wise adages that were smartly developed in the TV industry. SPAMers try to in effect "take away the right to change the channel" and they send out so much SPAM that -- without filteriong -- 99% of an individuals e-mail would be SPAM and not meaningful communication.

Simply put, SPAMers have to be taught their current model for SPAM advertisement does not work -- or works very ineffectively. For one thing, SPAM takes a lot of work to read. Its not something a listener can passively absorb like a TV commercial. SPAM messages have to be read, and this is an active process, which reduces eliminates effectiveness of the add.

Of course, a large criticism of traditional advertising is that it "drones" ideas into the passive listeners mind. This is essentially correct of TV advertisements and any add: they're set up to subliminally "drone" an idea into a persons head, whether or not that person want to accept it. Of course, this is to some extend the aim of ALL communication -- to sway people over to your viewpoint. In this particlar point, the fault lies not with the speaker(i.e., politicians, or "TV ad"), but with the listener, for his or her passive acceptance. Listeners must be taught to be active listeners.

In conclusion, it should be noted that the right to freedom of speach and the right to freedom of listening are in inseparable, interdependant, undividable, and perhaps even one right. One cannot be intact unless the other is intact. These two dimerize rights may in their totality be a large part of what it takes to have freedom of thought(of course, one needs to have other things to have freedom of thought, such as the right to life: after all, how can one have freedom of thought, if one is dead?). That said, it is clear that SPAMers not only violate the rights of SPAMees by forcing them to receive e-mail, but also their own rights. It is also clear that ISP's which block SPAMers and by doing such inadvertantly block legitimate mail, not only violate the right of the SPAMer to freedom of speach, but also the rights of their customers to the freedom to listen. Finally, it is also clear that when a SPAMers sends an unsolicited e-mail to a person who does not want it, that that SPAMer is stealing money, time, and bandwidth from that end-user. The solution to this problem is to give all parties the freedom of choice, without giving them the power to deny the other parties(and thus themselves) the freedom of choice.

Re:The Internet is a free-market information servi

[aardvarkjoe]

essentially the only choices are DirecPC satellite service or cablemodem...

...or a dialup. I've seen no evidence that dialups are going to suddenly dissappear, even if they're becoming less important. Until the cable modem providers really do have a monopoly on internet access, they should be able to act as any other private business.

Choice Statistics

[_Sprocket_]

ISPs should just put their MAPS usage in their TOS, or even (if possible) allow the user to choose MAPS or not for their email accounts.

This touches on a point that occured to me while reading the EFF newsletter. It would be nice to have some enduser preference statistics.

Anti-spam activists are often portrayed as some kind of out-of-touch net-nazi brotherhood by SPAMers and their supporters. They apparently hate commercial use of the internet and are hell-bent on depriving normal internet users from valuable information that they really want. At least, that's the impression I've gotten from reading some SPAMer's writing on the issue.

Oddly enough, I haven't ran in to one customer, co-worker, or client thats said "I wish I got more valuable information about marketing oportunities and special offers in my inbox". They usually say "I hate spam. How do I stop it?"

It would be interesting to give endusers the choice between protected/shielded/MAPS'd/etc service and wide-open email. I suspect it would provide data contrary to the SPAMer's points.

Re:Choice Statistics

[Jay+L]

I don't have numbers, but here's some data:

- When I worked on the AOL mail system, any time I met someone new - whether socially, in business, at the gas station, whatever - the first and only question they'd ask was how to stop the spam.

- During periods where the spamblocks are less effective (because the spammers are ahead of the game), spam is by far THE NUMBER ONE COMPLAINT to Steve Case's mailbox and to Customer Service.

And this is *after* scores of millions of spams have already been blocked each day.

The strong libertarian/individualist/techie pull of Slashdot notwithstanding, the average American e-mail user just doesn't want their spam.

I agree wtih others who said that ISPs should publicize the existence of their spamblocks, and it must be part of the Terms of Service. But to say that even if users agree to filtering, it should be illegal? I don't get it.

Jay, the ex AOL mail guy

Re:The Internet is a free-market information servi

[Trepidity]

I disagree - the cable modem providers are still being given a government-granted monopoly on a certain method of internet access, which also happens to be superior to the dialup method. When the government grants such a competitive advantage, the company cannot consider itself a "normal" private company.

EFF fails to understand the concept of MAPS

[CaptainSuperBoy]

Systems administrators who will not adopt the suggested anti-spam policies find themselves unable to deliver their non-spamming users' mail to recipients who are on systems that participate in blacklisting.

The EFF, like many other groups, is incorrectly stating that MAPS is the organization doing the actual blocking of packets, not the ISPs. It is clear to me that if ISPs did not agree with MAPS' policies on what to block and with its history of questionable bans, then those ISPs wouldn't subscribe to MAPS. It is clear that ISPs see a benefit in using a blacklist, one that saves them money on bandwidth and support. Aside from the purely practical aspect, many feel very strongly about spam.

The EFF stated that they wouldn't support a blacklist if it blocked one legitimate piece of e-mail. Aside from the fact that this is impossible, they don't seem to understand the reason that MAPS works. It wouldn't work if spam-friendly ISPs were free to sign up spammers, without any fear of ALL their traffic being blackholed.. In order for a blackhole to work, you have to block ALL of their users' traffic. Yes, it sucks if you are that user.. however, it may teach you a lesson that it doesn't pay to have a spammer one IP over from you. If ISPs don't deal with their spam problems, they are free to watch all their users go away.

MAPS 'suggested anti-spam policies' are not overly demanding. They don't force ISPs to jump through hoops, they are reasonable requests to make. An ISP who subscribes to MAPS is saying, "I don't want to receive newsletters that are not confirmed opt-in. I don't want to receive mail from ISPs with open relays." Folks, that's not too much to ask for.

Yes it's a strong arm tactic, but it's one or the other - strong arm, or legislation. The EFF believes that filtering at the user's end is the right way to deal with spam. Bullshit. Filtering doesn't stop them from using up my bandwidth. Filtering doesn't stop them from spewing all over the net, wasting the time of support staff nationwide. Until every last AOL box is filtered from receiving a single piece of spam, there WILL be suckers responding to this shit, and the spammers WILL get paid. Filtering doesn't stop spam support services, spamvertised web sites, or spamware companies.

The EFF throws around that word, 'censorship,' like they don't know what it means. This worries me.. it is censorship if someone (correct me if I'm wrong, but censorship applies only to gov'ts) prevents you from voicing your opinion, or saying whatever you have to say. It is NOT censorship if I say to you, "I'm not going to listen to what you, or anyone from your ISP, has to say."

As for legislation, illegal censorship prevents speech based on CONTENT. Legal restraint of speech, such as junk fax laws, prevents speech based on the METHOD of the speech.

Re:EFF fails to understand the concept of MAPS

[kindbud]

The EFF, like many other groups, is incorrectly stating that MAPS is the organization doing the actual blocking of packets, not the ISPs. It is clear to me that if ISPs did not agree with MAPS' policies on what to block and with its history of questionable bans, then those ISPs wouldn't subscribe to MAPS.

That is not clear to me at all. Did you know that IP blocks that have been on the RBL in the past, but have been long removed, are still largely useless because of ISPs that once upon a time installed local blocking rules based on RBL information, and never bothered to keep those rules up to date. MAPS policies state that once a mail site has cleaned up its act, it is to be removed from the RBL. So much for agreeing with policies.

(correct me if I'm wrong, but censorship applies only to gov'ts)

You're wrong. Censorship is denying another person the right or ability to speak their mind, regardless of who does it. In any case, censorship by governments is practiced all over the world, and is legal to varying degrees in most places, including the USA. Official censorship is regarded with the highest degree of suspicion, and the US public is afforded the greatest degree of protection from it by the 1st Amendment to the US Constitution. However, the government can still legally censor speech of private citizens in certain circumstances, such as when national security requires it. Why? Because other parts of the Constitution are just as important as the 1st Amendment, and also have to be respected.

As for legislation, illegal censorship prevents speech based on CONTENT. Legal restraint of speech, such as junk fax laws, prevents speech based on the METHOD of the speech.

The only problem with this line of reasoning, is that you cannot determine if something is spam without examining the CONTENT, whatever the method of transmission, be it fax or email.

Junk fax laws are on their face, prior restraint of speech. The lawmakers knew this, and so did the supporters of those laws. That's not to say they are a bad idea, but only that they impose prior restraint on speech (if they didn't they wouldn't be very effective! ;). There's a balancing act that must be performed here, so that the 1st amendment is treaded upon as lightly as possible, while still addressing the problem. The legislators of anti-junk-fax laws decided that the costs of receiving the junk faxes was unfairly being borne mostly by the recipients, who have to pay for their paper and ink. But phone solicitation is not illegal because it uses no more resources than the recipient was already going to expend on having incoming phone service in the first place.

There's a similar significant difference between a junk fax and junk email, as there is betweeen junk faxes and phone solicitations. Most email users do not pay extra for incoming emails, especially in the US. They would pay the same amount for their internet service, whether they receive no spam, or thousands per month. This cost/benefit analysis MUST be part of any anti-spam legislation, just as it was for the anti-junk-fax legislation.

I believe the costs of prior restraint on email communications are much higher than the cost of leaving spam legal. The answer to this problem really has to be the oft-repeated "JUST HIT DELETE".

Re:EFF fails to understand the concept of MAPS

[Jay+L]

Most email users do not pay extra for incoming emails, especially in the US.

You mean "at least" in the US. Most Internet access in other countries IS metered by the minute.

And you're forgetting about the ISP. Spam filtering saves recipient ISPs millions of dollars a year in hardware and network costs. Spam really is paid for by the recipient ISP, not the spammer.

Re:EFF fails to understand the concept of MAPS

[kindbud]

Spam filtering saves recipient ISPs millions of dollars a year in hardware and network costs.

Reference, please? Sounds reasonable, but that is not enough. Do you know of a study that has been done?

Re:EFF fails to understand the concept of MAPS

[Jay+L]

I worked in AOL mail development from 1993 to 2001. I know firsthand.

Jay Levitt

Re:EFF fails to understand the concept of MAPS

[kindbud]

But can you quantify the amount you saved, even approximately?

Re:The next DMCA/"Patriot " bill waiting to happen

[Jay+L]

Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal.

Using a falsified return address to get around spam-blocks is ALREADY illegal. Check out legal.web.aol.com. It is a violation of the federal Computer Fraud and Abuse Act, and several judges have agreed.

Jay, the (ex) AOL Mail Guy

Screw the EFF... Wipe out spam! Period!

[KC7GR]

Normally, I agree with them. I was among those cheering EFF on in their defense of Skylarov (sp?), and I've watched them tackle a number of other "cyber-liberties" cases that made me think "yep, good work."

I speak now, though, as a SysAdmin of my own domain. I run all my own servers - DNS, FTP, web, mail, the works - and I'll be switched if I'm going to let some moron spew their unwanted advertising into my mail systems just because they think they have a right to. The MAPS RSS has helped me greatly in keeping spammers out of our network, and I'm not about to stop using them just because the EFF is whining about their methods.

The EFF says:

"The rights of users to send and receive email must not be compromised for quick and dirty ways to limit unsolicited bulk email..."

That may be true. HOWEVER: The EFF forgot to add to it that "the rights of server/network owners and SysAdmins to determine what traffic they choose to carry, and which hosts they decline to peer with, must not be compromised for any reason."

Spammers and the EFF appear to have forgotten that the issue with bulk E-mail is NOT ABOUT CONTENT. I repeat, it is NOT ABOUT CONTENT. It IS about CONSENT. 'Consent' as in 'permission.' Advance and informed permission, from the owner of any given E-mail box, that says "OK, I want to receive ads and special offers. Send them to me!"

In short: I don't care what's being sent, whether it's a request for a legitimate charity or the sleaziest porno ad imaginable. If I, or my users, didn't ASK, in ADVANCE, to receive it I will take whatever steps I feel are necessary to block said traffic out of my mail system or router, whichever is appropriate.

Rep. Chris Smith, some years ago, tried to get a very good piece of legislation going (I don't recall the number of the bill at the moment) that would have extended the existing Junk FAX law to cover spam as well. Said legislation, unfortunately, died due in part to the efforts of the EFF. As an active spam-fighter, I can't ever forget that.

The EFF said that they were concerned about the constitutionality of the proposed legislation. Well, guess what? The anti-Junk FAX law passed the constitutionality test. I don't see why extending it to be anti-Junk E-mail would have done any worse. The exact same private-property rights are involved, something that spammers (and the EFF, apparently) seem to have no interest in recognizing.

So, in summary, that's why I'm saying, in this particular case: EFF, screw off!

Re:Screw the EFF... Wipe out spam! Period!

[dh003i]

The EFF's point is that IF an ISP chooses to employ SPAM-blocking methods, without their clients consent, then it is wrong for them to block out any mail that is NOT SPAM.

"The anti-Junk FAX law passed the constitutionality test. I don't see why extending it to be anti-Junk E-mail would have done any worse. The exact same private-property rights are involved, something that spammers (and the EFF, apparently) seem to have no interest in recognizing."

Actually, no, the issues are slightly different, though in theory your point is correct. The only way for most users to communicate with others on the internet via e-mail is through ISP's. SPAM blocking methods proposed by MAPS and other strongarm tactics punish entire ISP's and all of their clients for the acts of a few SPAMers. The anti-Junk fax mail laws do not punish the phone company or its clients becaues a few clients use that service to fax SPAM. The anti-Junk e-mail law would do so. If you want to deal with SPAMers, deal with them -- their ISP's and that ISP's other clients aren't responsible for their actions. An ISP is not responsible for the actions of those who use its service; not any more than AT&T is responsible for how people use its phone lines. Furthermore, what makes these ISP-strongarm tactics worse is that, as someone mentioned elsewhere, SPAMers simply hop to another ISP if one ISP identifies them and terminates their subscription.

I am strongly against SPAM -- as I said before, the right to freedom of speach DOES NOT imply the right to force other's to listen. Indeed, forcing others to listen eliminates one's own right to freedom of speach necessarily. Furthemore, the right to free speach does not imply the right to use someone else as your mouthpiece -- in this case, the ISP -- at their great detriment, without fair compensation(SPAMers clearly do not compensate the ISP's involved for how much they cost them). However, the right to free speach does require a complementary right to the freedom of the right to choose whether or not to listen, and how to listen. SPAMers deny ISP clients the right to choose whether or not to listen, thus deny their own right to freedom of speach.

What I support is a system where SPAMers have to seek affirmative acceptance before SPAMing people. Of course, enforcing such -- as I've already said -- is impractical. But many large corporations who employ SPAMers will comply because they have much to lose if they don't.

Hotmail - Open Relay?

[t_allardyce]

Hotmail, the biggest open relay in the world (kind of open relay)... Its so big, it even has its own internal spam! Let us gather our pitch forks and go on a which hunt for the perpetrators. oh.. its Billy G. from MS! Hang him!.

Heres a nice little spam i picked up... i think it sums up the entire discussion in a creative torment of words:

>You want to make some money? I can put you in touch with over 200 million people at virtually no
>cost. Can you make one cent from each of theses names? If you can you have a profit of over
>$2,000,000.00 That's right, I have over 200 Million Fresh email addresses that I will sell for only
>$149. These are all fresh addresses that include almost every person on the Internet today...

[Text deleted to save sanity]

>...People are making that kind of money right now by doing the same
>thing, that is why you get so much email from people selling you their product....it works! I will even
>tell you how to mail them with easy to follow step-by-step instructions I include with every order. I will
>send you a copy of every law concerning email. It is easy to obey the law and make a fortune. These
>200 Million email addresses are yours to keep, so you can use them over and over...

[Text deleted]

>Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise
>thereof, or abridging the freedom of speech or of the press; or the right of the people peaceably to
>assemble, and to petition the Government for a redress of grievances.
>Amendment I, The US Constitution

200 MILLION EMAIL ADDRESSES FOR ONLY $149!!!!
...err no actually, 199,999,999 - one of them is mine.

(I can see i'm going to get modded as redundant

Re:The Internet is a free-market information servi

Monopoly cable franchises have been illegal in the US for some time. The reason most places only have one cable service is because wiring a city is fucking expensive and you'd never recoop your costs in a competitive pricing situation.

Re:MAPS IS the problem

[Penguinoflight]

You're right, but that's only part of it. When I signed up for my ISP, they didn't tell me that I'd get sensored because they put their subnet in the DUL (mail-abuse.org). To me this is even more important, because if I don't like their methods of email servers, I can't run my own server. Don't get the opinion that MAPS stops spam, if it did I wouldn't be writing this. MAPS is extremely ineffecient.

MAPS problem is in the method.

[Penguinoflight]

What's the idea of MAPS?

I'd say that likely they are really trying to help stop spam, though second to making a big amount of money. Is there something wrong with this? Considering that spam is illegal (in the US) I don't think so.

But, MAPS does a very poor job of accomplishing this goal. It stops people from using their own email server on a standard connection, and doesn't really stop much spam.

How do we fix it?
It's simple, it would work, but it might cost a little bit...
Block by DNS, not by IP#/IP subnet. And if there is no TLD (top level domain), block the email.

Why?
Someone can get a static dialup account, send out 5k emails, get dumped, switch providers, repeat.

If they blocked against TLD:
First, people who want to run an email server on their box using a dynamic ip, and their domain name can do so without any trouble, but not if they spam people.

Second, Spam is illegal, but when it's so and so at an isp who left, you can't do anything about it. When they need a domain name to send emails, they need to get a new one everytime they send out a pile of junk mail, and eventually either the law enforcement will get after them, or the MAPS provider will stick any domain at that address.

Pointing out the obvious

[kindbud]

Free speech for everyone is all very well, but the galling thing is that most spam is *deceptive*, using falsified return information or deliberately implicating other innocent third parties.

Canter & Siegel, perhaps the most notorious Usenet spammers, did not hide their identity until people began attacking them directly. Spammers did not go underground until the anti-spam community decided to attach a cost to playing out in the open. Spam was easy to block before the anti-spam crowd raised the stakes and sent the spammers off to devise ways to make their messages evade detection.

Of course, after five or six years of escalation, it is hard to tell what has affected what, or how effective current measures are, relative to the past.

But it is *they* who are *deceiving* (n/t)

What on earth is this compression filter nonsense?

Are some anti-spammers going too far? I think so.

[Skapare]

Since I run my own servers, I have a right to choose who I will communicate with, and who I will decline to communicate with. I certainly don't want to receive spam from spammers, so I feel just fine about blocking it. Services like MAPS started out helping me do just that. However, it has turned into something else.

MAPS goes beyond just blocking spam. It attempts to influence other aspects of how business it performed. Examples of this include blocking an entire ISP just because a spammer connects through them, even if the spammer has a dedicated network connection with a static netblock registered via SWIP with ARIN. They also block mail from ISPs that don't host spammers, but host the web site mentioned in spam, even if the site owner was not the sender of the spam. They even go so far as to block things other than mail.

If a spammer is completely cut off, they just move on to the next ISP. They may even falsely represent what they are doing to make sure they get connected. In some cases they start their own ISP front operation to get backbone connections. But they do get back online, and they do evade for a while the information that blocks them, and we end up getting a little more of their spam.

If instead, we simply cut ourselves off from those spammers who we can reliably cut off (those that have a static netblock and stay with it), they won't be motivated to move on (as much), and our efforts to block them will be more effective for a longer time for us.

Some people know me as an avid anti-spammer who really hates spam. I really do hate spam. But I prefer not to have to keep chasing a moving target. If a spammer wants to settle down to a fixed location which I can block from my servers, I'm all for that. This is the way I want to block spammers. The trouble is, finding zone data that limits itself to just this is difficult.

Too many anti-spammers are aiming more to change behaviour and thought, than to just isolate themselves from spammers. As well intentioned as that may be, it is simply not going to work because humans don't really change very much. Most spammers are still spammers at heart (they may have quit for a while, but they are still spammers through and through). Most terrorist are terrorists for life. Most child molestors are child molesters for life. There are simply some bad people and we really can't fix that in most cases, however hard we try.

This doesn't address other kinds of spam like that which comes through open relays and that which comes from dynamic address pools for DSL, Cable, and dialup. Those still need to be dealt with in appropriate ways. The ISPs need to determine who definitely won't spam, and everyone else has to use the ISP mail server for outbound mail. Open relays can be blocked when they are found. Dynamic pools can be blocked when they are found if the ISP doesn't want to do it themselves.

And for sure, web sites with those insecure mailform scripts do need to be cleaned up. I block their outbound mail server.

I also block SMTP connections from servers which do not have valid reverse DNS. This has been very effective in blocking spam, including "spamhaus" operations (who probably can't get a decent admin to come work for them). So far not too many sites sending legitimate mail have this problem. So far this has resulted in 5 cases of legitimate mail being blocked. Of these, 3 fixed the problem, 1 did not answer, and 1 has Qwest for upstream and Qwest isn't delegating things to them correctly.

Postfix does support subject and header based string match blocking. But it is not terribly effective. I do use it for a few terms, but too often I find it rejecting legitimate mail, so I have to keep it lean, making it not so effective. Thus I do have to continue direct blocking mechanisms. I don't expect procmail to be all that effective in blocking spam, either, but it does have the advantage of being customizable to what you don't want to get.

MAPS attitude problems

[Skapare]

Recently MAPS switched to a paid service, with the option of still being free for hobbyists (lots of /.'ers would qualify for that) willing to sign an agreement. Now I'm running a service which doesn't qualify as a hobby. And I was willing to pay for the service for a while. I wrote to them twice before the cutoff date of 31 July 2001, and twice again afterwards, about arranging services. I have never received a reply. So at this point I'm assuming the people at MAPS simply don't care. It seems to me they have a very arrogant attitude. So I'm just writing them off, and will be cheering when they finally become a dot.com.bomb.

Community standards

From the web's point of view, spam is obscene. We have a perfect right to ignore people we don't want to talk to. I think that it's actually protected as part of freedom of speech...

WRONG- Abovenet stopped using the RBL in BGP mode

...months ago. Good to see you're keeping youself apprised of what is actually happening.

Message I sent to EFF in re spam

[shalunov]

Stanton McCandlish writes:

Executive Summary: Any measure for stopping spam must ensure that all
non-spam messages reach their intended recipients.

As an EFF member and supporter, I would like to state as clearly as
possible: You don't speak for me when you say this. I am opposed to
your position on spam.

You raise a number of valid points. The crux is that users might have
their mail filtered without knowledge. This is undesirable. Users
must be told what is happening with their incoming mail and under what
circumstances it can be bounced. However, it's fine for users to be
able to choose to use any filtering system they like; including ones
that have false positives (are there any that don't? even Brightmail
with its human intervention has them).

I personally don't use any spam filtering. My position on spam is
summarized at http://www.internet2.edu/~shalunov/nouce.html:

I do not wish to receive any unsolicited commercial email or
unsolicited bulk email (spam). I get on average 2.5 junk messages
a day (and several hundred real messages).

I never buy anything from a spammer. I never support a spammer in
any way. I never reply to spam.

I never disguise (munge, forge) my email address. (I find it
inconsiderate to people who wish to send me mail; if we break the
way email works, spammers win.) This doesn't apply to email
addresses that are actually mapped to more expensive or more
intrusive delivery mechanisms (fax, pager, etc.). I regularly post
to Usenet and to numerous openly archived mailing lists with my
real address.

I always report all my spam, including spam I get through numerous
mailing lists I am subscribed to (using Spamcop currently). I
often call relevant parties in addition to sending electronic
reports. I sometimes (rarely, because it takes time) place fake
"orders" based on information provided in spam.

This is my service to all people who use email. I consider this
service useful. (And I only spend seconds per day doing it.)

If you came here, you may be interested in my ideas on reporting
spam and uce.el.

However, ISPs are free to offer to their users optional spam-filtering
services or even make them part of standard offering that users can't
reject *as long as the users know how their mail is being treated*.

Blacklists have been an effective pressure tool.

ORBS et al. were what has really improved the situation with open
relays: Without pressure of legitimate mail being rejected, far fewer
people would fix their systems.

It's one right to refuse to accept mail from misconfigured systems.
If they act as an open relay (or, in fact, if I feel like it), it's my
right to not accept mail from them. If they are friendly to spammers,
it's my right not to do business with them.

I urge you to reflect this alternative point of view, which, I am
sure, is shared by many technically-minded members of the EFF in the
next issue of EFFector and on the website where this one-sided view is
presented as an opinion of EFF as a whole.

Sincerely yours,
--
Stanislav Shalunov

A fanatic is one who can't change his mind and won't change the
subject. -- Winston Churchill

Your tired old arguments...

[CaptainSuperBoy]

... have been repeated countless times.. by spammers.

Did you know that IP blocks that have been on the RBL in the past, but have been long removed, are still largely useless because of ISPs that once upon a time installed local blocking rules based on RBL information, and never bothered to keep those rules up to date.

How is this MAPS fault? Any ISP that does this should know better.. Would it be a problem if I ran an ISP and blocked IPs on my own? Say, no packets to or from China? Of course not.. nothing wrong with that, unless my users start complaining. ISPs aren't a public service, they can do whatever the hell they want.

That's not to say they are a bad idea, but only that they impose prior restraint on speech (if they didn't they wouldn't be very effective! ;). There's a balancing act that must be performed here, so that the 1st amendment is treaded upon as lightly as possible, while still addressing the problem.

Never said that spam laws aren't prior restraint.. of course they are. So are obscenity laws, and harassment laws. Can I follow you around all day shouting obscenities? No? But it's OK for me to do that to your inbox?

The legislators of anti-junk-fax laws decided that the costs of receiving the junk faxes was unfairly being borne mostly by the recipients, who have to pay for their paper and ink.

As opposed to the costs of spam, which are paid up front by the spammers, who are happy to pay for the bandwidth they use, abuse staff salary, and wasted time of all the recipients. Oh wait, spammers don't pay for any of that. Forget what I said.

Most email users do not pay extra for incoming emails, especially in the US. They would pay the same amount for their internet service, whether they receive no spam, or thousands per month. This cost/benefit analysis MUST be part of any anti-spam legislation, just as it was for the anti-junk-fax legislation.

Bullshit. Maybe you're not aware of how much it costs to run an abuse department, or how much bandwidth spammers waste. AOL estimated that 30% of their e-mail traffic was spam. In addition, processing of mail along with filtering spam takes up CPU cycles. If you think that ISPs just eat those costs without passing them along to the consumer, well, who's being naive?

In the US, it's true that most users pay a flat rate for Internet - the cost of spam is just rolled into that flat rate. However in many other countries, folks pay by the minute. I have received spam with 100, even 200k of attachments. In this case, the cost of spam is charged directly to the user.

The answer to this problem really has to be the oft-repeated "JUST HIT DELETE".

You've got to be joking.. this is a joke, right?

I was too generous in my original post. I don't believe spam should be a protected form of speech - It's actually harassment. Spammers should be charged with harassment. I have had to ditch e-mail addresses due to the amazing amount of crap in my mailbox. (20+ spams a day? Would you like to 'just hit delete' on those, while making sure not to miss any important ones? And if you tell me to filter them, that isn't, and shouldn't be the user's responsibility.)

Re:Your tired old arguments...

[kindbud]

I said:
Did you know that IP blocks that have been on the RBL in the past, but have been long removed, are still largely useless because of ISPs that once upon a time installed local blocking rules based on RBL information, and never bothered to keep those rules up to date.

Then you said:
How is this MAPS fault? Any ISP that does this should know better.. Would it be a problem if I ran an ISP and blocked IPs on my own?

I never said it was MAPS fault. I never said ISPs couldn't block whatever they wanted to. I was responding your statement:

You said:
It is clear to me that if ISPs did not agree with MAPS' policies on what to block and with its history of questionable bans, then those ISPs wouldn't subscribe to MAPS.

My point was that there are ISPs that supposedly agreed with MAPS policies - that sites who clean up their act should get removed from the blacklist - but did not remove cleaned up sites from the backlist. Therefore, they did not, in fact, agree with MAPS policies, yet they used MAPS.

This is one of the reasons why MAPS began several years ago requiring a signed agreement for any AXFR or BGP access. People were keeping stale MAPS data active, contrary to MAPS goals. This was hurting MAPS, and still does.

I said:
The answer to this problem really has to be the oft-repeated "JUST HIT DELETE".

You said:
You've got to be joking.. this is a joke, right?

No, it's just shorthand for saying only the recipient is able to judge what is and is not spam, precisely because it is his inbox that it's sitting in, and his decision as to whether it is annoying or interesting. It is shorthand for "use filters".

Should an ISP filter its HTTP proxy to block sites that use pop-up ads? Hmmmm.... a lot of people are annoyed by those, and downloading them costs bandwidth, money, staff time to help hapless customers who call up with foistware removal problems, you name it.

So should they? What is the difference, really?

I need not point out that you can save a whole lot more money by doing the Sprint ION thing. Just don't take customers, if you aren't capable of running a customer service business efficiently.

Re:Your tired old arguments...

[CaptainSuperBoy]

only the recipient is able to judge what is and is not spam

I disagree.. the recipient is part of the spam problem. If 99% of spam recipients think it's spam, but there's that 1% that really wants that credit card/loan/porn/make money fast, is it spam? I guess you'd say it's not spam. I'm sure there are people out there who wouldn't be offended if you were to put XXX porn on the Jumbotron in Times Square. They are the minority, though. Most users by far consider spam a nuisance. It is not a legitimate marketing method. A lot of spam is fraud. Spam has to be stopped, and it really is for the good of that 1% who don't know better.

Should an ISP filter its HTTP proxy to block sites that use pop-up ads?

Nope.. that's very different from spam. Pop-up ads are initiated by an action of my choosing - visiting some site. If I stop going to that site, I stop getting the ads, and I stop paying for that bandwidth. On the contrary, receiving spam is completely out of my control.

Re:Your tired old arguments...

The cost of proxying documents containing "pop-up ads" (which are only effective if the user is so foolish as to enable ECMAScript indiscriminately) is inherently limited by the number of your customers using that proxy. The cost of receiving spam is limited only by the abusers' persistence.

Spam should be fought not because it's an intractably crippling problem now, but because it will immediately become one if it's legitimized, as some nontrivial fraction of all the businesses in the world all try to reach every mailbox that even potentially exists.

Wireless Devices.

[Asphalt]

What do you recommend for wireless email devices in which the end user pays strictly by the Kilobyte? Have you written a version of procmail that runs on handheld OS'es, ie Palm OS? If so, please post it.

Re: Spam and free speech

[MikeBabcock]

I think the EFF is unfortunately right. If we allow independant groups who have no external accountability to create and administer lists like MAPS which, if used widely, can arbitrarily cut off a person's ability to communicate with the outside, we're setting ourselves up for very large freedom of speech problems.

If a person is too loud and someone wanted them silenced, getting them onto all the MAPS-like lists by way of pursuasion (in the future) might be a good method. Being able to silence that person on the Internet shouldn't be possible without public review -- that's why we have court systems for crimes.

MAPS is too vigilante for the EFF is what it comes down to for me, and unfortunately MAPS-like services are very useful but I think closing down spammers themselves is a much better long-term solution.

One of the most complex issues if you're a moron.

[glrotate]

SPAM sucks. It is theft. No reasonable person appreciates paying for unsolicited advertisements. The SPAM have no right to fill your mailbox with trash. Kill 'em all.

Absolutely

[macdaddy]

If you don't like it as a customer, take your business elsewhere. Simple as that.

Re:The Internet is a free-market information servi

[isdnip]

Fact: There is no government-granted cable monopoly. There are two cable companies passing my house; I use one of them (AT&T), and my next-door neighbor uses the other (RCN). Municipalities have been prohibited by federal law from granting exclusive franchises since 1992; even before then, there were few exclusives. Financially, it is generally a lousy investment to be the second cable company in a given place, which is why overbuilding is so rare. But lack of competition does not equate to government monopoly.

But in any case, if you want to regulate an ISP because it is so good, then what else do you regulate? If it MUST by law deliver me ten pitches a day to enlarge my penis size or get a mortgage from some crook, then what else must an ISP do by law? It would be a victory for lawyers (since ISPs would need a lot of them) but most ISPs would simply go out of business rather than be subject to regulation.

Re:The next DMCA/"Patriot " bill waiting to happen

[mckyj57]

It's perfectly possible for someone to get unsolicited mail from someone, ask them to not mail them again, and get compliance for that request, while never revealing to the recipient who the sender is..

And we would be expected to do that once for each of several million companies that have the capacity to send email? Along with changes of management and "mysterious database problems"? Bah. Anyone who thinks that unsolicited bulk email is *ever* correct is either a criminal or criminally stupid.

Email to EFF

[breser]

Here's the email I sent to EFF yesterday:

From: Ben Reser
To: editors@eff.org
Subject: Re: EFF on Spam
Date: Wed, 17 Oct 2001 09:01:35 -0700

On Tue, Oct 16, 2001 at 09:20:30PM -0700, Stanton McCandlish wrote:
> Public Interest Postion on Junk Email: Protect Innocent Users
>
> EFF Statement Regarding Anti-Spam Measures
>
> Executive Summary: Any measure for stopping spam must ensure that all
> non-spam messages reach their intended recipients.
>
> ...

I disagree greatly with your statement about Anti-Spam. It is clearly
poorly researched. You may a number of statements that I find really
odd. It is unfortunate that because of your inaccurate stance I may
have to reconsider my continuing membership in EFF when my membership
comes up for renewell.

* System adminstrators are forced to adopt anti-spam policies. The only
policy MAPS or ORBS seeks to have other admins adopt on their systems is
to close their open relays and other ways for non-customers to inject
email into their mail servers. While this may be inconvient to some end
users it is not difficult to be sure and select the correct mailserver
to send your email. However, you make it sound like admins are forced
into filtering with MAPS or ORBS. This is absolutely untrue. The use
of any blocking system is entirely voluntary.

* 50% of ISPs use blocking systems like MAPS or ORBS. This may have
been the case in the past but most certainly is no longer the case.
ORBS has changed hands recently and has a very uncertain future. Mainly
because ORBS is controversial among administrators who feel that it's
proactive scanning is a violation of the internet norms of stayiing out
of other peoples systems. In the case of MAPS it has gone from a free
service to a pay service. I know that they lost me as a site that was
using them when they did this and I'm sure the vast majority of their
users also haven't subscribed.

* users are not being informed their email is not being delivered. This
is cleary false. Users receive an bounce message explaining why the
email was bounced and giving the URL of the blocking list organization.

* Email is protected speech. It's a Fundamental free speech right to be
able to send and receive messages. Yes but it's also a fundamental
right that I be allowed to reject messages. With telephones you can use
a number of blocking technologies to attempt to keep out telemarketers.
Many of these technologies will ultimately block people who are not
telemarketers. You can choose not to answer your door when someone
knocks. Free speech is not a guarantee that any one has to listen to
you. Only that you may speak. Block email is the same situation. I as
a system admin have a right to block any traffic coming into my private
owned system.

* Blacklisting isn't a magic bullet. Nobody ever said it was. It takes
lots of different efforts to stop spam. No one effort will ever truely
be 100% effective.

* Filtering is good. Yes but you make it out to be a magic bullet.
It's not anymore than blacklisting. To be precise you're talking about
content filtering. Blacklisting is actually a filter. I use content
filtering myself. However, it misses many many many pieces of spam and
blocks some legitimate mail. It's no better than blacklisting in that
respect. Further quite a few content filtering systems are not setup to
notify the sender that they were filtered.

I believe that given further research into this issue and discussion
with many system admins will paint you an entirely different picture. I
strongly urge that you undertake said research.

Re:Email to EFF

[delta0]

You would drop supporting the EFF because of their stance on MAPS? Good god...

Re:Email to EFF

[Corydon76]

I would drop support of a politician who wanted to drop tons of garbage in my backyard, no matter how much s/he drops my taxes.

How is this any different?

Procmail beats any other spam prevention method...

[Fredflintston47]

Why deal with this whole issue?

Setup a password-protected inbox, and you will have just a few spams in a whole year. Simple filtering will never be able to provide this level of protection.

http://www.uwasa.fi/~ts/info/spamfoil.html

It works *really* well!

Define: "speech" and "censorship"

[sounds]

Why hasn't anyone considered that MAPS and ORBS have a "right" to create a list of ip addresses and distribute it as they see fit? Wouldn't it be restricting their free "speech" to stop them? (oops, too late: ORBS is already gone)

On the flip side, it isn't "censorship" if you still have a way to hear what the spammers are saying. From the point of view of MAPS, their DNS servers only give out information on specific ip addresses as they are requested. They're not delivering a (complete) list of spammers, and they're not even involved in the delivery of the spam itself. If a message is not delivered, it is not under the direct control of MAPS servers. Also, if you are not at liberty to remove MAPS rejection from your personal email, then that is an issue with your ISP, not MAPS.

It is inaccurate to say that MAPS has "failed in [its] fundamental design" - to quote the EFF. It's only when you try to paint the service as something it isn't that you might consider it to be a failure.

Antivirus also ?

[AftanGustur]

Should the virus scanning-and-removal also be delayed until the end user receives the mail ?

What is the difference anyway, UCE or Viruses, both are unwanted (the 'U' in UCE) and eat up bot the users and the ISPs resources, time/disk space/cpu/bandwith.

I came to work once, and was greeted by 13000 bounces in my mailbox, somebody had discovered a client's open sendmail who forwarded everything to our backup MX server, who then sent it to the promary MX, who happily processed it ;-(

Those who deliberatly run open mail-relays deserve to be either blacklisted by MAPS or simply shot.

Re:Antivirus also ?

[delta0]

Actually the U in UCE stands for Unsolicited. Not always equiv. w/ Unwanted. But by chance most UCE is also unwanted! ;)

Policy and implementation

Is everyone aware of "Hashcash"
(http://www.cypherspace.org/~adam/hashcash/)?
Basically is requires an email sender to "pay"
(in terms of a verifiable and unique calculation) to send an email.
If widely enforced it would make spamming uneconomic.

I'm a member and supporter of EFF, in general terms I agree with them
on this issue. However, some of my best friends are system
administrators and they are very practical people.

We have two different issues here: policy and implementation.
Who should decide the policy? Where should the implementation be placed?
I and not my ISP should be able to restrict who I receive email from.
If for practical reasons my ISP blocks email when I have not requested
the block, then I should be informed.

The current economics of the internet means that the bulk of the
filtering needs to be implemented upstream from the recipient.

Governments tend to pass technological laws which are misconceived
and do more harm than good.

In my ideal world neither ISPs nor governments would decide policy.
However, ISPs would implement policy decided by their users.

Lots of technical problems here. New interfaces, new protocols,
browser and server changes. Its all possible (to filter most spam).
Maybe we do need temporary solutions which are less than ideal:
like MAPS and legislation.

Too simplicistic

[CaptainZapp]

On a larger scale, EFF supports combatting spam by providing end-users with adequate tools to filter unwanted messages on the receiving end.

This is all fine and nice. It is a bit of a US centric view though, since (virtually) the rest of the world pays for their internet connection by the second.

So if I filter on my end, I still pay for the downloaded crap, despite the fact that I never (want to) see it. A powerful -, end user configurable filter directly at my ISP would be a different story.

The Problem With Not Rejecting Spam

[cjs]

The problem with local filtering is that if you automatically put spam in /dev/null rather than your mailbox, and a legimate e-mail is misidentified as spam, it disappears and nobody knows about it. Whereas if you bounce it, at least the sender knows the message was never delivered.

You can put it in a separate folder and examine, of course, but then you have to look at the stuff, so you might as well put it in your regular inbox. And you still stand the chance of missing a legitimate e-mail that looks too much like a spam.

cjs

Dislikes a solution != likes the problem

[geekotourist]

The EFF is coming out against non-spammers getting the spammer treatment. The EFF has to hold this position to be consistent with earlier cases like...

1. Not forcing adults to read filtered content because children could read it, or

2. Not having entire email servers seized because one recipient is under investigation.

This doesn't mean that the EFF wants to stop investigations or force children to see porn, but that it is sensitive to certain types of collateral damage, even for the best of reasons.

The EFF person who posted earlier states that Spam is Evil for all the reasons discussed in this thread. He also wrote in his collection of essays on spam that being against a solution can get one labeled as pro-spam. So the EFF had to be quite aware that their position would them money / supporters, but they did it anyways. Willingness to anger supporters on one case is a good sign, because it means not weakening your principles for popularity. These are the same principles that make the EFF fight for 2600 , and Felten, and other DVD cases , and many other cases on such tiny topics as anonymity, satire, whether hacking=terrorism, encryption, reverse engineering... some of which will need to go to the Supreme Court, costing $$$. I'd rather have them dedicated to principles and sometimes make me angry than see them go for keeping everyone happy. (and I'm sure they didn't like losing Adobe's money while they support Sklyarov. )

Alan's ORBS was a personal powertrip,new are rude

[mr]

First off, if you are the system admin, there is something called a logfile. What is nice about reading the longs and interperting the logs is that is your job. Had you read your logs, you would not need ORBS to tell you there was a problem.

The ORBS run by Alan Brown used the entry tables as a form of 'punishment'. If you spoke out about how his methods were flawed, on the list you'd go.

Two of the new ORBS are not much better, in the method department. (I don't know about the 3rd). Neither of the ORBS's can produce copies of 'spam' comming from my box when asked. (Given I look at the logs daily, I'd be interested in seeing how the relaying would be done) I have told the two off them NOT to come back with their probes until they have some proof. The jury is out if these new ORBS will honor the simple idea of "don't bother me until you have proof" or will put systems on thier lists simply because admins find thier methods rude.

SPAM solution: sender pays arbitrary amount

[vandan]

I have heard than when IPV6 becomes the standard, forging headers will be much more difficult (impossible?).
I propose that owners of email address be allowed to set arbitrary delivery charges on all mail coming into THEIR account. After all, it is THEIR account. I would charge $2 per email, which I would refund to all those authorised senders automatically upon delivery (ie authorised senders pay a net amount of nothing).
And the spammers pay. Finally, the spammers pay!

What stinks about this situation?

[grgcombs]

MAPS is the best thing since sliced bread. There's currently some big coalition against it, (COMBAT?), and from what I can figure, it's well funded by spam factories. So far what they seem to put out is a lot of excited inflamatory talk, with no real figures and facts.

From the sounds of it, they did a little donation and some palm greasing for the EFF guys too. That's too bad, I used to like them.

RBL has saved me from having to slog through literally tens of thousands of messages. And what doesn't get caught by RBL usually gets nabbed by spambouncer anyway.

Going through the logs, I've never had a message get stopped by RBL that was a valid, non-spam email.

Greg

Flaws in their argument

[Syberghost]

First off, they link off to a site that talks about using Procmail to filter spam.

But Procmail says you should use MAPS...

...second, I love this quote:

Anti-spam blacklisting groups, such as MAPS and ORBs, put heavy pressure on ISPs to conform to a set of restrictive anti-spam policies and to virally pressure other ISPs to adopt the same policies.

Yeah, those nasty folks at MAPS, they force you to conform a restrictive anti-spam policy, to whit: stop letting your users send spam.

Oooo, I'm being repressed! Come see the violence inherent in the system!

Lies

Guilty until proven innocent, eh?

Murdedring innocents?

What you're saying is it's akin to *murdering innocents* eh?

The end never justifies the means, and here's additional proof.

I don't see a problem with this

[maxpublic]

I don't see a problem using blacklists so long as:

- the ISP informs its customers it uses blacklists;
- the ISP provides the complete blacklist on demand (e.g., a downloadable flat file of blacklisted IPs and their associated domain names)
- the ISP includes a REASON next to each IP/domain name (e.g., short like 'SPAM').

As a user I'd love to have my ISP blacklisting every spamming asshole under the sun. But as a user I also want to know that they *only* block spammers and not folks that they happen to dislike for political or personal reasons (e.g., an IP associated with pro-choice users).

If the ISP uses a blacklist generated by a third party, then I want that third party to make it easy for me to retrieve the list and see why each address was blocked.

Max

DreamSynthesis! Is that you??

I see you're posting to Slashdot again.

Why did you ditch your old account? Is it becuase you got trolled to hell and back and your karma got seriously butt-raped?

This is a bunch of whining

[tuxlove]

The EFF can go to hell on this. MAPS is awesome. It stops spam-factories and their lazy ISPs in their tracks (even more cool is ORBS, which programmatically blocks open SMTP relays).

Do you really want to know why the EFF is doing this? Because Dan Gillmore, one of the founders, runs an open relay himself and has been nailed for it. Never mind that his open relay has been used by spammers for nefarious purposes, and that his anti-spam measures have failed - he wants the right to have a spam-friendly SMTP server.

My right to have a spam-relay is more important than your right not to be spammed, isn't it? That's a rhetorical question, of course. *Everyone*, that is *everyone*, except spammers themselves, feel they have the right to not be spammed. You hear that argument constantly on slashdot and elsewhere, but when it's the EFF saying that a perfectly good anti-spam measure is evil, well then, by golly, it must be evil!

The EFF needs to get its head on straight. Like so many of the causes the EFF and Mr. Gillmore take on, this one is based on a personal problem rather than a widespread injustice. That's a poor basis for taking a stance such as the one they've taken here. It detracts from the legitimacy of the EFF.

To fill in the details a little, Mr. Gillmore has an open relay so his friends will have a known SMTP server they can use to send mail when they're travelling and are plugging into the net on different networks/ISPs. There are numerous solutions to this problem that don't involve having an open SMTP relay. I have to wonder why Mr. Gillmore doesn't utilize one of them rather than choosing to fight a silly battle. Possible solutions might include settin up a VPN for his friends with a secure SMTP server behind it, or even having them use Yahoo mail accounts. I'm sure there are also authenticating SMTP servers out there, or similar solutions.

MAPS is one of the best tools around for fighting spam. I would hate to see it go away.

Re:The next DMCA/"Patriot " bill waiting to happen

[sqlrob]

Most of the SPAM I get is US related. It may be routed through a server in Taiwan, but the site is hosted in the US or it has a US phone number or a US stock.