EFF speaks out against MAPS
Control-Z has brought our attention to the latest EFF newsletter which speaks out against MAPS and ineffective spam legislation. According to the EFF: "The rights of users to send and receive email must not be compromised for quick and dirty ways to limit unsolicited bulk email. Neither misguided and ignorant legislation, nor collusive, high pressure protection schemes, have a legitimate function or place in our online future." The EFF is reminding us that freedom isn't always easy. I feel much worse for those who haven't figured out procmail yet though.
when i said maps and rbl was just another form of censorship i got modded down...
now the EFF finally catches on and everyone flocks behind it sheep style...
Not if your packets happen to travel through abovenet. Vixie, founder of MAPS, is the CTO at abovenet, and they regularly drop packets based on MAPS RBL.
Not much choice there for end users.
PJRC: Electronic Projects, 8051 Microcontroller Tools
'blackbox' solutions are dangerous .... average users will never be able to infer what goes on behind the scenes. Far more useful would be a 98% successful (my guesstimate at what an acceptable fail rate should be) intelligent, learning filtering system on the client end .. where you can just scan-the-spam topics and make sure you're not missing anything important.
.. ie, you can provide email addresses that somehow 'hide' your real email address and some timeout value, such that only email servers on your end could decrypt the address and figure out if that communication privilege has 'expired'. I think mail servers would have to know if a mailing was a 'bulk' or 'single' mailing .. single mailings could accept normal email addresses, but multiple mailings would require these encrypted addresses with built in time out values.
It would be much easier to tackle this problem if a 'pseudolution' (spam is, by its very nature, not 100% solvable) is rolled out with the next generation mail protocol. To this end, does anyone know if there are any current undertakings addressing a next generation email protocol capable of more interaction/configuration from a client?
One VERY nice feature I'd like to see is email addresses with embedded timeout values in them
I haven't thought TOO deeply about it, as you can tell, and I'm not much of a privacy/encryption expert, but can anyone articulate a set of rules based on the above postulation that is technically feasible?
"Old man yells at systemd"
I implemented MAPS and Procmail Sanitizer at my employer's corporate gateway about 6 months ago. As the EFF article mentions, there is a concern for legitimate mail being blocked. My solution for this is to include my direct phone line, and a request to contact me if the mail is legit, in the error message sent to mail denied by MAPS. In about 6 months of operation, at a company with about 120 users, we block on average 150 messages per day, with an all time high of 262 in one 24 hour period. I have yet to get a phone call from ANYONE, spammer or otherwise. Meanwhile, users who were getting 10-15 spams per day are now down to 1-2, sometimes none.
Frankly, I've found MAPS to be highly effective. I expected to occasionally toss out legit messages, which was why my direct line is included in every bounce, but MAPS has been considerably better than I could have hoped for. With proper setup and configuration it is quite easy to ensure that legitimate mail gets through with only a minimum of delay. MAPS has been a very worthwhile investment for our company, and our end users have consistently thanked us for implementing it. Likewise, Procmail Sanitizer has stopped all kinds of trojans and viruses cold at the gateway, even catching new ones before being publicized. Although we don't use Outlook, we still find it useful to stop the stuff, and I can't fathom anyone running an Outlook environment without Procmail Sanitizer. Good stuff.
ehintz
Errr ... I think I'm offtopic, but to hell with karma.
It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list. Your email client could auto delete email from people that aren't in your address book. I guess filters could be used to do this, but it's not obvious for the 'common users', like Grandma (:
There could/should also be a way for the email client to tell the mail server "hey, stop sending me mail from X@X.X". That way you cut it off at the source and it stops messing with your bandwidth. The server could also build a list of ignored email address and domains and stop responding to their requests all together for all users. This could become hurtful, putting control into the user's hands a bit, but somehow I think it would do more good than harm. It would need lots of revision, but I don't have the time or energy to care (:
~LoudMusic
No sig for you. YOU GET NO SIG!
Fascinating. So if your ISP just decided to drop the letter P wherever it appeared in a packet, without telling you, you'd have no problem with that? You don't own their network, after all.
It's their right... I'd have a problem with it, sure. But the fact I have a problem with it doesn't mean they don't have the right to do it. I'd go get another ISP. Problem solved.
Contracts are good for avoiding this sort of thing as well, you know?
DrLunch.com The site that tells you what's for lunch!
The EFF's anti-MAPS stance has little to do with careful consideration of the legal and ethical issues involved, and a great deal to do with the fact that EFF honcho John Gilmore has landed himself on multiple spam blacklists, and been booted off at least one ISP (Verio) for intentionally running a wide-open relay.
Gilmore's stance is pretty straightforward: running an open relay was a good thing in 1987, so of course it must still be best practice in 2001.
News for Nerds. Stuff that Matters? Like hell.
So here's my idea:
/included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout .. if you don't find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication privilege in your contact information, without giving the sender the ability to alter that timeout.
.. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."
Requirements:
- mail servers would have to know if a message is being sent to many users, or [threshold]
- mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, i think)
So, now you give your email address out to organizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fashion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)
Now, here's the kicker:
So, what has to be done? Does this work? I think once you wrap people's heads around the idea of a timeout on communication privs, people who love this
Am I on crack? I think it's a good idea.
"Old man yells at systemd"
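The expiring-address proposal above, as an added example (not code from any poster in this thread): instead of encrypting the user name it appends an HMAC-authenticated expiry to a plus-addressed local part, so the sender cannot alter the timeout but the user name stays visible. The `alice`/`example.org` names, the key and the timestamps are constructed, and a server following the proposal would apply this check only to mail it classifies as bulk.

```python
import base64
import hashlib
import hmac
import struct

TAG_LEN = 10  # bytes of the HMAC-SHA256 tag kept in the address


def b32(data):
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def unb32(text):
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def tag_for(user, domain, expiry, key):
    msg = b"\0".join([user.lower().encode(), domain.lower().encode(), expiry])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_address(user, domain, expires_at, key):
    """Issue user+<token>@domain, where token = base32(expiry || tag)."""
    expiry = struct.pack(">I", expires_at)
    return f"{user}+{b32(expiry + tag_for(user, domain, expiry, key))}@{domain}"


def check_address(address, key, now):
    """Receiving server's decision for one recipient address: (accept, reason)."""
    try:
        local, domain = address.rsplit("@", 1)
        user, token = local.split("+", 1)
        raw = unb32(token)
    except ValueError:  # no "@", no "+", or token is not valid base32
        return False, "malformed"
    if len(raw) != 4 + TAG_LEN:
        return False, "malformed"
    expiry, tag = raw[:4], raw[4:]
    # Verify the tag before trusting the expiry; compare in constant time.
    if not hmac.compare_digest(tag, tag_for(user, domain, expiry, key)):
        return False, "bad tag"
    if now > struct.unpack(">I", expiry)[0]:
        return False, "expired"
    return True, "ok"


def demo():
    key = b"constructed per-account secret"  # sample value; stays on the server
    issued = 1_000_000_000                    # constructed "now" (Unix seconds)
    month = 30 * 86400
    addr = make_address("alice", "example.org", issued + month, key)
    # The holder rewrites the one-month timeout to two years, keeping the old tag.
    local, domain = addr.rsplit("@", 1)
    user, token = local.split("+", 1)
    stretched = struct.pack(">I", issued + 24 * month) + unb32(token)[4:]
    altered = f"{user}+{b32(stretched)}@{domain}"
    return {
        "in_window": check_address(addr, key, issued + 86400),
        "after_timeout": check_address(addr, key, issued + 2 * month),
        "timeout_altered": check_address(altered, key, issued + 2 * month),
        "no_token": check_address("alice@example.org", key, issued),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```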
If it's bad to share a list of open relays, wouldn't sharing a procmail script be just as bad?
If I tell you how to automatically delete email with subjects like "MAKE MONEY FAST", how am I different from someone telling you that some ISP has an open relay? After all, if I publish a list of subjects that spammers are likely to use, am I not denying their right to send me email just as if I didn't accept email from their domain?
And BTW, I use spambouncer (a set of procmail recipes) to block spam. It's trapped 190 email messages since October 1. I think 3 have slipped past.
-- Don't Tase me, bro!
is my weapon of choice when it comes to dealing with spam. About 80 per cent gets caught by the "not addressed to me" filter and all the trash gets deleted from the server prior to download.
I work for a small ISP, and we tried very hard to keep our mail relay as open as possible so our users could set up mail at work, at the office and other places where they may have a different connection to the net. We did and still do run filters on our mail server, to try and stop spam and virii, yet we were placed on ORDB and on ORBZ. The whole reason we were placed on these lists was not due to anyone complaining about spam originating or being relayed from our server, but just because it had an open relay. In the end we closed the relay, which caused us to lose customers who could no longer send mail through us from their work or other places, but we were also losing customers when we were on these lists because people could not send mail to their friends and business contacts.
Most of these Blackhole lists do send a message back to the person trying to send the mail, and they often portray admins who run open relays as evil spammers or complete morons. Neither of these is true. We were trying to provide a service to our customers, and we work CONSTANTLY to keep the spam out.
Blocking or denigrating the ISP or admin of a mail server which happens to have an open relay that may get used for spamming is like blaming Boeing for the recent trade center attacks. They built the plane but they did not do the deed. We ran a mail server, but we did not spam people. Go after the spammers, and their backbone providers, and their corporate backers, not the little guys who get hurt by this the most.
In the wild there are no dumb lions tigers or bears. Only humanity subsidizes the continued existence of the stupid.
Wow.. it's about time the EFF finally put up the forefinger of logic and said "hey, wait a sec" in regard to the anti-spam movement. This has to be one of the most often grossly exaggerated problems anyone ever cites -- receive a few unsolicited emails and your inbox is "filled" with spam. And so off you go to champion hamstringing the email system, banning ISPs, etc, etc. I am as annoyed by spam as the next guy. But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly. There are a number of methods an individual can use to reduce the amount of spam received that are quite effective. These days I get more annoying crap from friends, co-workers and other associates than spam. I'm amazed at how some people can overlook all of the chain letters, images, flash movies and other crap that truly does chew up their resources and then go ballistic when they receive one piece of email that can technically be classified as spam.
Here's where the whole thing gets messy. Yes, it's expected that email that is sent should be received. But the Internet isn't regulated like that, so it's not really a right. I had a big long spiel about this and the Usenet Blackhole list a while back.
The point is that if your ISP is blacklisted, there's usually a good reason for it. It's because they don't control spam like they should, and thus they degrade email service for many many people. The blackhole list is designed to be a wake up call, and it usually isn't used until repeated requests to fix the problem have been ignored. If you find your ISP on the blacklist, complain to them to fix the problem that got them there. Either that, or switch to an ISP that isn't on the list. It's not your right to send email that's curtailed, it's the privilege to send it through that ISP that's restricted. Complaining about the lists themselves won't accomplish anything.
ISPs who have contracts that don't allow them to block email don't use the RBLs, but many ISPs specifically retain the right to block email if they need or want to. As companies, it's in their interests to protect their bottom line, and spam email is a bandwidth and storage killer. We won't see those lists go away until a better way of stopping spam comes along.
Electronic Frontier Foundation for online civil rights information
Are you serious???
When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.
I'm waving the bullshit flag on this one. But your assertion is an unprovable one since you assert that the rules are "unwritten" and thus no amount of arguing will convince you otherwise.
It is not my ISP's business to arbitrarily block inbound e-mails for me.
I agree. But if your ISP blocks mail without telling you, then your problem is with your ISP and the idiots who made that decision, not with MAPS.
Rather, it is my responsibility to control the availability of my address, and to deal with any and all mail I receive, regardless of source or desirability.
And some people choose to delegate this authority to their ISP who in turn delegate this to MAPS or ORBS(with the full knowledge, consent, and approval of their customers). Who the hell are you to tell these people that they can't delegate that authority???
If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.
And just how would new people get themselves added to your authorization list? Are you going to start posting your phone number next to your e-mail address so that people can call you to get added to your authorization list so that they can send you an e-mail? I understand where you're coming from here, but it's an inviable solution.
Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous. It would be like arresting people for driving on the road because the locals didn't like the paintjob on your car.
No, it's like the government telling you that you can't live in a gated community. After all, the roads and driveways in that community (paid for and maintained by your money) were built to be driven upon and you can't delegate the policing of those roads and driveways to another entity (the landlord of the gated community, the homeowner's association, etc). If you want your driveway policed and you don't want undesirable people to park there, then you'll just have to police it your own damn self.
Kevin
The article implies that the loss of freedom comes from MAPS listing mail servers. But isn't the problem really with the ISPs? They are the ones who are implementing the filtering, without the explicit consent of either the sender or receiver.
There's a simple solution. Each ISP should provide users with three radio buttons - Block Detected Spam, Deliver Detected Spam to a Bulk Folder, and Pass All Messages. Then the freedom to choose is back in the hands of the user.
I'm not so sure that this would satisfy the EFF and Dan Gilmore, though. It seems that he is peeved that anyone should object that he operates an open relay. (Can't find the link - www.toad.com is creaking under the weight)
The fulcrum to the EFF argument is 'Any measure for stopping spam should have as its first goal "Allow and assist every non-spam message to reach its recipients."' To that should be added, "unless otherwise desired by the recipient."
Freedom means the government can't tell you to shut up; it doesn't mean I have to listen to you.
Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.
That's not free speech. Free speech is the right to say things that people don't like - not the right to say things at no cost to yourself, to people who don't want to subsidize you, in their private space.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I don't know how authoritative this is, but my old ISP (XMission in Salt Lake City) had a page listing attempts blocked by the MAPS rules. They were blocking somewhere about 10-20 thousand attempts per day on average, with regular spikes into the 40 thousand range and occasional spikes into the 70-80 thousand attempt neighborhood.
As a sanity check, they only flagged messages listed on ORBS and, for a while, only flagged messages listed on MAPS (until the spamload got too high). In 6 years, I got precisely one piece of mail that was ORBS-flagged that wasn't spam, and no non-spam with a MAPS-flag while MAPS flagging was in effect. Since ORBS is more aggressive in listing sites than MAPS is, this is sufficient evidence to me that at the very least the amount of non-spam incorrectly flagged by MAPS and/or ORBS was a small fraction of the amount of spam they were catching.
Trying to prevent spam is like trying to prevent the diffusion of flatulence through the air.
You can't.
But, human beings have the ability to reason and match patterns in history to pattern in planning. And if they see masses of spammers being investigated and tried and sentenced and punished, that's a pattern that will be strong in their history.
Spam is not a violent crime. The inability to intercept it is not a detriment to public safety. But our apathy has led to the feeling among spammers that they can get away with it. By showing them they can't, they will for the most part stop trying.
And it's very easy to enforce. Every spam necessarily includes directions on how to contact those who would profit from your participation. And they need to stay there in order to collect your request. So every spam is a notice to the authorities to go to this place and arrest these people. Their trial will sort out whether they are guilty or not.
--Blair
The apartment complex has no right to tamper with that mail because they have no legitimate control over any point in the delivery system. The mail is routed through workers employed by the people receiving the mail, and the terms of their service are that it will be delivered in an untampered state (I'm ignoring the public/private service distinction at the moment). If the apartment complex wanted to give themselves the right to tamper with delivery, they'd need to institute a policy that allowed them to tamper with materials coming onto their property which are designated for the recipient, and it would have to be an agreed upon clause in the rental contract. In which case yes, you'd find another apartment.
Of course your reference to 'without your knowledge', despite that his original point was that knowledge was what was required, shows how well you're comprehending this discussion in the first place.
Sure, the end user (you) won't see the mail, but the bandwidth is already wasted at that point.
This doesn't solve the problem that ISPs face when they have huge amounts of bandwidth and CPU time consumed by SPAM. ugh.
Your suggestion that the Constitution of the USA is relevant to RBLs also seems weak to me. Private entities are not generally bound by restrictions on the behavior of governments.
Federal case law on the anti-fax spam statute says otherwise. When it was challenged constitutionally in Destination Ventures vs. FCC under the 1st Amendment, it was ruled constitutional because it limited only unsolicited commercial faxes. Based on Supreme Court case law, the court felt it would be unconstitutional to limit any other form of fax-based speech, unsolicited or not.
So, while the anti-spam types say "content doesn't matter," the law says otherwise.
No. Saying "don't lie about your return address" does not equal "you must disclose your return address". "I don't want to tell you" is not fraud. And all it requires technically is something like an anonymous remailer (which even still allows for replies).
It's perfectly possible for someone to get unsolicited mail from someone, ask them to not mail them again, and get compliance for that request, while never revealing to the recipient who the sender is.
If you're an end user, the EFF paper completely and totally supports your right to use whatever you want, including MAPS, to filter your own email.
If you're providing mail service to others, you are making that decision for them, probably without their knowledge or consent. That is what they take issue with.
Exim allows MAPS and other DNS based black lists to be used to mark e-mails. Then procmail can be used to filter those e-mails. This I have found to be very useful.
Further, legislation should be in place that unsolicited e-mail gets an extra header "unsolicited: yes" or something like that so that I can filter better. Those that don't fill in this header should be liable for damages. Also, a flag for sexual content would be good as well.
Clark
I wonder if the EFF also believes that junk faxes should be legal--even though the anti-junk-fax law was upheld as constitutional when challenged on First Amendment grounds.
Never take moderation advice from sigs, including this one.
Should the virus scanning-and-removal also be delayed until the end user receives the mail ?
What is the difference anyway, UCE or Viruses, both are unwanted (the 'U' in UCE) and eat up both the user's and the ISP's resources, time/disk space/cpu/bandwidth.
I came to work once, and was greeted by 13000 bounces in my mailbox, somebody had discovered a client's open sendmail who forwarded everything to our backup MX server, who then sent it to the primary MX, who happily processed it ;-(
Those who deliberately run open mail-relays deserve to be either blacklisted by MAPS or simply shot.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
This is all fine and nice. It is a bit of a US centric view though, since (virtually) the rest of the world pays for their internet connection by the second.
So if I filter on my end, I still pay for the downloaded crap, despite the fact that I never (want to) see it. A powerful, end-user-configurable filter directly at my ISP would be a different story.
I am the musician
with a pocket calculator in my hand
kraftwerk