EFF speaks out against MAPS

Control-Z has brought our attention to the latest EFF newsletter which speaks out against MAPS ^? and ineffective spam legislation. According to the EFF: "The rights of users to send and receive email must not be compromised for quick and dirty ways to limit unsolicited bulk email. Neither misguided and ignorant legislation, nor collusive, high pressure protection schemes, have a legitimate function or place in our online future " The EFF is reminding us that freedom isn't always easy. I feel much worse for those who haven't figured out procmail yet though.

Re:MAPS?

[pjrc]

...don't you have to opt-in to use MAPS?

Not if your packets happen to travel through abovenet. Vixie, founder of MAPS, is the CTO at abovenet, and they regularily drop packets based on MAPS RBL.

Not much choice there for end users.

I agree

[SirSlud]

'blackbox' solutions are dangerous .... avergage users will never be able to infer what goes on behind the scenes. Far more useful would be a 98% successful (my guesstimate at what an acceptable fail rate should be) intelligent, learning filtering system on the client end .. where you can just scan-the-spam topics and make sure you're not missing anything important.

It would be much easier to tackle this problem if a 'pseudolution' (spam is, by its very nature, not 100% solvable) is rolled out with the next generation mail protocal. To this end, does anyone know if there are any current undertakings addressing a next generation email protocol capable of more interaction/configuration from a client?

One VERY nice feature I'd like to see is email addresses with embedded timeout values in them .. ie, you can provide email addresses that somehow 'hide' your real email address and some timeout value, such that only email servers on your end could decrypt the address and figure out if that communication priviledge has 'expired'. I think mail servers would have to know if a mailing was a 'bulk' or 'single' mailing .. single mailings could accept normal email addresses, but multiple mailings would require these encrypted addresses with built in time out values.

I havn't thought TOO deeply about it, as you can tell, and I'm not much of a privacy/encryption expert, but can anyone articulate a set of rules based on the above postulation that is technically feasible?

MAPS has been highly effective for us

[ehintz]

I implemented MAPS and Procmail Sanitizer at my employers corporate gateway about 6 months ago. As the EFF article mentions, there is a concern for legitimate mail being blocked. My solution for this is to include my direct phone line, and a request to contact me if the mail is legit, in the error message sent to mail denied by MAPS. In about 6 months of operation, at a company with about 120 users, we block on average 150 messages per day, with an all time high of 262 in one 24 hour period. I have yet to get a phone call from ANYONE, spammer or otherwise. Meanwhile, users who were getting 10-15 spams per day are now down to 1-2, sometimes none.

Frankly, I've found MAPS to be highly effective. I expected to occasionally toss out legit messages, which was why my direct line is included in every bounce, but MAPS has been considerably better than I could have hoped for. With proper setup and configuration it is quite easy to ensure that legitimate mail gets through with only a minimum of delay. MAPS has been a very worthwhile investment for our company, and our end users have consistently thanked us for implementing it. Likewise, Procmail Sanitizer has stopped all kinds of trojans and viruses cold at the gateway-even catching new ones before being publicized. Although we don't use Outlook, we still find it useful to stop the stuff, and I can't fathom anyone running an Outlook environment without Procmail Sanitizer. Good stuff.

Some "ICQ" features ...

[LoudMusic]

Errr ... I think I'm offtopic, but to hell with karma.

It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list. Your email client could auto delete email from people that aren't in your address book. I guess filters could be used to do this, but it's not obvious for the 'common users', like Grandma (:

There could/should also be a way for the email client to tell the mail server "hey, stop sending me mail from X@X.X". That way you cut it off at the source and it stops messing with your bandwidth. The server could also build a list of ignored email address and domains and stop responding to their requests all together for all users. This could become hurtful, putting control into the user's hands a bit, but somehow I think it would do more good than harm. It would need lots of revision, but I don't have the time or energy to care (:

~LoudMusic

There is a hidden context here.

[Doktor+Memory]

The EFF's anti-MAPS stance has little to do with careful consideration of the legal and ethical issues involved, and a great deal to do with the fact that EFF honcho John Gilmore has landed himself on multiple spam blacklists, and been booted off at least one ISP (Verio) for intentionally running a wide-open relay.

Gilmore's stance is pretty straightforward: running an open relay was a good thing in 1987, so of course it must still be best practice in 2001.

A solution

[SirSlud]

So here's my idea:

Requirements:
- mail servers would have to know if a message is being sent to many users, or [threshhold]
- mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, i think)

So, now you give you email address out to orgnizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fasion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)

Now, here's the kicker: /included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout .. if you dont find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication priviledge in your contact information, without giving the sender the ability to alter that timeout.

So, what has to be done? Does this work? I think once you wrap peoples heads around the idea of a timeout on communication privs, people who love this .. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."

Am I on crack? I think its a good idea.

Collective solutions are bad?!?

[Col.+Klink+(retired)]

If it's bad to share a list of open relays, wouldn't sharing a procmail script be just as bad?

If I tell you how to automatically delete email with subjects like "MAKE MONEY FAST", how am I different from someone telling you that some ISP has an open relay? After all, if I publish a list of subjects that spammers are likely to use, am I not denying their right to send me email just as if I didn't accept email from their domain?

And BTW, I use spambouncer (a set of procmail recipes) to block spam. It's trapped 190 email messages since October 1. I think 3 have slipped past.

Rights vs. privileges

[M_Talon]

Here's where the whole thing gets messy. Yes, it's expected that email that is sent should be received. But the Internet isn't regulated like that, so it's not really a right. I had a big long spiel about this and the Usenet Blackhole list a while back.

The point is that if your ISP is blacklisted, there's usually a good reason for it. It's because they don't control spam like they should, and thus they degrade email service for many many people. The blackhole list is designed to be a wake up call, and it usually isn't used until repeated requests to fix the problem have been ignored. If you find your ISP on the blacklist, complain to them to fix the problem that got them there. Either that, or switch to an ISP that isn't on the list. It's not your right to send email that's curtailed, it's the privilege to send it through that ISP that's restricted. Complaining about the lists themselves won't accomplish anything.

ISPs who have contracts that don't allow them to block email don't use the RBLs, but many ISPs specifically retain the right to block email if they need or want to. As companies, it's in their interests to protect their bottom line, and spam email is a bandwidth and storage killer. We won't see those lists go away until a better way of stopping spam comes along.

Silly EFF

[seebs]

Freedom means the government can't tell you to shut up; it doesn't mean I have to listen to you.

Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.

That's not free speech. Free speech is the right to say things that people don't like - not the right to say things at no cost to yourself, to people who don't want to subsidize you, in their private space.

Re:Amount of SPAM question...

[Todd+Knarr]

I don't know how authoritative this is, but my old ISP (XMission in Salt Lake City) had a page listing attempts blocked by the MAPS rules. They were blocking somewhere about 10-20 thousand attempts per day on average, with regular spikes into the 40 thousand range and occasional spikes into the 70-80 thousand attempt neighborhood.

As a sanity check, they only flagged messages listed on ORBS and, for a while, only flagged messages listed on MAPS (until the spamload got too high). In 6 years, I got precisely one piece of mail that was ORBS-flagged that wasn't spam, and no non-spam with a MAPS-flag while MAPS flagging was in effect. Since ORBS is more aggresive in listing sites than MAPS is, this is sufficient evidence to me that at the very least the amount of non-spam incorrectly flagged by MAPS and/or ORBS was a small fraction of the amount of spam they were catching.

Enforcement, not prevention.

[blair1q]

Trying to prevent spam is like trying to prevent the diffusion of flatulence through the air.

You can't.

But, human beings have the ability to reason and match patterns in history to pattern in planning. And if they see masses of spammers being investigated and tried and sentenced and punished, that's a pattern that will be strong in their history.

Spam is not a violent crime. The inability to intercept it is not a detriment to public safety. But our apathy has led to the feeling among spammers that they can get away with it. By showing them they can't, they will for the most part stop trying.

And it's very easy to enforce. Every spam necessarily includes directions on how to contact those who would profit from your participation. And they need to stay there in order to collect your request. So every spam is a notice to the authorities to go to this place and arrest these people. Their trial will sort out whether they are guilty or not.

--Blair

Re:The next DMCA/"Patriot " bill waiting to happen

Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal.

No. Saying "don't lie about your return address" does not equal "you must disclose your return address". "I don't want to tell you" is not fraud. And all it requires technically is something like an anonymous remailer (which even still allows for replies).

It's perfectly possible for someone to get unsolicited mail from someone, ask them to not mail them again, and get compliance for that request, while never revealing to the recipient who the sender is.

EFF position on Junk Fax?

[Sodium+Attack]

I wonder if the EFF also believes that junk faxes should be legal--even though the anti-junk-fax law was upheld as constitutional when challenged on First Amendment grounds.

Antivirus also ?

[AftanGustur]

Should the virus scanning-and-removal also be delayed until the end user receives the mail ?

What is the difference anyway, UCE or Viruses, both are unwanted (the 'U' in UCE) and eat up bot the users and the ISPs resources, time/disk space/cpu/bandwith.

I came to work once, and was greeted by 13000 bounces in my mailbox, somebody had discovered a client's open sendmail who forwarded everything to our backup MX server, who then sent it to the promary MX, who happily processed it ;-(

Those who deliberatly run open mail-relays deserve to be either blacklisted by MAPS or simply shot.

Too simplicistic

[CaptainZapp]

On a larger scale, EFF supports combatting spam by providing end-users with adequate tools to filter unwanted messages on the receiving end.

This is all fine and nice. It is a bit of a US centric view though, since (virtually) the rest of the world pays for their internet connection by the second.

So if I filter on my end, I still pay for the downloaded crap, despite the fact that I never (want to) see it. A powerful -, end user configurable filter directly at my ISP would be a different story.