Slashdot Mirror


EFF speaks out against MAPS

Control-Z has brought our attention to the latest EFF newsletter which speaks out against MAPS and ineffective spam legislation. According to the EFF: "The rights of users to send and receive email must not be compromised for quick and dirty ways to limit unsolicited bulk email. Neither misguided and ignorant legislation, nor collusive, high pressure protection schemes, have a legitimate function or place in our online future." The EFF is reminding us that freedom isn't always easy. I feel much worse for those who haven't figured out procmail yet though.

185 of 386 comments

  1. Re:MAPS? by Evangelion · · Score: 2, Insightful


    The ISP opts-in, the user doesn't.

    Furthermore, a user on an ISP that got listed on MAPS certainly doesn't.

  2. The next DMCA/"Patriot" bill waiting to happen. by dave-fu · · Score: 2, Insightful

    Everyone hates spam, everyone wants it to go away... unfortunately, no one has any really good answers as to how it should happen.
    Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal.
    Any legislation created will boil down to one thing: the Balkanization of the Internet.
    I see a big market in e-mail wizards that will help guide you towards writing e-mail that's legal in every country in the world if anti-spam bills start getting passed.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours, 59 minutes ago. No need to try again.
  3. I think that they are right by einhverfr · · Score: 4, Insightful

    The whole point of fighting for freedom is that it is even the freedoms of those we don't like that we are preserving, or those we wished would have no freedom. Freedom is only as great as its lowest common denominator.

    So yes, I think that this is reasonable and a laudable position to take. Censorship is especially a lowest common denominator freedom-- who decides the standards on which things are censored? How are false accusations handled? Can that censorship be turned on you or I?

    --

    LedgerSMB: Open source Accounting/ERP
    1. Re:I think that they are right by COAngler · · Score: 2
      The whole point of fighting for freedom is that it is even the freedoms of those we don't like that we are preserving, or those we wished would have no freedom. Freedom is only as great as its lowest common denominator.



      Whose freedom are we talking about here? Mine. Specifically, MY freedom to decide who is allowed to use MY SMTP server. I paid for the server. I decide who is allowed to send through it and who is allowed to receive through it. If somebody thinks I need to let him use it without my permission, then I trust that he'll understand when I spraypaint _my_ business's advertisements on his car's windshield.



      So yes, I think that this is reasonable and a laudable position to take. Censorship is especially a lowest common denominator freedom-- who decides the standards on which things are censored? How are false accusations handled? Can that censorship be turned on you or I?



      Censorship has nothing to do with this discussion. MAPS is publishing a list of IP addresses and representing that "These IP's have been implicated in spamming. We have tried to contact the owners of these IP's. Some of the owners could not be reached. Others have refused to take measures to prevent spamming from their services."



      That's all they do: publish the list. I used to use it as a true blocklist. Other people I know have used it to insert an X-Spam header into incoming email. It's up to each individual admin to implement it and decide how it's to be used.



      You might also take a look at the US Constitution. Show me the _EXACT_ wording that gives a right to send or receive email. It ain't there. Nobody has a right to send me email and have it received. No sensible ISP will make any guarantee that email will go through.



      And if someone doesn't like a spamblocked ISP, then he has to remember that he doesn't own the ISP. He's a customer. Customers are worth listening to, but they don't own the machines. If they want to be in charge of a mail server, then they should buy their own. Sendmail is free and early Pentiums are damned cheap. And considering what volume of my incoming mail is spam, I doubt they want the increase in rates that I'd have to charge to pay for the larger pipes and larger hard drives.



      I floated the question about two years ago, back when MAPS was the Great White Hope of the pro-property-rights people, and got better than 75% saying to go ahead and filter.



      And when someone doesn't like MAPS, thinks they're unreliable or has false info, they can get rid of them easily enough, stop using the MAPS RBL in the filters. Contrary to a popular delusion among spammers, nobody holds a gun to anybody's head and forces them to use MAPS, SPEWS, ORBZ, or any of the other lists.

  4. Procmail by Kozz · · Score: 5, Informative

    For the uninitiated, procmail is a fantastic tool. To learn more about it, check this link for how-tos, documentation, tutorials, and other spam-fighting tools.

    --
    I only post comments when someone on the internet is wrong.
    1. Re:Procmail by Anonymous Coward · · Score: 4, Informative

      From the Procmail FAQ:

      Q: I want to use Procmail for spam filtering.

      A: Good luck. Have fun. Have you considered the following?

      It's really kind of late to stop the spam when it's already on your mail server. Better solutions would involve your mail administrator and IP-level blocks against spam sites (RBL et al.) as well as probably additional server-level filtering.

      Don't reinvent the wheel. There are good recipe packages out there which you cannot duplicate without serious effort. And it'd be a waste of time anyway. You'll find links to many Procmail spam filtering packages on the links page.

      Procmail is excellent for fine-tuning and for sorting already identified spam to a separate folder (some sites will just tag suspect messages, but still let them through) but on today's Internet, proper antispam measures belong in the mail server layer (if not in the political layer).

      Basically it says Procmail shouldn't be used for this and to use RBL.

    2. Re:Procmail by G27+Radio · · Score: 2
      Good luck. Have fun. Have you considered the following? It's really kind of late to stop the spam when it's already on your mail server. Better solutions would involve your mail administrator and IP-level blocks against spam sites (RBL et al.) as well as probably additional server-level filtering.

      I agree with the last sentence that I quoted. But as of now, there is no way for the end user to filter it at that level. I think this is the key to stopping spam. I think it's as ridiculous to expect legislation to stop spam as it is to expect legislation to stop people from walking into my house if I don't lock the doors. The fact is that we need the tools to block spam from our e-mail boxes ourselves. Do we really want our governments to pass a bunch of ineffective laws instead?

      Back to my original point, they say that it's too late to block spam when it's already on our mail server. But right now we can't as end users block it until we've already downloaded it to our own machines, so blocking between the server and our PC would be a vast improvement at this point.

      Ultimately I'd like sendmail to be able to block based on a black/gray/white-list file/database on the server. Blacklist=never accept, whitelist=always accept, and greylist is an autoresponder that gives human-readable instructions requesting that the sender enter an arbitrary keyword to get on the whitelist.
      You currently don't have access to this mailbox. This mailbox does not allow unsolicited commercial e-mail. If you agree to these terms please type 'accept' now to send your e-mail.


      That's really just a rough outline. But the thing that would make it all possible would be for sendmail to allow the owner of the mailbox to be able to have their black/grey/whitelists and a list of keywords that would determine which list to put undetermined senders on.

      I posted this idea on Usenet six or seven years ago and got flamed for it, but I really believe that giving the mailservers the ability to filter based on address lists and keyword lists would empower e-mail client developers and users to truly combat spam.
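The black/grey/white scheme outlined in the comment above, as an added example that is not part of the original post or of sendmail. The `Mailbox` class, the `MAX_HELD` cap and the rule that a sender is challenged only once are assumptions made for illustration; the challenge text is the one from the comment.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

CHALLENGE = ("You currently don't have access to this mailbox. This mailbox "
             "does not allow unsolicited commercial e-mail. If you agree to "
             "these terms please type '{kw}' now to send your e-mail.")
MAX_HELD = 5  # assumption: cap on messages held per unverified sender


@dataclass
class Mailbox:
    """One owner's lists; hypothetical class, not a sendmail feature."""
    keyword: str = "accept"
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    held: dict = field(default_factory=dict)  # greylist: sender -> held bodies

    def receive(self, sender, body):
        """Return (action, payload) for one message from `sender`."""
        addr = parseaddr(sender)[1].lower()
        if not addr or "@" not in addr:
            return ("reject", "no usable sender address")
        if addr in self.blacklist:          # blacklist = never accept
            return ("reject", "sender is blacklisted")
        if addr in self.whitelist:          # whitelist = always accept
            return ("deliver", [body])
        if addr in self.held:
            if self._answers_challenge(body):
                # Keyword received: promote the sender, release held mail.
                self.whitelist.add(addr)
                return ("deliver", self.held.pop(addr))
            if len(self.held[addr]) < MAX_HELD:
                self.held[addr].append(body)
            # Already challenged once. Staying silent keeps a forged sender
            # address from being mailed a challenge for every message.
            return ("hold", None)
        # First contact from an unknown sender: hold it and challenge once.
        self.held[addr] = [body]
        return ("challenge", CHALLENGE.format(kw=self.keyword))

    def _answers_challenge(self, body):
        # Only the first non-blank, non-quoted line counts, so a reply that
        # merely quotes the challenge text does not pass by accident.
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith(">"):
                return line.lower().strip("'\".") == self.keyword
        return False
```
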
    3. Re:Procmail by cymen · · Score: 2

      Do we really need such disclaimers? If you read /. and have some nads you should be able to get procmail working. Jeeze...

    4. Re:Procmail by cymen · · Score: 2

      Once you get past ignoring their little disclaimer go get JunkFilter - addon scripts for procmail that help eat spam... Personally I send it to a Spam-JF IMAP folder just in case it gets something important. In the last 2+ years of using it only a couple emails have been misclassified (plus I'm even running an old version!). Time to go upgrade...

  5. Don't take away my MAPS! by CmdrTaco+on · · Score: 3, Funny

    How the hell will I be able to take vacations across country without good maps? This is a conspiracy by the airline companies to increase sales of tickets since Sep. 11! Fucking bastards!

    --

    saru mo ki kara ochiru

  6. How to stop spam : by Gaijin42 · · Score: 4, Informative

    I highly recommend all people go out and use sneakemail link.

    This is a great utility for stopping spam while not interfering with your normal email.

    It gives you unlimited disposable email addresses to give out whenever you need an email for a website.

    If you don't want email from that address anymore, you can turn it off.

    On the other hand: Spam is meant to market a good or service. Therefore there must be some way to get in contact with the spammer, otherwise their spam would be ineffective. A task force needs to be created which smacks spammers upside the head with fines, or just plain shuts them down.

    Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

    1. Re:How to stop spam : by mmontour · · Score: 4, Informative

      Another good service is, of course, spamcop.net.

      There's a free tool to de-obfuscate the headers of Spam and send complaint letters to the appropriate abuse departments. They also have a paid filtering service that will hold any possible spam messages until you manually approve the sender (or report it as spam). Money well spent, IMHO.

      Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)

      As for the valid return address, I would say this is necessary (but not sufficient) for a Spam to be "legal" in any sense (along with "ADV:" in the subject line, other standard headers to identify it as spam, and a notification of how they got my email address so that I can badger / LART the upstream company to stop selling my info).

      However, the "remove" method doesn't really work because these addresses are often just a way to verify that your address is still "live". One way to test this is to send a removal request using a newly-created address, then wait to start receiving spam on that address.

      The only way for "opt-out" to actually work is to have a higher-level, trusted agency maintain the opt-out list (similar to "do-not-call" lists that exist for telemarketing agencies). However, given the nature of the Internet, it's hard to say what agencies should have jurisdiction here.

      Of course, the best way to deal with spammers involves a jar of honey and an anthill...

    2. Re:How to stop spam : by harlows_monkeys · · Score: 3, Insightful
      Spam should be legal, as long as they include a valid return addy, and have a way to remove people (for real)


      The big problem with that Gaijin42, is that spam is very cheap to send, and mailing lists are easy to build and exchange.


      Run some numbers...say, several thousand companies sending spam to 20 million people each, with a lot of overlap on the mailing lists. Some people would get thousands of emails. This would make email completely unusable for anything other than receiving spam, for many people.


      As long as the sender does not pay the cost of email, spam has to be limited.

    3. Re:How to stop spam : by Jay+L · · Score: 2, Insightful

      There are 22 million small businesses in the U.S. alone.

      If one-tenth of one percent of them decided to send you one message this year, and if they coordinated to achieve load-balancing, you would still get over 200 pieces a DAY.

      Opt-out doesn't scale.

    4. Re:How to stop spam : by Technician · · Score: 2

      I think the above poster does not have e-mail or is a newbie. The post does not mention anything regarding actually trying to fight spam. Anybody who has received it in large quantities knows otherwise. Maybe the above post is just a troll. Sure you can contact them. Call the Tarot card reader phone number given in the spam and complain. That'll be $10.95 + $3 per minute billed to your phone number. thanks..

      --
      The truth shall set you free!
  7. Re:MAPS? by pjrc · · Score: 4, Interesting
    ...don't you have to opt-in to use MAPS?

    Not if your packets happen to travel through abovenet. Vixie, founder of MAPS, is the CTO at abovenet, and they regularly drop packets based on MAPS RBL.

    Not much choice there for end users.

  8. Fighting for freedom by unformed · · Score: 2, Insightful

    "When they took away the Fourth Amendment, I said nothing. I didn't deal in drugs. When they took away the Sixth Amendment, I said nothing. I was innocent. When they took away the Second Amendment, I said nothing. I didn't own a gun. Now they've taken away the First Amendment, and I can say nothing." -author unknown

  9. EFF is misguided in this by gorilla · · Score: 5, Insightful

    Your right to send mail stops at my mail server, I can refuse to accept mail based upon anything I feel like, including irrational reasons.

    1. Re:EFF is misguided in this by Reality+Master+101 · · Score: 2

      That's fine, but they are not saying that you are required to read all mail that comes into your server.

      The question is, do you want your ISP and/or the government making the decision on what mail you can or can't receive -- without your knowledge?

      --
      Sometimes it's best to just let stupid people be stupid.
    2. Re:EFF is misguided in this by gorilla · · Score: 4, Informative
      That's fine, but they are not saying that you are required to read all mail that comes into your server.

      Yes they are. They're saying that all the filtering should happen at the end user end, when the spam has already cost money. To give a REAL example, I had someone sending mail to over 30,000 random names @domain in one night, all starting with the letter a, before I blocked them. These were names which had never existed in our system. If I adopted the EFF's position, then all of my users would have had a month of bad service, or I'd have to get a much bigger mail server.
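The kind of run described in the comment above (tens of thousands of nonexistent recipients from one sender in a night) shows up in rejected-recipient logs. An added example, not part of the original thread: it counts distinct unknown recipients per client IP in a sliding window. The log format, threshold, window and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a made-up format (not any real MTA's output).
SAMPLE_LOG = """\
2002-01-05T02:14:07 rcpt client=198.51.100.7 to=<aaron@example.com> result=user-unknown
2002-01-05T02:14:08 rcpt client=198.51.100.7 to=<abby@example.com> result=user-unknown
2002-01-05T02:14:08 rcpt client=203.0.113.40 to=<alice@example.com> result=ok
2002-01-05T02:14:09 rcpt client=198.51.100.7 to=<abel@example.com> result=user-unknown
2002-01-05T02:14:10 rcpt client=198.51.100.7 to=<ada@example.com> result=user-unknown
2002-01-05T03:00:00 rcpt client=192.0.2.9 to=<alcie@example.com> result=user-unknown
2002-01-05T04:00:00 rcpt client=192.0.2.9 to=<bbo@example.com> result=user-unknown
2002-01-05T05:00:00 rcpt client=192.0.2.9 to=<carlo@example.com> result=user-unknown
2002-01-05T06:00:00 rcpt client=192.0.2.9 to=<dvae@example.com> result=user-unknown
"""

LINE = re.compile(
    r"^(?P<ts>\S+) rcpt client=(?P<ip>\S+) to=<(?P<rcpt>[^>]*)> "
    r"result=(?P<res>\S+)$"
)


def find_harvesters(lines, threshold=4, window=timedelta(minutes=10)):
    """Map client IP -> timestamp at which it first crossed the threshold.

    A client is flagged once it has tried `threshold` *distinct* unknown
    recipients within `window`. Retries to one bad address and the odd typo
    spread over hours do not count as an attack.
    """
    recent = defaultdict(deque)   # ip -> deque of (time, recipient)
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["res"] != "user-unknown":
            continue              # unparsable line or a successful delivery
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        # Drop entries that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {rcpt for _, rcpt in q}
        if len(distinct) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = m["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(ip, "flagged at", when)
```
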

    3. Re:EFF is misguided in this by Reality+Master+101 · · Score: 4, Insightful

      They're saying that all the filtering should happen at the end user end, when the spam has already cost money.

      I'm not arguing that spam isn't a problem in many cases, but I know that I DO NOT want a bunch of nannies telling me what mail I can or cannot receive. If an ISP wants to offer blocking based on MAPS or any other system, then they should set up an opt-in for individual users, and the default should be opt-out.

      --
      Sometimes it's best to just let stupid people be stupid.
    4. Re:EFF is misguided in this by gorilla · · Score: 2
      Sure I do. They can decide they don't like the service and not use it.

      I don't really care how inaccurate they are. As long as they stop at least 1 item of spam ever then they have paid for the effort putting them in (Not much at all).

    5. Re:EFF is misguided in this by gorilla · · Score: 2

      An ISP can choose whatever policies it likes. If it thinks that it can get most customers by blocking everyone except users with the username 'banana' then they're allowed to do that. If you don't like that policy, then go to another ISP.

    6. Re:EFF is misguided in this by Reality+Master+101 · · Score: 2

      An ISP can choose whatever policies it likes.

      At this time, it's a question of ethics. It is unethical to block mail for an individual user without that user's consent.

      Quite frankly, however, I think it should probably be illegal to block someone's e-mail without their consent. It's a lot like interfering with postal mail, which is a federal offense.

      --
      Sometimes it's best to just let stupid people be stupid.
    7. Re:EFF is misguided in this by gorilla · · Score: 2

      I disagree. It's unethical to not operate a system in the best interests of the owners, who are not the users.

    8. Re:EFF is misguided in this by Reality+Master+101 · · Score: 2

      So if your apartment complex, who are the owners, decided to sort through your postal mail and decide what you would or wouldn't receive, and did it without your knowledge, you wouldn't have a problem with that? After all, they own the mail boxes, right?

      --
      Sometimes it's best to just let stupid people be stupid.
    9. Re:EFF is misguided in this by harlows_monkeys · · Score: 2
      If an ISP wants to offer blocking based on MAPS or any other system, then they should set up an opt-in for individual users, and the default should be opt-out


      It is opt-in. When deciding what ISP to use, one of the things you should look at is how they deal with spam. If they use MAPS and you don't want to use MAPS, don't use that ISP.

    10. Re:EFF is misguided in this by Skapare · · Score: 2

      I am the ISP. My customers complain about spam. They don't want it. So I do what I can to block it. There is some collateral damage, but it is very small compared to the spam that I'm now successfully blocking. If a customer wants spam, they can use another ISP, or run their own MX server, or pay me to run a parallel set of unblocked servers. They have the freedom to choose. The ISPs are not forcing anything on their customers if there is a choice there.

      --
      now we need to go OSS in diesel cars
    11. Re:EFF is misguided in this by Skapare · · Score: 2
      Yes, you can refuse your own mail for any reason you like. But if you provide a service to other people you have no right to arbitrarily decide to discard their incoming mail.

      It is you who have no right to arbitrarily tell me what I can do or not do with my business. I'll make the decision that best reflects the way I want to do business. If you were my customer and didn't want to have your mail filtered the way I do it, you're free to move on to another ISP.

      While I am concerned about some of the blacklist policies, I've found they are tremendously effective and have quite little collateral damage. What little I have found I can fix up myself. But I'd certainly like to have a better blacklist, but somehow I doubt you and I could work together to create one.

      --
      now we need to go OSS in diesel cars
    12. Re:EFF is misguided in this by Skapare · · Score: 2

      The default is you get no mail at all. That's not just how I think it should be, that is how it actually is before you get on the internet. Now how you do choose to get online is your choice. Want to go with an ISP that subscribes to every blacklist? Want to go with an ISP that subscribes to none? Want to run your own mail server? The choice is yours. Don't go whining because one of the choices happens to be something you would not want.

      --
      now we need to go OSS in diesel cars
    13. Re:EFF is misguided in this by Skapare · · Score: 3, Insightful

      Oh, it's you again.

      The user consents when they choose to use an ISP that opts to use blacklisting to satisfy most of their customers.

      I'm not opening the mail to see what's inside. I just choose not to allow the mail to be coming from places known to be sources of problems. If the Post Office knew that mail coming from a certain place was costing them more than what they are paid to deliver it, you can be sure they will stop taking the mail from there. That's not interfering with the mail, because that's the post office doing it themselves. I'm sure these days if the package looks suspicious, they're going to check on it. They may not even deliver it right now. But that is not interfering with the Post Office because it is they who are doing it.

      I deliver mail in my mail server the way I like, and I don't want interference from outsiders telling me what to do. If you are a potential customer, and prefer a different ISP, then certainly tell me why you don't want my service. If there are enough people like you to justify setting up the service you want, I'd probably do it.

      --
      now we need to go OSS in diesel cars
    14. Re:EFF is misguided in this by Skapare · · Score: 2

      If they are doing the sorting of the mail from big mailbags arriving from the postoffice, then I'd tell them I'd like to have the junk mail removed, and if anything else is removed, or junk added, I'll move. But if it is not their job to do that, of course I'd have a problem with it. I don't interfere with the IP packets going to the mail servers of customers who do their own. I only do the filtering of email in my own servers.

      --
      now we need to go OSS in diesel cars
    15. Re:EFF is misguided in this by Skapare · · Score: 2

      If the junk snail mail levels were anywhere like the levels in email, I think I would like to have them sort out the junk and toss it. It would save me a lot of time. The question is, how would they do that? The problem is, they don't get mail directly from different distinctive places which can be identified as sources of junk or not. But in email, this does happen, and it makes it very easy to filter fairly accurately. So I believe your scenario simply would not happen because there is no practical means to accomplish with snail mail that which is accomplished fairly effectively in the realm of email.

      --
      now we need to go OSS in diesel cars
  10. MAPS & ORBS aren't that painful by fetta · · Score: 5, Informative

    A few years ago, I came onboard at a small company just in time for their mail server (Exchange 5.0) to get blacklisted (by ORBS, I think). It sucked at the time, but if we hadn't gotten blacklisted the open relay would have remained open for a long time (the problem prompted our move to qmail). Once I closed the open relay and informed ORBS, we were quickly removed from the list.

    In theory, I have no problem with the concept of these blacklists. The use of them is voluntary. From what I've heard, there may need to be some serious discussions about how they gather their data and their procedures for getting off their blacklists, but the concept seems to be both effective and practical. Also, mail providers should be up front about their use of these lists so that users can choose to use an "unprotected" mail server if they choose.

    --
    ** The opinions expressed here are my own, and do not reflect those of my employers - past, present, or future**
    1. Re:MAPS & ORBS aren't that painful by fetta · · Score: 2

      I bet you'd have a problem if you had to pay a $10 dollar "processing" fee to be removed from the list, wouldn't you?

      Yes. When I was blacklisted, there were no fees to be removed - you just had to fix the problem and inform the list maintainer. I haven't been in charge of a mail system in quite some time, so I'm not up to date on all the latest details of the controversy. Giving somebody a profit motive for "false positive" listings is disturbing and changes the nature of the list significantly (IMHO).

      --
      ** The opinions expressed here are my own, and do not reflect those of my employers - past, present, or future**
    2. Re:MAPS & ORBS aren't that painful by McSpew · · Score: 4, Insightful

      The problems with most of these blacklists (and there are lots of them) is that there are no globally-accepted standards for how open relays should get on or off the lists, how to notify owners of blacklisted IPs and how long entries should be blacklisted in the absence of other feedback.

      I hate spam at least as much as the next guy, but I'm still cleaning up from an attack that happened two months ago through a server I thought had been configured to prevent relaying. Unfortunately, it had been rebuilt (and badly) since the last time I'd verified its configuration. The attack launched through the relay lasted no longer than 36 hours. I realize that's a helluvalong time in Internet time, but considering the attack began over a weekend, the fact that I caught it and stopped it on Sunday morning means I caught it 24 hours faster than I normally might have.

      I fully expected to wind up on some blacklists because of the incident, but I didn't expect to be winding up on new blacklists 30 days after the fact.

      Today, I got an email from a user who hasn't been able to contact somebody important for three weeks. The user on the other end was completely unaware that their ISP was blocking our email.

      I'd like to see standards for notifications, for aging entries (and eventually dropping them), for active verification and automated retesting, and for subscribing ISPs to notify their users how many emails they blocked and from whom they were blocked.

      But that's just me.

    3. Re:MAPS & ORBS aren't that painful by macdaddy · · Score: 2

      Why should I tell you I'm blacklisting you? I list 10-30 spamming domains per day in my Sendmail access lists. Many are known spamming outfits like Alan Ralsky. Others are ISPs that I've reported mail abuse to and nothing was done about it or I got a reply saying "it's not our fault" or "we don't believe you". I get both of those often or nothing at all and the spam continues to flow. I see nothing wrong with not telling you that I'm not going to accept mail from you.

    4. Re:MAPS & ORBS aren't that painful by StenD · · Score: 2
      Why should I tell you I'm blacklisting you? I list 10-30 spamming domains per day in my Sendmail access lists. [...] I see nothing wrong with not telling you that I'm not going to accept mail from you.
      And this is the reality that the EFF is ignoring, and that MAPS and ORBS were created to address. Lacking the magically intelligent mail filter, individual ISPs create their own blacklists, and it is impossible to get off of all of the individual blacklists. Using a global blacklist is like democracy - it sucks, but it's better than anything else that's available.
    5. Re:MAPS & ORBS aren't that painful by McSpew · · Score: 4, Insightful

      Why should I tell you I'm blacklisting you?

      If you're a private citizen, you owe me nothing. If you're an ISP, you owe me at least a cursory attempt to have an automated program try to email me. Fer cripes sake, how hard would it be to write a perl script that parses the IPs, performs a reverse-DNS lookup, tries to email postmaster@ and then blacklists?

      If I'm a real spammer or a moron with a cable modem, you won't get a valid or useful reverse-DNS. Fine. Don't notify those morons or scumbags directly. But for poor bastards who got caught with their shorts down, let's not go out of our way to make their lives hell after they've already fixed the problem.

      The sites that have blacklisted me aren't private individuals. They're blacklist organizations that small ISPs and some corporations belong to. The SMTP service that acted as a relay for a day and a half has a valid RDNS name that is mx.mydomain.com. It shouldn't have been tough for somebody to figure out they could send an email to postmaster@mx.mydomain.com or abuse@mx.mydomain.com or even postmaster@mydomain.com.

      I'm all for killing spammers and sterilizing their children. And I don't have a problem with blacklisting morons like myself. I do have a problem with making it impossible for me to redeem myself.

    6. Re:MAPS & ORBS aren't that painful by macdaddy · · Score: 2
      I owe you something if I'm an ISP? Now just where the hell did you come up with that? I'm assuming (since you didn't say) that the "poor bastard" with their shorts down had an open relay that was used to spam me. I don't list open relays. I use the RSS for that. I report it and let MAPS test/notify. I blacklist spamming domains and very well-known pro-spam providers like Broadwing. I don't list some poor bastard because they made a config error. When I report the open relay I typically do research to find out whose machine it is (or at least the upstream) and CC them on the report. I blacklist hosts when they do nothing but spam us, Rumplestiltskin attacks, floods, etc... I also go out of my way to get their provider to do something about them (typically it's a DSL/cable customer). It is however my hardware and my resources. I made no guarantees to my users that they would receive full, complete, and unfiltered email. I filter viruses too. They don't seem to mind that at all. I would love to find a way to let my users opt-out of our checks but there isn't such a way yet. Sendmail either accepts the message if it doesn't match, or rejects it if it does match. It doesn't give a damn who the message is going to. If there was a way to set an X-Spam tag for users that ask for non-filtered mail, I'd implement it. The only way of doing it now is with an LDA like procmail. By the time a message gets to procmail, you've already wasted your resources by fully accepting the message. All you can do then is send it back to MAILER-DAEMON@that-domain.tld. Your MTA can't reject it the way SMTP was meant to work. If someone came up with the program to do it, I'd love to do it for my users. Unfortunately it's not there yet. I would still filter all mail unless they explicitly asked for the other option (which would entail me still identifying the mail I'd reject as spam with a header tag and let the user's MUA filter it).

      J

  11. Re:MAPS? by igjeff · · Score: 3, Informative

    Not true...it is not difficult for an ISP to set up the use of things like MAPS RBL on a user by user basis.

    Jeff

  12. MAPS is not the problem by ethereal · · Score: 5, Insightful
    ...lack of notification that your ISP uses MAPS is the problem. Any ISP that uses MAPS without saying so should be sued for fraud; since they're not providing the complete connectivity that they advertise. ISPs should just put their MAPS usage in their TOS, or even (if possible) allow the user to choose MAPS or not for their email accounts. Some ISPs could advertise that they use MAPS and are spam-safe; others could advertise that they don't use MAPS and are freedom-enabled (or something like that).

    As long as there is sufficient notification and user choice, then there's nothing wrong with MAPS. It's only when their somewhat strong-arm tactics are combined with ISP coercion that the user really has a problem.

    --

    Your right to not believe: Americans United for Separation of Church and

    1. Re:MAPS is not the problem by stilwebm · · Score: 2

      Most ISPs have terms of service which state that they have the right to a) determine what you can and cannot send and receive and b) terminate your service at any time.

    2. Re:MAPS is not the problem by Bishop · · Score: 2

      Hmm, why not two mail hosts? user@isp.net and user@ns.isp.net or some such. Might be a bit of an admin nightmare though. I can see how to do it, but would it work for 10000 users?

    3. Re:MAPS is not the problem by _Sprocket_ · · Score: 2


      OK, here's a good ISP idea: just add a header to the mail saying that the ISP tagged the email as being MAPS-blacklisted. X-ISP-MAPS-Found, or something like that. Then the user could very easily configure their client to drop mail with that header, or not.

      I've worked for a company that did this with their corporate mail environment. Works pretty good, if you know what to look for (and they did a good job to educate their people about the system).


      However, that does nothing to protect the ISP and the user from the burden of the email. They still take a hit when dealing with this undesired traffic. Even if it does allow a hook to automatically deal with it without human intervention.

  13. What's wrong with voluntary collective solutions? by vees · · Score: 5, Insightful

    It's a shame to see MAPS and collective protection schemes dumped into this list of "bad things." Like most geeks, I don't like everything that MAPS does and I'll admit that I've even been on the wrong side of the ORBS cluestick in the past. However, I believe the concept of collective protection is a good one. If there's a problem with ISPs using systems like that to block legitimate mail, then customers who want to receive said mail won't be with them for long. There are natural market pressures at work to provide what the most important people (the end users like our friends and family) want.

    Like most of you, I have a pretty potent procmail script, but I have to say I've probably invested an absurdly significant amount of time in my labor of love getting it just right. If I were less of a geek, I might tend towards finding a group of like-minded mail readers and collecting our resources together. If eventually our creation became a widely recognized and used method of mail filtering, great! Then that's the choice of every sysadmin and every participant (by the merits that they all pay his/her salary) to be behind that shield. Nobody else has the right to tell me I have to accept socket connections from them if I don't want to.

  14. Blacklist implementation voluntary, too by Erasmus+Darwin · · Score: 3, Informative

    An issue the article fails to address is that the provider subscribing to a given blacklist may choose how to handle that information. Automatically rejecting emails is only one choice (and happens to be what we use where I work). Another option is to merely flag messages from blacklisted addresses, so that they can wind up in a lower priority "junk mail" folder that is still manually reviewed. Yet another option, the worst of the bunch and also the only one mentioned in the article, is for a server to silently discard all blocked mail with no error being returned.
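
Added example, not part of any comment in this thread: a sketch of the per-user handling discussed above, deciding at RCPT TO time whether to reject a listed sender or accept and tag the message with a header such as the X-ISP-MAPS-Found suggested earlier. The zone name, IP addresses, mailbox names and the in-memory stand-in for DNS are constructed for illustration.

```python
import ipaddress

# Constructed data standing in for DNS: query name -> A record.
# 192.0.2.0/24 is a documentation range; the zone name is hypothetical.
ZONE = "rbl.example.net"
FAKE_DNS = {"7.2.0.192.rbl.example.net": "127.0.0.2"}

REJECT, TAG, OFF = "reject", "tag", "off"

# Per-mailbox preference (constructed). Anyone not listed gets the default.
POLICY = {
    "alice@isp.example": REJECT,   # refuse listed senders during SMTP
    "bob@isp.example": TAG,        # accept, but mark for the user's own filter
    "carol@isp.example": OFF,      # asked for unfiltered mail
}


def dnsbl_name(ip, zone=ZONE):
    """Build the blacklist query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=FAKE_DNS.get):
    """Listed means the name resolves to a 127.x answer; no answer means clean."""
    answer = resolve(dnsbl_name(ip))
    return answer is not None and answer.startswith("127.")


def rcpt_decision(client_ip, rcpt, policy=POLICY, default=REJECT,
                  resolve=FAKE_DNS.get):
    """Decide per recipient, while the sending server is still connected.

    Returns (smtp_code, smtp_text, extra_header_or_None). A 550 here means
    the message body is never accepted for that recipient, and the sender's
    own server reports the failure. Silent discard is deliberately absent.
    """
    mode = policy.get(rcpt.lower(), default)
    if mode == OFF or not is_listed(client_ip, resolve):
        return 250, "OK", None
    if mode == REJECT:
        return 550, "5.7.1 %s is listed in %s" % (client_ip, ZONE), None
    return 250, "OK", "X-ISP-MAPS-Found: %s" % dnsbl_name(client_ip)


def session(client_ip, rcpts, **kw):
    """One message, several recipients: each gets its own outcome."""
    accepted, refused = {}, {}
    for rcpt in rcpts:
        code, text, header = rcpt_decision(client_ip, rcpt, **kw)
        if code == 250:
            accepted[rcpt] = header      # header to add to this user's copy
        else:
            refused[rcpt] = text         # reply sent for this RCPT TO
    return accepted, refused


if __name__ == "__main__":
    ok, no = session("192.0.2.7", sorted(POLICY))
    print("accepted:", ok)
    print("refused: ", no)
```
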

  15. Right to send email? by Rombuu · · Score: 5, Insightful

    Since when does anyone, anywhere have the right to send email? Since when does anyone have the right to have their data go over a network that they don't own? If someone wants to drop the letter 'P' from every packet that goes over their network, last time I checked, they still have that right. And if they don't want to carry your email, for whatever reason, last time I checked, they have that right.

    And the EFF wants to get rid of your rights... sigh..

    --

    DrLunch.com The site that tells you what's for lunch!
    1. Re:Right to send email? by pjrc · · Score: 2

      Since when does anyone, anywhere have the right to send email? Since when does anyone have the right to have their data go over a network that they don't own?


      Likewise...

      • phone companies have the "right" to block calls, perhaps to areas
      • postal service has the "right" to refuse delivery to certain places, such as bad neighborhoods
      • utilities (power, water, gas) have the "right" to offer service to only those they like
      • banks and insurance companies have the "right" to red-line (refuse services in low-income areas, even for otherwise good customers)
    2. Re:Right to send email? by dfenstrate · · Score: 2

      All the industries and services you listed are heavily regulated.

      E-mail is not, at least currently.

      Bear that in mind.

      --
      Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
    3. Re:Right to send email? by Reality+Master+101 · · Score: 2

      It's their right... I'd have a problem with it, sure. But the fact I have a problem with it doesn't mean they don't have the right to do it. I'd go get another ISP. Problem solved.

      So if the apartment complex decided to start rooting through your mail and deciding what you can and can't receive (without your knowledge), that's no problem, right? You'll just find another apartment?

      It's illegal to tamper with postal mail. I see no reason why e-mail shouldn't have the same protections.

      --
      Sometimes it's best to just let stupid people be stupid.
  16. spam vs. the rules of the internet by MoNsTeR · · Score: 4, Insightful

    I'm not going to couch this discussion in terms of "freedom", because it has little to do with it. (Anti-spam laws are indeed an infringement on our freedoms, as I will show, but that's not the most productive way to think about the issue.)

    The arguments against spam mainly consist in the fact that spammers are ostensibly using the resources of end users and ISP's without their permission. This is simply false.
    When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements. If they agreed to have every e-mail with the word "sex" in it blocked, then you can go ahead and do that. But if the user agreement the both of you are bound by includes no specification of what types of mail are and are not acceptable, then you must relay EVERYTHING your customers send and receive.
    Why?
    Because this is how the internet works. *I* control who I hand my e-mail address to, and thus who can send to me. It is not my ISP's business to arbitrarily block inbound e-mails for me. Rather, it is my responsibility to control the availability of my address, and to deal with any and all mail I receive, regardless of source or desirability.

    Imagine the consequences if these rules were discarded wholesale. If intermediary mail relays blocked transmission based on arbitrary whim, the entire structure of e-mail communication could collapse. Remember also that "spam" is not an objective label. I get e-mail adverts that I don't really want, but occasionally I find something very interesting in them. Here, I'm speaking of mails from vendors I've done business with who are sending me "specials" and whatnot even though I didn't ask for it. Fundamentally, these are every bit as much "unsolicited commercial e-mail" as those ridiculous offers for cheap toner! If one is outlawed, so is the other, and the two "perpetrators" would be subject to the same penalties.

    If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you. Under the current system, however, any attempt to stem the flow of spam will harm the proper operation of internet communication more than it will help. You can't run a mail relay that's selective, that's not how it's supposed to work, and things will break down if that's not how things DO work. Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous. It would be like arresting people for driving on the road because the locals didn't like the paintjob on your car.

    I hope I made some sense here.

    MoNsTeR

    1. Re:spam vs. the rules of the internet by gorilla · · Score: 2
      Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.

      And our SLA states that email is not a guaranteed delivery service, and we can and will drop any message we feel like.

    2. Re:spam vs. the rules of the internet by dropdead · · Score: 2, Insightful

      "*I* control who I hand my e-mail address to, and thus who can send to me"

      All the spam I get is not based on an address I handed out. You just need to look at the header file to see that the spammer is just hitting multiple combinations of my name or domain. So where is my control?

      --


      By definition, a government has no conscience. Sometimes it has a policy, but nothing more. - Albert Camus
    3. Re:spam vs. the rules of the internet by El+Kevbo · · Score: 2, Interesting

      Are you serious???

      When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.

      I'm waving the bullshit flag on this one. But your assertion is an unprovable one since you assert that the rules are "unwritten" and thus no amount of arguing will convince you otherwise.

      It is not my ISP's business to arbitrarily block inbound e-mails for me.

      I agree. But if your ISP blocks mail without telling you, then your problem is with your ISP and the idiots who made that decision, not with MAPS.

      Rather, it is my responsibility to control the availability of my address, and to deal with any and all mail I receive, regardless of source or desirability.

      And some people choose to delegate this authority to their ISP who in turn delegate this to MAPS or ORBS(with the full knowledge, consent, and approval of their customers). Who the hell are you to tell these people that they can't delegate that authority???

      If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.

      And just how would new people get themselves added to your authorization list? Are you going to start posting your phone number next to your e-mail address so that people can call you to get added to your authorization list so that they can send you an e-mail? I understand where you're coming from here, but it's an inviable solution.

      Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous. It would be like arresting people for driving on the road because the locals didn't like the paintjob on your car.

      No, it's like the government telling you that you can't live in a gated community. After all, the roads and driveways in that community (paid for and maintained by your money) were built to be driven upon and you can't delegate the policing of those roads and driveways to another entity (the landlord of the gated community, the homeowner's association, etc). If you want your driveway policed and you don't want undesirable people to park there, then you'll just have to police it your own damn self.

      Kevin

    4. Re:spam vs. the rules of the internet by Phroggy · · Score: 2

      Putting people in jail for sending mail over a system DESIGNED AND IMPLEMENTED FOR THE PURPOSE OF SENDING MAIL is absolutely ridiculous.

      FAX machines are designed and implemented for the purpose of sending and receiving FAX transmissions. Cell phones are designed and implemented for the purpose of making and receiving telephone calls away from home. Guess what? In many states, businesses can not legally send you unsolicited commercial FAXes, and telemarketers cannot call cell phones. Why is that? And why are people thankful that these laws exist?

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    5. Re:spam vs. the rules of the internet by infiniti99 · · Score: 2

      If you want to get rid of spam, replace SMTP. Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.

      I have considered this. It would take a total overhaul of the current mail system, perhaps replacing it with something like Jabber (in fact, I think it's possible to replace SMTP and POP3 with Jabber if you made the right wrapper programs). Then you could simply ignore messages from people that don't have a subscription to you. Of course, if the spammers were persistent enough they would just send subscription requests to you first, which makes the argument moot.

      You could take it further by saying that you don't allow direct subscription requests, meaning your contacts would have to ask you permission in person or on a messageboard. This might be a bit much. :)

      -Justin

    6. Re:spam vs. the rules of the internet by mpe · · Score: 2

      When you set up an internet MX, you are implicitly agreeing to a certain set of unwritten rules. Essentially, the rules are that you must relay any and all mail from and to your customers, except as specified in their user agreements.

      Note that an MX record, which indicates either the machine is the receiving party or a proxy for this party, is something different from a third party relay. Indeed it's not actually mandated anywhere that an MTA be even capable of acting as a third party relay in the first place.
      The reason third party relays still exist is primarily to cater for software which requires them, in a chicken and egg situation.

    7. Re:spam vs. the rules of the internet by Trepidity · · Score: 2

      No, it's like the government telling you that you can't live in a gated community. After all, the roads and driveways in that community (paid for and maintained by your money) were built to be driven upon and you can't delegate the policing of those roads and driveways to another entity (the landlord of the gated community, the homeowner's association, etc). If you want your driveway policed and you don't want undesirable people to park there, then you'll just have to police it your own damn self.

      But the government does restrict this, through zoning ordinances. Despite owning my property, I cannot build a fence around it to keep out undesirables, as that would be illegal.

    8. Re:spam vs. the rules of the internet by _Sprocket_ · · Score: 2


      Most gated communities build their own roads, so they aren't public. The roads were paid for by the people living there (which is why they are generally in good shape, too).


      And oddly enough, most ISPs build their own networks and servers, and pay for traffic to/from their backbone provider. These services are paid for by the ISP's customers.
    9. Re:spam vs. the rules of the internet by UnknownSoldier · · Score: 2

      > Create a system where addresses can be "authorized-only", similar to how ICQ can work: to receive mail from someone, you must authorize them to send to you.

      Good point, but bad example. ;-)
      i.e. I have a version of ICQ (98a) that I can authorize anyone, even though they didn't give their authorization.

      The real way to solve the unsolicited email problem, is to use something like PGP. i.e. Authenticate the sender before receiving something from them.

  17. I agree by SirSlud · · Score: 3, Interesting

    'blackbox' solutions are dangerous .... average users will never be able to infer what goes on behind the scenes. Far more useful would be a 98% successful (my guesstimate at what an acceptable fail rate should be) intelligent, learning filtering system on the client end .. where you can just scan-the-spam topics and make sure you're not missing anything important.

    It would be much easier to tackle this problem if a 'pseudolution' (spam is, by its very nature, not 100% solvable) is rolled out with the next generation mail protocol. To this end, does anyone know if there are any current undertakings addressing a next generation email protocol capable of more interaction/configuration from a client?

    One VERY nice feature I'd like to see is email addresses with embedded timeout values in them .. ie, you can provide email addresses that somehow 'hide' your real email address and some timeout value, such that only email servers on your end could decrypt the address and figure out if that communication privilege has 'expired'. I think mail servers would have to know if a mailing was a 'bulk' or 'single' mailing .. single mailings could accept normal email addresses, but multiple mailings would require these encrypted addresses with built in time out values.

    I haven't thought TOO deeply about it, as you can tell, and I'm not much of a privacy/encryption expert, but can anyone articulate a set of rules based on the above postulation that is technically feasible?

    --
    "Old man yells at systemd"
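
Added example, not part of the comment above: one feasible rule set for addresses with a built-in timeout, checked by the receiving server at RCPT TO time. It swaps the "encrypted" address for a simpler construction, a visible expiry plus a keyed HMAC tag that only the receiving servers can compute; the address layout, key, user name and domain are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: held only by the receiving servers
DOMAIN = "example.org"             # hypothetical domain
HEX = set("0123456789abcdef")


def _tag(user, expires):
    """80-bit truncated HMAC-SHA256 over mailbox and expiry, base32 text."""
    msg = ("%s|%d" % (user, expires)).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode().lower()   # 16 chars, no padding


def issue(user, ttl_seconds, now=None):
    """Mint user+<expiry hex>.<tag>@DOMAIN, valid for ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    return "%s+%x.%s@%s" % (user, expires, _tag(user, expires), DOMAIN)


def check_rcpt(address, now=None):
    """Return (smtp_code, text, mailbox_or_None) for one RCPT TO address.

    Rules: the tag must match (so nobody can mint or extend an address),
    and the expiry must not have passed. A refusal happens before DATA,
    so the message body is never transferred.
    """
    now = int(time.time()) if now is None else int(now)
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or domain != DOMAIN:
        return 550, "5.1.2 not a local domain", None
    user, plus, rest = local.partition("+")
    if not plus:
        # Ordinary address: outside this sketch, left to normal policy.
        return 250, "OK", user
    exp_hex, dot, tag = rest.partition(".")
    if not dot or not exp_hex or not set(exp_hex) <= HEX:
        return 550, "5.1.1 malformed address", None
    expires = int(exp_hex, 16)
    # Constant-time comparison on bytes; safe for any input characters.
    if not hmac.compare_digest(tag.encode(), _tag(user, expires).encode()):
        return 550, "5.1.1 no such address", None
    if now > expires:
        return 550, "5.1.1 address expired", None
    return 250, "OK", user


if __name__ == "__main__":
    addr = issue("jane", 3600, now=1000000)
    print(addr)
    print(check_rcpt(addr, now=1000010))   # still valid
    print(check_rcpt(addr, now=1003601))   # one second too late
```
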
    1. Re:I agree by macdaddy · · Score: 2

      By that time, it's already too late. The spam has already used your resources in bandwidth coming in, processing time to parse it and write it to disk, drive space to store it, more processing to extract that spam and form it up in packets for delivery to the client when he/she asks for it, bandwidth exiting your system, bandwidth for them to download it. Whereas thanks to the SMTP protocol we could have rejected it right away by IP or domain name before we gave our code 200 to accept the message. Much fewer resources wasted.

  18. MAPS has been highly effective for us by ehintz · · Score: 5, Interesting

    I implemented MAPS and Procmail Sanitizer at my employer's corporate gateway about 6 months ago. As the EFF article mentions, there is a concern for legitimate mail being blocked. My solution for this is to include my direct phone line, and a request to contact me if the mail is legit, in the error message sent to mail denied by MAPS. In about 6 months of operation, at a company with about 120 users, we block on average 150 messages per day, with an all time high of 262 in one 24 hour period. I have yet to get a phone call from ANYONE, spammer or otherwise. Meanwhile, users who were getting 10-15 spams per day are now down to 1-2, sometimes none.

    Frankly, I've found MAPS to be highly effective. I expected to occasionally toss out legit messages, which was why my direct line is included in every bounce, but MAPS has been considerably better than I could have hoped for. With proper setup and configuration it is quite easy to ensure that legitimate mail gets through with only a minimum of delay. MAPS has been a very worthwhile investment for our company, and our end users have consistently thanked us for implementing it. Likewise, Procmail Sanitizer has stopped all kinds of trojans and viruses cold at the gateway-even catching new ones before being publicized. Although we don't use Outlook, we still find it useful to stop the stuff, and I can't fathom anyone running an Outlook environment without Procmail Sanitizer. Good stuff.

    --
    ehintz
    1. Re:MAPS has been highly effective for us by The+Larch · · Score: 2, Insightful
      You're unlikely to get any calls from most innocent senders whose emails end up as collateral damage because the average person is unable to parse a bounce message and extract the useful information. Most can't even tell between a delivery delay and a fatal error -- if they get a scary looking message full of words like "warning" or "error" or "delivery failure", they'll just assume that the recipient's email is broken.

      I've been victimized by the RBL once that I know of (I had my outgoing email rejected by the recipient's ISP because my ISP had some clients with open relays and MAPS had their entire address space blocked on the RBL), and I suspect it may have happened at other times, as mail to my account at my current ISP who also uses the RBL has been mysteriously disappearing, and I've had complaints from people that my email is "broken". In fact, I'm considering switching to a yahoo address as my primary email account.

  19. Re:MAPS? by anothy · · Score: 2

    MAPS is opt-in, but only on a mail-server level. for users who get mail from an ISP's mail server, they often have no say in the decision. what's more, MAPS (i believe) only works on site-level blocking, nothing with finer granularity. for example, on sites i run, i block mail from *opt-out*@*. MAPS is also somewhat heavy-handed about how they decide to add people, and what it takes to get off the list.
    overall, though, i don't really see the argument for MAPS as a rights violation, the way EFF is talking. i choose not to go that route because i think i and my users want more fine grain controls over who we don't want to talk with.

    --

    i speak for myself and those who like what i say.
  20. Some "ICQ" features ... by LoudMusic · · Score: 3, Interesting

    Errr ... I think I'm offtopic, but to hell with karma.

    It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list. Your email client could auto delete email from people that aren't in your address book. I guess filters could be used to do this, but it's not obvious for the 'common users', like Grandma (:

    There could/should also be a way for the email client to tell the mail server "hey, stop sending me mail from X@X.X". That way you cut it off at the source and it stops messing with your bandwidth. The server could also build a list of ignored email address and domains and stop responding to their requests all together for all users. This could become hurtful, putting control into the user's hands a bit, but somehow I think it would do more good than harm. It would need lots of revision, but I don't have the time or energy to care (:

    ~LoudMusic

    --
    No sig for you. YOU GET NO SIG!
    1. Re:Some "ICQ" features ... by GlassUser · · Score: 3, Informative
      It seems like a really nice feature for an email client would be something like the ICQ feature that auto-ignores people that aren't on your list. Your email client could auto delete email from people that aren't in your address book.

      I know I'm going to get modded down for this, but you can do that with a single rule in outlook. I doubt it would be hard for any decent mail reader to do.
    2. Re:Some "ICQ" features ... by 4of12 · · Score: 2

      One nice way for your email client to tell the mail server "hey, stop sending me mail like this" would be for it to

      save your mail deletion history and use it to dynamically update your procmail recipes.
      I could certainly use something like this.

      Some people delete "good" mail that they read and find interesting, but I save all "good" mail, and actually only delete mail that I have absolutely no interest ever in seeing again and probably didn't want to see in the first place. All other email I save.

      Under that model, it should be possible for my email client to concoct rules for a spam collection inbox that would be scheduled for automatic deletion, with an ability to see the subject titles and senders listed.

      I know that procmail lets you do this already, but the key problem with procmail, as others have noted, is the level of individual effort required to constantly fine-tune the ~/.procmailrc file to "get rid of messages like this new one."

      I would really prefer that ISPs don't do wholescale blocking in their crusade against spam, but, if they don't, then the current situation puts too much onus on the users to cull through things, even with procmail. I'd like to be able to (i) live in a free society and, (ii) have time to live a life of doing things besides edit ~/.procmailrc

      --
      "Provided by the management for your protection."
  21. Just block port 25... by fmaxwell · · Score: 2

    90% of the spam could be eliminated by blocking port 25 access for individual (read "non-business") accounts. If users were forced to go through their ISP's SMTP server, the ISPs would be able to quickly detect and shut down spammers. The spam-spew programs would not work as they would not be able to directly connect to their victims' SMTP servers.

    Even though I run my own mail server, I relay through my ISP's SMTP server and it's just not a big problem -- and I'm one of the most vocal opponents of needless port blocking (e.g., "We blocked your port 80 because someone else has Code Red...").

    SMTP is a protocol from a more innocent time. No one envisioned anyone being so unethical as to steal other people's bandwidth to advertise porn, get rich quick schemes, and online gambling. But since we are stuck with SMTP, we need to employ technical means to make up for its deficiencies.

    1. Re:Just block port 25... by kindbud · · Score: 2

      90% of the spam could be eliminated by blocking port 25 access for individual (read "non-business") accounts.

      90% of IIS worm incidents could be eliminated by blocking port 80 access for non-business accounts. You objected later in your post to the port 80 blocking. Why is port 25 any different?

      If users were forced to go through their ISP's SMTP server, the ISPs would be able to quickly detect and shut down spammers. The spam-spew programs would not work as they would not be able to directly connect to their victims' SMTP servers.

      They'd just use an open SSL proxy to tunnel through. CONNECT victim.host.com:25 HTTP/1.1. Boom, you're in. And the spam didn't even come from your ISP's netblock.

      --
      Edith Keeler Must Die
    2. Re:Just block port 25... by fmaxwell · · Score: 2

      90% of IIS worm incidents could be eliminated by blocking port 80 access for non-business accounts. You objected later in your post to the port 80 blocking. Why is port 25 any different?

      Because blocking outgoing port 25 does not deprive me of the ability to send mail or even to run a mail server. Blocking incoming port 80 deprives me of the ability to run a web server. In other words, port 25 is painless and port 80 hurts -- a lot.

      They'd just use an open SSL proxy to tunnel through. CONNECT victim.host.com:25 HTTP/1.1. Boom, you're in. And the spam didn't even come from your ISP's netblock.

      1. There aren't that many open SSL proxies with that kind of bandwidth that will happily talk to port 25 of someone else's mail server.
      2. The spam-spew programs are not configured to use SSL proxies -- they talk directly to port 25.
      3. Because the SSL server is not one being run by the spammer, the activity is much more likely to be detected and shut down.

  22. There is a hidden context here. by Doktor+Memory · · Score: 3, Interesting

    The EFF's anti-MAPS stance has little to do with careful consideration of the legal and ethical issues involved, and a great deal to do with the fact that EFF honcho John Gilmore has landed himself on multiple spam blacklists, and been booted off at least one ISP (Verio) for intentionally running a wide-open relay.

    Gilmore's stance is pretty straightforward: running an open relay was a good thing in 1987, so of course it must still be best practice in 2001.

    --

    News for Nerds. Stuff that Matters? Like hell.

  23. Best Current Practice by hibachi · · Score: 3, Insightful

    My opinion diverges from the EFF's on this point. I would argue that using reputable services that maintain a list of open and abused mail relays to filter incoming mail is a responsible decision. The combined benefits of reduced volume of incoming spam, and the enforcement of responsible mail server configuration benefits not only local users, but the Internet as a whole.

    Out of the box, most modern mail servers configure themselves to prevent the relaying of mail. What we are fighting by using services such as MAPS are legacy systems and new servers that come online and are misconfigured. It is simply negligence to be operating an open relay in today's Internet. That negligence needs to be challenged. We can ultimately get the upper hand on the abuse of open relays this way, and I would support Internet wide adoption of the use of such services as a Best Current Practice.

    With regards to my users not receiving mail, it is our company policy to individually handle each complaint related to our mail filtering to benefit our customers. We will almost always explicitly permit mail from servers that we know are legitimately trying to reach our users. We will also send a courtesy email to the administrators of the open relay to inform them of the situation. This isn't about maliciously blocking every relay out there, to the detriment of our users, this is about encouraging a trend of improved mail server administration. Responsible implementation of these kinds of controls on unsolicited email benefit everyone.
    Cheers

  24. I still don't see the problem by cs668 · · Score: 2

    If you want to use it, do; if you do not, then don't.

    If we are talking about ISP users who do not do their own sendmail setup that might be a different matter, but the ISP could simply offer each user a choice when they sign them up:

    1) We will try to filter spam from your email

    2) We leave your email completely unfiltered

    As long as people have a choice what is the problem. And if ISPs don't give the choice then the problem is with the ISP not MAPS and friends.

  25. The Internet is a free-market information service by isdnip · · Score: 5, Insightful
    EFF has it wrong this time. They make the statement that e-mail is "protected speech". That's a legal issue in the USA, which means that the government doesn't have the right to block it. But private parties are also not required to pay to relay it.

    The Internet is not regulated as a telecom service. The FCC doesn't regulate ISPs, just the telecom services they buy. Nobody regulates mail servers. It's a free market, and it works. Now in a free market, you have competition. If your ISP uses MAPS and you don't like it, then you're free to go elsewhere. If your ISP is RBL'd, you're free to go elsewhere. There are lots of free e-mail services out there. See for instance http://www.emailaddresses.com/ . Now I wish my own "primary" e-mail provider, the one I ping many times a day, used one of these services, because I'm spammed to death and sick of it! If somebody couldn't get through, they almost certainly would find another way to reach me. Like I have a phone too, not to mention other e-mail addresses.

    So given the fact that there is no anti-spam legislation, and negligible likelihood of effective anti-spam legislation within the next few years, then the free market approach (you know, the one the spammers cite to block anti-spam legislation) is to allow anti-spam filters at the ISPs. The ISPs will install them if it's good for business, and block spammers if being blackholed is bad for business.

    Indeed one of the reasons that the Internet is not regulated as a "telecommunications service" is that it does not offer to provide transport of information "without change in form or content" -- an ISP may change things, of which blocking spam is one example. It would be quite a different story if a telecomm provider attempted to do the same thing -- their mission is to pass the bits unchanged, down there below layer 3.

    And please don't tell me how easy it is to build an anti-spam filter on your private mail server. 99.9% of end users do not run mail servers; ISPs, who have full-time bandwidth, run them for us.

  26. MAPS DUL by Chase · · Score: 2, Informative

    My step-mother called me frantically the other day because all email to her was being bounced. I did some checking and found that my subnet had been added to the MAPS Dial Up User List. The addition of DUL to the MAPS database means I am treated the same as a spammer even though I am not doing anything wrong.

    I reconfigured exim to use my ISP's SMTP server as a smart host and all was well. Until I received the following message which basically says that my server is an open relay.... It's not... Now my step-mother thinks I am a mail abuser... I can only guess what she thinks of that...

    From: Abuse Investigation Team [mailto:abuse@adelphia.net]
    Sent: Friday, October 05, 2001 1:59 PM
    To: *
    Subject: RE: email problems

    Thank you for forwarding this information to us. However, the bounced
    message you received indicates that the sender is being blocked due to the
    originating IP address being listed in MAPS database. MAPS is a database of
    domains and IP addresses that have been found to have either open mail relay
    servers or are spam friendly. Adelphia, like many other ISPs, has
    instituted MAPS as a means of filtering spam to lower the amount of
    unsolicited email that reaches our customers.

    Adelphia is unable to unblock the sender of the email. The domain
    responsible for the IP address being blocked will need to follow the link in
    the bounced message and take the appropriate steps as outlined by MAPS to
    have their domain and/or IP address unblocked. For more information
    regarding MAPS, please see their website at http://www.mail-abuse.org

    Sincerely,

    Abuse Investigation Team
    Adelphia Communications
    1-814-260-3961
    abuse@adelphia.net
    http://powerlink.adelphia.net/policies.html
    http://powerlink.adelphia.net/policies/security_faq.html

    Sender : *
    Date : 10/5/2001 5:48 AM
    ---

    because of MAPS my email began bouncing.

    * *

    -----Original Message-----
    From: Mail Delivery System [mailto:Mailer-Daemon@chase.org]
    Sent: Thursday, October 04, 2001 8:13 AM
    To: *
    Subject: Mail delivery failed: returning message to sender

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. The following address(es) failed:

    *:
    (generated from *):
    SMTP error from remote mailer after MAIL FROM::
    host mx5.dc2.adelphia.net [24.48.57.12]:
    553 5.3.0 Open relay - see http://www.mail-abuse.org/

    ------ This is a copy of the message, including all the headers. ------

    Return-path: *
    Received: from smtprelay.abs.adelphia.net ([64.8.20.11]
    helo=smtprelay3.abs.adelphia.net)
    by loki with esmtp (Exim 3.12 #1 (Debian))
    id 15p7NF-0001tp-00
    for ; Thu, 04 Oct 2001 08:13:09 -0400
    Received: from * ([*]) by
    smtprelay3.abs.adelphia.net (Netscape Messaging Server 4.15)
    with SMTP id GKOJBX02.Q4L for ; Thu, 4 Oct 2001
    07:45:33 -0400
    From: *
    To: *
    Subject: test
    Date: Thu, 4 Oct 2001 07:44:08 -0400
    Message-ID:
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
    Importance: Normal

    test

    * *
    *

    --
    -==-
  27. A solution by SirSlud · · Score: 5, Interesting

    So here's my idea:

    Requirements:
    - mail servers would have to know if a message is being sent to many users, or [threshold]
    - mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, I think)

    So, now you give your email address out to organizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fashion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)

    Now, here's the kicker: /included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout .. if you don't find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication privilege in your contact information, without giving the sender the ability to alter that timeout.

    So, what has to be done? Does this work? I think once you wrap people's heads around the idea of a timeout on communication privs, people would love this .. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."

    Am I on crack? I think it's a good idea.

    --
    "Old man yells at systemd"
    1. Re:A solution by SirSlud · · Score: 2

      Also, this would force companies to be honest about the frequency of their communication with you .. they have no way of verifying or 'filtering' valid communication policies with you, so they would have to be honest if they actually wanted to, and expected to be able to reach you in 6 months. They can't verify that you are actually giving them a 6 month time out, so the responsibility of enabling communication falls into the hands of whom it should be in: you.

      --
      "Old man yells at systemd"
    2. Re:A solution by SirSlud · · Score: 2

      One more nice thing: your web page would always be a one day timeout value (most sites that get trawled by email collecting robots are dynamic content anyways?)

      So anyone who trawls your site would only have a way of reaching you within the next, say, six hours .. or 2 days .. or whatever you like! If you approve of the communication, you'd have your regular email (or maybe you prefer a 30 day permission, its up to you :) in your reply field on your mail client.

      --
      "Old man yells at systemd"
    3. Re:A solution by MikeBabcock · · Score: 2

      This has already been done, but better.

      http://madhaus.utcs.utoronto.ca/qmail/spam-filter is one example that simply creates outgoing addresses that are either only good for a small amount of time or for a specific sender.

      http://www.xns.org/xns/whitepapers/filtering/ describes XNS for white-list instead of black-list filtering.

      There's always this one: http://software.libertine.org/tmda/ the Tagged Mail delivery agent, my personal favorite.

      --
      - Michael T. Babcock (Yes, I blog)
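The expiring-address idea discussed in this thread, as an added example (not code from any poster or from the tools linked above): the expiry is bound to the user name with a truncated HMAC tag instead of the encryption the proposal describes, so the user name stays visible but a sender cannot extend the timeout. The key, the address layout and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real server would hold one random secret per account.
ACCOUNT_KEY = b"constructed-demo-key-not-for-production"
TAG_HEX_LEN = 16  # 64-bit truncated tag keeps the local part short


def _tag(user, expiry_hex, key):
    """HMAC over user name and expiry, so neither can change without the key."""
    msg = f"{user}|{expiry_hex}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def make_timed_address(user, domain, ttl_seconds, key=ACCOUNT_KEY, now=None):
    """Build user-<expiry hex>-<tag>@domain, valid for ttl_seconds from now."""
    user = user.lower()
    issued = int(time.time() if now is None else now)
    expiry_hex = format(issued + ttl_seconds, "x")
    return f"{user}-{expiry_hex}-{_tag(user, expiry_hex, key)}@{domain}"


def check_recipient(address, key=ACCOUNT_KEY, now=None):
    """Server-side check at RCPT time. Returns (verdict, user).

    The server stores nothing per address: it recomputes the tag from the
    address itself and compares the embedded expiry with the clock.
    """
    now = int(time.time() if now is None else now)
    local, at, _domain = address.lower().rpartition("@")
    parts = local.rsplit("-", 2)  # user names may themselves contain '-'
    if not at or len(parts) != 3:
        return ("malformed", None)
    user, expiry_hex, tag = parts
    try:
        expiry = int(expiry_hex, 16)
    except ValueError:
        return ("malformed", None)
    expected = _tag(user, expiry_hex, key)
    # Constant-time comparison; bytes so that odd input cannot raise.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return ("bad-tag", None)
    if now > expiry:
        return ("expired", user)
    return ("accept", user)


def extend_expiry_without_key(address, extra_seconds):
    """What a list owner would have to do to outlive the timeout: edit the
    expiry field and reuse the old tag. check_recipient rejects the result."""
    local, _, domain = address.rpartition("@")
    user, expiry_hex, tag = local.rsplit("-", 2)
    forged = format(int(expiry_hex, 16) + extra_seconds, "x")
    return f"{user}-{forged}-{tag}@{domain}"


if __name__ == "__main__":
    day = 86400
    issued = 1002300000  # constructed timestamp (October 2001)
    addr = make_timed_address("sirslud", "example.org", 30 * day, now=issued)
    print(addr)
    print(check_recipient(addr, now=issued + day))       # within the month
    print(check_recipient(addr, now=issued + 31 * day))  # after the timeout
    print(check_recipient(extend_expiry_without_key(addr, 365 * day),
                          now=issued + 31 * day))        # tampered expiry
```

Rotating the account key invalidates every outstanding address at once, which is the only revocation this design offers before an address times out.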
    4. Re:A solution by SirSlud · · Score: 2

      TMDA looks yummy .. any reasons why it's not enforced at the mail server level (ie, not in an RFC?) .. I am just thinking that it would be awesome if mail servers themselves supported knowing whether a 'username' an email is addressed to that was delivered to it was a timeout-able version of a legal local user name? I mean, does this sort of thinking stand a chance of getting into some future generation mail protocol?

      I don't like white-list filtering, because email is used far too often to instigate legitimate communication from a source you were previously unaware of. (Musicians, artists, freelancers .. basically, anyone selling services who cannot hire someone to filter 'incoming mail') :) And the confirmation processes, especially when time is of the essence, it's an awkward, unwieldy, and hopefully ultimately unnecessary process if you can come up with a good tagged address system.

      Man, spam fighting sure is subjective tho. I am aware of the level of subjectivity when trying to formalize a suitably universal process by which to cut down noise-to-signal ratios when dealing with public means of contact info.

      Anyhow, I'm still interested in knowing how much work is being done to put some of these facilities lower down in the trenches of the technology that drives mail across the net.

      --
      "Old man yells at systemd"
    5. Re:A solution by MikeBabcock · · Score: 2

      There's no reason that 'held for confirmation' mail couldn't be left in a different folder (Maildir / IMAP / mbox) and still be visible to the user if they were bored and wanted to check.

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:A solution by SirSlud · · Score: 2

      this is a solution for idiots who don't want to even have to think about whats 'confirmed' and 'not confirmed' .. including me. I don't even want to 'confirm' mails; nevermind that client side, non standardized filtering systems will result in at least some people/systems not following up on a confirmation who have an opportunity (or information of value) where you're the only one who has much to lose by the sender not following up .. I want to implicitly trust the first delivery if the email address is gathered from a place I publish it, all the while blocking the mail at the /mailserver/ level.

      Most people don't have access to anything other than POP, so holding it server side until confirmation isn't a particularly viable solution for the masses, IMHO. (Unless my assumption that most pop clients do not support scanning your mail server-side before you actually apply filter logic to the message isn't true?) It also doesn't help if the person who has your email address rotates their from address just to prevent you from relying on the solution of whitelisting. You'd just be spammed with 'confirmation' mails.)

      I mean, if you really wanna tackle this in a large way, your method has to be fool-proof, totally controllable by most simple POP clients, and easy to understand. By embedding timeouts in addresses, and enabling the server to understand this, the user can publish an email address and just forget about it, instead of having to manage a 'valid sender' list. I think the idea of you specifying privs for senders most breaks the idea that email is a convenient single-step process to contact someone. Of course, maybe I'm just drunk on what I perceive to be an elegant simple solution to a complex problem, but I still maintain that having this sort of logic on the mail server would help lots of people out there who just want to apply 'trust' to a sender (be it a robot that trips of their page) only within the scope of a worst case scenario (ie, the timeout prevents unlimited abuse) ... :)

      I guess the general idea is that if the rules are written in stone, then it removes any power from people who collect/need your email address to leverage whatever they have against you based on your method of filtering?

      I think there always exists a simple solution that cuts down on 90% of the noise; a solution that doesn't require anymore work than you need now (which is essentially one of the principles of the adoption of technology by a society at large). In this case, you may want to memorize your 'one day' and 'one week' addresses for when you are in a bar, or away from a client capable of generating your timeout addresses, a negligible increase in responsibility that has to be assumed by the user of the technology.

      --
      "Old man yells at systemd"
    7. Re:A solution by SirSlud · · Score: 2

      Actually, TMDA's whitelist confirmation method just resulted in my mailbox being 'spammed' twice. Obviously, it's not really spam because in entering communication with the email address I sent to, I was consenting to 2 way communication, but it's still two more messages in my mailbox that are empty of actual content. Not optimal, in my opinion. New technologies and processes are very rarely accepted by the masses if they contain more steps than the process they are meant to replace or provide a level of perceived social value that overcomes these additional steps.

      --
      "Old man yells at systemd"
    8. Re:A solution by SirSlud · · Score: 2

      well, the thing is, I am thinking purely from a 'I don't even want to think about the responsibility of maintaining multiple email addresses' .. that's where the encryption comes in, from both sides. You don't have to set anything up, server side ... the 'rules' are already in the email address. if you want an email address to time out, send them the encrypted-with-the-timeout address your mail client generates for you (by talking to the mail server)

      the problem with the x10 example assumes you own the domain, and if we want to defeat spam (ie, the desire to send it), we have to make rules and processes that work for EVERYBODY .. ie, down to the lowest common denominator of 'the moron user who is using the uncaring provider with the free mail client'. Otherwise, spammers will accept that they can't reach the geeks .. which is okay with the geeks anyhow, cause we don't reply to spam. Stupid people do, so you need a stupid solution. My solution proposes that your mail client simply asks your mail server: "Give me my address, but with a timeout of 2 weeks." The time you choose will depend on how much you trust who you're giving your email address to. You can never truly defeat spam (cause one man's spam is another man's treasure, etc, etc), so what you really need is a technology that allows you to specify the worst case. Ie, at the most, this person should not be able to contact me after X days, months, years. I subscribe to alotta porn .. I'm not worried bout x10, cause they have to honour their agreements to remain in business (they are visible enough, dontcha think?), but rather the unscrupulous advertisers. The problem is /collection/ .. any place, be it a web page, or a return address on USENET .. when your email is collected and sold, it has to time out. So, for these sorts of points of presence .. like a web page, or a USENET post, it's about making sure no one can contact you 10 weeks (or whatever length of time you want) after you post or show your email address.

      All I want, is the ability to give my email address with what I judge is a worst case scenario .. I'm sure I'm getting email from spammers who robot'd my email addy from my webpage 3 years ago. I just want to specify the 'scope' of the use of my address for each medium in which I provide/publish it. I truly believe it is the best compromise between letting unknown sources contact you, and trying to stop your email from circulating via sales. Obviously, it has to be encrypted because you don't want the sender to be able to adjust that timeout value in your email, and if you make it well-formed, then you don't have to manage those timeout 'accounts' with your server, and your server doesn't have to store multiple 'accounts' for you, since it just de-encrypts against a local private key and checks whether that mail is still valid.

      Really tho, there are tons of client side savvy ways to deal with spam, but the problem is those who are too newbie, or, in my case, too lazy to deal with actually specifying the various contact touch points. I want a well-formed way of specifying my timeout in an address that isn't tamperable by the sender, and doesn't require me to spend more time than I do now just scanning and deleting spam.

      --
      "Old man yells at systemd"
    9. Re:A solution by MikeBabcock · · Score: 2

      You contradict your first statement with your second, so why didn't you just delete it?

      And what's the "twice"? The whitelist sends you one confirmation, once. It then adds you to their list, assuming they didn't give you a sender-specific address in the first place.

      --
      - Michael T. Babcock (Yes, I blog)
    10. Re:A solution by SirSlud · · Score: 2

      the twice is just that, buddy :) I got a second mail after sending the authorization one, saying that my first mail was properly delivered .. ie, a 'thanks for authorizing' message.

      Really, I did. I dunno, visit the TMDA page yourself, and try the whitelist message, and then 'authorize' the communication. You should get a second.

      Please, I'm not baiting you, man .. I've taken courses that deal with the relation between technology and social behaviour. I was in electrical engineering. But I've always been a programmer at heart, and now I do that. The whole deal, C++/C/whatever/CORBA on freeBSD. I'm no genius, but I'm still lightyears ahead of 99% of the population when it comes to computers. You learn where the make-and-break points are with technology, as relating to social adoption. I was just saying that it was too much of a pain to know that I had to go through some sort of confirmation process to initiate communication. Don't argue for your own values .. defeating spam is a universal problem that requires you to cater to the lowest common denominator. Windows wouldn't have such a dominant position in the market if it weren't for the sad fact that to penetrate your market (as standards must), your interface must cater to the lowest common denominator, mostly effort-wise, while not undermining the status-quo economically.

      Really tho, TMDA provides exactly what I want, only at a level that only a few of us can use (unless those in a position of power take it upon themselves to offer the functionality to clients ... which would require accepting additional responsibilities at a time that no service provider would even dream of). I want to see that as part of the general social perception of what email is. Only then does it truly become 'deployed' on a scale that is meaningful.

      Anyhow, I wasn't dumping on the links you provided .. they were exactly what I wanted to see. Some push towards embedding the policy of your communication in the very contact information itself. That, in my opinion, is the holy grail of a form of communication that must, by design, exist within a logical set of well-formed rules. I think that sort of approach would lead to the best restriction of paths of communication. We wouldn't even need to rely on the government to strong-arm companies to comply. (And a fat chance of that, these days, in this plutocracy.)

      --
      "Old man yells at systemd"
  28. Blacklisted laity by ch-chuck · · Score: 2

    I just got out of a battle of wits with one of our sales guys who couldn't receive mail from a potential client - the guy on the other end kept insisting that it was because *our* isp didn't have "anti spam" software, whereas the email headers clearly indicated that they were being rejected because the OTHER guy was blacklisted, he even admitted to them having a problem with their server being used for spam "a year ago", yet they were still failing relay tests as of early this month. I just told our sales guy there was nothing *I* could do, he'd have to get a hotmail acct or something that will take mail from anybody.

    It's like another case of IIS users who get wormed and don't know or care what to do about it - and they /sure/ aren't going to get away with blaming it on me!!

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  29. Collective solutions are bad?!? by Col.+Klink+(retired) · · Score: 3, Interesting

    If it's bad to share a list of open relays, wouldn't sharing a procmail script be just as bad?

    If I tell you how to automatically delete email with subjects like "MAKE MONEY FAST", how am I different from someone telling you that some ISP has an open relay? After all, if I publish a list of subjects that spammers are likely to use, am I not denying their right to send me email just as if I didn't accept email from their domain?

    And BTW, I use spambouncer (a set of procmail recipes) to block spam. It's trapped 190 email messages since October 1. I think 3 have slipped past.

    --

    -- Don't Tase me, bro!

    1. Re:Collective solutions are bad?!? by MikeBabcock · · Score: 2

      Toss me an E-mail with a ".vbs" file attached for our default bounce message ;-).

      It can be empty ...

      --
      - Michael T. Babcock (Yes, I blog)
  30. Protection of freedom by Reality+Master+101 · · Score: 2

    Should it be illegal for an ISP to use MAPS without an individual user's consent? It occurs to me that it should be illegal. Right now, it is a federal crime to interfere with regular mail delivery. Why should e-mail be any different?

    If an ISP wants to offer me a service -- that I opt-in to -- to limit the amount of junk mail I receive, then that's fine. But it seems highly arrogant of an ISP to decide what should or should not go in my mailbox.

    The more I think about this issue, the more I think it should be a federal crime to interfere with the delivery of e-mail.

    --
    Sometimes it's best to just let stupid people be stupid.
  31. Re:procmail shmockmail by fmaxwell · · Score: 4, Insightful

    How do you think that women in the workplace feel when they get "Cum slurping coeds hot for you!" e-mail just because they answer the mail for sales@companyname.com -- which is posted on the company web page? Users can't participate in newsgroups without some kind of painful REMOVETHISBEFOREREPLYINGTOME crap tossed into the middle of their e-mail address. You can't participate in list servers. You can't put your e-mail address on a for-sale web site. All you have to do is become some kind of reclusive hermit, carefully hiding your e-mail address, just so the spammers don't harass you to the point of insanity.

    Oh, by the way, you also can't use your initials since spammers have taken to programs that "guess" your e-mail address if it is one or two letters long. I know. I run a mail server.

  32. Email is uni/multi cast NOT broadcast by nyjx · · Score: 4, Informative
    Whilst I agree that many of the legislative approaches are overblown (and dangerous), expecting all users to block their own spam (which is what the EFF is clearly advocating) is seriously unrealistic. How many people here have a hotmail, yahoo, lycos.. account - what would that account look like if those companies didn't block spam for you? I'm sure that the average user would see this as a service offered by the ISP. As long as he/she can receive mail from granny it's fine. Most average users just want "email", they don't want the hassle of configuring 1001 spam filters. It's similar to virus protection - they will just install Dr. Solomons for SPAM - or use whatever comes in the next version of XP and have Bill limit who sends them email.

    The free speech argument isn't invalid, it's just impractical for most end users. Secondly it is being applied in the following way by the EFF:

    - "ANYBODY has the right to say anything to YOU"

    and not in what most people consider free speech, which is:

    - "ANYBODY has the right to say anything in a public forum."

    These are NOT the same thing. You get into the whole "I'm paying time and money because idiots keep sending me spam". Email is personal communication (uni or multi cast) it is not broadcast. If people wish to broadcast they should do so in public forums - er, like this one!

    It's still an issue if an ISP blocks somebody you do want to hear from - but this is somewhat akin to the fact that millions of people around the world don't even have access to email, a telephone or even a decent postal service to even contact me in any way whatsoever.

    Being black listed at least forces those areas that are to try and regulate their users. Of course eventually this is likely to break down to requiring pretty intelligent software to determine what to block based on message content rather than sender behaviour - and even then people will still pay third parties (ISPs,M$) to perform this for them - how many pieces of software out there still use the default passwords...

    --
    .sig
  33. Re:What's wrong with voluntary collective solution by Reality+Master+101 · · Score: 2

    What's wrong with voluntary collective solutions?

    The problem is that they are NOT typically voluntary by the people to whom it matters -- the email recipients. If an ISP wants to offer a service to block spammers, then it should be up to the individual to opt-in to the blocking.

    Right now it's a federal crime to interfere with the delivery of regular postal mail. Why should e-mail be any different? How would you like it if your apartment complex decided to root through your mail and arbitrarily decided what you could or couldn't receive?

    --
    Sometimes it's best to just let stupid people be stupid.
  34. Mailfilter by ronmon · · Score: 2, Interesting

    is my weapon of choice when it comes to dealing with spam. About 80 per cent gets caught by the "not addressed to me" filter and all the trash gets deleted from the server prior to download.

  35. From a small isp perspective.. by johngaunt · · Score: 2, Interesting

    I work for a small ISP, and we tried very hard to keep our mail relay as open as possible so our users could set up mail at work, at the office and other places where they may have a different connection to the net. We did and still do run filters on our mail server, to try and stop spam and virii, yet we were placed on ORDB and on ORBZ. The whole reason we were placed on these lists was not due to anyone complaining about spam originating or being relayed from our server, but just because it had an open relay. In the end we closed the relay, which caused us to lose customers who could no longer send mail through us from their work or other places, but we were also losing customers when we were on these lists because people could not send mail to their friends and business contacts.
    Most of these Blackhole lists do send a message back to the person trying to send the mail, and they often portray admins who run open relays as evil spammers or complete morons. Neither of these is true. We were trying to provide a service to our customers, and we work CONSTANTLY to keep the spam out.
    Blocking or denigrating the ISP or admin of a mail server which happens to have an open relay that may get used for spamming is like blaming Boeing for the recent trade center attacks. They built the plane but they did not do the deed. We ran a mail server, but we did not spam people. Go after the spammers, and their backbone providers, and their corporate backers, not the little guys who get hurt by this the most.

    --
    In the wild there are no dumb lions tigers or bears. Only humanity subsidizes the continued existence of the stupid.
    1. Re:From a small isp perspective.. by Todd+Knarr · · Score: 3, Informative

      SMTP AUTH maybe? Relaying allowed for authorized users, nobody else. End of open-relay problem.

    2. Re:From a small isp perspective.. by sigwinch · · Score: 2
      The whole reason we were placed on these lists was not due to anyone complaining about spam originating or being relayed from our server, but just because it had an open relay.
      Shoulda used POP before SMTP: only allow SMTP access to IP addresses that have successfully authenticated with POP in the last few minutes. Since most email programs automatically check for new messages the moment they start, and repeatedly check every few minutes thereafter, legitimate users don't even know you are filtering. To the best of my knowledge, lots of ISPs have good success with this technique.

      Don't blame the MAPS/ORBS because you can't deploy a trivial and obvious technical solution that thousands of other people use.

      Most of these Blackhole lists do send a message back to the person trying to send the mail, and they often portray admins who run open relays as evil spammers or complete morons. Neither of these is true.
      Anyone who operates a high-gain publicly-accessible network data amplifier *IS* either evil or a moron. Smurf amplifier, 0WN3D unix box, open mail relay, who cares. LART 'em till they glow then shoot 'em in the dark.

      (Not that I'm not sympathetic to the difficulties of being a small ISP: I just don't think there's any excuse for operating an abusable data amplifier.)

      --

      --
      Kuro5hin.org: where the good times never end. ;-)
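The two fixes suggested in these replies, SMTP AUTH and POP-before-SMTP, come down to one relay decision at RCPT time; this added example (not any mail server's own code) puts that decision beside the open-relay behaviour that gets a host listed. The class and method names, domains and IP addresses are constructed for the illustration.

```python
import time


def open_relay_check(client_ip, rcpt):
    """The configuration that gets listed: any client, any recipient."""
    return (True, "open-relay")


class RelayPolicy:
    """Closed relay: anyone may deliver to local domains, but only
    authenticated customers may relay to the rest of the Internet."""

    def __init__(self, local_domains, window_seconds=300):
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds
        self._pop_logins = {}  # client IP -> time of last successful POP login

    def record_pop_login(self, client_ip, now=None):
        """Hook for the POP server: call after a successful login."""
        self._pop_logins[client_ip] = time.time() if now is None else now

    def _pop_recent(self, client_ip, now):
        seen = self._pop_logins.get(client_ip)
        if seen is None:
            return False
        if now - seen > self.window:
            del self._pop_logins[client_ip]  # stale entry: drop it
            return False
        return True

    def check_rcpt(self, client_ip, rcpt, smtp_auth_user=None, now=None):
        """Decide one RCPT TO. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return (True, "local")            # inbound mail for our own users
        if smtp_auth_user:
            return (True, "smtp-auth")        # customer proved identity in SMTP
        if self._pop_recent(client_ip, now):
            return (True, "pop-before-smtp")  # same IP logged in to POP recently
        return (False, "relay-denied")        # stranger asking us to forward


if __name__ == "__main__":
    t0 = 1002300000  # constructed timestamp
    policy = RelayPolicy(["smallisp.example"], window_seconds=300)
    outsider, customer = "203.0.113.9", "198.51.100.7"  # documentation ranges

    print(open_relay_check(outsider, "target@elsewhere.example"))
    print(policy.check_rcpt(outsider, "user@smallisp.example", now=t0))
    print(policy.check_rcpt(outsider, "target@elsewhere.example", now=t0))

    policy.record_pop_login(customer, now=t0)  # customer checks mail from work
    print(policy.check_rcpt(customer, "friend@elsewhere.example", now=t0 + 120))
    print(policy.check_rcpt(customer, "friend@elsewhere.example", now=t0 + 301))
    print(policy.check_rcpt(customer, "friend@elsewhere.example",
                            smtp_auth_user="alice", now=t0 + 301))
```

POP-before-SMTP authorizes an IP address rather than a user, so everyone behind the same NAT address can relay until the window closes; SMTP AUTH does not have that gap.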

  36. Boycotting Spammers by rnturn · · Score: 2
    ``In addition, Netizens should express their dismay at spam by boycotting products advertised with spam.''

    Dismay?! More like anger. Boycotting doesn't work. The fact that I haven't purchased any ``100% Legal Temple Kiff'' hasn't stopped the fscking emails from coming.

    --
    CUR ALLOC 20195.....5804M
  37. I seem to remember... by trilucid · · Score: 2


    From this part of the executive summary in the page:

    "And anti-spam blacklists, such as the MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List, the most popular), result in a large number of Internet service providers (ISPs) surreptitiously blocking large amounts of non-spam from innocent people [emphasis added by me]. This is because they block all email from entire IP address blocks--even from entire nations. This is done with no notice to the users, who do not even know that their mail is not being delivered."

    I seem to recall some cases (can't put my finger on them at the moment) involving ISPs and hosting companies attempting to blackhole the address blocks of their competitors. Needless to say, a very nasty practice indeed. This is part of the reason I've never used the black hole lists.

    I know mail filters aren't perfect, but I've always found good ones that worked sufficiently for my purposes. Yes, I know this doesn't reduce the technology threat posed to the infrastructure of the Net by mass spammers, nor does it reduce the massive losses in bandwidth taken by companies dealing with major spammers on their and connected networks.

    Does anyone have any specific case examples of MAPS abuse? I'd be interested to review these myself, if only to be sure I never associate myself (or my company, for that matter) with such orgs in the future. Are there any watchdog groups out there that keep tabs on this sort of thing?

  38. Re:The next DMCA/"Patriot " bill waiting to happen by sqlrob · · Score: 3, Insightful
    Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal

    Not if done correctly. Just make false addresses/false routing information illegal on COMMERCIAL mail. Why does a company need to do something anonymously, especially one that wants me to buy something?

  39. Out-of-hand solutions to an exaggerated problem by keath_milligan · · Score: 2, Interesting

    Wow.. it's about time the EFF finally put up the forefinger of logic and said "hey, wait a sec" in regard to the anti-spam movement. This has to be one of the most often grossly exaggerated problems anyone ever cites -- receive a few unsolicited emails and your inbox is "filled" with spam. And so off you go to champion hamstringing the email system, banning ISPs, etc, etc. I am as annoyed by spam as the next guy. But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly. There are a number of methods an individual can use to reduce the amount of spam received that are quite effective. These days I get more annoying crap from friends, co-workers and other associates than spam. I'm amazed at how some people can overlook all of the chain letters, images, flash movies and other crap that truly does chew up their resources and then go ballistic when they receive one piece of email that can technically be classified as spam.

    1. Re:Out-of-hand solutions to an exaggerated problem by Vainglorious+Coward · · Score: 2, Informative

      I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer
      I'm sure there are hundreds of people who have their own stories to prove that the above statement is simply false. Many spam operations build lists of all potential [user]@domain.com addresses; addresses for which the spam doesn't bounce are then added to the "valid address" file (which is typically then sold on to others as being a list of "people who have indicated that they wish to receive email" about whatever they're selling). And this is the point really - this is not about "free speech" or the "rights" of spammers. It's about a bunch of shysters using deceptive business practices to try and turn a dollar, and doing it *at others' expense*.

      --
      My next sig will be ready soon, but subscribers can beat the rush
    2. Re:Out-of-hand solutions to an exaggerated problem by Misch · · Score: 3, Insightful

      But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

      File this one under "P" for "Parody"

      I know... it's such a pity. Every time I walk out into the street, I am in the sights of a sniper rifle. I wish that when I walked into the street I wouldn't have to wear a bullet proof vest and face shield, but that's the sad reality of living in this crazy world today. I'm just glad that my company was smart enough to put up thick concrete walls which don't allow most bullets to pass through them between me and my parking lot.

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
    3. Re:Out-of-hand solutions to an exaggerated problem by Mike+Van+Pelt · · Score: 2

      How many people are there on this planet? About six billion, right?

      How many of those people have something to sell? One one hundredth of one percent?

      OK, if the "just delete it" folks carry the day, that one one hundredth of one percent means that you are going to get six hundred thousand spam emails in your inbox.

      Long before that point, email has been utterly destroyed as a useful means of communication.

      I like email! I do not want to see its usefulness destroyed.

      That's why I want the spammers stopped.

      By any means necessary.

    4. Re:Out-of-hand solutions to an exaggerated problem by prizog · · Score: 2

      But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

      No, some spammers will try brute force attacks, going after common names, or just trying every string under N characters.

    5. Re:Out-of-hand solutions to an exaggerated problem by kindbud · · Score: 2

      But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer ...

      Oh boy, you caught shit for that. Nevertheless, you're right. I have two email addresses, one I want to use, and one that I do use. The one I want to use was ruined years ago by posting to Usenet with it, before there was a spam problem. Thanks to Google, that email address is permanently findable on the web, and may never be useable again.

      However, my other email address gets no spam at all. I do not use it to post to Usenet. I do not use it to sign up for anything. I do not subscribe to public mailing lists with it, especially if there is an archive for that mailing list that is web-accessible. Friends get to know it, family gets to know it, and many other correspondents get to know it.

      The second address gets no spam.

      Only popular domains that everyone KNOWS host millions of email accounts, get probed with a dictionary list. Only giant mail domains are worth probing this way. The solution to dictionary spam, then, is LOTS OF DOMAINS, preferably several for each person. Do you hear me ICANN? (no, but.. whatever)

      --
      Edith Keeler Must Die
    6. Re:Out-of-hand solutions to an exaggerated problem by radja · · Score: 2

      > But I understand that any time I receive any piece of unsolicited email it is because *I* supplied my email address to the spammer - either directly or indirectly.

      is it? did you really supply your email address?

      I know I have used some email addresses of people I didn't like with the intent of them getting spammed..

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
  40. Rights vs. privileges by M_Talon · · Score: 3, Interesting

    Here's where the whole thing gets messy. Yes, it's expected that email that is sent should be received. But the Internet isn't regulated like that, so it's not really a right. I had a big long spiel about this and the Usenet Blackhole list a while back.

    The point is that if your ISP is blacklisted, there's usually a good reason for it. It's because they don't control spam like they should, and thus they degrade email service for many many people. The blackhole list is designed to be a wake up call, and it usually isn't used until repeated requests to fix the problem have been ignored. If you find your ISP on the blacklist, complain to them to fix the problem that got them there. Either that, or switch to an ISP that isn't on the list. It's not your right to send email that's curtailed, it's the privilege to send it through that ISP that's restricted. Complaining about the lists themselves won't accomplish anything.

    ISPs who have contracts that don't allow them to block email don't use the RBLs, but many ISPs specifically retain the right to block email if they need or want to. As companies, it's in their interests to protect their bottom line, and spam email is a bandwidth and storage killer. We won't see those lists go away until a better way of stopping spam comes along.

    --
    Electronic Frontier Foundation for online civil rights information
  41. Re:What's wrong with voluntary collective solution by Dredd13 · · Score: 2
    The problem is that they are NOT typically voluntary by the people to whom it matters -- the email recipients. If an ISP wants to offer a service to block spammers, then it should be up to the individual to opt-in to the blocking.

    It IS voluntary... the customer continues to pay the ISP each month for service.

    If an ISP decides that "the cost of accepting mail from $ROGUE_SENDER_NETWORK is too high for me to accept", that's the ISP's decision, not the end user's. If you want "unfiltered" mail, you should be prepared to pay MORE for that service, because it costs your ISP more, in terms of bandwidth, disk space, etc.

  42. Re:You're both wrong. by Dredd13 · · Score: 2
    You cannot opt into or out of MAPS as an end-user,

    Sure you can. Change to an ISP that doesn't use MAPS. Free market economy at work. No company HAS to do what you tell them to. Find one who behaves the way you want them to.

  43. Re:Windows by BadDoggie · · Score: 2
    Does anyone know of an E-Mail server that works under Windows?

    Mailtraq. Good software. It has no trouble handling offices with 1,000 boxes and can hook up to any provider using SMTP or POP. Good rules sets, accounts, fairly easy to set up, blah blah blah. A search on Google will bring back a lot of third-party info on the software, its configuration and more.

    woof.

  44. I would appreciate this more... by devphil · · Score: 4, Insightful


    ...except I can already hear nothing (because your message is lost in the thousands of spam emails in my mailbox) and say nothing (because the line is clogged with traffic).

    When we're trying to hold a useful meeting, and everybody's yelling and screaming to try and make themselves heard, the guy at the front pounding the gavel isn't trying to deprive me of the First. He's trying to insure that I still have the right to speak and not be drowned out. He's asking for silence to restore order, so that we can resume speaking.

    The mailing lists hosted by the FSF don't use any spam filters. At all. Now, go look at this month's archives of the binutils bug-reporting list and wonder how they manage to get any work done. (I have to hope the individual developers use filters.)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  45. Re:What's wrong with voluntary collective solution by Reality+Master+101 · · Score: 2

    Then like I said... if an apartment complex decided that "the cost of accepting mail from J.C. Penney catalogs is too high for me to accept", should they have the right to just dump the catalogs into the trash and not give them to the recipients? Without even their knowledge? Just find another place to live, right?

    Right now federal law says no -- you do not have the right to interfere with the delivery of postal mail. I see no reason why e-mail shouldn't be afforded the same protections.

    --
    Sometimes it's best to just let stupid people be stupid.
  46. John Gilmore (-1 Flamebait) by Vainglorious+Coward · · Score: 5, Informative

    I support the EFF (inc. with money) but I can't help suspect that John Gilmore's own personal desire to operate an open relay has significantly influenced the EFF into slamming MAPS and praising Brightmail. Has JG's machine just been added to MAPS or something?

    I entirely agree that ISPs should not be filtering email without notice or consent and that "end-user" tools are the best solution, but I disagree vehemently that a spammer's right to "free speech" overrides my right to accept or deny data arriving at the edge of my network, for whatever reason I decide, including irrational reasons. I can and will use any tools at my disposal to control what enters (and leaves) my systems. The problem with end-user solutions that live in the mail client is that by the time spam is deleted, the resource cost has already occurred. I much prefer to simply drop connections that I don't want; it still costs me a little bandwidth but I don't waste the disk space and processing cycles that I would if I accepted the spam.

    Free speech for everyone is all very well, but the galling thing is that most spam is *deceptive*, using falsified return information or deliberately implicating other innocent third parties. I would settle for allowing all mail to come in iff I can pursue claims for fraud against those who won't play nice. Since this is unlikely to happen any time soon, I'll keep my blocking techniques, thank you very much, and I won't be shedding any tears over the "free speech" rights of spammers - I simply don't recognise any innate "right" to practice deception, especially when it's at my own expense.

    --
    My next sig will be ready soon, but subscribers can beat the rush
    1. Re:John Gilmore (-1 Flamebait) by MikeBabcock · · Score: 2

      I'm going to ignore most of your message because the first paragraph shows a lack of understanding so deep that your message can't be useful to me.

      Read how those filtering systems work. Using the time-based or sender-based hashes means the user's E-mail doesn't have to be verified before getting through. Leaving your E-mail lying around for people to pick up and having a 3 month hash on it will prevent the spam that comes a year from now from long-term collection bots ... read how the tools work.

      --
      - Michael T. Babcock (Yes, I blog)
    2. Re:John Gilmore (-1 Flamebait) by MikeBabcock · · Score: 2

      I agree that Gilmore is wrong on the issues, but I agree with the EFF on freedom of speech vs. spam. I don't think that spam is protected speech, but I do think that MAPS blocks E-mail and E-communications too arbitrarily to not be abusing peoples' free speech.

      I was responding to your post about whitelists as I remember it now and my comments on hashes were w.r.t. that.

      --
      - Michael T. Babcock (Yes, I blog)
  47. Silly EFF by seebs · · Score: 5, Interesting

    Freedom means the government can't tell you to shut up; it doesn't mean I have to listen to you.

    Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.

    That's not free speech. Free speech is the right to say things that people don't like - not the right to say things at no cost to yourself, to people who don't want to subsidize you, in their private space.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  48. Re:Amount of SPAM question... by Todd+Knarr · · Score: 3, Interesting

    I don't know how authoritative this is, but my old ISP (XMission in Salt Lake City) had a page listing attempts blocked by the MAPS rules. They were blocking somewhere about 10-20 thousand attempts per day on average, with regular spikes into the 40 thousand range and occasional spikes into the 70-80 thousand attempt neighborhood.

    As a sanity check, they only flagged messages listed on ORBS and, for a while, only flagged messages listed on MAPS (until the spamload got too high). In 6 years, I got precisely one piece of mail that was ORBS-flagged that wasn't spam, and no non-spam with a MAPS-flag while MAPS flagging was in effect. Since ORBS is more aggressive in listing sites than MAPS is, this is sufficient evidence to me that at the very least the amount of non-spam incorrectly flagged by MAPS and/or ORBS was a small fraction of the amount of spam they were catching.

  49. Enforcement, not prevention. by blair1q · · Score: 3, Interesting

    Trying to prevent spam is like trying to prevent the diffusion of flatulence through the air.

    You can't.

    But, human beings have the ability to reason and match patterns in history to patterns in planning. And if they see masses of spammers being investigated and tried and sentenced and punished, that's a pattern that will be strong in their history.

    Spam is not a violent crime. The inability to intercept it is not a detriment to public safety. But our apathy has led to the feeling among spammers that they can get away with it. By showing them they can't, they will for the most part stop trying.

    And it's very easy to enforce. Every spam necessarily includes directions on how to contact those who would profit from your participation. And they need to stay there in order to collect your request. So every spam is a notice to the authorities to go to this place and arrest these people. Their trial will sort out whether they are guilty or not.

    --Blair

    1. Re:Enforcement, not prevention. by blair1q · · Score: 2

      If nobody can get through to the spammer, nobody can provide him profit for his spam.

      He's self-defusing.

      Such problems are over the moment they start.

      > With the very low barrier to entry that spam presents, there's no way The Authorities could ever prosecute even a small percentage of spammers.

      Almost all crime has a low barrier to entry. Militant tolerance of it creates the problem.

      High-profile prosecution of the ones you can catch goes a long way toward discouraging the naff attempts. But when was the last time you saw anyone pilloried on the nightly news for UCE?

      --Blair

  50. An absurdly significant amount of time? by devphil · · Score: 2


    Huh. Most of my procmail-using friends started their antispam recipes by downloading one of the fifty or so publicly available ones, recommended for such a purpose. Then they tweaked as necessary -- I think some of them never needed to tweak. The resource collection you speak of already exists.

    (I had to start from scratch, because I started using procmail way early.)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  51. ISP's only need to provide connectivity by jesterzog · · Score: 2

    If ISP's were owned and operated by governments for the purpose of delivering email, I'd agree with you. But because they're commercial entities who have an independent agreement with a user, I don't personally have a problem with blocking email.

    ISP's provide Internet connectivity. If and when they provide a pop3 server (or something else) to relay people's mail, it's an added bonus.

    I don't know if MAPS is the way to go or not, but IMHO anything criminal should come from the ISP breaking an agreement with the user - not just automatically determined by a government. There are lots of reasons why an ISP might not want to agree to deliver all email in the first place, and governments shouldn't require them to because of their business category. If there's an arrangement with users that says the ISP should deliver a person's email, and they don't carry that out, then there's a problem.

    Hopefully that's a normal part of most ISP agreements, but I don't know for sure. I don't like it that lots of ISP's use MAPS without properly informing their users what's going on so people can decide.

  52. Re:The Internet is a free-market information servi by Detritus · · Score: 2

    No, because they can legally fire you for almost anything except the protected categories of race, religion, gender etc. It's called "at will" employment.

    --
    Mea navis aericumbens anguillis abundat
  53. Re:What's wrong with voluntary collective solution by Dredd13 · · Score: 2
    if an apartment complex decided that "the cost of accepting mail from J.C. Penney catalogs is too high for me to accept

    Since an apartment complex doesn't bear any of the burden for US Postal Service delivery, you're using a bogus argument.

  54. You might not like MAPS, by Bender+Unit+22 · · Score: 2, Insightful

    but it sure does keep a lot of junk away from my mail server. I have tried to disable it, but as soon as I did that, tons of junk mail got through. I don't really care if it should filter a few wrong mails, the alternative for me would be not to use email at all.

    1. Re:You might not like MAPS, by taustin · · Score: 2, Interesting

      If you're an end user, the EFF paper completely and totally supports your right to use whatever you want, including MAPS, to filter your own email.

      If you're providing mail service to others, you are making that decision for them, probably without their knowledge or consent. That is what they take issue with.

  55. To: ask@eff.org Subject: RBLs by benedict · · Score: 2

    In my opinion as a systems administrator (and, incidentally, contributor to EFF), you guys have lost the plot when it comes to spam.

    RBLs, databases of open relays in particular, are excellent tools for preventing spam. They are content-neutral and are designed only to penalize systems that misconfigure their mail servers. I have seen numerous instances where customers or employees of organizations with misconfigured systems have successfully applied pressure to management to get the mail systems configured correctly.

    Remember, there are often business pressures to maintain an open relay. Management doesn't understand the issue, so they're reluctant to expend resources on it. Customers balk at use of SMTP AUTH or POP-before-SMTP. The pressures, in short, point to a tragedy-of-the-commons type of situation.

    Open relay databases change the balance of pressures. They enable victims of spam to provide feedback to the organizations that maintain open relays, telling them: if you don't stop enabling others to consume my resources without permission, then your ability to communicate with others will be negatively affected. They enable victims of spam to act as a bloc.

    Example.com, my employer, enables our customers to use or not use MAPS' "RSS" open relay database at their discretion. Example.net, a site for which I volunteer, uses the ORDB open relay database for all users, for many reasons; but only after determining that the consensus of the users was for such a measure. [Domain names were changed here because I felt like it. They were real in the email I sent.]

    Your suggestion of a boycott of spamvertised products is quite naive. The cost of advertising through spam is so low that it takes very few sales to recoup.

    Your suggestion that the Constitution of the USA is relevant to RBLs also seems weak to me. Private entities are not generally bound by restrictions on the behavior of governments. As an owner and operator of network equipment, I have the right to deny others the ability to use that equipment to send advertisements at my expense. I'll refrain from quoting the hackneyed line about freedom, fists and noses, but you get the idea.

    --
    Ben "You have your mind on computers, it seems."
  56. Re:The Internet is a free-market information servi by benedict · · Score: 2

    I wouldn't, because I know I'd lose. If you work in the U.S.A., you might be well-served by reading up on employment law a little bit.

    --
    Ben "You have your mind on computers, it seems."
  57. Re:procmail shmockmail by fmaxwell · · Score: 2

    Also, I have learned the fine art of filtering(right).

    I have a good e-mail filtering system in place and I rarely see more than one or two spams per day while it filters probably 30 in the same time frame. But I also send complaints to get the spammers shut down. That takes time, but it's necessary if we don't want e-mail to become as worthless as Usenet newsgroups.

    however it is quite simple to just look over the absolutely obvious ie: "Cum slurping coeds hot for you!" and just get on with work.

    Isn't that always the argument for spam? "Just hit delete" say the pro-spam advocates -- ignoring the hidden costs that we all pay in higher ISP fees. That may be a fine answer for you, but wait until some devoutly religious woman complains to personnel because she gets 10 porn spams per day at the sale@ e-mail address that she answers.

  58. Re:Amount of SPAM question... by Todd+Knarr · · Score: 2

    Having checked, I have to update this. The average is now about 20-40 thousand attempts from MAPS-listed sites blocked per day, with occasional dips down to 15 thousand or so. This out of an average volume of 200 thousand pieces of mail per day.

  59. Re:The Internet is a free-market information servi by dillon_rinker · · Score: 2

    Imagine this - your employer tells you that you will be fired because you said "GET LOST!" to your boss. (freedom of speech)

    Imagine this - your employer tells you that you will be fired because you said "YA MORON!" to a customer. (freedom of speech)

    Imagine this - your employer tells you that you will be fired because they searched your desk and found cocaine. (freedom from unlawful search or seizure)

    Imagine this - your employer tells you that you will be fired and you are not able to appeal the decision to anyone. (due process)

    Imagine this - your employer tells you that because someone else says you stole from the company but won't tell you who. (freedom to confront witnesses against you)

    Imagine this - the government says that your employer, a private citizen, can't fire you. (freedom of association).

    Governments are more restrained than private citizens.

  60. Re:To: ask@eff.org Subject: RBLs by taustin · · Score: 2, Interesting

    Your suggestion that the Constitution of the USA is relevant to RBLs also seems weak to me. Private entities are not generally bound by restrictions on the behavior of governments.

    Federal case law on the anti-fax spam statute says otherwise. When it was challenged constitutionally in Destination Ventures vs. FCC under the 1st Amendment, it was ruled constitutional because it limited only unsolicited commercial faxes. Based on Supreme Court case law, the court felt it would be unconstitutional to limit any other form of fax-based speech, unsolicited or not.

    So, while the anti-spam types say "content doesn't matter," the law says otherwise.

  61. Re:The next DMCA/"Patriot " bill waiting to happen by Anonymous Coward · · Score: 3, Interesting
    Making falsified return addresses a punishable offense has the side effect of rendering anonymous communications illegal.

    No. Saying "don't lie about your return address" does not equal "you must disclose your return address". "I don't want to tell you" is not fraud. And all it requires technically is something like an anonymous remailer (which even still allows for replies).

    It's perfectly possible for someone to get unsolicited mail from someone, ask them to not mail them again, and get compliance for that request, while never revealing to the recipient who the sender is.

  62. Re:To: ask@eff.org Subject: RBLs by benedict · · Score: 2

    Assuming you have your facts straight, the court felt it would be unconstitutional for *the government* to limit non-commercial speech in that context. RBLs are a measure taken entirely by private entities. The government is not involved. Therefore, the First Amendment is unlikely to be applicable.

    --
    Ben "You have your mind on computers, it seems."
  63. MAPS is good for *sorting* not for *rejecting* by ClarkEvans · · Score: 2, Interesting

    Exim allows MAPS and other DNS based black lists to be used to mark e-mails. Then procmail can be used to filter those e-mails. This I have found to be very useful.

    Further, legislation should be in place that unsolicited e-mail gets an extra header "unsolicited: yes" or something like that so that I can filter better. Those that don't fill in this header should be liable for damages. Also, a flag for sexual content would be good as well.

    Clark
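
The tag-then-sort approach described in comment 63, as an added Python example (not code from any poster, Exim or procmail): the connecting IP is looked up in a DNS blacklist, a listed sender gets a warning header instead of a rejection, and a later filter step sorts on that header. The zone `dnsbl.example`, the `X-DNSBL-Warning` header, all function names and the resolver table are assumptions constructed for illustration.

```python
import ipaddress
import socket
from email import message_from_string
from email.message import Message
from typing import Callable, List, Optional

ZONE = "dnsbl.example"           # placeholder zone (assumption), not a real list
TAG_HEADER = "X-DNSBL-Warning"   # hypothetical header name chosen for this example
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Local addresses that should never be sent to an outside list.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

Resolver = Callable[[str], List[str]]  # DNS name -> A-record strings ([] if none)


def dnsbl_query_name(ip: str, zone: str = ZONE) -> Optional[str]:
    """IPv4 a.b.c.d becomes d.c.b.a.<zone>; IPv6 uses its 32 reversed nibbles."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return None
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(ip: str, resolve: Resolver, zone: str = ZONE) -> bool:
    """Listed only if the zone answers with an address inside 127.0.0.0/8.

    Any other answer (for example a wildcard on a parked or expired zone)
    is ignored, so a dead list cannot mark every sender as listed.
    """
    name = dnsbl_query_name(ip, zone)
    if name is None:
        return False
    for answer in resolve(name):
        try:
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                return True
        except ValueError:
            continue  # malformed answer: treat as no answer
    return False


def tag_message(raw: str, connecting_ip: str, resolve: Resolver,
                zone: str = ZONE) -> Message:
    """Deliver every message; add the warning header only for listed senders."""
    msg = message_from_string(raw)
    del msg[TAG_HEADER]  # drop any copy the sender supplied; only we set the tag
    if is_listed(connecting_ip, resolve, zone):
        msg[TAG_HEADER] = f"{connecting_ip} is listed in {zone}"
    return msg


def choose_folder(msg: Message) -> str:
    """The per-user sorting step: the recipient, not the server, decides."""
    return "suspect" if msg[TAG_HEADER] is not None else "inbox"


def system_resolver(name: str) -> List[str]:
    """Live lookup through the system resolver; lookup failure means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample data so the example runs offline.
SAMPLE_ANSWERS = {
    "2.2.0.192.dnsbl.example": ["127.0.0.2"],      # a listed sender
    "9.113.0.203.dnsbl.example": ["203.0.113.50"],  # answer outside 127/8
}
SAMPLE_MAIL = ("From: sender@example.org\nTo: user@example.net\n"
               "Subject: hello\n\nBody text.\n")


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.2", "203.0.113.9", "198.51.100.7", "10.1.2.3"):
        folder = choose_folder(tag_message(SAMPLE_MAIL, ip, sample_resolver))
        print(f"{ip:>14} -> {folder}")
```

Because nothing is rejected at SMTP time, a false listing costs the recipient a look in the "suspect" folder rather than a lost message.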

  64. Re:What's wrong with voluntary collective solution by Dredd13 · · Score: 2
    Where? I've yet to live anywhere in the US where the USPS would allow anyone but themselves to come between the mail and the recipient. (in fact, it's a law that they can only deliver to the recipient, which would seem to rule out delivering to an apartment complex mailroom.. the only exception I can think of from experience is mail delivery to APO/FPO addresses, but that gets handed off to "a different Federal agency", the military. ;-) ).

    Even when I've lived in high-rise apartments or private gated apartment complexes, the guy or gal who got my mail to me wore the USPS uniform.

  65. A cool experiment by Cardhore · · Score: 2

    A cool experiment would be to set up an e-mail address and try and see how much spam it can get.

  66. EFF has it wrong by Burdell · · Score: 2
    The EFF says: And anti-spam blacklists, such as the MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List, the most popular), result in a large number of Internet service providers (ISPs) surreptitiously blocking large amounts of non-spam from innocent people. This is because they block all email from entire IP address blocks--even from entire nations. This is done with no notice to the users, who do not even know that their mail is not being delivered.

    Inaccuracies:
    1. "surreptitiously blocking": I have not run across an ISP that won't tell you they use MAPS
    2. "entire IP address blocks": The MAPS RBL and RSS lists list the IPs of individual servers, not large blocks. The only MAPS list that lists large blocks is the DUL (Dial-Up List), which lists IP blocks of dial-up users (voluntarily contributed by ISPs to help block direct-to-MX spam).
    3. "even from entire nations": IP blocks are only somewhat assigned according to international boundaries (and see previous entry about large IP blocks).
    4. "no notice to the users": Most ISPs will announce that they use MAPS and other anti-spam methods to their users because it shows that the ISP is trying to do something about the spam their users hate.
    5. "who do not even know that their mail is not being delivered": The typical use of the MAPS lists causes messages to be rejected, so the sender is notified that their message was not delivered. Also, some server admins configure their mail servers to tag messages instead of rejecting them (so they are still delivered, but users can filter on the tag in their mail client).
    And that is just the second paragraph.

    Email is not protected speech, anymore than snail mail is. Senders don't have the right to force recipients to read their mail. The owner of the recipient's mail box (the US Government in the case of US snail mail) has the right to decline to deliver some types of mail. There are quite a few things that the US Post Office won't deliver (including "suspicious" packages). A package may be suspicious because it has no return address and white powder leaking out, or it may be suspicious because of where it originated (be it a post office in New Jersey or a mail server at a particular IP address).

    Another comparison can be made to the telephone system. I recently added a feature on my telephone service that blocks "unknown callers" (people, usually telemarketers, that don't allow their caller-ID information to be sent). Those calls are blocked at the carrier. The US Post Office and the telephone companies are "common carriers" and have to carry most communication, but they are allowed to block some. ISPs are not common carriers; they can refuse to carry whatever they don't like.

    The MAPS RBL also rarely (if ever) blocks "legitimate" mail. The servers on the RBL are the servers for large spam houses that are repeat offenders and refuse to do anything about it. The RSS list does hit some legitimate email, but not much. These are lists of irresponsible mail servers. Just as it is irresponsible to yell "fire" in a crowded theater, it is irresponsible to run a mail server that allows third party relay.

    There are some other DNS based blacklists that do get more "collateral damage" (sometimes intentionally). Guess what: they are not nearly as widely used as the MAPS lists. ISPs want to deliver legitimate email, because not doing so will cause unhappy customers (or no customers). However, at the same time, customers are screaming at ISPs to get rid of the spam, so each ISP has to make up its own mind as to what steps it will follow to answer the demands of customers.

  67. Spam is one of the most complex issues by btempleton · · Score: 5, Insightful

    It sits at the intersection of property rights, free speech and communications rights and privacy rights.

    Amazingly, because of this, many of the people writing here with opposite positions may both be right.

    I've written extensively on this and have a collection of essays on my web site, though they are not all endorsed by fellow EFF people. As you might expect, with such new and contentious issues, no group, not slashdotters and certainly not the EFF, finds itself of a single mind.

    Those who have written that the first amendment applies only to government action are correct. However, the principles of free speech apply universally, if you defend them. Private actors do have their right to block speech, but this does not make such actions immune from criticism by free speech advocates.

    Instead, I look to define good principles by which we private actors might govern ourselves. There are many good lessons in the free speech principles to which we have held governments.

    Amongst the principles (not just in free speech) is the protection of the innocent. That you don't punish the bystanders to get at the guilty. Private actors usually have the right to do that, but it need not be lauded.

    Unfortunately, and I think this sits at the soul of problems with MAPS, blacklists tend to operate that way. I know many are aware of this, but have decided that blacklists are the only way, and so a few innocents must be punished to stop spam.

    This is of particular concern when the area is communication.

    People do have the right not to listen to any communication, but this is a very simple statement about a complex issue. There is much to be said about how they should exercise that right.

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation
    1. Re:Spam is one of the most complex issues by Todd+Knarr · · Score: 2

      You're right, but there's one problem. You have a hard time blocking just the spammers from an ISP, and if you limit it to the spammers then the ISP has no motivation to do anything. The spammers keep paying them for new usernames and such, and the ISP doesn't suffer if it ignores the complaints since they're all coming from people who don't pay them any money. The only way to goad the ISPs into taking action against the spammers is if their paying customers start suffering and complaining because of the spammers, to the point where the spammers are costing the ISP more than they're paying the ISP.

      That's where MAPS and ORBL and such come in. They list ISPs who don't police their own userbase. They make it easy for other ISPs to refuse to do business with offending ISPs until the offenders do police their own users. Call it a mass boycott of companies who won't play by certain rules.

      I think users should have the right to know which blocking lists, if any, their ISP uses. I disagree with the EFF that blocking lists are a problem, though. Blocking lists are, like boycotts, the solution to the problem. The problem is ISPs who tolerate customers who abuse the rest of us.

    2. Re:Spam is one of the most complex issues by btempleton · · Score: 2

      Indeed, I know why blacklisting is done. The question is a moral one, decided by where you stand on punishing innocents to protect your own mailbox.

      Some people do that knowingly, some without much thought. We do feel that when mail is blocked, it should be done publicly, and that there should be a duty (moral if not legal) for those who block ordinary non-spam mail in the cause of fighting spam to inform those whose mail is blocked.

      It is, though, always a tough question of ends and means.

      Should ISPs act to stop bulk email abuse by their users? Indeed they should. Should Joe Innocent user at an ISP that doesn't do this sufficiently find himself unable to send mail? His only sin was signing up for an ISP without knowing about, to him, a fairly obscure aspect of its email policies.

      This is a tough thing. Some feel that there is no other way. However "no other way" is a pretty bold claim. They really mean "no other easy way."

      I think there are ways to deal with spam, and even rogue ISPs, that don't block the mail of the innocent. Note that those can even include "blacklists" or "whitelists" that slow mail volumes so that single mails get through but bulk mail is throttled.

      I outline such a system on my spam site, though I need to give that site some updating.

      The EFF has mostly come out against two main things. One is SECRET blocking, and the other is the idea that punishing the innocent to get at the guilty is the right approach.

      Our system of justice is actually built on the principle that you let 10 murderers go free rather than jail one innocent man. Should we have a stricter standard for spammers?

      --
      Has it been over a year since you last donated to the Electronic Frontier Foundation
    3. Re:Spam is one of the most complex issues by Todd+Knarr · · Score: 2

      Well, I don't like having to block all mail from a domain just to get the spammers. But what other pressure can be put on the rogue ISPs to take action against spammers on their networks? If following up a complaint would cost you money and ignoring it wouldn't adversely affect your company at all, if the only standard your board of directors looks at is your financial bottom line which course would you take?

      I liken it to another course: if a car dealer is being used to fence cars because he refuses to do any checks on the provenance of the cars he takes in, should people buying cars who know about him only avoid the stolen cars he's selling or should they start avoiding his lot entirely?

  68. Spammers are terrorists by mckyj57 · · Score: 2

    I am afraid I have to disagree with the latest EFF position paper. So
    much so that my future contributions to the EFF will come under review.

    Spammers are like terrorists. They prevent me from using email like I
    want to, steal my time, and interfere with legitimate traffic. By
    distracting me with misleading subject lines and addresses, they
    interfere with my livelihood, as my work requires intense periods of
    concentration.

    IP blocks that allow spam are like countries which sponsor turn a blind
    eye to terrorism. If they refuse to stop their spammers, then their
    citizens must suffer by not being able to send email.

    For instance, no one sending from China can send me email. Why? Because
    China lets spammers run amok. If I allowed email from China, I would
    receive 100 more spam emails a week. I know; I have tried it.

    Filtering is a non-issue. The best filters that run no significant
    chance of blocking legitimate email are those of AOL, and we know how
    ineffective those are.

    Brightmail makes me jump through hoops -- I don't want to spend my time
    every day with it.

    Spammers are terrorists, and IP blocks that allow spam should be treated
    like countries which harbor terrorists. Forcing an airport to accept
    airplanes (or even snail mail nowadays) originating in Afghanistan is
    sheer stupidity; why is email any different?

    To the people who say "it only takes a couple of seconds to delete, it
    is worth it" I say -- WHO ARE YOU TO TELL ME WHAT TO DO WITH MY TIME?

    Let people sign up for AOL if they want all legitimate mail at the cost
    of mindnumbingly time-wasting stupidity.

    So say I.

    1. Re:Spammers are terrorists by kindbud · · Score: 2

      Spammers are like terrorists.

      Even Canter & Siegel declined to fly an airplane into a building to get attention.

      Get a little perspective, please.

      They prevent me from using email like I
      want to, ...


      The SMTP protocol prevents me from using email like I want to, for gods' sakes.

      IP blocks that allow spam are like countries which sponsor turn a blind
      eye to terrorism. If they refuse to stop their spammers, then their
      citizens must suffer by not being able to send email.


      Oh please. Grow up.

      --
      Edith Keeler Must Die
  69. EFF is Wrong here by bwt · · Score: 2

    The EFF position is summarized by this statement: Specifically, any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

    That statement is false. The right to speak does not include the right to have the attention of the listener. Would the EFF say that the mailroom at NBC that opens and filters Tom Brokaw's mail violates the right of the sender to reach Tom Brokaw? Hiring an ISP that uses blacklists is no different than having a mail room screen your snailmail.

    The listener is free to delete an email without reading it that arrives at his box. He is free to automate this process. He is free to automate this process dynamically by using information from a blacklist or any other method he chooses including rolling dice, racial profiling, or astrology. He is free to choose an ISP that automates this process for him. He is free to choose an ISP that automates this process for him by using dynamic information from a blacklist. These freedoms are inherent in the first amendment's right to receive information. What is not OK is for the government to mandate a filtering process, since this violates the listener's right to receive speech as well as the right of the sender to communicate with a willing listener.

    The right to free speech exercised by sending email is a right to attempt to attract the attention of the listener through that particular medium. It is not a right to obtain that attention (which would essentially be a right to involuntary servitude). The scenario that the EFF rightly fears is that the sender and recipient want the email to get through, but the ISP filters it in a way unknown to the recipient. The proper way to avoid this is to eliminate deceptive trade practices on the part of the ISP. All that is required is for the ISP to state its filtering policy up front and adhere to it.

  70. The other side of it by staplin · · Score: 2

    Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.

    I agree with you, but at the same time, this is a very tricky issue that impacts someone negatively no matter what you do. For a counter example, my dad can't email me at my work from his work, because my company uses a blacklist, and his work's clueless company has an open relay.

    In general, I support the idea of getting people to close their relays, but there just doesn't seem to be much of a "helpful" attitude to getting them closed. All my dad knew was that sending email to me at work was "broken"... the small note inserted in the headers didn't tell him anything meaningful, and they didn't tell him to refer the problem to the postmaster. It was only after he forwarded me a bounced message (at another provider) that I diagnosed his trouble and told him to see his admins.

    It seems that this approach to preserving free speech for some is limiting speech for others, even when they aren't directly responsible for the behavior that is being blocked in the first place. Maybe the strongarm is what is needed to effect a change, but there seems to be little help offered to the offending parties before they get blacklisted.

    Just my $0.02.

    1. Re:The other side of it by seebs · · Score: 2

      The question is, who really deserves the blame? I don't blame the police for the sirens; I blame the people who make it necessary for the police to drive quickly.

      Without blacklists, you might well lose a lot of this mail anyway - and other people would lose more. Is this solution ideal? No. However, the only ideal solutions to this problem involve killing spammers, and we can't do that.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  71. Re:What's wrong with voluntary collective solution by Trepidity · · Score: 2

    Well, my college at the very least has a mail-room that distributes mail - the postal service dumps it off in big bags, and student employees sort and put it in students' boxes. It's still illegal to interfere with the delivery of mail, despite the school bearing the cost to do it (through paying the students' salaries).

  72. Re:What's wrong with voluntary collective solution by Trepidity · · Score: 2

    It's not voluntary if the ISP is a government-granted monopoly, like the cable company. And with the way things are going lately, most people only have a handful of ISP choices available to them; if they all have the same policies, there is no choice.

    It's like saying AMD and Intel implementing some sort of filtering in their processors wouldn't be wrong, because hey, you can always make your own processor.

  73. Re:The Internet is a free-market information servi by Trepidity · · Score: 2

    The ISP market is not nearly as free as you indicate, especially as dialup service fades away and is replaced by broadband. In any given area, there are generally a handful of internet providers, depending on infrastructure available. Especially in areas where there is no DSL available (a large percentage) essentially the only choices are DirecPC satellite service or cablemodem through a government-granted cable monopoly. It would be my opinion that cablemodem companies should not be allowed to use things like MAPS, as their status as a government-granted monopoly prevents them from being able to claim they are private businesses free to do as they please.

  74. Second Gilmore in the same day by BlowCat · · Score: 3, Insightful
    When I noticed the story about Secret Cyber Court my first thought was: "Good that I didn't send my tax relief to EFF, Mr. Gilmore is insane". Then I realized that it's another Gilmore and thought - "well, maybe I should donate to EFF, they are good guys and will fight against cybercourts".

    Now I'm in doubt again.

  75. not a useful approach by jesser · · Score: 2

    Executive Summary: Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

    I'd much rather have my ISP _bounce_ the message, informing the sender that I did not receive the message, than have to set up filters to delete the message once it reaches my computer. I can't bounce the message myself, because that would inform the spammer that my address is active.

    There is a fundamental free speech right to be able to send and receive messages, regardless of medium. Unless that right is being abused by a particular individual, that individual must not be restricted.

    If you're using an ISP that has been blocked due to allowing spam (or not helping to find the individuals who spam using the service), you can switch to another ISP that hasn't been blocked. You cannot use a spam-friendly ISP and expect to be able to send messages to users at other ISPs.

    --
    The shareholder is always right.
  76. EFF position on Junk Fax? by Sodium+Attack · · Score: 4, Interesting

    I wonder if the EFF also believes that junk faxes should be legal--even though the anti-junk-fax law was upheld as constitutional when challenged on First Amendment grounds.

    --

    Never take moderation advice from sigs, including this one.

  77. Doesn't make sense. by Kasreyn · · Score: 2

    When someone stuffs junkmail into my physical mailbox, is EFF saying that is their free speech right? When I avoid getting my phone # / address listed in certain places to avoid snail mail and telephone spam, I'm not curtailing others' first amendment freedoms.

    If someone wants to put a message up on a bulletin board in a public place describing their pyramid scam on how to "$$$MAKE MONEY FAST$$$!!!!", then maybe that's their first-amendment protected speech. But that protection ends at MY borders. When someone is in my HOME, they do not have full 1st amendment rights. If I don't like what they are saying, I can tell them to get the fuck out. I see no difference between my home, my physical mailbox, and my email inbox. In neither case is it a public place. No stranger has the right to force his way into my inbox, fill it with spam, and then say "You HAVE to hear me out, the EFF says it's my 1st amendment right!" Unh-uh, buddy, it don't work that way. My private home and territory are private and *I* decide what speech occurs in them. And I include my inboxes in my territory.

    The EFF has picked the wrong fight here. Please, folks, I respect the good work you're doing upholding the Bill of Rights. But this one stands too much chance of alienating the techies who are the EFF's main means of support. Please, lay off. Not to mention the ridiculousness of supporting spammers, none of whom care about 1st amendment rights, and most of whom are fly-by-night scammers anyway. Please, EFF, find an underdog to champion who doesn't actually DESERVE to be an underdog.

    -Kasreyn

    --
    Kasreyn: Cheerfully playing the part of Devil's Advocate to hairtrigger /. flamers since 1999.
  78. Reductio ad absurdum by kindbud · · Score: 2

    If you're using an ISP that has been blocked due to allowing spam (or not helping to find the individuals who spam using the service), you can switch to another ISP that hasn't been blocked. You cannot use a spam-friendly ISP and expect to be able to send messages to users at other ISPs.

    You cannot use a spam-friendly telephone company, and expect to be able to make phone calls to customers of other telephone companies.

    You cannot use a spam-friendly bank, and expect to be able to wire money to customers of other banks.

    You cannot use a spam-friendly legal firm, and expect to be able to sue clients of other legal firms.

    Need I go on?

    --
    Edith Keeler Must Die
    1. Re:Reductio ad absurdum by jesser · · Score: 2

      It's possible to opt out of telemarketing, and a telemarketer actually has to spend money to advertise, so phone companies don't try to prevent telemarketers from making calls. I don't understand what you mean by a "spam-friendly bank" or a "spam-friendly legal firm": you can't send spam through a bank or a legal firm, so it wouldn't make sense to bounce e-mail coming through one.

      --
      The shareholder is always right.
    2. Re:Reductio ad absurdum by kindbud · · Score: 2

      I don't understand what you mean by a "spam-friendly bank" or a "spam-friendly legal firm": you can't send spam through a bank or a legal firm, so it wouldn't make sense to bounce e-mail coming through one.

      I'm glad you asked that question, because in fact, mail server addresses belonging to people who have no connection with spam, are in the RBL. They were unlucky enough to be the credit card company picked by a spammer to handle online transactions. Or perhaps they rented office space to a spammer. You really ought to go look at the archives for the rbl-nominate mailing list, and see what is being discussed there. Many of the MAPS contributors are seeking to cause deliberate collateral damage to people who never sent any spam, but who happen to be a spammer's banker, or provide some other business service to a spammer.

      --
      Edith Keeler Must Die
  79. Re:The Internet is a free-market information servi by aardvarkjoe · · Score: 2

    essentially the only choices are DirecPC satellite service or cablemodem...

    ...or a dialup. I've seen no evidence that dialups are going to suddenly disappear, even if they're becoming less important. Until the cable modem providers really do have a monopoly on internet access, they should be able to act as any other private business.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  80. Choice Statistics by _Sprocket_ · · Score: 3


    ISPs should just put their MAPS usage in their TOS, or even (if possible) allow the user to choose MAPS or not for their email accounts.


    This touches on a point that occurred to me while reading the EFF newsletter. It would be nice to have some enduser preference statistics.


    Anti-spam activists are often portrayed as some kind of out-of-touch net-nazi brotherhood by SPAMers and their supporters. They apparently hate commercial use of the internet and are hell-bent on depriving normal internet users from valuable information that they really want. At least, that's the impression I've gotten from reading some SPAMer's writing on the issue.


    Oddly enough, I haven't run into one customer, co-worker, or client that's said "I wish I got more valuable information about marketing opportunities and special offers in my inbox". They usually say "I hate spam. How do I stop it?"


    It would be interesting to give endusers the choice between protected/shielded/MAPS'd/etc service and wide-open email. I suspect it would provide data contrary to the SPAMer's points.

    1. Re:Choice Statistics by Jay+L · · Score: 3, Informative

      I don't have numbers, but here's some data:

      - When I worked on the AOL mail system, any time I met someone new - whether socially, in business, at the gas station, whatever - the first and only question they'd ask was how to stop the spam.

      - During periods where the spamblocks are less effective (because the spammers are ahead of the game), spam is by far THE NUMBER ONE COMPLAINT to Steve Case's mailbox and to Customer Service.

      And this is *after* scores of millions of spams have already been blocked each day.

      The strong libertarian/individualist/techie pull of Slashdot notwithstanding, the average American e-mail user just doesn't want their spam.

      I agree with others who said that ISPs should publicize the existence of their spamblocks, and it must be part of the Terms of Service. But to say that even if users agree to filtering, it should be illegal? I don't get it.

      Jay, the ex AOL mail guy

  81. Re:The Internet is a free-market information servi by Trepidity · · Score: 2

    I disagree - the cable modem providers are still being given a government-granted monopoly on a certain method of internet access, which also happens to be superior to the dialup method. When the government grants such a competitive advantage, the company cannot consider itself a "normal" private company.

  82. EFF fails to understand the concept of MAPS by CaptainSuperBoy · · Score: 4, Insightful

    Systems administrators who will not adopt the suggested anti-spam policies find themselves unable to deliver their non-spamming users' mail to recipients who are on systems that participate in blacklisting.

    The EFF, like many other groups, is incorrectly stating that MAPS is the organization doing the actual blocking of packets, not the ISPs. It is clear to me that if ISPs did not agree with MAPS' policies on what to block and with its history of questionable bans, then those ISPs wouldn't subscribe to MAPS. It is clear that ISPs see a benefit in using a blacklist, one that saves them money on bandwidth and support. Aside from the purely practical aspect, many feel very strongly about spam.

    The EFF stated that they wouldn't support a blacklist if it blocked one legitimate piece of e-mail. Aside from the fact that this is impossible, they don't seem to understand the reason that MAPS works. It wouldn't work if spam-friendly ISPs were free to sign up spammers, without any fear of ALL their traffic being blackholed.. In order for a blackhole to work, you have to block ALL of their users' traffic. Yes, it sucks if you are that user.. however, it may teach you a lesson that it doesn't pay to have a spammer one IP over from you. If ISPs don't deal with their spam problems, they are free to watch all their users go away.

    MAPS 'suggested anti-spam policies' are not overly demanding. They don't force ISPs to jump through hoops, they are reasonable requests to make. An ISP who subscribes to MAPS is saying, "I don't want to receive newsletters that are not confirmed opt-in. I don't want to receive mail from ISPs with open relays." Folks, that's not too much to ask for.

    Yes it's a strong arm tactic, but it's one or the other - strong arm, or legislation. The EFF believes that filtering at the user's end is the right way to deal with spam. Bullshit. Filtering doesn't stop them from using up my bandwidth. Filtering doesn't stop them from spewing all over the net, wasting the time of support staff nationwide. Until every last AOL box is filtered from receiving a single piece of spam, there WILL be suckers responding to this shit, and the spammers WILL get paid. Filtering doesn't stop spam support services, spamvertised web sites, or spamware companies.

    The EFF throws around that word, 'censorship,' like they don't know what it means. This worries me.. it is censorship if someone (correct me if I'm wrong, but censorship applies only to gov'ts) prevents you from voicing your opinion, or saying whatever you have to say. It is NOT censorship if I say to you, "I'm not going to listen to what you, or anyone from your ISP, has to say."

    As for legislation, illegal censorship prevents speech based on CONTENT. Legal restraint of speech, such as junk fax laws, prevents speech based on the METHOD of the speech.

    1. Re:EFF fails to understand the concept of MAPS by kindbud · · Score: 2

      The EFF, like many other groups, is incorrectly stating that MAPS is the organization doing the actual blocking of packets, not the ISPs. It is clear to me that if ISPs did not agree with MAPS' policies on what to block and with its history of questionable bans, then those ISPs wouldn't subscribe to MAPS.

      That is not clear to me at all. Did you know that IP blocks that have been on the RBL in the past, but have been long removed, are still largely useless because of ISPs that once upon a time installed local blocking rules based on RBL information, and never bothered to keep those rules up to date? MAPS policies state that once a mail site has cleaned up its act, it is to be removed from the RBL. So much for agreeing with policies.

      (correct me if I'm wrong, but censorship applies only to gov'ts)

      You're wrong. Censorship is denying another person the right or ability to speak their mind, regardless of who does it. In any case, censorship by governments is practiced all over the world, and is legal to varying degrees in most places, including the USA. Official censorship is regarded with the highest degree of suspicion, and the US public is afforded the greatest degree of protection from it by the 1st Amendment to the US Constitution. However, the government can still legally censor speech of private citizens in certain circumstances, such as when national security requires it. Why? Because other parts of the Constitution are just as important as the 1st Amendment, and also have to be respected.

      As for legislation, illegal censorship prevents speech based on CONTENT. Legal restraint of speech, such as junk fax laws, prevents speech based on the METHOD of the speech.

      The only problem with this line of reasoning, is that you cannot determine if something is spam without examining the CONTENT, whatever the method of transmission, be it fax or email.

      Junk fax laws are on their face, prior restraint of speech. The lawmakers knew this, and so did the supporters of those laws. That's not to say they are a bad idea, but only that they impose prior restraint on speech (if they didn't they wouldn't be very effective! ;). There's a balancing act that must be performed here, so that the 1st amendment is treaded upon as lightly as possible, while still addressing the problem. The legislators of anti-junk-fax laws decided that the costs of receiving the junk faxes was unfairly being borne mostly by the recipients, who have to pay for their paper and ink. But phone solicitation is not illegal because it uses no more resources than the recipient was already going to expend on having incoming phone service in the first place.

      There's a similar significant difference between a junk fax and junk email, as there is between junk faxes and phone solicitations. Most email users do not pay extra for incoming emails, especially in the US. They would pay the same amount for their internet service, whether they receive no spam, or thousands per month. This cost/benefit analysis MUST be part of any anti-spam legislation, just as it was for the anti-junk-fax legislation.

      I believe the costs of prior restraint on email communications are much higher than the cost of leaving spam legal. The answer to this problem really has to be the oft-repeated "JUST HIT DELETE".

      --
      Edith Keeler Must Die
    2. Re:EFF fails to understand the concept of MAPS by kindbud · · Score: 2

      Spam filtering saves recipient ISPs millions of dollars a year in hardware and network costs.

      Reference, please? Sounds reasonable, but that is not enough. Do you know of a study that has been done?

      --
      Edith Keeler Must Die
    3. Re:EFF fails to understand the concept of MAPS by kindbud · · Score: 2

      But can you quantify the amount you saved, even approximately?

      --
      Edith Keeler Must Die
  83. Re:procmail shmockmail by prizog · · Score: 2

    How do you think that women in the workplace feel when they get "Cum slurping coeds hot for you!" e-mail just because they answer the mail for sales@companyname.com

    And you think men feel any better? Nobody likes porn spam.

  84. Pointing out the obvious by kindbud · · Score: 2

    Free speech for everyone is all very well, but the galling thing is that most spam is *deceptive*, using falsified return information or deliberately implicating other innocent third parties.

    Canter & Siegel, perhaps the most notorious Usenet spammers, did not hide their identity until people began attacking them directly. Spammers did not go underground until the anti-spam community decided to attach a cost to playing out in the open. Spam was easy to block before the anti-spam crowd raised the stakes and sent the spammers off to devise ways to make their messages evade detection.

    Of course, after five or six years of escalation, it is hard to tell what has affected what, or how effective current measures are, relative to the past.

    --
    Edith Keeler Must Die
  85. Are some anti-spammers going too far? I think so. by Skapare · · Score: 2

    Since I run my own servers, I have a right to choose who I will communicate with, and who I will decline to communicate with. I certainly don't want to receive spam from spammers, so I feel just fine about blocking it. Services like MAPS started out helping me do just that. However, it has turned into something else.

    MAPS goes beyond just blocking spam. It attempts to influence other aspects of how business is performed. Examples of this include blocking an entire ISP just because a spammer connects through them, even if the spammer has a dedicated network connection with a static netblock registered via SWIP with ARIN. They also block mail from ISPs that don't host spammers, but host the web site mentioned in spam, even if the site owner was not the sender of the spam. They even go so far as to block things other than mail.

    If a spammer is completely cut off, they just move on to the next ISP. They may even falsely represent what they are doing to make sure they get connected. In some cases they start their own ISP front operation to get backbone connections. But they do get back online, and they do evade for a while the information that blocks them, and we end up getting a little more of their spam.

    If instead, we simply cut ourselves off from those spammers who we can reliably cut off (those that have a static netblock and stay with it), they won't be motivated to move on (as much), and our efforts to block them will be more effective for a longer time for us.

    Some people know me as an avid anti-spammer who really hates spam. I really do hate spam. But I prefer not to have to keep chasing a moving target. If a spammer wants to settle down to a fixed location which I can block from my servers, I'm all for that. This is the way I want to block spammers. The trouble is, finding zone data that limits itself to just this is difficult.

    Too many anti-spammers are aiming more to change behaviour and thought, than to just isolate themselves from spammers. As well intentioned as that may be, it is simply not going to work because humans don't really change very much. Most spammers are still spammers at heart (they may have quit for a while, but they are still spammers through and through). Most terrorists are terrorists for life. Most child molesters are child molesters for life. There are simply some bad people and we really can't fix that in most cases, however hard we try.

    This doesn't address other kinds of spam like that which comes through open relays and that which comes from dynamic address pools for DSL, Cable, and dialup. Those still need to be dealt with in appropriate ways. The ISPs need to determine who definitely won't spam, and everyone else has to use the ISP mail server for outbound mail. Open relays can be blocked when they are found. Dynamic pools can be blocked when they are found if the ISP doesn't want to do it themselves.

    And for sure, web sites with those insecure mailform scripts do need to be cleaned up. I block their outbound mail server.

    I also block SMTP connections from servers which do not have valid reverse DNS. This has been very effective in blocking spam, including "spamhaus" operations (who probably can't get a decent admin to come work for them). So far not too many sites sending legitimate mail have this problem. So far this has resulted in 5 cases of legitimate mail being blocked. Of these, 3 fixed the problem, 1 did not answer, and 1 has Qwest for upstream and Qwest isn't delegating things to them correctly.

    Postfix does support subject and header based string match blocking. But it is not terribly effective. I do use it for a few terms, but too often I find it rejecting legitimate mail, so I have to keep it lean, making it not so effective. Thus I do have to continue direct blocking mechanisms. I don't expect procmail to be all that effective in blocking spam, either, but it does have the advantage of being customizable to what you don't want to get.

    --
    now we need to go OSS in diesel cars
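
The reverse-DNS check described in the comment above, as an added example that is not part of the original post and is not Postfix's code. It assumes "valid reverse DNS" means forward-confirmed reverse DNS; the function names and all DNS data are constructed for illustration, and a broken reverse delegation (the Qwest case mentioned above) is modelled as a temporary failure so it can be deferred rather than rejected outright.

```python
import ipaddress

# Constructed DNS data: documentation address ranges and example domains only.
PTR = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.20": ["host.example.net."],     # forward record points elsewhere
    "198.51.100.7": ["ghost.example.com."],  # PTR name has no address record
}
ADDR = {
    "mail.example.org.": ["192.0.2.10"],
    "host.example.net.": ["203.0.113.5"],
}
# Client whose reverse zone is not delegated correctly: the lookup fails
# (SERVFAIL or timeout) instead of returning a clean "no such record".
BROKEN_REVERSE = {"203.0.113.99"}


class TempFail(Exception):
    """The lookup could not be completed; the answer is unknown, not 'no'."""


def lookup_ptr(ip):
    """Hypothetical resolver stub: IP address -> list of PTR names."""
    if ip in BROKEN_REVERSE:
        raise TempFail(ip)
    return PTR.get(ip, [])


def lookup_addr(name):
    """Hypothetical resolver stub: host name -> list of addresses."""
    return ADDR.get(name, [])


def check_client(ip, ptr=lookup_ptr, addr=lookup_addr):
    """Classify a connecting client as accept / defer / reject.

    'defer' maps to a 4xx SMTP reply (sender retries later),
    'reject' maps to a 5xx reply (sender gets a bounce naming the reason).
    """
    client = ipaddress.ip_address(ip)
    try:
        names = ptr(ip)
    except TempFail:
        return ("defer", "reverse lookup failed temporarily")
    if not names:
        return ("reject", "no PTR record for client address")

    saw_tempfail = False
    for name in names:
        try:
            forward = addr(name)
        except TempFail:
            saw_tempfail = True
            continue
        # Compare parsed addresses so textual variants (IPv6) still match.
        if any(ipaddress.ip_address(a) == client for a in forward):
            return ("accept", "verified as " + name.rstrip("."))
    if saw_tempfail:
        return ("defer", "forward lookup failed temporarily")
    return ("reject", "PTR name does not resolve back to client address")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7",
               "203.0.113.99", "192.0.2.200"):
        print(ip, *check_client(ip))
```

Deferring on lookup failure keeps a legitimate sender with a misdelegated reverse zone in the retry queue while the delegation is fixed, at the cost of also delaying the verdict for hosts that will never pass.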
  86. MAPS attitude problems by Skapare · · Score: 2

    Recently MAPS switched to a paid service, with the option of still being free for hobbyists (lots of /.'ers would qualify for that) willing to sign an agreement. Now I'm running a service which doesn't qualify as a hobby. And I was willing to pay for the service for a while. I wrote to them twice before the cutoff date of 31 July 2001, and twice again afterwards, about arranging services. I have never received a reply. So at this point I'm assuming the people at MAPS simply don't care. It seems to me they have a very arrogant attitude. So I'm just writing them off, and will be cheering when they finally become a dot.com.bomb.

    --
    now we need to go OSS in diesel cars
  87. Message I sent to EFF in re spam by shalunov · · Score: 2

    Stanton McCandlish writes:

    Executive Summary: Any measure for stopping spam must ensure that all
    non-spam messages reach their intended recipients.

    As an EFF member and supporter, I would like to state as clearly as
    possible: You don't speak for me when you say this. I am opposed to
    your position on spam.

    You raise a number of valid points. The crux is that users might have
    their mail filtered without knowledge. This is undesirable. Users
    must be told what is happening with their incoming mail and under what
    circumstances it can be bounced. However, it's fine for users to be
    able to choose to use any filtering system they like; including ones
    that have false positives (are there any that don't? even Brightmail
    with its human intervention has them).

    I personally don't use any spam filtering. My position on spam is
    summarized at http://www.internet2.edu/~shalunov/nouce.html:

    I do not wish to receive any unsolicited commercial email or
    unsolicited bulk email (spam). I get on average 2.5 junk messages
    a day (and several hundred real messages).

    I never buy anything from a spammer. I never support a spammer in
    any way. I never reply to spam.

    I never disguise (munge, forge) my email address. (I find it
    inconsiderate to people who wish to send me mail; if we break the
    way email works, spammers win.) This doesn't apply to email
    addresses that are actually mapped to more expensive or more
    intrusive delivery mechanisms (fax, pager, etc.). I regularly post
    to Usenet and to numerous openly archived mailing lists with my
    real address.

    I always report all my spam, including spam I get through numerous
    mailing lists I am subscribed to (using Spamcop currently). I
    often call relevant parties in addition to sending electronic
    reports. I sometimes (rarely, because it takes time) place fake
    "orders" based on information provided in spam.

    This is my service to all people who use email. I consider this
    service useful. (And I only spend seconds per day doing it.)

    If you came here, you may be interested in my ideas on reporting
    spam and uce.el.

    However, ISPs are free to offer to their users optional spam-filtering
    services or even make them part of standard offering that users can't
    reject *as long as the users know how their mail is being treated*.

    Blacklists have been an effective pressure tool.

    ORBS et al. were what has really improved the situation with open
    relays: Without pressure of legitimate mail being rejected, far fewer
    people would fix their systems.

    It's one's right to refuse to accept mail from misconfigured systems.
    If they act as an open relay (or, in fact, if I feel like it), it's my
    right to not accept mail from them. If they are friendly to spammers,
    it's my right not to do business with them.

    I urge you to reflect this alternative point of view, which, I am
    sure, is shared by many technically-minded members of the EFF in the
    next issue of EFFector and on the website where this one-sided view is
    presented as an opinion of EFF as a whole.

    Sincerely yours,
    --
    Stanislav Shalunov

    A fanatic is one who can't change his mind and won't change the
    subject. -- Winston Churchill

  88. Your tired old arguments... by CaptainSuperBoy · · Score: 2

    ... have been repeated countless times.. by spammers.

    Did you know that IP blocks that have been on the RBL in the past, but have been long removed, are still largely useless because of ISPs that once upon a time installed local blocking rules based on RBL information, and never bothered to keep those rules up to date.

    How is this MAPS' fault? Any ISP that does this should know better.. Would it be a problem if I ran an ISP and blocked IPs on my own? Say, no packets to or from China? Of course not.. nothing wrong with that, unless my users start complaining. ISPs aren't a public service, they can do whatever the hell they want.

    That's not to say they are a bad idea, but only that they impose prior restraint on speech (if they didn't they wouldn't be very effective! ;). There's a balancing act that must be performed here, so that the 1st amendment is treaded upon as lightly as possible, while still addressing the problem.

    Never said that spam laws aren't prior restraint.. of course they are. So are obscenity laws, and harassment laws. Can I follow you around all day shouting obscenities? No? But it's OK for me to do that to your inbox?

    The legislators of anti-junk-fax laws decided that the costs of receiving the junk faxes was unfairly being borne mostly by the recipients, who have to pay for their paper and ink.

    As opposed to the costs of spam, which are paid up front by the spammers, who are happy to pay for the bandwidth they use, abuse staff salary, and wasted time of all the recipients. Oh wait, spammers don't pay for any of that. Forget what I said.

    Most email users do not pay extra for incoming emails, especially in the US. They would pay the same amount for their internet service, whether they receive no spam, or thousands per month. This cost/benefit analysis MUST be part of any anti-spam legislation, just as it was for the anti-junk-fax legislation.

    Bullshit. Maybe you're not aware of how much it costs to run an abuse department, or how much bandwidth spammers waste. AOL estimated that 30% of their e-mail traffic was spam. In addition, processing of mail along with filtering spam takes up CPU cycles. If you think that ISPs just eat those costs without passing them along to the consumer, well, who's being naive?

    In the US, it's true that most users pay a flat rate for Internet - the cost of spam is just rolled into that flat rate. However in many other countries, folks pay by the minute. I have received spam with 100, even 200k of attachments. In this case, the cost of spam is charged directly to the user.

    The answer to this problem really has to be the oft-repeated "JUST HIT DELETE".

    You've got to be joking.. this is a joke, right?

    I was too generous in my original post. I don't believe spam should be a protected form of speech - It's actually harassment. Spammers should be charged with harassment. I have had to ditch e-mail addresses due to the amazing amount of crap in my mailbox. (20+ spams a day? Would you like to 'just hit delete' on those, while making sure not to miss any important ones? And if you tell me to filter them, that isn't, and shouldn't be the user's responsibility.)

    1. Re:Your tired old arguments... by kindbud · · Score: 2

      I said:
      Did you know that IP blocks that have been on the RBL in the past, but have been long removed, are still largely useless because of ISPs that once upon a time installed local blocking rules based on RBL information, and never bothered to keep those rules up to date.

      Then you said:
      How is this MAPS' fault? Any ISP that does this should know better.. Would it be a problem if I ran an ISP and blocked IPs on my own?

      I never said it was MAPS' fault. I never said ISPs couldn't block whatever they wanted to. I was responding to your statement:

      You said:
      It is clear to me that if ISPs did not agree with MAPS' policies on what to block and with its history of questionable bans, then those ISPs wouldn't subscribe to MAPS.

      My point was that there are ISPs that supposedly agreed with MAPS' policies - that sites who clean up their act should get removed from the blacklist - but did not remove cleaned up sites from the blacklist. Therefore, they did not, in fact, agree with MAPS' policies, yet they used MAPS.

      This is one of the reasons why MAPS began several years ago requiring a signed agreement for any AXFR or BGP access. People were keeping stale MAPS data active, contrary to MAPS' goals. This was hurting MAPS, and still does.

      I said:
      The answer to this problem really has to be the oft-repeated "JUST HIT DELETE".

      You said:
      You've got to be joking.. this is a joke, right?

      No, it's just shorthand for saying only the recipient is able to judge what is and is not spam, precisely because it is his inbox that it's sitting in, and his decision as to whether it is annoying or interesting. It is shorthand for "use filters".

      Should an ISP filter its HTTP proxy to block sites that use pop-up ads? Hmmmm.... a lot of people are annoyed by those, and downloading them costs bandwidth, money, staff time to help hapless customers who call up with foistware removal problems, you name it.

      So should they? What is the difference, really?

      I need not point out that you can save a whole lot more money by doing the Sprint ION thing. Just don't take customers, if you aren't capable of running a customer service business efficiently.

      --
      Edith Keeler Must Die
    2. Re:Your tired old arguments... by CaptainSuperBoy · · Score: 2

      only the recipient is able to judge what is and is not spam

      I disagree.. the recipient is part of the spam problem. If 99% of spam recipients think it's spam, but there's that 1% that really wants that credit card/loan/porn/make money fast, is it spam? I guess you'd say it's not spam. I'm sure there are people out there who wouldn't be offended if you were to put XXX porn on the Jumbotron in Times Square. They are the minority, though. Most users by far consider spam a nuisance. It is not a legitimate marketing method. A lot of spam is fraud. Spam has to be stopped, and it really is for the good of that 1% who don't know better.

      Should an ISP filter its HTTP proxy to block sites that use pop-up ads?

      Nope.. that's very different from spam. Pop-up ads are initiated by an action of my choosing - visiting some site. If I stop going to that site, I stop getting the ads, and I stop paying for that bandwidth. On the contrary, receiving spam is completely out of my control.

  89. Re: Spam and free speech by MikeBabcock · · Score: 2

    I think the EFF is unfortunately right. If we allow independent groups who have no external accountability to create and administer lists like MAPS which, if used widely, can arbitrarily cut off a person's ability to communicate with the outside, we're setting ourselves up for very large freedom of speech problems.

    If a person is too loud and someone wanted them silenced, getting them onto all the MAPS-like lists by way of persuasion (in the future) might be a good method. Being able to silence that person on the Internet shouldn't be possible without public review -- that's why we have court systems for crimes.

    MAPS is too vigilante for the EFF is what it comes down to for me, and unfortunately MAPS-like services are very useful but I think closing down spammers themselves is a much better long-term solution.

    --
    - Michael T. Babcock (Yes, I blog)
  90. Absolutely by macdaddy · · Score: 2

    If you don't like it as a customer, take your business elsewhere. Simple as that.

  91. Re:The Internet is a free-market information servi by isdnip · · Score: 2

    Fact: There is no government-granted cable monopoly. There are two cable companies passing my house; I use one of them (AT&T), and my next-door neighbor uses the other (RCN). Municipalities have been prohibited by federal law from granting exclusive franchises since 1992; even before then, there were few exclusives. Financially, it is generally a lousy investment to be the second cable company in a given place, which is why overbuilding is so rare. But lack of competition does not equate to government monopoly.

    But in any case, if you want to regulate an ISP because it is so good, then what else do you regulate? If it MUST by law deliver me ten pitches a day to enlarge my penis size or get a mortgage from some crook, then what else must an ISP do by law? It would be a victory for lawyers (since ISPs would need a lot of them) but most ISPs would simply go out of business rather than be subject to regulation.

  92. Email to EFF by breser · · Score: 2

    Here's the email I sent to EFF yesterday:

    From: Ben Reser
    To: editors@eff.org
    Subject: Re: EFF on Spam
    Date: Wed, 17 Oct 2001 09:01:35 -0700

    On Tue, Oct 16, 2001 at 09:20:30PM -0700, Stanton McCandlish wrote:
    > Public Interest Position on Junk Email: Protect Innocent Users
    >
    > EFF Statement Regarding Anti-Spam Measures
    >
    > Executive Summary: Any measure for stopping spam must ensure that all
    > non-spam messages reach their intended recipients.
    >
    > ...

    I disagree greatly with your statement about Anti-Spam. It is clearly
    poorly researched. You make a number of statements that I find really
    odd. It is unfortunate that because of your inaccurate stance I may
    have to reconsider my continuing membership in EFF when my membership
    comes up for renewal.

    * System administrators are forced to adopt anti-spam policies. The only
    policy MAPS or ORBS seeks to have other admins adopt on their systems is
    to close their open relays and other ways for non-customers to inject
    email into their mail servers. While this may be inconvenient to some end
    users it is not difficult to be sure and select the correct mailserver
    to send your email. However, you make it sound like admins are forced
    into filtering with MAPS or ORBS. This is absolutely untrue. The use
    of any blocking system is entirely voluntary.

    * 50% of ISPs use blocking systems like MAPS or ORBS. This may have
    been the case in the past but most certainly is no longer the case.
    ORBS has changed hands recently and has a very uncertain future. Mainly
    because ORBS is controversial among administrators who feel that its
    proactive scanning is a violation of the internet norms of staying out
    of other people's systems. In the case of MAPS it has gone from a free
    service to a pay service. I know that they lost me as a site that was
    using them when they did this and I'm sure the vast majority of their
    users also haven't subscribed.

    * users are not being informed their email is not being delivered. This
    is clearly false. Users receive a bounce message explaining why the
    email was bounced and giving the URL of the blocking list organization.

    * Email is protected speech. It's a fundamental free speech right to be
    able to send and receive messages. Yes but it's also a fundamental
    right that I be allowed to reject messages. With telephones you can use
    a number of blocking technologies to attempt to keep out telemarketers.
    Many of these technologies will ultimately block people who are not
    telemarketers. You can choose not to answer your door when someone
    knocks. Free speech is not a guarantee that anyone has to listen to
    you. Only that you may speak. Blocking email is the same situation. I as
    a system admin have a right to block any traffic coming into my privately
    owned system.

    * Blacklisting isn't a magic bullet. Nobody ever said it was. It takes
    lots of different efforts to stop spam. No one effort will ever truly
    be 100% effective.

    * Filtering is good. Yes but you make it out to be a magic bullet.
    It's not, any more than blacklisting. To be precise you're talking about
    content filtering. Blacklisting is actually a filter. I use content
    filtering myself. However, it misses many many many pieces of spam and
    blocks some legitimate mail. It's no better than blacklisting in that
    respect. Further, quite a few content filtering systems are not set up to
    notify the sender that they were filtered.

    I believe that given further research into this issue and discussion
    with many system admins will paint you an entirely different picture. I
    strongly urge that you undertake said research.

  93. Antivirus also ? by AftanGustur · · Score: 3, Interesting


    Should the virus scanning-and-removal also be delayed until the end user receives the mail?

    What is the difference anyway, UCE or Viruses, both are unwanted (the 'U' in UCE) and eat up both the user's and the ISP's resources, time/disk space/cpu/bandwidth.

    I came to work once, and was greeted by 13000 bounces in my mailbox, somebody had discovered a client's open sendmail who forwarded everything to our backup MX server, who then sent it to the primary MX, who happily processed it ;-(

    Those who deliberately run open mail-relays deserve to be either blacklisted by MAPS or simply shot.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  94. Too simplistic by CaptainZapp · · Score: 3, Interesting
    On a larger scale, EFF supports combatting spam by providing end-users with adequate tools to filter unwanted messages on the receiving end.

    This is all fine and nice. It is a bit of a US centric view though, since (virtually) the rest of the world pays for their internet connection by the second.

    So if I filter on my end, I still pay for the downloaded crap, despite the fact that I never (want to) see it. A powerful, end-user-configurable filter directly at my ISP would be a different story.

    --
    I am the musician

    with a pocket calculator in my hand

    Kraftwerk

  95. The Problem With Not Rejecting Spam by cjs · · Score: 3, Informative
    The problem with local filtering is that if you automatically put spam in /dev/null rather than your mailbox, and a legitimate e-mail is misidentified as spam, it disappears and nobody knows about it. Whereas if you bounce it, at least the sender knows the message was never delivered.

    You can put it in a separate folder and examine, of course, but then you have to look at the stuff, so you might as well put it in your regular inbox. And you still stand the chance of missing a legitimate e-mail that looks too much like a spam.

    cjs

    --
    The world's most portable OS: http://www.netbsd.org.
  96. Alan's ORBS was a personal powertrip, new are rude by mr · · Score: 2

    First off, if you are the system admin, there is something called a logfile. What is nice about reading the logs and interpreting the logs is that it is your job. Had you read your logs, you would not need ORBS to tell you there was a problem.

    The ORBS run by Alan Brown used the entry tables as a form of 'punishment'. If you spoke out about how his methods were flawed, on the list you'd go.

    Two of the new ORBS are not much better, in the method department. (I don't know about the 3rd). Neither of the ORBS's can produce copies of 'spam' coming from my box when asked. (Given I look at the logs daily, I'd be interested in seeing how the relaying would be done) I have told the two of them NOT to come back with their probes until they have some proof. The jury is out if these new ORBS will honor the simple idea of "don't bother me until you have proof" or will put systems on their lists simply because admins find their methods rude.

    --
    If it was said on slashdot, it MUST be true!
  97. Flaws in their argument by Syberghost · · Score: 2

    First off, they link off to a site that talks about using Procmail to filter spam.

    But Procmail says you should use MAPS...

    ...second, I love this quote:

    Anti-spam blacklisting groups, such as MAPS and ORBs, put heavy pressure on ISPs to conform to a set of restrictive anti-spam policies and to virally pressure other ISPs to adopt the same policies.

    Yeah, those nasty folks at MAPS, they force you to conform to a restrictive anti-spam policy, to wit: stop letting your users send spam.

    Oooo, I'm being repressed! Come see the violence inherent in the system!

  98. I don't see a problem with this by maxpublic · · Score: 2

    I don't see a problem using blacklists so long as:

    - the ISP informs its customers it uses blacklists;
    - the ISP provides the complete blacklist on demand (e.g., a downloadable flat file of blacklisted IPs and their associated domain names)
    - the ISP includes a REASON next to each IP/domain name (e.g., short like 'SPAM').

    As a user I'd love to have my ISP blacklisting every spamming asshole under the sun. But as a user I also want to know that they *only* block spammers and not folks that they happen to dislike for political or personal reasons (e.g., an IP associated with pro-choice users).

    If the ISP uses a blacklist generated by a third party, then I want that third party to make it easy for me to retrieve the list and see why each address was blocked.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?