EFF speaks out against MAPS

Control-Z has brought our attention to the latest EFF newsletter which speaks out against MAPS ^? and ineffective spam legislation. According to the EFF: "The rights of users to send and receive email must not be compromised for quick and dirty ways to limit unsolicited bulk email. Neither misguided and ignorant legislation, nor collusive, high pressure protection schemes, have a legitimate function or place in our online future " The EFF is reminding us that freedom isn't always easy. I feel much worse for those who haven't figured out procmail yet though.

Procmail

[Kozz]

For the uninitiated, procmail is a fantastic tool. To learn more about it, check this link for how-tos, documentation, tutorials, and other spam-fighting tools.

EFF is misguided in this

[gorilla]

Your right to send mail stops at my mail server, I can refuse to accept mail based upon anything I feel like, including irrational reasons.

MAPS & ORBS aren't that painful

[fetta]

A few years ago, I came onboard at a small company just in time for their mail server (Exchange 5.0) to get blacklisted (by ORBS, I think). It sucked at the time, but if we hadn't gotten blacklisted the open relay would have remained open for a long time (the problem prompted our move to qmail). Once I closed the open relay and informed ORBS, we were quickly removed from the list.

In theory, I have no problem with the concept of these blacklists. The use of them is voluntary. From what I've heard, there may need to be some serious discussions about how they gather their data and their procedures for getting off their blacklists, but the concept seems to be both effective and practical. Also, mail providers should be up front about their use of these lists so that users can choose to use an "unprotected" mail server if they choose.

MAPS is not the problem

[ethereal]

...lack of notification that your ISP uses MAPS is the problem. Any ISP that uses MAPS without saying so should be sued for fraud; since they're not providing the complete connectivity that they advertise. ISPs should just put their MAPS usage in their TOS, or even (if possible) allow the user to choose MAPS or not for their email accounts. Some ISPs could advertise that they use MAPS and are spam-safe; others could advertise that they don't use MAPS and are freedom-enabled (or something like that).

As long as there is sufficient notification and user choice, then there's nothing wrong with MAPS. It's only when their somewhat strong-arm tactics are combined with ISP coercion that the user really has a problem.

What's wrong with voluntary collective solutions?

[vees]

It's a shame to see MAPS and collective protection schemes dumped into this list of "bad things." Like most geeks, I don't like everything that MAPS does and I'll admit that I've even been on the wrong side of the ORBS cluestick in the past. However, I believe the concept of collective protection is a good one. If there's a problem with ISPs using systems like that to block legitimate mail, then customers who want to receive said mail won't be with them for long. There are natural market pressures at work to provide what the most important people (the end users like our friends and family) want.

Like most of you, I have a pretty potent procmail script, but I have to say I've probably invested an absurdly significant amount of time in my labor of love getting it just right. If I were less of a geek, I might tend towards finding a group of like-minded mail readers and collecting our resources together. If evantually our creation became a widely recognized and used method of mail filtering, great! Then that's the choice of every sysadmin and every participant (by the merits that they all pay his/her salary) to be behind that shield. Nobody else has the right to tell me I have to accept socket connections from them if I don't want to.

Right to send email?

[Rombuu]

Since when does anyone, anywhere have the right to send email? Since when does anyone have the right to have their data go over a network that they don't own? If someone wants to drop the letter 'P' from every packet that goes over their network, last time I checked, they still have that right. And if they don't want to carry your email, for whatever reason, last time I checked, they have that right.

And the EFF wants to get rid of your rights... sigh..

MAPS has been highly effective for us

[ehintz]

I implemented MAPS and Procmail Sanitizer at my employers corporate gateway about 6 months ago. As the EFF article mentions, there is a concern for legitimate mail being blocked. My solution for this is to include my direct phone line, and a request to contact me if the mail is legit, in the error message sent to mail denied by MAPS. In about 6 months of operation, at a company with about 120 users, we block on average 150 messages per day, with an all time high of 262 in one 24 hour period. I have yet to get a phone call from ANYONE, spammer or otherwise. Meanwhile, users who were getting 10-15 spams per day are now down to 1-2, sometimes none.

Frankly, I've found MAPS to be highly effective. I expected to occasionally toss out legit messages, which was why my direct line is included in every bounce, but MAPS has been considerably better than I could have hoped for. With proper setup and configuration it is quite easy to ensure that legitimate mail gets through with only a minimum of delay. MAPS has been a very worthwhile investment for our company, and our end users have consistently thanked us for implementing it. Likewise, Procmail Sanitizer has stopped all kinds of trojans and viruses cold at the gateway-even catching new ones before being publicized. Although we don't use Outlook, we still find it useful to stop the stuff, and I can't fathom anyone running an Outlook environment without Procmail Sanitizer. Good stuff.

The Internet is a free-market information service

[isdnip]

EFF has it wrong this time. They make the statement that e-mail is "protected speech". That's a legal issue in the USA, which means that the government doesn't have the right to block it. But private parties are also not required to pay to relay it.

The Internet is not regulated as a telecom service. The FCC doesn't regulate ISPs, just the telecom services they buy. Nobody regulates mail servers. It's a free market, and it works. Now in a free market, you have competition. If your ISP uses MAPS and you don't like it, then you're free to go elsewhere. If your ISP is RBL'd, you're free to go elsewhere. There are lots of free e-mail services out there. See for instance http://www.emailaddresses.com/ . Now I wish my own "primary" e-mail provider, the one I ping many times a day, used one of these services, because I'm spammed to death and sick of it! If somebody couldn't get through, they almost certainly would find another way to reach me. Like I have a phone too, not to mention other e-mail addresses.

So given the fact that there is no anti-spam legislation, and negligible likelihood of effective anti-spam legislation within the next few years, then the free market approach (you know, the one the spammers cite to block anti-spam legislation) is to allow anti-spam filters at the ISPs. The ISPs will install them if it's good for business, and block spammers if being blackholed is bad for business.

Indeed one of the reasons that the Internet is not regulated as a "telecommunications service" is that it does not offer to provide transport of information "without change in form or content" -- an ISP may change things, of which blocking spam is one example. It would be quite a different story if a telecomm provider attempted to do the same thing -- their mission is to pass the bits unchanged, down there below layer 3.

And please don't tell me how easy it is to build an anti-spam filter on your private mail server. 99.9% of end users do no not run mail servers; ISPs, who have full-time bandwidth, run them for us.

A solution

[SirSlud]

So here's my idea:

Requirements:
- mail servers would have to know if a message is being sent to many users, or [threshhold]
- mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, i think)

So, now you give you email address out to orgnizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fasion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)

Now, here's the kicker: /included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout .. if you dont find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication priviledge in your contact information, without giving the sender the ability to alter that timeout.

So, what has to be done? Does this work? I think once you wrap peoples heads around the idea of a timeout on communication privs, people who love this .. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."

Am I on crack? I think its a good idea.

John Gilmore (-1 Flamebait)

[Vainglorious+Coward]

I support the EFF (inc. with money) but I can't help suspect that John Gilmore's own personal desire to operate an open relay has significantly influenced the EFF into slamming MAPS and praising Brightmail. Has JG's machine just been added to MAPS or something?

I entirely agree that ISPs should not be filtering email without notice or consent and that "end-user" tools are the best solution, but I disagree vehemently that a spammer's right to "free speech" overrides my right to accept or deny data arriving at the edge of my network, for whatever reason I decide, including irrational reasons. I can and will use any tools at my disposal to control what enters (and leaves) my systems. The problem with end-user solutions that live in the mail client is that by the time spam is deleted, the resource cost has already occured. I much prefer to simply drop connections that I don't want; it still costs me a little bandwidth but I don't waste the disk space and processing cycles that I would if I accepted the spam.

Free speech for everyone is all very well, but the galling thing is that most spam is *deceptive*, using falsified return information or deliberately implicating other innocent third parties. I would settle for allowing all mail to come in iff I can puruse claims for fraud against those who won't play nice. Since this is unlikely to happen any time soon, I'll keep my blocking techniques, thank you very much, and I won't be shedding any tears over the "free speech" rights of spammers - I simply don't recognise any innate "right" to practice deception, especially when it's at my own expense.

Silly EFF

[seebs]

Freedom means the government can't tell you to shut up; it doesn't mean I have to listen to you.

Freedom of speech is *harmed* by spam; it is harder and harder to talk to people, because more and more of them need a variety of local blacklists, buggy procmail rules, or other harsh filters, just to use their mailboxes *at all*. My friend can't email her dad, because the first time he checked his mailbox, he had a thousand pieces of spam.

That's not free speech. Free speech is the right to say things that people don't like - not the right to say things at no cost to yourself, to people who don't want to subsidize you, in their private space.

Spam is one of the most complex issues

[btempleton]

It sits at the intersection of property rights, free speech and communications rights and privacy rights.

Amazingly, because of this, many of the people writing here with opposite positions may both be right.

I've written extensively on this and have a collection of essays on my web site, though they are not all endorsed by fellow EFF people. As you might expect, with such new and contentious issues, no group, not slashdotters and certainly not the EFF, finds itself of a single mind.

Those who have written that the first amendment applies only to government action are correct. However, the principles of free speech apply universally, if you defend them. Private actors do have their right to block speech, but this does not make such actions immune from criticism by free speech advocates.

Instead, I look to define good principles by which we private actors might govern ourselves. There are many good lessons in the free speech principles to which we have held governments.

Amongst the principles (not just in free speech) is the protection of the innocent. That you don't punish the bystanders to get at the guilty. Private actors usually have the right to do that, but it need not be lauded.

Unfortunately, and I think this sits at the soul of problems with MAPS, blacklists tend to operate that way. I know many are aware of this, but have dedided that blacklists are the only way, and so a few innocents must be punished to stop spam.

This is of particular concern when the area is communication.

People do have the right not to listen to any communication, but this is a very simple statement about a complex issue. There is much to be said about how they should exercise that right.