Open Relays, Free Speech, and Virus Propagation
sirsnork writes: "There is a story about John Gilmore running an open relay that is being used by a virus to propagate running over at Newsbytes. His defence? He wants his friends to be able to send email through his server from wherever they are. You'd think he'd know better." Gilmore has been skirmishing with Verio for some time over his open mail relay. Is it a good thing because it promotes the free flow of information? Is it bad for promoting the free flow of spam? Do the ethics change because someone writes a virus that uses the server to propagate? Interesting questions.
If you want people to use you as a relay from wherever you are, use smtp authentication. It doesn't have to be a real account, and using things like cram-md5 the password isn't sent in the clear (or one can use smtp-tls, but that's less supported).
I do this with evolution, I know outlook and netscape support it.
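The CRAM-MD5 exchange mentioned in the comment above, as an added example that is not part of the original thread: the server issues a one-time challenge and the client returns an HMAC-MD5 of it keyed with the password, so the password never crosses the wire. The hostname, user names and passwords are constructed sample values.

```python
import base64
import hmac
import os
import time


def make_challenge(hostname="mail.example.org"):
    """Server side: a fresh challenge in the RFC 2195 <random.timestamp@host> form."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(user, password, challenge):
    """Client side: base64("user hex(HMAC-MD5(password, challenge))")."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(response_b64, challenge, secrets):
    """Return the authenticated user name, or None if the response is bad.

    `secrets` maps user -> shared password (constructed sample store).
    """
    try:
        decoded = base64.b64decode(response_b64).decode()
        user, digest = decoded.rsplit(" ", 1)
    except ValueError:          # bad base64, bad UTF-8, or no space separator
        return None
    password = secrets.get(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, "md5").hexdigest()
    # Constant-time comparison so the check does not leak matching prefixes.
    if hmac.compare_digest(expected.encode(), digest.encode()):
        return user
    return None


if __name__ == "__main__":
    store = {"alice": "correct horse"}          # constructed credentials
    challenge = make_challenge()
    reply = client_response("alice", "correct horse", challenge)
    print("challenge:", challenge.decode())
    print("on the wire:", base64.b64decode(reply).decode())
    print("relay allowed for:", server_verify(reply, challenge, store))
```

A response is only valid for the challenge it was computed over, so a captured reply cannot be replayed in a later session. The server has to keep the shared secret in a recoverable form to compute the expected digest.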
What's wrong with using POP-before-SMTP?
Quite a few servers use it now. My favourite "toy" server, eXtremail, does this by default...
Part of John's complaint was that Verio was filtering mail to their customers based on the RBL, and that John couldn't send mail to his own ISP because of this.
I largely agree with what you said, but I think part of John's complaint which you missed is that Verio is making the decision for their customers as to whether or not to accept email from John's open relay, and not allowing their customers to make that decision themselves.
My ISP (Verio, it turns out) lets me send email via my own domain, from any IP address. I just need to get email first, so the server knows I'm a legitimate user. This rule makes sense for spam prevention - and it also means that I don't need to change smtp settings when switching from DSL to dial-up to private network behind a firewall. If your ISP doesn't do this, it should.
sulli
RTFJ.
I largely agree with what you said, but I think part of John's complaint which you missed is that Verio is making the decision for their customers as to whether or not to accept email from John's open relay, and not allowing their customers to make that decision themselves.
As long as Verio is being upfront and honest with their customers that they are using RBL, then their customers have made the choice, by choosing Verio. It would be nice if Verio provided a facility for their customers to opt in or out of using the RBL list, but really that is just a convenience: their customers can easily opt out of the RBL by choosing another ISP.
As a previous post said, "everyone is right." John has the right to run an open relay, Verio has the right to sell him service (or not), and I (as well as Verio) have the right to filter his site because I don't like his actions. His rights stop at my home's router (whether I've chosen to block him of my own accord, or because of RBL's recommendation, or not at all, is my business, not his).
The Future of Human Evolution: Autonomy
My provider allows anyone to use SMTP, provided that they have first made a successful POP connection. Once the POP connection is made and the user authenticated, then their IP address is added to the relay, for a period of time (a few hours, I think).
Why doesn't Gilmore implement something like this? Then his friends could still use his relay from anywhere in the world, but spammers wouldn't be able to.
I'm inclined to agree with the comment in the article that Gilmore is "being a stubborn old fool for leaving his mail systems as open relays".
HH
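The POP-before-SMTP scheme described in the comment above, as an added example that is not part of the original thread and not any mail server's actual code: a successful POP login authorizes the client's IP address to relay for a limited window, and everyone else may only deliver to local domains. The class and method names, the domains, the IP addresses and the three-hour default are assumptions for illustration.

```python
import time


class PopBeforeSmtpRelay:
    """Relay policy: local delivery for anyone, relaying only after a POP login."""

    def __init__(self, local_domains, window_seconds=3 * 3600, clock=time.time):
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds   # assumed value; the post says "a few hours"
        self.clock = clock             # injectable so expiry can be exercised
        self.authorized = {}           # client IP -> expiry timestamp

    def record_pop_login(self, client_ip):
        """Called by the POP daemon only after the password check succeeded."""
        self.authorized[client_ip] = self.clock() + self.window

    def _purge_expired(self):
        now = self.clock()
        for ip in [ip for ip, exp in self.authorized.items() if exp <= now]:
            del self.authorized[ip]

    def rcpt_decision(self, client_ip, rcpt_to):
        """Return the SMTP reply for one RCPT TO issued by client_ip."""
        domain = rcpt_to.rsplit("@", 1)[-1].strip("<> ").lower()
        if domain in self.local_domains:
            return "250 OK (local delivery)"       # inbound mail is not relaying
        self._purge_expired()
        if client_ip in self.authorized:
            return "250 OK (relay, recent POP login)"
        return "550 Relaying denied"


if __name__ == "__main__":
    relay = PopBeforeSmtpRelay(["example.org"])
    friend, stranger = "203.0.113.7", "198.51.100.9"   # constructed addresses
    print(relay.rcpt_decision(stranger, "<someone@example.net>"))
    relay.record_pop_login(friend)
    print(relay.rcpt_decision(friend, "<someone@example.net>"))
    print(relay.rcpt_decision(stranger, "<user@example.org>"))
```

Authorization here is tied to the IP address rather than the user, so every host behind the same NAT or proxy address gains relay access until the window expires.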
That signature is from a User Friendly strip. The characters were actually Stef and Greg. See the original comic strip.
Gilmore is a true Internet pioneer and activist, a dedicated supporter of free speech. A short list of his accomplishments is available here, including being one of the first employees at Sun and helping found the EFF. In addition he was an early activist in getting the Usenet alt. groups going as an alternative to the rest of the hierarchy where tight controls were in place. He has been active in supporting free access to cryptography, helping found the Cypherpunks and participating in a number of lawsuits and FOIA actions to get the government to reduce restrictions on crypto. He has funded the FreeSwan effort to build transparent point to point crypto into the Linux kernel.
He also founded Cygnus Support, probably the first company to prove that you could make money off of open source software. The company was sold to Red Hat in 1999 for $674 million.
John Gilmore was fighting for free speech and the right to communicate before most of us had ever heard of the Internet. If his actions seem out of step with an increasingly paranoid and closed Internet community, I suggest that we not be so quick to assume that everyone else is right and Gilmore is wrong. History has shown him to be a far sighted thinker who has been on the right side of virtually every issue.
I went and saw a talk this afternoon, given by John Peter Barlow (another co-founder of EFF) at my school. Someone asked about this, and he had a very good response, one which makes me side with Gilmore on this:
The whole point of the internet is dumb network, smart nodes. If the end nodes aren't smart enough to deal with spam (99.9% is quite easy to identify) and viruses (hello MS, I'm talking to you), then that is the problem of the end nodes, not the network.
<possible flamebait>
If I take a bus to downtown and proceed to throw a brick through a store window, is that the fault of the city, for running the bus service? (I know this isn't a particularly good analogy, but it's the best I can come up with on short notice)
</possible flamebait>
Posting at +2 on purpose. Moderate as you like.
The 1st Amendment doesn't apply to this. You're attempting to raise emotions instead of solving a problem, makes me think you're trolling, but oh well.
Yes, running an open SMTP relay is bad. Best analogy is leaving your house unlocked, and leaving the liquor cabinet unlocked as well. If you did that, and some 16-year-old got into your whiskey and then behind the wheel of a car, you'd be in trouble... but it's totally legal to leave your house and liquor cabinet unlocked.
You personally may not be a bad person, but you are certainly lazy, sloppy, and remiss in your duties, since there are a number of ways you can set your machine up to relay mail from legitimate users without running a wide-open relay:
- POP/IMAP-before-SMTP (easy to do, works with all clients)
- SMTP Authentication (slightly harder but more secure, some clients may not function properly)
- Turn relaying off, SSH to your machine and use a local client (very secure, but inconvenient)
- Set up a web-mail client, access your machine from any browser.
An SMTP relay is similar to an "attractive nuisance" like a swimming pool in a residential neighborhood. Best course of action is to put a fence up, so people don't piss in your SMTP server, or fall in and sue you.
Give a monkey a brain and he'll swear he's the center of the universe.
http://www.kde.org/food/rms.html
Stupid job ads, weird spam, occasional insight at
To John's credit he acknowledges this problem with spam and also proposes a solution Grokmail. It looks like it will be an email reader that will use an intelligent agent to filter your mail. But as I see it his solution fails in two ways.
1) It is not yet a reality.
2) It doesn't address the burden on the network of masses of unsolicited mail. His solution will actually make this much, much, WORSE. If his system works and everyone uses it, then it makes the most sense to send your commercial email to (quite literally) everyone! Those that don't want it won't even see it (though it will have been sent to them), those that do will. Win/win for everyone, right? You don't see unwanted spam, though occasionally you will get an unsolicited commercial email that actually interests you (hey, it could happen). The spammer gets his message in front of every single interested potential customer in the whole freakin' world! Yay!! But behind the scenes the network is transmitting EVERY SINGLE commercial message to EVERY SINGLE user. Masses of useless data that will never even be seen - probably many orders of magnitude a greater volume of data than that which is actually going to be seen and used. Perhaps technology will make this a viable system (seems outrageously inefficient though).
Connected to 140.174.2.1.
Escape character is '^]'.
220 toad.com ESMTP Sendmail 8.7.5/8.7.3; Thu, 7 Mar 2002 14:40:04 -0800 (PST)
Sendmail 8.7.5? Forget open relay -- unless he's been patching this by hand, he's going to be rooted any minute!
http://www.netcraft.com/presentations/interop/s
Or perhaps a bit more to the point, he could set up authentication for his friends. That's like making duplicate keys for your friends (where you are authorized to do so - not a "janitor" situation) while still keeping strangers out.
This won't give 100% accessibility, but it's a reasonable compromise. If he wants 100% accessibility, he should set up a web mail server interface, again with some form of authentication.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken