Open Relays, Free Speech, and Virus Propagation

sirsnork writes: "There is a story about John Gilmore running an open relay that is being used by a virus to propagate running over at Newsbytes. His defence? He wants his friends to be able to send email through his server from whereever they are. You'd think he'd know better." Gilmore has been skirmishing with Verio for some time over his open mail relay. Is it a good thing because it promotes the free flow of information? Is it bad for promoting the free flow of spam? Do the ethics change because someone writes a virus that uses the server to propagate? Interesting questions.

It's bad.

[strredwolf]

Gilmore should know better. Verio's being majorly blocked by this person, and when Verio gets a clue, they may get their laywers in on the game and sue him.

He should at least know how to lock the server down to use SMTP Authorization. Even better, if he wants his friends to communicate freely, he should give them Unix shell access. Open relays being free speech? YEAH RIGHT! There's no goverment there, so the First Admendment does not apply! (If you think otherwize, REREAD your Admendments.)

Re:It's bad.

So basically, you're saying that instead of going after the people that are breaking the law, we should go after the people that are facilitating it? It's not his fault people are using his service illegally, just like it's not the fault of Morpheus or Kazaa, as I've heard justified many times on this forum. Perhaps we should outlaw computers, because after all, they enable people to break the law. Same for cars, right?

Re:It's bad.

[strredwolf]

You're missing the point, already. Verio has a ton of spammers that it knows about -- spam complaints keep flooding in, SPEWS/SBL keeps tightening the noose, independent sysadmins keen adding them to their own private lists. Verio should of gotten a clue by now... and it hasn't. It's forgotten.

However, to address your question: Only in a few states is it illegal to spam, and even then the spam has to violate a few basic rules. Fortunately, spammers are stupid (Rule #1) and spammers lie (Rule #3). There is no federal anti-spam statue because our (USA) goverment is that slow! (The only good thing they're doing about spam is prosecuting the fraud that results from the spams to begin with. Eh, as much as we can get, we'll take it).

BUT, the entire Internet community has said "Close your servers, they are being abused." The guy hasn't. It's being abused. Negligence? Aparently so. Conspiracy to spam? Maybe. The server's listed on blocklists. The guy hasn't fixed it yet. He's virtually required, or his ISP gets wind. His ISP is Verio. They've been sent notice. Neither he nor Verio has fixed the problem in a timely matter. The only recorse is to block all of Verio, because they're not playing nice.

Now, you say about outlawing the tools. Is Napster/Gnutella commiting copyright violations? No, they make software that shares files eazily. Any file. Every file. You configure it. It's a *general purpose tool*. It's like a car or a computer. That's ok, we shouldn't outlaw that. We should outlaw *specific purpose tools* -- programs which have only one or two functions which allow the user to break laws. Spamware falls under specific purpose tools. E-mail gatherers/spiders fall under specific purpose tools.

Re:It's bad.

[b1t+r0t]

Even better, if he wants his friends to communicate freely, he should give them Unix shell access.

Even better yet, give them SSH access. Then they can port-forward to his mail server from the inside, where there are no open relay problems.

Either way, if he's really only leaving the relay open for his friends, and not for so-called "friends" whom he's never met before, he should make them prove their identity as his friends through some means of authentication. There is no reason that I can think of that should require him to run an un-authenticated server so that a handful of people can use it.

God forbid...

[Ledge]

someone would use a little common sense. Perhaps his "friends" need to do what the rest of the world does and get a shell account or a webmail account. If the janitor of a school left the door unlocked so that his wife could come in after hours and drop off his dinner and a bunch of kids came in through the unlocked door and trashed the place, the kids would be at fault, but the janitor would be guilty of neglegence. If the janitor didn't lose his job, he probably would be smart enough to leave the door locked in the future.

Everyone's right!

[Frater+219]

John Gilmore has every right to run an open mail relay.

Verio has every right not to sell Internet service to people who want to use it to run open mail relays. John Gilmore has no right to demand Internet service form Verio.

MAPS, ORDB, ORBZ, and the other blackhole lists have every right to tell me that John Gilmore is running an open relay. John Gilmore has no right to gag the blackhole lists' truthful speech about him.

I have every right to refuse to accept email from John Gilmore's open relay. I may do this on my own information, or on the advice of a blackhole list. John Gilmore has no right to force me to allow him or his traffic on my property.

So everyone's right, as long as everyone stays within their rights.

Re:Everyone's right!

[Frater+219]

Part of John's complaint was that Verio was filtering mail to their customers based on the RBL, and that John couldn't send mail to his own ISP because of this.

So what? I'd say this might be a problem if he couldn't get in touch with Verio's administrators -- but he doesn't have any right to send email to Verio's other customers from his open relay. Even if he could not email Verio's administrators, I don't think that would be an issue of rights -- more an issue of Verio's competence or good sense. If he thinks they're incompetent, insensible, or malicious, he shouldn't keep sending them money.

I largely agree with what you said, but I think part of John's complaint which you missed is that Verio is making the decision for their customers as to whether or not to accept email from John's open relay, and not allowing their customers to make that decision themselves.

I don't think this changes the rights involved, although it may be a valid comment on Verio's desirability as one's ISP. (Spam filtering makes an ISP more desirable to me, but may make it less desirable to John Gilmore. Neither of us have the right, though, to impose our preference on any particular ISP.)

In general, do customers of a business have the right to force that business to change the services it offers? No. I don't have the right to force McDonald's to serve me a charbroiled hamburger made from USDA Choice beef, when all they are selling is fried hamburgers made from inferior beef. In fact, I wouldn't even have that right if there were no high-quality burger joints in my town.

McDonald's thinks it can do better by selling burgers I don't like. Good thing I don't have to eat them. Verio thinks it can do better by selling Internet service John Gilmore doesn't like. Good thing he doesn't have to use it. I think I can do better by not accepting mail from John Gilmore's open relay. Good thing I can choose to do so.

Re:What's his IP address?

[FransUNC]

I suppose he leaves his front door unlocked too so his friends can watch cable whenever they like?

I've done this plenty of times. I guess that's why the last time I came home my air conditioning was set on 50, the oven was still on, and all my french bread pizzas were gone. :[

Jokes aside, there are sometimes that you just have to take responsibility for something. And this is one of those times. His refusal to close it is just plain a) apathy b) want for attention c) pathetic.

Ok, maybe his defense is the same of that used by file sharing programs, which unfortunately might make hypocrites out of a lot of us who complain, but anybody with common sense would know how to handle this situation. Don't be rude, Gilmore, close the damn relay!

Great example

[JordoCrouse]

This is a perfect example of why ethical issues like freedom of speech, fair use, and the right to carry a gun are not as cut and dried as we would like them to be.

It all boils down to this: While 99% of any given set of a population may be honest, ethical or safe, there is always that 1% that will take advantage of that very fact. In this case, Gilmore wants the freedom to do what he wishes with his mail server, and though most people respect that, a malious few have used that trust to damage others.

You can extend this to any argument: While most of us respect fair-use laws, there are those that take advantage of those laws and pirate music and movies. While most people with concealed gun permits have honorable intentions, there is always a small contingent that does not.

I always say, you have the right to [ speak freely, copy music, carry a gun ] until it infringes on my rights. The problem is, determining who's rights are being infringed on.

This episode is a great reminder that the issue is much more complicated that most people are willing to admit.

Bandwidth conservation

[cluge]

The gentleman in question has a home page here He also has an e-mail address of gnu@toad.com and gnu@eff.org so you can e-mail him here and here

May I suggest instead of bitching on slashdot you take a second and send an e-mail to the John and let him know how you feel. Practice your first amendment rights. Visit his web page as well. Perhaps the "slashdot affect" can do some good. Take a second and stop being so apathetic and send John Gilmore an e-mail.

Re:Jackass

[eam]

My first thought after reading the materials on his web page was: Man, what an idiot.

It is unfortunate that Verio caved. On his page he says:

When thugs come onto your block and go from door to door telling you that if you don't change how you run your business, your knees will be broken, and your children harassed until you leave town, what do you do? Lots of people change their business or quietly leave town.

Unfortunately, he doesn't seem realize that HE is the thug who is forcing Verio to change how they run their network.

Re:What's his IP address?

[Zocalo]

Quoth the article:

The address of the server, Toad.com, is one of 25 open mail relays hard-coded by its unidentified author into the W32.Yaha worm, according to analyses by anti-virus firms Symantec and Sophos.

Quoth my shell:

# nslookup toad.com

Non-authoritative answer:
Name: toad.com
Address: 140.174.2.1

# echo 140.174.2.1 >> /etc/mail/BannedIPs
# /etc/rc.d/init.d/sendmail restart

Missing point...

[Fnkmaster]

Lots of people seem to be missing the point. This guy isn't ignorant of SMTP AUTH or other possibilities and doesn't think they'd be too hard to implement. He is trying to make a political statement against MAPS, ORBZ, etc. The problem is that Gilmore is wrong.

ISPs are out there to make a living, like the rest of us. The reality is that spammers are people who don't care about inflicting what we call a "negative externality" on everybody else. That means they are inflicting a cost on those who have to read through spam, or figure out how to block/filter it, and the ISPs who have to carry large volumes of unsolicited commercial email. While ORBZ, MAPS, etc. may be annoying, these organizations do serve a function. Gilmore is free to run his open relay on his T1, but it's akin to parking your Ferrari in the middle of Harlem, with the keys in the car, and the driver's side door open. Technically, you may not be legally responsible, but ethically, if somebody walks into that car and goes joy riding and gets into a crash killing/maiming others, well, what the hell did you expect?

Society does get to set rules about permissible behavior, and we do get to enforce them by exclusion. Hell, if 40% of ISPs (by volume, or by number, I don't know) use MAPS, ORBZ, by their own choice it's probably for a reason. And frankly, I'd rather use an ISP that does, because I don't want to be on the receiving end of any more spam than I already get.

Gilmore may be right that RBLs are not the correct long term solution. I've heard it said before, so I won't take credit for it - the correct solution is a change in Internet standards - make it more "costly" in some way (bandwidth or other) to send bulk emails. This would bring the economic cost back to the spammer and remove or reduce the negative externality. Make it so it doesn't pay to spam. And no, I don't have the solution to this problem, but I could imagine alternatives to SMTP/mail routing procedures that address the problem. Of course somebody might argue that this just reduces the utility of email. Ah well. Until then, for god sakes, close your open relays.

Re:Verio doesn't honor its agreements

[Frater+219]

No, actually, Verio doesn't. It's bound by the terms under which it (indirectly) acquired The Little Garden (tlg.net), which very clearly specified [toad.com] that there was to be no blocking of service on grounds of content.

Refusing to provide Internet service to an open mail relay is not "blocking of service on grounds of content." The attribute of being an open mail relay is a formal property of a mail server. It is defined without reference to the content of the messages transmitted or rejected by that mail server.

If Verio were blocking every message that contained the word "spam", then they would be blocking on the basis of content. If they were refusing service to John Gilmore because of the political views he expresses using that service, they would be blocking on the basis of (intended or past) content. They aren't doing that. They aren't inspecting the content of the messages at all -- just the formal (and thus content-neutral) attributes of the transmitting host.

Let's say Verio goes into the bookselling business, and promises to sell any book regardless of its content. I publish pornographic novels, and you publish travel books. One month, we both decide to publish books of our respective genres which weigh one ton apiece and are the size of a small car. Verio chooses not to sell these particular books, on the grounds that they will not fit on its shelves and will cause damage to its facilities due to their weight.

I then complain that Verio lied, and is not selling my pornographic book because of its content. Is my complaint valid? No, it is not. The decision wasn't on the basis of the content of the book, but its form. Verio chooses not to sell books which weigh a ton, regardless of their content, be they travel books or porn.

Re:What's his IP address?

[geekoid]

Just because you leave your door unlocked, doesn't mean strangers can legally come into your home.

I'd love to see your statement if a cable company went after someone whoi did that.

In other news: Just because you leave your car unlocked doesn't mean you want it stolen, either.

Not a jackass. A cypherpunk.

[Chasing+Amy]

Isn't it obvious that the reason he wants to keep his relay open is so that his cypherpunk friends can send less-traceable e-mails? A noble goal, even though it has unfortunate side-effects regarding spam and this new virus.

In this day and age of government snooping, Carnivore, shutting down anti-globalization websites, justifying mass surveillance of all citizens under the rubric of anti-terrorism, and the other atrocities reported every damn day on /., surely the hypocrites here can retract their heads from their asses long enough to see the adantages of a static open relay for helping to safeguard the privacy of e-mails. Does it have unwanted side effects? Yeah. Freedom always does.

Look, let's be frank here: spammers will always find open relays in Asia. Always. China's recent baby steps forward notwithstanding, you know that this is true. This is part of the spammer's job. If spammers couldn't find open relays, they'd just purchase ISP accounts, start flooding out of their own servers, and move on when they get cut off. They sometimes do it now, even though open relays aren't hard to find.

Toad, on the other hand, is just a way for the privacy conscious to have a little conrol over how their e-mail gets routed without having to work like a spammer to keep up-to-date lists of Asian relays. It's just an added layer of obfuscation. Shutting it down won't curb spam or viruses, it'll just take away a privacy tool.

Shooting the messenger....

[lynx_user_abroad]

Just for a moment, suspend your instinctive outrage and listen to reason.

The Internet used to be about openness and trust. Back before Canter & Siegel; the "Green Card Lawyers", back before the Net was opened-up for the Dot Com's and commercial postings.

Back then, having an open relay was no big deal (it was even expected) because we were all friends working for the betterment of the Net, and each other. There was no "cut off their air" because the Internet was a cooperative; their air was our air. A network gains strength as a whole whenever any part of it is strengthened.

That was the Internet that Gillmore grew-up on (and helped found). Perhaps you can't remember, or perhaps you were just too young to remember what it was like back then.

That was back before the Fall of '93.

First it was spamming shutting down USENET groups, which begot CancelMoose.

Next we started seeing email SPAM, which begot procmail and it's necessary filters.

Then port 25 was blocked, and peer-to-peer email was to be nevermore.

Now we're starting to reap what we have sown.

The Internet will soon be owned by one or maybe two large network providers (AOL/Time Warner and/or MSN) and every packet you send will travel only with their permission; through paid transport or non at all. Intelligent routers will give these network providers the ability to block (or charge for) any activity they think they can make a buck off of.

And once there's a single majority player, it's all over. Internetworking always benefits the smaller organization more than the larger one (because it gains access to more resources in the bargain) but only benefits both sides until one gains a majority (at which point providing network access for your competitor cost more incrementally than providing the resource yourself).

We have lost the Internet to those who would claim it as their own and carve it up over those who come in good faith and trust to build and to share.

Think about those whom you loath the most, and what characterizes them all. We hate airline shoe bombers because they exploit the trust inherent in our air travel system to harm us where we are vulnerable. As a result, we must all remove our nail clippers when we fly.

We hate the RIAA and the MPAA because their actions to shutdown legitimate sharing of copyright materials. Their actions are a response not to the person who wants to rip the CD for their car, but to those who abuse the trust by ripping a track and making it available to all comers over the internet. And we (most of us here, anyway) hate them because of the price we must now pay as a result. We may find ourselves losing Fair Use forever because of the actions of a few individuals who's use was anything but fair.

We rant for columns on end about Microsoft's abuses of the market; and what we complain about is the abuse of trust we have placed with them. Then we complain about the latest Microsoft security vulnerability, and again it's about trust misplaced.

We complain about spyware, about online privacy, about the rights we've lost, about abuses of the GPL, and in each case it's the trust we've lost, and usually about how many Karma points we're going to grant to whichever post points this out in the funniest way.

So when Gillmore sticks his nose out and actually still trusts the community he helped to create, you shoot the messenger when you should be shooting the message.

It's not the open relay that's harming your computer; it's the virus, and the impure pond scum who wrote it!

You want the RIAA off your back? Give them a reason to trust you.

You want Microsoft to change their ways? Stop paying them for the trust they've stolen from you.

You want to keep spammers from sending UCE to you? Spread the word that spammers lie.

And if you want a free (speech) Internet where ideas are judged by their merits, rather than by the forum where they are delivered? Speak up and be heard.

Or don't. This Internet is already lost. Trust takes decades to build and seconds to destroy, and all of it which was once here is now gone for good.

You want to know what built the free software community? Trust is the operating system of the free software movement. Destroy that trust and free software will not survive. That's one reason why it's so important to assign your copyrights to the FSF (so they can defend them) and to contribute to the EFF (who understand all this stuff).