Slashdot Mirror


Internet Vigilante Justice, SPAM, and Copyrights

pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."

8 of 316 comments

  1. His relay is open by ccandreva · · Score: 5, Insightful

    This article demonstrates the problem we are up against getting people to secure their networks.

    His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.

    I wonder if it is even worth e-mailing to explain the situation to him.

  2. Re:wow by hawthorne · · Score: 4, Insightful

    Not only is he a lawyer, but he's a lawyer with an open relay, and he doesn't believe that spammers will 'lie' to get that server to propagate their mail!

  3. Re:wow by sqlrob · · Score: 4, Insightful

    He does seem remarkably clue resistant though. He *IS* running an open relay and admits it.

    So what if you have to forge the FROM. It's not like spammers don't do that anyway.

  4. Seen it all before by odaiwai · · Score: 4, Insightful

    This is the kind of thing you see every day in news:news.admin.net.abuse.email.

    "Waah, I'm being blocked by your nasty list! I demand you stop blocking me or I'll drop pianos on all your heads! and I'm a lawyer!"

    "A. no-one's blocking you, they're just *choosing* not to accept email from known open relays (or whatever the perp feels accused of)."

    "You're abusing my First Amendment Rights to 'Frea Speach'"

    "Our list is based in the Gobi Desert. *Our* first amendment guarantees the right to tea with yak butter."

    Also, searching for his email address to see if he had ranted on usenet, I found this: Archived Article

    An excerpt (from the above article by "R. A. Hettinga"):
    New Architect is a Microsoft/DotNet magazine. This article is
    agitprop for Microsoft's identity solutions: UDDI, Passport, and Palladium.

    Any reputation framework that arises in the wild would reduce the
    profitability of a Microsoft solution, so they are going to badmouth it,
    sue it, etc.

    dave

  5. Not an open relay? by Jondor · · Score: 5, Insightful

    I do see a few problems with the story as written.
    • If it's so easy for the Danish people to forge an acceptable identity, it's as easy for everybody else. Including spammers. If his domain is the only domain who should be allowed to use the mailserver, lock it on an ip-range.
    • If I want to make a personal list of domains from whom I refuse to accept mail that's my good right. You can shout all you want, but I don't have to listen. If others like a copy of my list because they trust my judgement in this case, that's between them and me. Again, nobody can force me to accept mail.
    • As for the trespassing, he asked the Danish site to re-check his mailserver. If I ask a cop to check my doors and windows, and he finds a way to get in, can I sue him for burglary? Or call it unfair because they used a method I didn't anticipate?

    Anyhow, IMHO this is another blabla piece from someone who doesn't really have an understanding of what he's doing.. Typical American solution.. let's sue..
    --
    Nobody expects the Spanish inquisition!

  6. Re:wow by Anonymous Coward · · Score: 4, Insightful

    No, this guy *IS* an idiot. Based on what he says in his diatribe, he has his server configured to allow relay based on the sender email address. As he doesn't seem to realize he has discovered, this is NOT a secure way of configuring a server, and a server configured that way *IS AN OPEN RELAY*. Relay controls must be based on IP address, not sender email address. Other secure options include SMTP Auth and POP-before-SMTP.

    His saying his server is not an open relay doesn't make it so. If some random person on the Internet can make his server send a message to some other random person on the Internet, then his server is insecure. Yes, spammers *DO* forge sender addresses in order to abuse these servers.

    Spam, and the security and policies necessary to try and get control of it, are by nature a very technical field. More and more people who are just upset that they can't mail, and think the blacklists are responsible, and who aren't willing to take the time to understand what's really going on, are starting to get off on their soapboxes like this. THEY ARE WRONG.
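
The distinction drawn in comment 6, as an added example that is not part of the original thread: a relay decision keyed on the client-supplied sender address versus one keyed on the connecting IP or SMTP AUTH. The domains, address ranges and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

LOCAL_DOMAINS = {"example.org"}                        # constructed: domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: the site's own range

class Envelope(NamedTuple):
    client_ip: str               # taken from the TCP connection, not from the client's claims
    mail_from: str               # MAIL FROM value: supplied by the client, trivially forged
    rcpt_to: str                 # RCPT TO value
    authenticated: bool = False  # True only after a successful SMTP AUTH

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_local_delivery(env):
    # Mail addressed to a hosted domain is ordinary inbound mail, not relaying.
    return domain(env.rcpt_to) in LOCAL_DOMAINS

def sender_based_policy(env):
    """Weak: relays for anyone who merely claims a local sender address."""
    return is_local_delivery(env) or domain(env.mail_from) in LOCAL_DOMAINS

def ip_based_policy(env):
    """Relays only for trusted networks or authenticated sessions."""
    if is_local_delivery(env):
        return True
    ip = ipaddress.ip_address(env.client_ip)
    return env.authenticated or any(ip in net for net in TRUSTED_NETS)

def is_open_relay(policy):
    """The check a relay tester applies: outside host, claimed local sender,
    outside recipient. If the policy accepts this, the server is an open relay."""
    probe = Envelope("203.0.113.50", "someone@example.org", "stranger@example.net")
    return policy(probe)

if __name__ == "__main__":
    for name, policy in [("sender-based", sender_based_policy),
                         ("IP/AUTH-based", ip_based_policy)]:
        print(f"{name}: open relay = {is_open_relay(policy)}")
```
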

  7. Blacklists are problematic by Elias+Israel · · Score: 5, Insightful

    The truth is that these home-grown spam mitigation methods do have their problems.

    One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".

    Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.

    Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midst. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.

    Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.

    Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home Linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.

    So what should we do?

    First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.

    As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.

    Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.

    Finally, I think that for the foreseeable future, filtering at the user desktop will be necessary.

    (Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)

    The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.

  8. Re:So you don't mind if I test your home security? by FreeUser · · Score: 4, Insightful

    Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it.

    Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit.


    You sir, are of subhuman intelligence.

    There is a distinct difference between a University testing the security of systems directly connected to its own network and jackasses like yourself equating it to random strangers "testing" a system's security.

    To clarify in terms of the flawed analogy you provide, no one should have trouble with their landlord testing their home's security, as the landlord is the one who is responsible, and who fixes it when it is broken. That is not the same as inviting any random stranger off the street to do likewise.

    --
    The Future of Human Evolution: Autonomy