Slashdot Mirror
Internet Vigilante Justice, SPAM, and Copyrights
pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."
← Back to Stories (view on slashdot.org)
This article demonstrates the problem we are up against getting people to secure their networks.
His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.
I wonder if it is even worth e-mailing to explain the situation to him.
How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user.
One word: Authentification.
You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
Uh, it may not be a totally open relay in the literal sense of the word, but surely that still means it can be used to send spam, as long as the spammer figures out who to identify himself as - and if the Danes could do it, then it can't be that hard?
Any spam-block that relies entirely on the "from:" header is broken by design. What, spammers disguise their identities? Never!
Anyhow, IMHO this is an other blabla piece from someone who doesn't realy has an understanding of what he's doing.. Typical american sollution.. let's sue..
Nobody expects the spanish inquisition!
If you subscribe to New Architect, this guy wrote a followup article to this one after receiving a boat load of mail pointing out the he was in fact running an open relay. He admitted to being behind the times, etc, said he was sorry. He still doesn't take back the fact he's mad at the vigilantes out there. Sorry, there's no link yet, I think NA has a lag between the print and web editions.
:-)
Point being, if they can forge a header to get on your computer, a spammer can very easily do the same thing. An interesting thing on my campus is the technology department regularly scans and tries to hack into FTP sites running on campus, and sends an e-mail to the admins if they're successful. Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it. This seems to be a new effective form of security that's emerging, since we can't depend everyone to stay up to date with the latest security issues, such as the Mr. Faussett in the article. I think vigilante is the wrong term, these blacklist ops are doing everyone a favor by helping to clean up insecure sites, which in the end saves everyone money. I propose we call them "Freelance Security Advisors" or something like that.
The truth is that these home-grown spam mitigation methods do have their problems.
One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.
Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midsts. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.
Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.
Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.
So what should we do?
First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.
As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.
Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.
Finally, I think that for the forseeable future, filtering at the user desktop will be necessary.
(Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)
The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.