The US post office gives reduced rates to groups that send mail in bulk. In effect this is no different.
If you don't know the difference between postal bulk mail and spam, you have not been studying either for very long. Postal bulk mail, at least in the United States, subsidizes first-class mail: although the rates are reduced, bulk mailers are required to pre-sort and bar-code their mail, which vastly reduces the cost to the Postal Service to handle it.
Spam, on the other hand, imposes additional costs on the email system and the recipient. A spammer may pay his own ISP (and sometimes not -- stolen credit cards are pretty damned common) but his actions don't subsidize the rest of the system that delivers his spam, namely the transit and the recipient's site. At most -- in the case of direct-to-MX spam in which there are no third party open relays or proxies involved -- the spammer is paying only half his costs, and forcing the other half on you. Usually, the spammer is also shoving his costs off on third parties, such as schoolchildren in South Korea.
ISPs report this consistently: spam runs up their costs. The largest email service under single management is America Online, which has also been the most frequent plaintiff against spammers. Yes, you read that right: AOL sues spammers. They also win, and they've been winning since 1996.
The Postal Service could not stay afloat solely on first-class and parcel-post mail: there just isn't enough of it. The email system would be doing much better and more reliably if it were not being clogged and slowly ruined by the theft called spam.
The government doesn't have the right to license you to spam me. It cannot rightly issue you a license to trespass upon my mail server and steal its resources for your advertisements... any more than it can issue you a license to burgle my house, joyride in my car, or pick my pocket.
Theft is made illegal because it is wrong -- it's not wrong just because it's illegal. Likewise, spamming is wrong even in jurisdictions where it is not clearly illegal in statute. Government, in its position as a balancer and protector of rights, does not thereby have the authority to collude with some wrongdoers and agree not to enforce claims against them. We call that "corruption" when a police force won't investigate crimes by someone who is paying them off -- and that is what "spam licensing" would be, too.
You do realize that calculating spam-likelihood probabilities requires nonzero amounts of processing power/cpu time, right?
For what it's worth, email handling is not usually a CPU-limited activity. On small systems, hardware limits don't really enter into it -- a smallish site can handle a normal mail load nicely on a 486! -- and on larger systems, it tends to be I/O-limited, by either the speed of the network interfaces or that of the disks. Since it isn't CPU-limited, increasing the CPU load involved a little bit, by adding filtering, won't have all that much impact on the throughput.
Of course, if I ever get around to writing my fully customizable MTA in Python, it may very well be CPU-limited... but that's just Python. ^.^;
SPAM WOULD DISAPPEAR IF BAYESIAN TECHNIQUES WERE APPLIED AT THE ISP LEVEL!!!!
Bayesian techniques depend on predicting which elements (usually, which words) are likely to indicate spam, and which are likely to indicate non-spam messages. This can vary highly from user to user, and so it should be done on a per-user basis.
For instance, I am a security administrator and receive a lot of legitimate mail about "antivirus software", and very little legitimate mail about "teenage lesbians." However, my girlfriend's crush, who is an activist lesbian, may well receive a lot of legitimate mail about "teenage lesbians" and only spam about "antivirus software." If we are on the same ISP, then it would be erroneous behavior for my reporting "teenage lesbians" as spam and "antivirus software" as nonspam to throw her spam-filtering out of whack, or vice versa. And yet it is a potential privacy violation for the ISP to be gathering statistics on which one of us gets virus bulletins, and which one is the lesbian.
(Moreover, there also isn't yet any standard mechanism for users to report spamminess or nonspamminess back to normal IMAP or POP mail hosts -- and Bayesian algorithms require sampling both spam and non-spam mail, not just spam reported to an abuse address.)
The filtering mechanisms that should be implemented on the server are general ones -- ones that do not rely on deep inspection into the content of the message. I don't really want ISPs to gather stats on common keywords in users' incoming mail -- do you? It is one thing to examine structural elements of the message, such as the IP address which sent it, or the presence of normal headers; or to statelessly scan the message for static patterns, such as virus signatures or "DISCOUNT HERBAL VIAGRA !!!" It would be quite another thing to gather the kind of data that Bayesian filters involve, for every user on a large end-user system.
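The per-user argument above, as an added example that is not part of the original comment: a minimal naive-Bayes word filter trained on constructed mail for two users, then on both mailboxes pooled the way an ISP-wide filter would be. The class, the mailboxes and the smoothing choice are assumptions made for illustration.

```python
import math
from collections import Counter


class TokenFilter:
    """Minimal naive-Bayes word filter (illustration only, not any product's algorithm)."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    @staticmethod
    def tokens(text):
        # Record whether a word is present in a message, not how often.
        return set(text.lower().split())

    def train(self, text, label):
        self.messages[label] += 1
        self.counts[label].update(self.tokens(text))

    def spam_probability(self, text):
        spam_n, ham_n = self.messages["spam"], self.messages["ham"]
        # Work in log-odds; add-one smoothing keeps unseen words neutral.
        log_odds = math.log((spam_n + 1) / (ham_n + 1))
        for tok in self.tokens(text):
            p_spam = (self.counts["spam"][tok] + 1) / (spam_n + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (ham_n + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training mail for two users on the same ISP.
ADMIN = {
    "ham": ["antivirus software signature update",
            "antivirus software vendor bulletin",
            "mail server patch advisory"],
    "spam": ["lesbian dating site click here",
             "lesbian chat click here now",
             "cheap pills click here now"],
}
ACTIVIST = {
    "ham": ["lesbian rights rally schedule",
            "lesbian community newsletter update",
            "volunteer meeting schedule"],
    "spam": ["free antivirus software click here",
             "antivirus software warning click now",
             "cheap pills click here now"],
}


def build(*mailboxes):
    """Train one filter on one or more mailboxes."""
    model = TokenFilter()
    for box in mailboxes:
        for label, texts in box.items():
            for text in texts:
                model.train(text, label)
    return model


def verdicts(message):
    """Spam probability for one message under each user's filter and a pooled one."""
    models = {
        "admin": build(ADMIN),
        "activist": build(ACTIVIST),
        "pooled": build(ADMIN, ACTIVIST),  # what an ISP-wide filter would learn
    }
    return {name: round(m.spam_probability(message), 3) for name, m in models.items()}


if __name__ == "__main__":
    for msg in ("antivirus software bulletin", "lesbian rights newsletter"):
        print(msg, verdicts(msg))
```

On this constructed data the pooled model scores the antivirus message at 0.333 and would deliver it to the activist, whose own filter scores it 0.9.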
Anyone else harking for the days of gopher and html 3.2?
Let me tell you about two services which no longer exist: DEC ftpmail, and anon.penet.fi.
I got on the Net when it was about half its current age, by this measure. Well, I wasn't on the Internet -- "the Net" meant Usenet much of the time then, and I had a dial-up shell account on a hobbyist system which had a UUCP news and mail feed from an Internet host. Mail and news came in once a day. The site I was on moved from bang paths to domainist email addressing that year.
(Bang paths were a style of email address which didn't rely on Internet DNS and MX records. You specified the path from machine to machine that the mail should take -- yes, those were open relays! -- separated by a ! character, like so: bigvax!smallhost!mybox!myname, where bigvax was a machine that "everyone" knew how to reach. Addressing got more complicated still if you wanted to email someone on BITNET, FidoNet, CompuServe, or another email network that gatewayed to the Internet somewhere.)
Since we didn't have a "real" Internet feed, and the sysop didn't let ordinary users request files by UUCP, we used a public service run by DEC. (Yes, they'd started calling themselves d|i|g|i|t|a|l, but nobody listened.) This was called "ftpmail", and the way it worked was that you sent email to a daemon on decwrl.dec.com, with the name of an FTP site to connect to, and a sequence of commands to issue. If you sent an ls, you'd get back a file listing... and if you sent a get, the daemon would email you back the file, chunked up and uuencoded.
There are very few ftpmail services still in existence. Gee, I wonder why.
Soon after I got on the Net, I discovered that it wasn't always a great idea to post things to Usenet in one's own name. Some people had better reason for anonymity than I, of course -- people posting about their experiences surviving sexual abuse, or how to grow marijuana, or things their employers might not want traced back to the office VAX.
So someone invented the anonymous remailer.
The first anonymous remailer was anon.penet.fi, run by Julf Helsingius. It was a rather clever system, really -- send email to alt.sex@anon.penet.fi and your message would be posted to alt.sex under an obvious pseudonym -- an12345@anon.penet.fi or some such. But the server retained a hash that allowed it to process responses -- if someone replied by mail to your post, it would come back to your real address, anonymized as well, and with Reply-to: set properly.
Once the spammers and the Scientologists got hold of it, the service was not long for this world. Even the next two generations of remailers -- the Cypherpunk "Type I" remailer and the Mixmaster -- seem to have vanished, under the profligacy of email accounts that people maintain these days, and the threat of spamming.
I'm not a spammer. I don't look like a spammer. The DUL doesn't do a damn thing to prevent spamming. It prevents legitimate email only.
And I didn't defend the DUL as a DNSBL; I think it's one of the less useful ones that exist (partly because it is secretive, being commercial). Your ISP's choice to list its dial-ups with the DUL -- or to filter port 25 -- however, is its decision, not the decision of "zealots" or "anti spam fanatics" -- and your problem is with the ISP, not with "spam filtering systems" in general. Whining about generalities never solves problems; addressing specifics does.
FWIW, if you do not understand the history of the DUL then you are probably not going to reason very effectively about it. The DUL was created to combat a particular sort of spammer abuse which was common at the time -- namely, using "throwaway" dial-up accounts to send spam directly to victims' MX hosts. That is no longer a particularly common spammer tactic (partly as a result of the DUL's actions at that time).
Today, however, there's still a common sort of spam abuse which comes from end-user ISP client networks -- namely spam through open proxies on client systems. We have open-proxy lists (such as Blitzed or the Monkeys.com list) which pick up new open-proxy addresses, but they aren't terribly adequate against dynamic addresses.
I must admit to having less of a problem with DNSBLs than other types of RBL such as the open relays
It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.
For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.
There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.
You semiaddress the issue of accountability but not of secrecy. It's a fact that most services keep their lists secret until effectively revealed by dropped emails.
I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?
If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.
If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.
Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.
As an aside, I have personal experience of spending months trying to get a false entry in the DUL corrected.
Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.
Yahoo are saying they operate an Internet email system, but when I tried sending stuff to my own account on Yahoo from my static IP Earthlink DSL connection, my computer spent 3 days trying to send it before giving up because the MX host was unreachable. That means that, for these purposes, that service they claimed to be providing didn't exist. And it didn't exist because someone between me and Yahoo - maybe Yahoo, maybe Earthlink - had blocked an email.
I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.
Oh, but ok, I could have gotten it through if, at that moment, I'd used Earthlink's SMTP relay, but (a) WHY?
Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.
Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.
The end result of this is that legit email is blocked, spam (very clearly) still gets through (I already know how to enlarge my penis thank you very much), and so it's fair for me to say that the measures sysadmins are taking to block spam are not working, that they're interfering with legitimate use, that they're not actually ever going to be effective anyway, that they interfere with the communication of unconnected third parties.
It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)
It is mail users, it's not mail administrators, and this seems to be a distinction many in the pro-block camp fail to understand.
Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering... it means you have a problem with your ISP and its choices for how to minimize problems on its own network.
If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.
He's pointing out that current blacklisting systems are stupid. He's pointing out that the people who run the blacklisting systems are generally unaccountable (most lists are secret), that they do impose arbitrary blacklist entries against groups they disagree with, well outside of their advertised remits (such as MAPS blocking an ISP that had a handful of customers that sell spamming software), that ordinary bystanders are frequently the victims of over zealous blocking and that, per se, anyone relying on a third-party RBL based solution is making a huge mistake.
But, you see, those things he's "pointing out" are wrong. They just aren't so. They aren't the way the world works, and they aren't the way DNSBLs work.
DNSBLs are not secret or unaccountable. They can't be! They are accountable to those who use them (mail server operators), who are respectively accountable to their users. Individual DNSBLs have force solely because sites use them; a DNSBL nobody uses is a no-op. I use certain DNSBLs because I trust them to accurately do what they say they will. If a DNSBL that I use starts going haywire and listing things that it said it would not, then nobody will continue to use it -- and it will therefore be without force in the world. (Incidentally, anonymity or pseudonymity does not equal unaccountability -- but if you don't know that, get the fuck off the Internet, since we fought that one almost a decade ago, and St. Julf of Penet was right.)
MAPS screwed up, and was held accountable for it. That is why nobody who is serious about spam-fighting takes MAPS seriously any more. They fucked up, they fucked up bad -- and so today they are naught but a minor player. SPEWS, SBL, and ORDB are the big players in the world of DNSBLs, because they do what they say they will do, and they don't fuck around. (Note: That they do what they say they will do doesn't mean they do what you want them to do. You don't get to decide that except for your own mail server.)
There is no "overzealous blocking" problem. There just isn't. If you are thinking about SPEWS, keep in mind that sites which use SPEWS know what it does and want it to be doing that -- otherwise, they would quit using it. SPEWS doesn't force itself upon unwitting mail servers -- rather, operators have turned to it because it works, it works well, and because they and their users are sick and tired of putting up with ISPs which don't boot off their spammers. It isn't "overzealous" -- it is doing precisely what we want.
Using DNSBLs isn't a "huge mistake"; it's effective collaboration. Right now, DNSBLs represent the best means for sites to share information with one another about which IP addresses emit spam, or are open proxies, or belong to spam supporters. They are used not only by mail server operators, but also by IRC operators tired of proxy-borne abuse. They are effective -- and if they were not effective nobody would use them. If a better means comes along to do what DNSBLs do, then we will happily use it -- but it ain't here yet.
It is not mail users who want us to consider DNSBLs passé or something to "move beyond". It is spammers who want us to give up our current most effective tool for collaborating to impede their crimes.
People spam because it WORKS. The only real way to stop it is to STOP BUYING SPAMMED PRODUCTS.
Not exactly. Besides being a theft of end-user and mail-site resources, spamming is also a scam perpetrated upon businesses. If you got spam advertising Joe's Naked Kinky Web Site, that probably isn't because Joe thought up the idea of spamming you all on his own. Most likely, a career spammer (let's call him Alan) convinced Joe that spamming was:
effective,
legal, and
everyone's doing it anyway, so why miss out?
Joe then paid the career spammer to spam for his naked kinky Web site. Since all three of Alan's claims are false, and he knows it, this means that Alan has defrauded Joe. He exploited the fact that Joe is probably neither an Internet expert nor a lawyer, but he does feel competition from other naked kinky Web sites, to convince him to pay for spamming.
(Yes, Alan the spammer told the news media that spamming is effective, too... and they believed him. He was lying there, as well -- but it got him, and spamming, free advertisement in the news!)
This scam does not rely on spamming actually being effective, so long as vendors still believe it might get them an edge over the competition. Thus, getting people to quit buying spamvertised products cannot (directly) affect it. Only when all vendors on the Internet -- yes, including naked kinky Web sites -- realize that spamming doesn't work, isn't legal, and that they can do just as well without it, will spamming go away.
How about a login/password box (and NOT using the antiquated HTTP method of authentication - for one, it has no way to "logout" a user).
Funny you should mention it. I installed Zope recently on one of my Debian boxen. I noticed it uses HTTP Basic Authentication, the "antiquated" (read: standard, universal) mechanism to which you refer. It also has a "Logout" button that works -- if you select "Logout", it returns a page with an authentication failure code, which a browser interprets as meaning that the (username, password) pair it is caching is invalid.
The fact that you, or your Web application developer, did not think of that indicates that the Zope people know HTTP better than you or s/he. It certainly doesn't indicate anything the matter with HTTP Basic Authentication. And there's a lot right with using the protocol's built-in authentication mechanism rather than writing your own: it is easier; it requires less code; it is standard and works everywhere, unlike JavaScript; and it is better tested than any new mechanism you invent, meaning that it is less likely to fail badly and let people crack your application.
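The logout behaviour described above, as an added example that is not Zope's code: a small WSGI application that answers /logout with a 401 challenge even when the credentials are valid, which is what tells the browser its cached pair is no longer good. The realm, the user table and the call() helper are assumptions for illustration.

```python
import base64
import hmac

REALM = "example"                     # hypothetical realm name
USERS = {"alice": "correct horse"}    # constructed demo account; real sites store hashes


def _credentials(environ):
    """Parse 'Authorization: Basic <base64(user:password)>' or return None."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _authenticated(environ):
    creds = _credentials(environ)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of where strings differ.
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None


def _challenge(start_response, body):
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Cache-Control", "no-store"),
    ])
    return [body]


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/logout":
        # Deliberately reject whatever was sent: the authentication failure
        # is the signal that the cached (username, password) pair is invalid.
        return _challenge(start_response, b"Logged out.\n")
    user = _authenticated(environ)
    if user is None:
        return _challenge(start_response, b"Authentication required.\n")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [("Hello, %s\n" % user).encode("utf-8")]


def call(path, user=None, password=None):
    """Drive the app without a network socket; returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if user is not None:
        pair = ("%s:%s" % (user, password)).encode("utf-8")
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(pair).decode("ascii")
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    print(call("/", "alice", "correct horse")[0])        # valid login
    print(call("/logout", "alice", "correct horse")[0])  # same credentials, now refused
```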
Perhaps there is some confusion here. You can't use SPEWS directly; it is only available to the public via relays.osirusoft.com, and their servers return information that categorizes the kind of spam source or facilitator.
That's not quite true. SPEWS publishes a text-based list (warning: 800+ kB) which you can transform with a Perl script into whatever format your mail software needs. What Joe Jared at Osirusoft does is transform this into a DNSBL and make it available at spews.relays.osirusoft.com. This is why technical illiterates often accuse Joe of "being SPEWS" -- he republishes SPEWS' data in its most easily used form, though he doesn't have any editorial control over it.
Please take a look at http://www.antispews.org for more information before using SPEWS.
Actually, antispews.org is likely being operated by spammers, as the Osirusoft FAQ suggests. (If nothing else, they are spammers of USENET newsgroups, since they kiboze for references to "SPEWS" and troll in response, much as Serdar Argic once did with "Turkey".) Naturally, spammers are pissed off at SPEWS, because it is, simply put, the most effective tool presently in the field for denying spammers access to (1) victims, and (2) willing ISPs to host them. Innumerable spammers have been terminated as a result of SPEWS listings.
There is no conceivable informed controversy as to whether or not SPEWS is effective at getting spammers off the Net. Whether or not SPEWS is a good tool for your site to use as a tool for reducing your spam count is quite another question. In my personal experience (as a security and email administrator for my site, which is a research institution) SPEWS is extremely valuable. I read my mail logs and ascertain that SPEWS usage blocks spam, with a remarkably low incidence of false positives.
In the past week, our incoming mail server has blocked 969 messages on account of SPEWS, with zero reports of false positives from our users. (To be honest, we get about one such report a month, and we whitelist the offending IP address. It's usually in China; we have several Chinese researchers.) Our locally maintained blacklist blocks about twice as much spam, and our use of sbl.spamhaus.org blocks about five times as much -- but that is biased by the fact that we consult those lists before SPEWS, and there is a good deal of overlap between them.
I would not recommend that ISPs who offer email service to their users use SPEWS by default, though it would be a valuable optional service. The DNSBLs I would recommend everyone use are:
sbl.spamhaus.org, which lists only netblocks occupied by known repeat spam offenders;
relays.ordb.org, which lists only open mail relays; and
proxies.relays.monkeys.com, which lists only open proxies.
These are all low-to-no-false-positives lists which I feel comfortable recommending to every ISP regardless of its stance on SPEWS.
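How a mail server consults several DNSBLs in order, as an added example that is not part of the original comment: it builds the reversed-octet query name, treats only answers in 127.0.0.0/8 as listings, and counts hits both by first match and independently, which shows the ordering bias mentioned for the SPEWS figure. The zone names, addresses and answers are constructed, and the in-memory resolver stands in for real DNS.

```python
import ipaddress
from collections import Counter

LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

# Hypothetical zones, in the order the server consults them.
ZONES = ["local.bl.example", "sbl.example", "spews.example"]

# Constructed DNS data: query name -> A record. A missing name means NXDOMAIN.
RECORDS = {
    "10.2.0.192.local.bl.example": "127.0.0.2",
    "11.2.0.192.local.bl.example": "127.0.0.2",
    "11.2.0.192.sbl.example": "127.0.0.2",
    "5.100.51.198.sbl.example": "127.0.0.2",
    "6.100.51.198.sbl.example": "127.0.0.2",
    "10.2.0.192.spews.example": "127.0.0.2",
    "5.100.51.198.spews.example": "127.0.0.2",
    "6.100.51.198.spews.example": "127.0.0.2",
    "9.113.0.203.spews.example": "127.0.0.2",
    # An answer outside 127.0.0.0/8, as a wildcarded or hijacked zone might give.
    "77.113.0.203.spews.example": "203.0.113.1",
}

# Constructed list of connecting client addresses (documentation ranges).
CLIENTS = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.6",
           "203.0.113.9", "203.0.113.77", "203.0.113.200"]


def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """True only if the zone answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in LISTED_NET


def first_match(ip, zones, resolve):
    """The first list, in consultation order, that lists the address."""
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return zone
    return None


def tally(ips, zones, resolve):
    """Per-list counts: credited by first match, and counted independently."""
    credited, independent = Counter(), Counter()
    for ip in ips:
        hit = first_match(ip, zones, resolve)
        if hit is not None:
            credited[hit] += 1
        for zone in zones:
            if is_listed(ip, zone, resolve):
                independent[zone] += 1
    return dict(credited), dict(independent)


if __name__ == "__main__":
    credited, independent = tally(CLIENTS, ZONES, RECORDS.get)
    for zone in ZONES:
        print(zone, "credited:", credited.get(zone, 0),
              "would list:", independent.get(zone, 0))
```

In the constructed data the last list in the order is credited with one block although it lists four of the seven clients, because the earlier lists catch the overlap first.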
A bridge will broadcast all ethernet broadcast packets to all hosts on the network.
Yup... and it won't stop my host from responding to one of those with a phony DHCP or ARP response. Hence, forgery; hence, the problem noted in the article.
The spec requires the CM CMTS system to act as a bridge. It is NOT hubbed.
Bull pickles. I recently got Adelphia cable modem service myself. First thing I did, practically, was to plug the cable modem into my Mac OS X box and run "tcpdump" on it, to see whether or not they had secured the local network against sniffing. Sure enough, I could not see any of the other customers' actual traffic -- but I certainly could see:
DHCP requests (but not responses)
ARP requests for the gateway's IP address
ARP requests by the gateway for customer IP addresses
IGMP
It seems pretty trivial that someone with the right mildly altered software could easily set themselves up as a DHCP server and hand out fake gateway information, or as an ARP-poisoning proxy. Good reason to check your network settings for suspicious things if you use DHCP.
The batteries in that APC are evil nasty horrible little beasts when it comes to disposal after they've reached the end of their life.
The week before Thanksgiving, I walked into our server room and found therein the instantly recognizable smell of hydrogen sulfide. Call it "rotten eggs" if you will; it always reminds me rather more of volcanic sulfur vents. (Perhaps that's because I've never been around rotten eggs in quantity.) Anyhow, ours is a science research institution that certainly handles its share of odd chemicals, so my first thought was the same as the server room manager's when I asked him about it:
"Oh, something must have gotten in the ventilation from the labs. It'll blow out."
After the twinge-inducing smell didn't go away for a day or so, I went to our boss -- a former chemist. He seemed to think it was worth a deeper investigation, and soon we were sniffing around the server room trying to locate the source of the smell.
"Seems to be coming from over here."
"From these UPSes?... y30w, this one's hot!"
Presently we opened the UPS cabinet and discovered (at this point to not a bit of surprise) a leaky battery, and a trail of nasty-looking rust along the chassis. Sulfuric acid plus iron yields hydrogen sulfide plus red iron oxide: 3H2SO4 + 8Fe = 3H2S + 4Fe2O3.
The terminal interface is the most efficient human interface designed to date for data entry.
A couple of weeks ago I had the unpleasant experience of going to the dentist four times in ten days. (Slashdotters note: this is what happens when you avoid going to the dentist for three years.) However, whilst sitting in the waiting room in terror over the prospect of being assigned the newbie of the two dentists, I observed a curious phenomenon in progress:
... the elder receptionist training a new hire in using the office automation system.
I was a little bit surprised when I noticed that this system wasn't made of Web forms -- though the systems on the desk were Wintel PCs, they weren't running Internet Explorer. Nor were they running a GUI front-end to a database, some PowerBuilder or MS Access widget conglomeration. No, the application running on those PCs was... an IBM 3270 emulator.
"There you go. Now move down to 10:00... now F10 that... and hit F6 to print."
From the dialogue between the two receptionists, I could tell several things about this application. First off, it certainly required and expected a certain amount of training to use. To submit a form to the mainframe (located at a distant data center) required hitting F10, not clicking on a "Submit" button. There was no concession here to being "intuitive" -- the trainee simply had to learn that F10 means "submit form".
Yet this was consistent -- F10 always meant "submit form", at every stage of the workflow. (So much so that the elder had made "F10" into a verb, as you may have noticed above, meaning "to submit form".) No unexpected dialog boxes came up with panicky but unnecessary messages, needing to be clicked away. The application's behavior created a consistent, predictable, learnable workflow. The elder receptionist spoke with complete confidence about the system's behavior, though she was certainly not an "IT person" -- in however many years she had been using it, I suspect it had never failed her once. This was not an application that she expected might crash or do something stupid and eat an appointment. Nor had it been "upgraded" three times in the past year to a version with fancier and completely unrecognizable widgets.
Now, I work in IT. I spend all day with Unix, Windows, and Mac users. I also make a point of observing people's interactions with other data systems -- Windows-based supermarket cash registers, handheld card scanners at conferences, information kiosks at tourist attractions, and so forth. Rarely if ever do I hear the sort of quiet confidence in the computer's behavior which I've observed in end-users of mainframe applications.
This is not "computer as irascible demon, seeking to lash out at its summoner," like Windows. It isn't "computer as consistent and friendly but sometimes fumble-fingered servant," like the Mac OS. And it certainly isn't "computer as Necronomicon," like Unix.
It just works. So of course its users depend on it.
You don't want to tell us that the US government founded Microsoft, do you?
Microsoft is not a telecoms firm. It is chiefly a software firm. I have not studied the role that government action has played in the creation or maintenance of the Microsoft monopoly -- though I expect it would be largely confined to government adoption of incompatible Microsoft software, e.g. for the creation of government Web sites and the distribution of documents.
On that subject: I do not believe that governmental agencies have the right to demand that the public purchase software from a particular company in order to read laws. Government sites which can only be viewed in Internet Explorer are incompatible with the rule of law, as they place control over knowledge of the law in private hands.
Ya the Cato Institute only likes natural monopolies.
There's a reason that a "protect the status quo first, ask questions later" attitude in politics is called "reactionary", O my brothers. It might have something to do with reacting with one's gut rather than thinking with one's head.
Those who actually read the Cato paper "Unnatural Monopoly" will note that it contains substantial criticism of the doctrine of "natural monopoly" -- a criticism which the title reflects.
(The traditional economic argument is that a telephone system is a "natural monopoly", chiefly due to the costs of laying cable. What the Cato report reveals is that regardless of any inherent monopolistic tendency there might be in telecoms, it is government policy and not market action which created and sustained the monopoly.)
Beside its powers to regulate rates to ensure they were "just and reasonable," the FCC was also given the power to restrict entry into the marketplace. Potential competitors were, and still are required to obtain from the FCC a "certificate of public convenience and necessity." The intent of the licensing process was again to prevent "wasteful duplication" and "unneeded competition."
The point of the monopoly argument in my above post was not, however, to argue for the abolition of the FCC or telecoms regulation. (Indeed, I do not believe that the appropriate way to go from government monopoly to market is to simply turn the monopoly loose. In this, I disagree with what I take to be Cato's position.)
My point was, rather, to point out that insofar as telecoms "companies" are government-created monopolistic agencies, they cannot be given the full "rights" of a market participant. A government agency has only those rights that are granted it by the people; it is not permitted to fulfil its ends by whatever means it chooses. In the matter of personal records -- we do not permit the Internal Revenue to sell the contents of tax returns to financial companies to boost its income; similarly we cannot permit a government-spawned, regulation-protected telecoms agency to sell taxpayer records to "improve service."
but if the US had data protection laws like the EU...
As a libertarian myself, I feel the need to forestall an argument that some of my fellow libertarians might make: that such laws cannot be justly applied to the telecommunications market; that they are an improper restraint on legitimate trade, or free speech; etc. The fact of the matter is that the telecoms system as we know it is a construct of government regulation. Its "privatized" structure is merely a corporatized extension of national governments, like the old colonial "Companies" (think "British East India Company", etc.) which enriches investors whilst furthering government policy.
Free-market telecommunications have been systematically denied any chance to establish themselves. Most Americans believe that AT&T was a monopoly created by the market and dismantled by the government, for instance, but this is far from the case. The Cato report "Unnatural Monopoly" details the United States Federal Government's actions in creating the AT&T telephone monopoly, for various political and nonmarket purposes. In doing so, members of Congress went so far as to characterize market competition as "duplicative, destructive, and wasteful." (Many European nations did not even bother to allow private telecommunications systems, building them as government monopolies. In some cases, these were later "privatized" in such a way as to preserve the majority of their monopoly positions, while making money for rich investors. This is not a free market; it is state-capitalism.)
Much the same applies to radio, of course: the FCC and its ilk created an artificial scarcity of the radio spectrum, parceling out freedom of speech via radio as if photons were the government's own creation. Those who choose to speak without a government license to do so, it criminalizes as "pirates". Radio equipment is inexpensive and not difficult to maintain; it is radio licensing that reserves the medium as a playground for large corporations. Moreover, when the government has the power to license speech, it has the power to censor, say the courts: hence the countless "words you can't say on television" though you may speak them freely in a meeting-hall.
(Too US-centric for you? Here, try Panama, where the telecoms monopoly is using government threats to force ISPs to block competition in the form of voice-over-IP services.)
The telecommunications industry is not a free market; and its constructs are not private enterprises, no matter how many investors they may enrich (or bankrupt). They were created and empowered by regulation. Their markets are patrolled by censorship. They are firms granted the power to tax; government agencies granted stock-market symbols and an oligopolic pretense at competition. As such, they are no more entitled to sell data about their taxpayers (aka "customers") than is, say, the Internal Revenue Service.
I think we should change copyright law so that all copyrights last for 14 years
I'd like to suggest "chessboard copyright", as follows: The term of an unregistered copyright shall be five years. Thereinafter, the copyright must be registered. The registration fee shall be one dollar for the sixth year; two dollars for the seventh year; and so forth -- for each subsequent year, the fee doubles.
The rationale here is that the cost of copyright to society is not merely linear with each year -- rather, it increases exponentially, since it cuts off the creation of whole genealogies of derivative works. Imagine if derivative works of the first Linux distribution were forbidden -- we would not simply have been deprived of the second Linux distribution, but of all the diverse branches of that family tree.
Chessboard copyright permits the holding-out of copyright over works which are exceptionally profitable -- such as Mickey Mouse -- for around twenty-five years. (The registration fee for the twenty-fifth year is $2^19 = about half a million dollars, still quite safe for a media mogul's profit margins.) However, soon after that it becomes untenable and shortly exceeds the size of the world economy. This is, of course, intentional.
Tweaks to this system might include adjusting the duration of unregistered copyright, the base fee, the exponent coefficient, and whether or not these values are the same for all classes of works (e.g. books vs. software vs. audio). If unregistered copyright lasted ten years, and the base fee was a penny, then a forty year copyright would cost just over 5.3 million dollars in the fortieth year.
That might be about right.
Clarification: This is a thought experiment, intended to balance between highly profitable companies' desire to hold copyright and the public's demand for innovative derivative works. I consider copyright itself much more problematic than this "proposal" suggests.
Re:Why content filtering is not enough on As the Spam Turns · Score: 2
Isn't this the same company that employed Sklyarov? Were we all defending a mass Spammer?
Elcomsoft has indeed sold a number of products which are indefensible spamware, specifically a program IIRC called "Advanced Email Extractor", a Web spider that extracts email addresses from Web pages. Elcomsoft spamware is largely distributed through mailutilities.com which in many ways seems to be a front, and is certainly very circumspect. That site's policy states that they will refuse to provide technical support to those who use their software to spam... but it is easy to lie.
Are Elcomsoft products used to spam? Doubtless. Are they also used for other things? I don't know.
Does this mean that Dmitri Sklyarov is or was personally an author of spamware? We can't tell. I'm not sure how large Elcomsoft is, but it probably has several programmers, and Sklyarov may not have worked on these particular products. He certainly worked (works?) for a company that profited from spamming, though.
If Sklyarov wrote spamware, does that make him a criminal? Probably so in some jurisdictions; likely not in Russia. Does it make him crooked? By my count, yes: creating tools with the intent that they be used for lawless purpose is crooked behavior.
Does any of that justify his treatment by agents of the United States government? No.
Re:Some corrections and arguments. on As the Spam Turns · Score: 2
WRONG!!! Alan Brown aka ORBS blocked commercial competition or ISPs that just pissed him off.
Aside from your "blocking"/"listing" mistake, which has already been pointed out, I'm not sure you're presenting the matter equitably. Yes, ORBS did list sites that did not spam. No, they didn't do so to "block competition".
As I understand it, ORBS showed up as a more effective rival to MAPS RBL at a point when MAPS was starting to go commercial. ORBS's techniques were also more controversial than MAPS's, in that they involved automatic testing of open relays -- a technique a small subset of spamfighters consider abusive. A number of MAPS proponents, including MAPS principal Paul Vixie and his ISP above.net, took offense at these tests and blocked them. ORBS responded by listing mail sites that blocked relay tests -- after all, it could not verify whether they were open relays or not, and like many security oriented systems it erred on the side of paranoia or caution.
It was above.net, and not ORBS, who took the step more regard as abusive and anticompetitive: it advertised a BGP null route for ORBS's IP space. That is to say, above.net's routers falsely claimed to be able to route traffic to ORBS -- and when they got such traffic, they dumped it in the bit bucket. This meant that sites which trusted above.net's routing announcements, notably above.net clients and peers, could not reach ORBS -- not for mail, not for DNS, not for anything.
Above.net, of course, claimed this was done to block ORBS' "abusive" relay tests.
Again, this was shortly before MAPS became a subscription-only service. While above.net and MAPS are officially distinct entities, they certainly had personnel with interests in common.
I don't know how that looks to you, but I am revolted by the idea that any ISP would destroy part of the Internet (which is what falsely advertising null routes does) in order to get at a rival.
Re:Why content filtering is not enough on As the Spam Turns · Score: 2
If you stop the views, you slow the spam.
Good point. The appropriate "client-side filter" to accomplish this, though, is not to use an email client that takes network action at the behest of an email message.
Spam isn't the only sort of malicious mail that should caution us against allowing mail clients to go download stuff off the Net automatically. If someone wanted to DDoS a Web site inconspicuously, they could do pretty well by sending out spam that included an expensive dynamic page at that site in an IFRAME... or 100 such IFRAMEs per message.
Re:Why content filtering is not enough on As the Spam Turns · Score: 5, Insightful
What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble. Of course many have closed their relays, but a lot still have open ones.
"If we close the open relays, spam will go away" is actually what a lot of spamfighters thought five years ago. A common opinion then was that spam was basically a technical problem, like a security hole or smurfing, and that applying the appropriate technical fix to mail servers would prevent it.
Unfortunately, that hasn't worked. First off, open relays are not the only technical problem that makes spamming easier. Open proxies are just as common today -- and worse, since they hide the tracks of spammers. (They're also used by all sorts of other abusers.) Moreover, open proxies are harder to get people to close down, since blocking access from them to mail servers doesn't usually affect their legitimate users -- and thus doesn't draw their attention.
Second, it has been increasingly realized by most spamfighters that spam is a social problem, not merely a technical one. The problem isn't just that there are abusable resources, but that there are people who are willing to abuse them for profit, and other people who are willing to aid and abet those abusers in order to reap a share of that profit.
As a parallel, consider burglary. Sure, it is good to employ technical means such as deadbolt locks and alarms to block or deter burglars -- but nobody thinks that burglaries are solely technical problems, and that we should pursue only better locks rather than the arrest of burglars. Burglary is a social problem; specifically, a problem caused by some people's willingness to violate others' rights. We call those kinds of problems "crimes".
Spam is a particularly frustrating crime since anyone who considers the proprieties of the situation can recognize it as lawless, but few legislatures have chosen to formalize its criminality in statute. It's lawless because it defies the property rights of mail server owners, alienating their resources for the spammer's use without permission. That's often covered by statutes regarding theft of service, computer crimes, or various sorts of tort, and there have been a number of cases wherein spamming was recognized by judges and juries as such. However, in many jurisdictions there's no statute to point to that says "spamming is a crime".
Third, there's also a social-technical problem. There's a small number of crooks who can profit themselves greatly by finding means of sending spam. Each of them has a much greater incentive to locate these means than any individual spamfighter does. This is a social problem in a different sense: insofar as spamfighting relies on discovering paths for spam propagation and getting them shut down (e.g. closing open relays) the crooks are always going to be several steps ahead.
By targeting organizations and persons known to be sources of spam, rather than the victims they exploit to send that spam, we can get around that problem. The number of large-scale spammers is actually rather few. Steve Linford's ROKSO (Registry Of Known Spam Operations; same guy as the SBL) lists around 100 organizations which have been thrown off of ISPs three or more times for spamming.
Fundamentally, I agree with you that the problem is one of education. However, it is not merely the education of ISP technical staff that must take place. It's the education of everyone involved -- technical staff, their managers, mail software authors, spammers, the legal system, spam recipients, and businesses that might consider spamming. Everyone needs to wise up about spam.
] inventory
You are currently holding the following: a set of keys, a brass lantern, a case of Jolt Cola[tm], and no tea.
] look
You are in the Cubicle of the Mountain King, with passages in all directions.
A huge green fierce programmer bars your way!
] n
You can't get by the programmer!
You're in Cubicle of Mt. King.
A huge green fierce programmer bars your way!
] drop jolt
The programmer attacks the Jolt Cola[tm], and in an astounding fury rushes off to enter the International Obfuscated C Code Contest.
] n
You are in a low north/south hallway at a hole in the floor ....
Of course, if I ever get around to writing my fully customizable MTA in Python, it may very well be CPU-limited ... but that's just Python. ^.^;
Bayesian techniques depend on predicting which elements (usually, which words) are likely to indicate spam, and which are likely to indicate non-spam messages. This can vary highly from user to user, and so it should be done on a per-user basis.
For instance, I am a security administrator and receive a lot of legitimate mail about "antivirus software", and very little legitimate mail about "teenage lesbians." However, my girlfriend's crush, who is an activist lesbian, may well receive a lot of legitimate mail about "teenage lesbians" and only spam about "antivirus software." If we are on the same ISP, then it would be erroneous behavior for my reporting "teenage lesbians" as spam and "antivirus software" as nonspam to throw her spam-filtering out of whack, or vice versa. And yet it is a potential privacy violation for the ISP to be gathering statistics on which one of us gets virus bulletins, and which one is the lesbian.
(Moreover, there also isn't yet any standard mechanism for users to report spamminess or nonspamminess back to normal IMAP or POP mail hosts -- and Bayesian algorithms require sampling both spam and non-spam mail, not just spam reported to an abuse address.)
The filtering mechanisms that should be implemented on the server are general ones -- ones that do not rely on deep inspection into the content of the message. I don't really want ISPs to gather stats on common keywords in users' incoming mail -- do you? It is one thing to examine structural elements of the message, such as the IP address which sent it, or the presence of normal headers; or to statelessly scan the message for static patterns, such as virus signatures or "DISCOUNT HERBAL VIAGRA !!!" It would be quite another thing to gather the kind of data that Bayesian filters involve, for every user on a large end-user system.
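The per-user point above, as an added example (not code from the original comment): the same message scores as non-spam for one user and spam for another, while a pooled server-side model, which would also require the ISP to hold word statistics for both, comes out nearly undecided. The user names, training messages and the simple naive Bayes scoring with add-one smoothing are all constructed for illustration.

```python
import math
import re
from collections import Counter


def tokens(text):
    """Lower-case word tokens; real filters also use headers, URLs, etc."""
    return re.findall(r"[a-z]+", text.lower())


class UserFilter:
    """Naive Bayes word model trained on one mailbox's spam and non-spam (ham)."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.counts[label].update(tokens(text))
        self.messages[label] += 1

    def spam_log_odds(self, text):
        """log P(spam|text) - log P(ham|text); above 0 leans spam, below 0 leans ham."""
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"])) or 1
        score = math.log((self.messages["spam"] + 1) / (self.messages["ham"] + 1))
        for label, sign in (("spam", 1), ("ham", -1)):
            total = sum(self.counts[label].values())
            for tok in tokens(text):
                # Add-one smoothing so unseen words do not zero out the product.
                score += sign * math.log((self.counts[label][tok] + 1) / (total + vocab))
        return score


# Constructed training mail for two hypothetical users on the same ISP.
SECADMIN = [
    ("ham", "antivirus software signature update released"),
    ("ham", "antivirus software advisory for mail gateways"),
    ("spam", "discount herbal pills order now"),
    ("spam", "herbal discount offer order today"),
]
HERBALIST = [
    ("ham", "herbal tea order shipped today"),
    ("ham", "new herbal blends discount for members"),
    ("spam", "antivirus software license expired renew now"),
    ("spam", "free antivirus software scan click now"),
]
MESSAGE = "antivirus software update"


def build_filters():
    """Return (secadmin, herbalist, pooled) filters trained on the samples above."""
    secadmin, herbalist, pooled = UserFilter(), UserFilter(), UserFilter()
    for label, text in SECADMIN:
        secadmin.train(label, text)
        pooled.train(label, text)
    for label, text in HERBALIST:
        herbalist.train(label, text)
        pooled.train(label, text)
    return secadmin, herbalist, pooled


if __name__ == "__main__":
    for name, flt in zip(("secadmin", "herbalist", "pooled"), build_filters()):
        print("%-10s %+.2f" % (name, flt.spam_log_odds(MESSAGE)))
```
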
Let me tell you about two services which no longer exist: DEC ftpmail, and anon.penet.fi.
I got on the Net when it was about half its current age, by this measure. Well, I wasn't on the Internet -- "the Net" meant Usenet much of the time then, and I had a dial-up shell account on a hobbyist system which had a UUCP news and mail feed from an Internet host. Mail and news came in once a day. The site I was on moved from bang paths to domainist email addressing that year.
(Bang paths were a style of email address which didn't rely on Internet DNS and MX records. You specified the path from machine to machine that the mail should take -- yes, those were open relays! -- separated by a ! character, like so: bigvax!smallhost!mybox!myname, where bigvax was a machine that "everyone" knew how to reach. Addressing got more complicated still if you wanted to email someone on BITNET, FidoNet, CompuServe, or another email network that gatewayed to the Internet somewhere.)
Since we didn't have a "real" Internet feed, and the sysop didn't let ordinary users request files by UUCP, we used a public service run by DEC. (Yes, they'd started calling themselves d|i|g|i|t|a|l, but nobody listened.) This was called "ftpmail", and the way it worked was that you sent email to a daemon on decwrl.dec.com, with the name of an FTP site to connect to, and a sequence of commands to issue. If you sent an ls, you'd get back a file listing ... and if you sent a get, the daemon would email you back the file, chunked up and uuencoded.
There are very few ftpmail services still in existence. Gee, I wonder why.
Soon after I got on the Net, I discovered that it wasn't always a great idea to post things to Usenet in one's own name. Some people had better reason for anonymity than I, of course -- people posting about their experiences surviving sexual abuse, or how to grow marijuana, or things their employers might not want traced back to the office VAX. So someone invented the anonymous remailer.
The first anonymous remailer was anon.penet.fi, run by Julf Helsingius. It was a rather clever system, really -- send email to alt.sex@anon.penet.fi and your message would be posted to alt.sex under an obvious pseudonym -- an12345@anon.penet.fi or some such. But the server retained a hash that allowed it to process responses -- if someone replied by mail to your post, it would come back to your real address, anonymized as well, and with Reply-to: set properly.
Once the spammers and the Scientologists got hold of it, the service was not long for this world. Even the next two generations of remailers -- the Cypherpunk "Type I" remailer and the Mixmaster -- seem to have vanished, under the profligacy of email accounts that people maintain these days, and the threat of spamming.
Sigh.
And I didn't defend the DUL as a DNSBL; I think it's one of the less useful ones that exist (partly because it is secretive being commercial). Your ISP's choice to list its dial-ups with the DUL -- or to filter port 25 -- however, is its decision, not the decision of "zealots" or "anti spam fanatics" -- and your problem is with the ISP, not with "spam filtering systems" in general. Whining about generalities never solves problems; addressing specifics does.
FWIW, if you do not understand the history of the DUL then you are probably not going to reason very effectively about it. The DUL was created to combat a particular sort of spammer abuse which was common at the time -- namely, using "throwaway" dial-up accounts to send spam directly to victims' MX hosts. That is no longer a particularly common spammer tactic (partly as a result of the DUL's actions at that time).
Today, however, there's still a common sort of spam abuse which comes from end-user ISP client networks -- namely spam through open proxies on client systems. We have open-proxy lists (such as Blitzed or the Monkeys.com list) which pick up new open-proxy addresses, but they aren't terribly adequate against dynamic addresses.
It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.
For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.
There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.
I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?
If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.
If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.
Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.
Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.
I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.
Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.
Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.
It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)
Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering ... it means you have a problem with your ISP and its choices for how to minimize problems on its own network.
If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.
But, you see, those things he's "pointing out" are wrong. They just aren't so. They aren't the way the world works, and they aren't the way DNSBLs work.
It is not mail users who want us to consider DNSBLs passé or something to "move beyond". It is spammers who want us to give up our current most effective tool for collaborating to impede their crimes.
Not exactly. Besides being a theft of end-user and mail-site resources, spamming is also a scam perpetrated upon businesses. If you got spam advertising Joe's Naked Kinky Web Site, that probably isn't because Joe thought up the idea of spamming you all on his own. Most likely, a career spammer (let's call him Alan) convinced Joe that spamming was:
- effective,
- legal, and
- everyone's doing it anyway, so why miss out?
Joe then paid the career spammer to spam for his naked kinky Web site. Since all three of Alan's claims are false, and he knows it, this means that Alan has defrauded Joe. He exploited the fact that Joe is probably neither an Internet expert nor a lawyer, but he does feel competition from other naked kinky Web sites, to convince him to pay for spamming. (Yes, Alan the spammer told the news media that spamming is effective, too ... and they believed him. He was lying there, as well -- but it got him, and spamming, free advertisement in the news!)
This scam does not rely on spamming actually being effective, so long as vendors still believe it might get them an edge over the competition. Thus, getting people to quit buying spamvertised products cannot (directly) affect it. Only when all vendors on the Internet -- yes, including naked kinky Web sites -- realize that spamming doesn't work, isn't legal, and that they can do just as well without it, will spamming go away.
Funny you should mention it. I installed Zope recently on one of my Debian boxen. I noticed it uses HTTP Basic Authentication, the "antiquated" (read: standard, universal) mechanism to which you refer. It also has a "Logout" button that works -- if you select "Logout", it returns a page with an authentication failure code, which a browser interprets as meaning that the (username, password) pair it is caching is invalid.
The fact that you, or your Web application developer, did not think of that indicates that the Zope people know HTTP better than you or s/he. It certainly doesn't indicate anything the matter with HTTP Basic Authentication. And there's a lot right with using the protocol's built-in authentication mechanism rather than writing your own: it is easier; it requires less code; it is standard and works everywhere, unlike JavaScript; and it is better tested than any new mechanism you invent, meaning that it is less likely to fail badly and let people crack your application.
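The logout behaviour described above, sketched as an added example (this is not Zope's code): a small WSGI application that protects every path with HTTP Basic Authentication and answers `/logout` with an authentication failure even when the credentials sent are valid. The user table, realm name and `request` helper are constructed for the demonstration.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed credentials; a real site would check a hashed password store.
USERS = {"alice": "correct horse"}
REALM = "demo"


def check_basic(header):
    """Return the user name if the Authorization header holds valid Basic credentials."""
    parts = (header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if sep and expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()):
        return user
    return None


def challenge(start_response, body):
    """401 plus WWW-Authenticate: tells the client its credentials are not accepted."""
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
        ("Content-Type", "text/plain; charset=utf-8"),
    ])
    return [body]


def app(environ, start_response):
    # Basic credentials are only base64-encoded, so this belongs behind TLS.
    if environ.get("PATH_INFO", "/") == "/logout":
        # Answer with an authentication failure regardless of what was sent,
        # so the browser treats its cached (username, password) pair as invalid.
        return challenge(start_response, b"Logged out.\n")
    user = check_basic(environ.get("HTTP_AUTHORIZATION"))
    if user is None:
        return challenge(start_response, b"Authentication required.\n")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [("Hello, %s\n" % user).encode("utf-8")]


def request(path, user=None, password=None):
    """Call the app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    print(request("/", "alice", "correct horse")[0])
    print(request("/logout", "alice", "correct horse")[0])
```
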
That's not quite true. SPEWS publishes a text-based list (warning: 800+ kB) which you can transform with a Perl script into whatever format your mail software needs. What Joe Jared at Osirusoft does is transform this into a DNSBL and make it available at spews.relays.osirusoft.com. This is why technical illiterates often accuse Joe of "being SPEWS" -- he republishes SPEWS' data in its most easily used form, though he doesn't have any editorial control over it.
Actually, antispews.org is likely being operated by spammers, as the Osirusoft FAQ suggests. (If nothing else, they are spammers of USENET newsgroups, since they kiboze for references to "SPEWS" and troll in response, much as Serdar Argic once did with "Turkey".) Naturally, spammers are pissed off at SPEWS, because it is simply put the most effective tool presently in the field for denying spammers access to (1) victims, and (2) willing ISPs to host them. Innumerable spammers have been terminated as a result of SPEWS listings.
There is no conceivable informed controversy as to whether or not SPEWS is effective at getting spammers off the Net. Whether or not SPEWS is a good tool for your site to use as a tool for reducing your spam count is quite another question. In my personal experience (as a security and email administrator for my site, which is a research institution) SPEWS is extremely valuable. I read my mail logs and ascertain that SPEWS usage blocks spam, with a remarkably low incidence of false positives.
In the past week, our incoming mail server has blocked 969 messages on account of SPEWS, with zero reports of false positives from our users. (To be honest, we get about one such report a month, and we whitelist the offending IP address. It's usually in China; we have several Chinese researchers.) Our locally maintained blacklist blocks about twice as much spam, and our use of sbl.spamhaus.org blocks about five times as much -- but that is biased by the fact that we consult those lists before SPEWS, and there is a good deal of overlap between them.
I would not recommend that ISPs who offer email service to their users use SPEWS by default, though it would be a valuable optional service. The DNSBLs I would recommend everyone use are:
These are all low-to-no-false-positives lists which I feel comfortable recommending to every ISP regardless of its stance on SPEWS.
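Added example, not part of the original comment: a Python sketch of how a DNSBL query name is formed for the zone named above, and of why per-list block counts depend on the order in which lists are consulted when they overlap. The list contents, the one-CIDR-per-line text format, the client addresses and the order local, SBL, SPEWS are all constructed assumptions, not SPEWS's real data or format.

```python
import ipaddress
from collections import Counter

def dnsbl_query_name(ip, zone):
    """Name a mail server looks up for an IPv4 client: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_blocklist(text):
    """Parse a text list (assumed format: one CIDR per line, '#' comments)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))
    return nets

def is_listed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def first_match_counts(ips, ordered_lists):
    """Credit each blocked IP only to the first list consulted that lists it."""
    counts = Counter()
    for ip in ips:
        for name, nets in ordered_lists:
            if is_listed(ip, nets):
                counts[name] += 1
                break
    return counts

def independent_counts(ips, ordered_lists):
    """Credit each blocked IP to every list that lists it, ignoring order."""
    counts = Counter()
    for ip in ips:
        for name, nets in ordered_lists:
            if is_listed(ip, nets):
                counts[name] += 1
    return counts

# Constructed list contents (documentation address ranges, not real listings).
ORDERED_LISTS = [
    ("local", parse_blocklist("192.0.2.0/25  # constructed entry")),
    ("sbl", parse_blocklist("192.0.2.64/26\n198.51.100.0/24")),
    ("spews", parse_blocklist("192.0.2.0/24\n198.51.100.0/25\n203.0.113.0/28")),
]
# Constructed connecting client IPs.
CLIENTS = ["192.0.2.10", "192.0.2.70", "192.0.2.200", "198.51.100.5",
           "198.51.100.200", "203.0.113.3", "203.0.113.50"]

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "spews.relays.osirusoft.com"))
    print("as logged:", dict(first_match_counts(CLIENTS, ORDERED_LISTS)))
    print("standalone:", dict(independent_counts(CLIENTS, ORDERED_LISTS)))
```

With this constructed data the list consulted last is credited with two blocks in the logs although it would have caught five on its own, which is the ordering bias the comment describes.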
Yup ... and it won't stop my host from responding to one of those with a phony DHCP or ARP response. Hence, forgery; hence, the problem noted in the article.
Bull pickles. I recently got Adelphia cable modem service myself. First thing I did, practically, was to plug the cable modem into my Mac OS X box and run "tcpdump" on it, to see whether or not they had secured the local network against sniffing. Sure enough, I could not see any of the other customers' actual traffic -- but I certainly could see:
It seems pretty trivial that someone with the right mildly altered software could easily set themselves up as a DHCP server and hand out fake gateway information, or as an ARP-poisoning proxy. Good reason to check your network settings for suspicious things if you use DHCP.
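Added example, not part of the original comment: one way to check a shared segment for the two forgeries mentioned above, a second DHCP server offering a different gateway and an IP address whose ARP binding changes. The event tuples are a constructed, simplified record format (not tcpdump output), and the first server and first binding seen are assumed to be the legitimate ones.

```python
# Constructed observations, in the order seen on the wire (not real capture data).
# ("dhcp", server_id, offered_router) or ("arp", ip, mac)
EVENTS = [
    ("dhcp", "10.0.0.1", "10.0.0.1"),
    ("arp", "10.0.0.1", "00:00:5e:00:53:01"),
    ("arp", "10.0.0.23", "00:00:5e:00:53:17"),
    ("dhcp", "10.0.0.66", "10.0.0.66"),        # second server, different gateway
    ("arp", "10.0.0.1", "00:00:5e:00:53:42"),  # gateway IP claimed by another MAC
    ("arp", "10.0.0.1", "00:00:5e:00:53:42"),  # repeat of current binding: no alert
]

def audit(events):
    """Return alert strings for unexpected DHCP servers and changed ARP bindings.

    Trust-on-first-use: the first DHCP server and the first MAC seen for an IP
    form the baseline, so the baseline itself must be captured on a clean network.
    """
    alerts = []
    servers = {}   # DHCP server identifier -> router it offered
    bindings = {}  # IP address -> MAC address last seen for it
    for kind, a, b in events:
        if kind == "dhcp":
            if servers and a not in servers:
                alerts.append(f"new DHCP server {a} (known: {sorted(servers)})")
            routers = set(servers.values())
            if routers and b not in routers:
                alerts.append(
                    f"DHCP server {a} offers gateway {b}, "
                    f"expected one of {sorted(routers)}")
            servers[a] = b
        elif kind == "arp":
            old = bindings.get(a)
            if old is not None and old != b:
                alerts.append(f"ARP: {a} moved from {old} to {b}")
            bindings[a] = b
    return alerts

if __name__ == "__main__":
    for line in audit(EVENTS):
        print(line)
```

A legitimate failover DHCP server or a replaced router will also trigger these alerts, so each one is a prompt to verify, not proof of forgery.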
The week before Thanksgiving, I walked into our server room and found therein the instantly recognizable smell of hydrogen sulfide. Call it "rotten eggs" if you will; it always reminds me rather more of volcanic sulfur vents. (Perhaps that's because I've never been around rotten eggs in quantity.) Anyhow, ours is a science research institution that certainly handles its share of odd chemicals, so my first thought was the same as the server room manager's when I asked him about it:
"Oh, something must have gotten in the ventilation from the labs. It'll blow out."
After the twinge-inducing smell didn't go away for a day or so, I went to our boss -- a former chemist. He seemed to think it was worth a deeper investigation, and soon we were sniffing around the server room trying to locate the source of the smell.
"Seems to be coming from over here."
"From these UPSes? ... y30w, this one's hot!"
Presently we opened the UPS cabinet and discovered (at this point to not a bit of surprise) a leaky battery, and a trail of nasty-looking rust along the chassis. Sulfuric acid plus iron yields hydrogen sulfide plus red iron oxide: 3H2SO4 + 8Fe = 3H2S + 4Fe2O3.
A couple of weeks ago I had the unpleasant experience of going to the dentist four times in ten days. (Slashdotters note: this is what happens when you avoid going to the dentist for three years.) However, whilst sitting in the waiting room in terror over the prospect of being assigned the newbie of the two dentists, I observed a curious phenomenon in progress:
I was a little bit surprised when I noticed that this system wasn't made of Web forms -- though the systems on the desk were Wintel PCs, they weren't running Internet Explorer. Nor were they running a GUI front-end to a database, some PowerBuilder or MS Access widget conglomeration. No, the application running on those PCs was ... an IBM 3270 emulator.
"There you go. Now move down to 10:00 ... now F10 that ... and hit F6 to print."
From the dialogue between the two receptionists, I could tell several things about this application. First off, it certainly required and expected a certain amount of training to use. To submit a form to the mainframe (located at a distant data center) required hitting F10, not clicking on a "Submit" button. There was no concession here to being "intuitive" -- the trainee simply had to learn that F10 means "submit form".
Yet this was consistent -- F10 always meant "submit form", at every stage of the workflow. (So much so that the elder had made "F10" into a verb, as you may have noticed above, meaning "to submit form".) No unexpected dialog boxes came up with panicky but unnecessary messages, needing to be clicked away. The application's behavior created a consistent, predictable, learnable workflow. The elder receptionist spoke with complete confidence about the system's behavior, though she was certainly not an "IT person" -- in however many years she had been using it, I suspect it had never failed her once. This was not an application that she expected might crash or do something stupid and eat an appointment. Nor had it been "upgraded" three times in the past year to a version with fancier and completely unrecognizable widgets.
Now, I work in IT. I spend all day with Unix, Windows, and Mac users. I also make a point of observing people's interactions with other data systems -- Windows-based supermarket cash registers, handheld card scanners at conferences, information kiosks at tourist attractions, and so forth. Rarely if ever do I hear the sort of quiet confidence in the computer's behavior which I've observed in end-users of mainframe applications.
This is not "computer as irascible demon, seeking to lash out at its summoner," like Windows. It isn't "computer as consistent and friendly but sometimes fumble-fingered servant," like the Mac OS. And it certainly isn't "computer as Necronomicon," like Unix.
It just works. So of course its users depend on it.
Microsoft is not a telecoms firm. It is chiefly a software firm. I have not studied the role that government action has played in the creation or maintenance of the Microsoft monopoly -- though I expect it would be largely confined to government adoption of incompatible Microsoft software, e.g. for the creation of government Web sites and the distribution of documents.
On that subject: I do not believe that governmental agencies have the right to demand that the public purchase software from a particular company in order to read laws. Government sites which can only be viewed in Internet Explorer are incompatible with the rule of law, as they place control over knowledge of the law in private hands.
But that's another topic, isn't it?
There's a reason that a "protect the status quo first, ask questions later" attitude in politics is called "reactionary", O my brothers. It might have something to do with reacting with one's gut rather than thinking with one's head.
Those who actually read the Cato paper "Unnatural Monopoly" will note that it contains substantial criticism of the doctrine of "natural monopoly" -- a criticism which the title reflects.
(The traditional economic argument is that a telephone system is a "natural monopoly", chiefly due to the costs of laying cable. What the Cato report reveals is that regardless of any inherent monopolistic tendency there might be in telecoms, it is government policy and not market action which created and sustained the monopoly.)
The point of the monopoly argument in my above post was not, however, to argue for the abolition of the FCC or telecoms regulation. (Indeed, I do not believe that the appropriate way to go from government monopoly to market is to simply turn the monopoly loose. In this, I disagree with what I take to be Cato's position.)
My point was, rather, to point out that insofar as telecoms "companies" are government-created monopolistic agencies, they cannot be given the full "rights" of a market participant. A government agency has only those rights that are granted it by the people; it is not permitted to fulfil its ends by whatever means it chooses. In the matter of personal records -- we do not permit the Internal Revenue to sell the contents of tax returns to financial companies to boost its income; similarly we cannot permit a government-spawned, regulation-protected telecoms agency to sell taxpayer records to "improve service."
As a libertarian myself, I feel the need to forestall an argument that some of my fellow libertarians might make: that such laws cannot be justly applied to the telecommunications market; that they are an improper restraint on legitimate trade, or free speech; etc. The fact of the matter is that the telecoms system as we know it is a construct of government regulation. Its "privatized" structure is merely a corporatized extension of national governments, like the old colonial "Companies" (think "British East India Company", etc.) which enriches investors whilst furthering government policy.
Free-market telecommunications have been systematically denied any chance to establish themselves. Most Americans believe that AT&T was a monopoly created by the market and dismantled by the government, for instance, but this is far from the case. The Cato report "Unnatural Monopoly" details the United States Federal Government's actions in creating the AT&T telephone monopoly, for various political and nonmarket purposes. In doing so, members of Congress went so far as to characterize market competition as "duplicative, destructive, and wasteful." (Many European nations did not even bother to allow private telecommunications systems, building them as government monopolies. In some cases, these were later "privatized" in such a way as to preserve the majority of their monopoly positions, while making money for rich investors. This is not a free market; it is state-capitalism.)
Much the same applies to radio, of course: the FCC and its ilk created an artificial scarcity of the radio spectrum, parceling out freedom of speech via radio as if photons were the government's own creation. Those who choose to speak without a government license to do so, it criminalizes as "pirates". Radio equipment is inexpensive and not difficult to maintain; it is radio licensing that reserves the medium as a playground for large corporations. Moreover, when the government has the power to license speech, it has the power to censor, say the courts: hence the countless "words you can't say on television" though you may speak them freely in a meeting-hall.
(Too US-centric for you? Here, try Panama, where the telecoms monopoly is using government threats to force ISPs to block competition in the form of voice-over-IP services.)
The telecommunications industry is not a free market; and its constructs are not private enterprises, no matter how many investors they may enrich (or bankrupt). They were created and empowered by regulation. Their markets are patrolled by censorship. They are firms granted the power to tax; government agencies granted stock-market symbols and an oligopolic pretense at competition. As such, they are no more entitled to sell data about their taxpayers (aka "customers") than is, say, the Internal Revenue Service.
I'd like to suggest "chessboard copyright", as follows: The term of an unregistered copyright shall be five years. Thereinafter, the copyright must be registered. The registration fee shall be one dollar for the sixth year; two dollars for the seventh year; and so forth -- for each subsequent year, the fee doubles.
The rationale here is that the cost of copyright to society is not merely linear with each year -- rather, it increases exponentially, since it cuts off the creation of whole genealogies of derivative works. Imagine if derivative works of the first Linux distribution were forbidden -- we would not simply have been deprived of the second Linux distribution, but of all the diverse branches of that family tree.
Chessboard copyright permits the holding-out of copyright over works which are exceptionally profitable -- such as Mickey Mouse -- for around twenty-five years. (The registration fee for the twenty-fifth year is $2^19 = about half a million dollars, still quite safe for a media mogul's profit margins.) However, soon after that it becomes untenable and shortly exceeds the size of the world economy. This is, of course, intentional.
Tweaks to this system might include adjusting the duration of unregistered copyright, the base fee, the exponent coefficient, and whether or not these values are the same for all classes of works (e.g. books vs. software vs. audio). If unregistered copyright lasted ten years, and the base fee was a penny, then a forty year copyright would cost just over 5.3 million dollars in the fortieth year.
That might be about right.
Clarification: This is a thought experiment, intended to balance between highly profitable companies' desire to hold copyright and the public's demand for innovative derivative works. I consider copyright itself much more problematic than this "proposal" suggests.
Elcomsoft has indeed sold a number of products which are indefensible spamware, specifically a program IIRC called "Advanced Email Extractor", a Web spider that extracts email addresses from Web pages. Elcomsoft spamware is largely distributed through mailutilities.com which in many ways seems to be a front, and is certainly very circumspect. That site's policy states that they will refuse to provide technical support to those who use their software to spam ... but it is easy to lie.
Are Elcomsoft products used to spam? Doubtless. Are they also used for other things? I don't know.
Does this mean that Dmitri Sklyarov is or was personally an author of spamware? We can't tell. I'm not sure how large Elcomsoft is, but it probably has several programmers, and Sklyarov may not have worked on these particular products. He certainly worked (works?) for a company that profited from spamming, though.
If Sklyarov wrote spamware, does that make him a criminal? Probably so in some jurisdictions; likely not in Russia. Does it make him crooked? By my count, yes: creating tools with the intent that they be used for lawless purpose is crooked behavior.
Does any of that justify his treatment by agents of the United States government? No.
Aside from your "blocking"/"listing" mistake, which has already been pointed out, I'm not sure you're presenting the matter equitably. Yes, ORBS did list sites that did not spam. No, they didn't do so to "block competition".
As I understand it, ORBS showed up as a more effective rival to MAPS RBL at a point when MAPS was starting to go commercial. ORBS's techniques were also more controversial than MAPS's, in that they involved automatic testing of open relays -- a technique a small subset of spamfighters consider abusive. A number of MAPS proponents, including MAPS principal Paul Vixie and his ISP above.net, took offense at these tests and blocked them. ORBS responded by listing mail sites that blocked relay tests -- after all, it could not verify whether they were open relays or not, and like many security oriented systems it erred on the side of paranoia or caution.
It was above.net, and not ORBS, who took the step more regard as abusive and anticompetitive: it advertised a BGP null route for ORBS's IP space. That is to say, above.net's routers falsely claimed to be able to route traffic to ORBS -- and when they got such traffic, they dumped it in the bit bucket. This meant that sites which trusted above.net's routing announcements, notably above.net clients and peers, could not reach ORBS -- not for mail, not for DNS, not for anything.
Above.net, of course, claimed this was done to block ORBS' "abusive" relay tests.
Again, this was shortly before MAPS became a subscription-only service. While above.net and MAPS are officially distinct entities, they certainly had personnel with interests in common.
I don't know how that looks to you, but I am revolted by the idea that any ISP would destroy part of the Internet (which is what falsely advertising null routes does) in order to get at a rival.
Good point. The appropriate "client-side filter" to accomplish this, though, is not to use an email client that takes network action at the behest of an email message.
Spam isn't the only sort of malicious mail that should caution us against allowing mail clients to go download stuff off the Net automatically. If someone wanted to DDoS a Web site inconspicuously, they could do pretty well by sending out spam that included an expensive dynamic page at that site in an IFRAME ... or 100 such IFRAMEs per message.
"If we close the open relays, spam will go away" is actually what a lot of spamfighters thought five years ago. A common opinion then was that spam was basically a technical problem, like a security hole or smurfing, and that applying the appropriate technical fix to mail servers would prevent it.
Unfortunately, that hasn't worked. First off, open relays are not the only technical problem that makes spamming easier. Open proxies are just as common today -- and worse, since they hide the tracks of spammers. (They're also used by all sorts of other abusers.) Moreover, open proxies are harder to get people to close down, since blocking access from them to mail servers doesn't usually affect their legitimate users -- and thus doesn't draw their attention.
Second, it has been increasingly realized by most spamfighters that spam is a social problem, not merely a technical one. The problem isn't just that there are abusable resources, but that there are people who are willing to abuse them for profit, and other people who are willing to aid and abet those abusers in order to reap a share of that profit.
As a parallel, consider burglary. Sure, it is good to employ technical means such as deadbolt locks and alarms to block or deter burglars -- but nobody thinks that burglaries are solely technical problems, and that we should pursue only better locks rather than the arrest of burglars. Burglary is a social problem; specifically, a problem caused by some people's willingness to violate others' rights. We call those kinds of problems "crimes".
Spam is a particularly frustrating crime since anyone who considers the proprieties of the situation can recognize it as lawless, but few legislatures have chosen to formalize its criminality in statute. It's lawless because it defies the property rights of mail server owners, alienating their resources for the spammer's use without permission. That's often covered by statutes regarding theft of service, computer crimes, or various sorts of tort, and there have been a number of cases wherein spamming was recognized by judges and juries as such. However, in many jurisdictions there's no statute to point to that says "spamming is a crime".
Third, there's also a social-technical problem. There's a small number of crooks who can profit themselves greatly by finding means of sending spam. Each of them has a much greater incentive to locate these means than any individual spamfighter does. This is a social problem in a different sense: insofar as spamfighting relies on discovering paths for spam propagation and getting them shut down (e.g. closing open relays) the crooks are always going to be several steps ahead.
By targeting organizations and persons known to be sources of spam, rather than the victims they exploit to send that spam, we can get around that problem. The number of large-scale spammers is actually rather few. Steve Linford's ROKSO (Registry Of Known Spam Operations; same guy as the SBL) lists around 100 organizations which have been thrown off of ISPs three or more times for spamming.
Fundamentally, I agree with you that the problem is one of education. However, it is not merely the education of ISP technical staff that must take place. It's the education of everyone involved -- technical staff, their managers, mail software authors, spammers, the legal system, spam recipients, and businesses that might consider spamming. Everyone needs to wise up about spam.