The simple fact though, is that "misdirected bounces", though well intentioned, make the problem of spam quite significantly worse.
I don't disagree that that scenario, and the similar ones caused by anti-viral warnings, act to amplify the effects. The problem is that a blanket "no bouncing, ever" policy destroys some useful features of the email system. Much as Spamcop would wish it, it isn't always possible to know during the SMTP transaction whether the message will ultimately bounce.
I think the RBL providers just need to be sued for loss of business...This is why we have courts, the next time I end up on an RBL for not spamming I think I will sue.
That would be a laugh, although not for yourself. Assuming you're not so naive as to believe you're the first cartoony to think of suing, you might want to consider why there haven't already been swathes of court decisions against RBL operators.
Do they send a weekly "You got spam from these addresses..." message?
What value, really, does such a notification have? I would say "little to none whatsoever". Most always, there will be no false positives listed, and that's assuming you can even be bothered to examine the weekly message. A notification that I didn't receive a spam, is itself spam. I simply don't care that messages were rejected, because false positives are so rare, and the payoff is so high, the tradeoff is unquestionably worth it. If you're going to go the trouble of sending notifications of rejected messages in order that a recipient can catch a false-positive, you may as well just deliver the original messages in the first place.
Erm, right, because this actually is about receiving, not "sending". Like I said. Before.
You seem to be hung up on the fact that (usually) , the intended recipient of a message doesn't receive notification that a message was rejected. But the sender will get a non-delivery report from their own local system. The onus is on the sender to decide what to do about non-delivery. How can any recipient be under any obligation to ensure the delivery completes? To be forced to accept anything? To relinquish the ability to decide which traffic enters their own, privately owned equipment? That's absurd.
Furthermore, notifications to the intended recipient are worse than useless : almost all of the time they will be spam rejection notices. A spam rejection notice in my inbox (or even filtered into a junk folder) is no different than the spam itself. (cf those braindead mail systems that notify intended recipients that a virus was not delivered; or even worse, those that send the same notification to the purported (spoofed) sender; or, the piece de resistance, the system that sends a non-delivery report to the spoofed sender, and includes a copy of the original, virus-infected message as well. The latter is ignorance bordering on negligence).
So we have to wait until blacklists become significantly harmful before we'll change our ways?
Actually, from my own experience and that of other postmasters I talk to, over the last few years RBLs seem to be holding up pretty well in terms of a benefit/harm ratio. If anything, the harm is decreasing as postmasters become increasingly clueful in the ways they implement them. My last true false-positive incident was almost two years ago. I'm never going to say that RBLs are any kind of solution to the wider problems we have with unsolicited bulk email; they're one more tool in the bag of tricks. But they do work at least as well as any other technique we currently have.
Some postmasters are piss poor, period. But I'm not one of those, so forget the hypothetical finger pointing and deal with the actuality : RBLs work, and work well, even though they're not maintenance-free, and they're not a panacea.
Have you ever found anyone that got hit in the expanding scope issue that still relies on RBL's?
So little of your post makes any rational sense, but this bit is particularly perplexing. What on earth are you on about?
Maybe I'm just missing your point. How exactly do the Safe Harbor provisions have any bearing?
Speaking of which, I'm glad I'm not one of your users.
I was going to respond that the feeling is mutual, but actually, that would be overstating my concern. Truth is, the only way you're likely to be a user on one of my systems is as an employee, in which case the question of whether you have any choice is moot.
What's way waaaay more critical than whether a system is using RBLs (or indeed any specific anti-spam technique), is whether you have a postmaster who is clueful. Someone who is responsive to what's happening on their system, both in terms of supporting their own users, and in dealing with external postmasters. I'm not going to pretend that I've never had to add a particular IP to my accept lists, if even only temporarily. There have been cases where, *gasp* yes, I had to speak to people on the telephone to resolve a particular situation. But those few cases are dwarfed by the enormous benefit and resource-saving RBLs provide.
And the answer to the question you're pondering, but would never ask unprompted, is "no, of course not".
If the collateral damage caused by RBLs were not insignificant compared to the benefit they provide, then they wouldn't be so widely used. They're not perfect, of course. But they are indisputably the single most effective tool we have today.
Certainly. The answer, unfortunately of course, is "it depends". It depends on what your own tolerance of false-positives is, and what your current level and nature of spam is (where "you" also includes the users of your system - there's a world of difference between an ISP with tens of thousands of paying customers, a small organisation with a hundred employees, and a personal family/friends server).
My best advice is to carefully examine the policies of the RBLs, and revisit that examination on a regular basis. Look at whether the process by which IPs are added to a list is automatic, or human-moderated. Are they using spamtraps? Do they allow just anybody to submit addresses for listing? Is the listing process openly specified, or a black box? What is the procedure for de-listing an address? Google around for others' experiences using the list. This Declude page is a useful starting point (I have no relation to Declude).
Currently, I see the least collateral damage with the Spamhaus lists. My top recommendation would be the sbl-xbl.spamhaus.org list, a composite list consisting of known spammers plus a pretty good list of compromised/trojanned systems.
On one extreme, SPEWS is hardcore - I would never recommend them to anyone who isn't very well aware of the implications of what they are doing. On the other end of the scale, open relay lists like relays.ordb.org and the like are very benign, but less useful, since there hardly are any more open relays these days. I used to really like Spamcop's lists, but I lost faith in them a couple of years ago when I experienced some inexcusable cock-ups. More recently, Spamcop changed listing policy and started listing systems that were sending "mis-directed bounces", which I personally find misguided (long story, see this discussion for a start). Also be careful about "multi-stage" or "multi-hop" lists. These can often end up listing major ISP servers, simply because one of their clients relayed a spam that way, typically caused by a trojan-type infection.
I've also had trustworthy results with
cbl.abuseat.org, and in a typical configuration I often also use relays.ordb.org (open relays) and list.dsbl.org.
I do think people should be forced to accept every email that I send.
Then you are no different than a spammer. And it's clear from the rest of your drivel that you really don't understand what happens when an RBL is in use. Hint : legitimate email suffering an RBL false-positive doesn't disappear into a black hole. That's one of the reasons why RBLs are so effective, even in an environment where some false-positives are inevitable. Or to put it another way, if the "collateral damage" from RBLs were anything other than insignificant, compared to the benefit they provide, then world+dog wouldn't be using them.
Actually, I *do* get paid. And typically, I specifically get paid to implement a range of measures, of which RBLs are just a piece. I explain the pros and cons to the client; I explain the listing policies of the RBLs I recommend, and the listing policies of those I do not recommend. And I also track how policies change over time (eg it's been some time now since I stopped recommending Spamcop). Sometimes, the client decides not to use RBLs. Most *do* use them to some extent (often weighted in with a number of other measures), simply because RBLs are currently very effective.
Your chest-beating about suing over dropped mail is so naive it's touching. Have you ever even read the contract you've entered into with your ISP? Good luck getting a clause in there that guarantees email delivery.
I totally agree that "chairperson" is clumsy. I much prefer simply "chair".
And I note that it is *you* that thinks this is a race issue. I just said that I didn't get the black=bad, white=good paradigm, (detour via caveman analogies notwithstanding). I never mentioned race (other than to note that others would shoot me down because they would jump to that conclusion).
As for the main point, as I pointed out in another post, on a practical level, "block list" and "accept list" are just much more meaningful in explaining what the lists do. Why would anyone choose to use alternatives that are less meaningful *and* may be be looked upon with distaste by some? The only reasons I can think of are (a) ignorance/laziness or (b) a deliberate "anti-PC" mentality. So which are you? Your surely won't attempt to claim that "blacklist" is more meaningful than "block list" will you?
[...hopelessly flawed analogy elided...] I read a comment from an "anti-spam" person and I think I'll be safer choosing to work that delete key.
Fine, that's your decision. But don't try and force me into that same decision. Or, more accurately, you can't stop me making my own decisions on this. All the whining in the world won't change that.
The people who are sqealing are not my users. In fact, my users are *delighted* at how effective my overall spam-prevention works (and of course, RBLs are but one element of that).
You have to read my post with your eyes closed to get your meaning from it.
Except that I have been listed. And I had to go through contortions to fix that situation, which did not occur because of anything I did. What were you saying about acting like a dick?
As I already said, yes, I do assume the role of telling people to fuck off on behalf of my users. And I'm accountable for that. If I choose lists with inappropriate policies, or continue to use a list after its policy has changed for the worst, then I deserve to have my users demand change or my removal. No-one is pretending that RBLs are a magic bullet, or even that that they're a "configure & forget" solution. Of course there will be false-positive listings, malicious smear attacks (which is what this case appears to have been) and so on. My experience is that the damage arising from such cases is minimal when compared to the benefit of using RBLs. Simply put, RBLs work more effectively than just about any other technique (for today, at least).
And frankly, on a practical level, what are you going to do about it? Do you think you can stop groups of people organising themselves and exchanging opinions on the activities of others?
How charming. Yet you would deny the users of RBLs the chance to say "Fuck Off" to spammers? Here's a free clue for you - I will decide who gets told to "fuck off" on my own system. Whine all you like, it's my decision.
I reserve the right to block (or accept) any mail I choose on my own system. I also make that decision on behalf of my users, weighing the pros and cons, and especially the listing policies, of any RBLs. If I get it wrong, then yes, my users won't be happy. I'm all for doing what makes my users happy. Blocklists do make my users happy. They work. The fact that there's sqealing about the effect shows that they work. I reject utterly the contention that I should somehow be forced to accept anything I don't want to receive
More like someone (ie you) RTFA but didn't understand it. Blocklists do not stop people sending. They are used on the receiving side. Receivers choose whether to use them or not. Of course, receivers need to understand the implications of that, and in particular, they need to understand what the policies of the particular list(s) are (and indeed, whether they have changed - Spamcop is a good example there).
I'd take all the SPAM anyday vs. not being able to send legitimate emails.
Except that blocklists don't stop you sending email, they merely allow others to decide whether to accept that mail. Or do you think other people should be forced to accept any and every email you send?
I've always been a little uncomfortable with the underlying assumptions white=good, black=bad. I prefer to describe such lists as "blocklists" and "accept lists"
Yeah, yeah, very PC of me; go ahead, shoot me down. Sometimes, these things *do* matter, and individuals have to stand up and say so.
Copyrights still have an important place in our society.
Copyrights have an important place in the wallets of the powerful few who want to own our very culture.
Or you don't believe that writers, musicians, actors, or programmers should be compensated for their work?
Copyright is a relatively recent development. Were there no actors or musicians in the centuries and millenia before then? There are plenty of ways that artists can be compensated, they just won't involve huge mark-ups for the *distributors* . As you said yourself, globally, the current copyright system is broken; more of the same ain't gonna fix it. Artists and society both require a system that does fairly reward creators.
With inconsistent laws, the enforcement of copyrights from country to country would be chaotic at best.
Absolutely right. We *should* have global consistency, and it would seem the only common denominator is abolishment of copyrights entirely. Some countries have already started !
In the EU, performers get 50 years copyright. 2005 minus fifty years is 1955, the dawn of the modern era of rock and pop. The late Elvis is the first big goose scheduled to stop laying golden eggs, but other huge ones loom over the next decade - the Beatles in particular.
No wonder the corps are pressing for extensions; why wouldn't they want indefinite copyrights? It's certainly in their interests, but it's most definitely not in the wider interestes of society at large. This proposal will do nothing to pomote the useful arts and sciences.
Slashdot Mirror
The simple fact though, is that "misdirected bounces", though well intentioned, make the problem of spam quite significantly worse.
I don't disagree that that scenario, and the similar ones caused by anti-viral warnings, act to amplify the effects. The problem is that a blanket "no bouncing, ever" policy destroys some useful features of the email system. Much as Spamcop would wish it, it isn't always possible to know during the SMTP transaction whether the message will ultimately bounce.
I think the RBL providers just need to be sued for loss of business...This is why we have courts, the next time I end up on an RBL for not spamming I think I will sue.
That would be a laugh, although not for yourself. Assuming you're not so naive as to believe you're the first cartoony to think of suing, you might want to consider why there haven't already been swathes of court decisions against RBL operators.
Do they send a weekly "You got spam from these addresses..." message?
What value, really, does such a notification have? I would say "little to none whatsoever". Most always, there will be no false positives listed, and that's assuming you can even be bothered to examine the weekly message. A notification that I didn't receive a spam, is itself spam. I simply don't care that messages were rejected, because false positives are so rare, and the payoff is so high, the tradeoff is unquestionably worth it. If you're going to go the trouble of sending notifications of rejected messages in order that a recipient can catch a false-positive, you may as well just deliver the original messages in the first place.
Perhaps "sending" isn't the right word to use
Erm, right, because this actually is about receiving, not "sending". Like I said. Before.
You seem to be hung up on the fact that (usually) , the intended recipient of a message doesn't receive notification that a message was rejected. But the sender will get a non-delivery report from their own local system. The onus is on the sender to decide what to do about non-delivery. How can any recipient be under any obligation to ensure the delivery completes? To be forced to accept anything? To relinquish the ability to decide which traffic enters their own, privately owned equipment? That's absurd.
Furthermore, notifications to the intended recipient are worse than useless : almost all of the time they will be spam rejection notices. A spam rejection notice in my inbox (or even filtered into a junk folder) is no different than the spam itself. (cf those braindead mail systems that notify intended recipients that a virus was not delivered; or even worse, those that send the same notification to the purported (spoofed) sender; or, the piece de resistance, the system that sends a non-delivery report to the spoofed sender, and includes a copy of the original, virus-infected message as well. The latter is ignorance bordering on negligence).
So we have to wait until blacklists become significantly harmful before we'll change our ways?
Actually, from my own experience and that of other postmasters I talk to, over the last few years RBLs seem to be holding up pretty well in terms of a benefit/harm ratio. If anything, the harm is decreasing as postmasters become increasingly clueful in the ways they implement them. My last true false-positive incident was almost two years ago. I'm never going to say that RBLs are any kind of solution to the wider problems we have with unsolicited bulk email; they're one more tool in the bag of tricks. But they do work at least as well as any other technique we currently have.
Some postmasters are piss poor, period. But I'm not one of those, so forget the hypothetical finger pointing and deal with the actuality : RBLs work, and work well, even though they're not maintenance-free, and they're not a panacea.
Have you ever found anyone that got hit in the expanding scope issue that still relies on RBL's?
So little of your post makes any rational sense, but this bit is particularly perplexing. What on earth are you on about?
Maybe I'm just missing your point. How exactly do the Safe Harbor provisions have any bearing?
Speaking of which, I'm glad I'm not one of your users.
I was going to respond that the feeling is mutual, but actually, that would be overstating my concern. Truth is, the only way you're likely to be a user on one of my systems is as an employee, in which case the question of whether you have any choice is moot.
What's way waaaay more critical than whether a system is using RBLs (or indeed any specific anti-spam technique), is whether you have a postmaster who is clueful. Someone who is responsive to what's happening on their system, both in terms of supporting their own users, and in dealing with external postmasters. I'm not going to pretend that I've never had to add a particular IP to my accept lists, if even only temporarily. There have been cases where, *gasp* yes, I had to speak to people on the telephone to resolve a particular situation. But those few cases are dwarfed by the enormous benefit and resource-saving RBLs provide.
And the answer to the question you're pondering, but would never ask unprompted, is "no, of course not".
If the collateral damage caused by RBLs were not insignificant compared to the benefit they provide, then they wouldn't be so widely used. They're not perfect, of course. But they are indisputably the single most effective tool we have today.
Certainly. The answer, unfortunately of course, is "it depends". It depends on what your own tolerance of false-positives is, and what your current level and nature of spam is (where "you" also includes the users of your system - there's a world of difference between an ISP with tens of thousands of paying customers, a small organisation with a hundred employees, and a personal family/friends server).
My best advice is to carefully examine the policies of the RBLs, and revisit that examination on a regular basis. Look at whether the process by which IPs are added to a list is automatic, or human-moderated. Are they using spamtraps? Do they allow just anybody to submit addresses for listing? Is the listing process openly specified, or a black box? What is the procedure for de-listing an address? Google around for others' experiences using the list. This Declude page is a useful starting point (I have no relation to Declude).
Currently, I see the least collateral damage with the Spamhaus lists. My top recommendation would be the sbl-xbl.spamhaus.org list, a composite list consisting of known spammers plus a pretty good list of compromised/trojanned systems.
On one extreme, SPEWS is hardcore - I would never recommend them to anyone who isn't very well aware of the implications of what they are doing. On the other end of the scale, open relay lists like relays.ordb.org and the like are very benign, but less useful, since there hardly are any more open relays these days. I used to really like Spamcop's lists, but I lost faith in them a couple of years ago when I experienced some inexcusable cock-ups. More recently, Spamcop changed listing policy and started listing systems that were sending "mis-directed bounces", which I personally find misguided (long story, see this discussion for a start). Also be careful about "multi-stage" or "multi-hop" lists. These can often end up listing major ISP servers, simply because one of their clients relayed a spam that way, typically caused by a trojan-type infection.
I've also had trustworthy results with cbl.abuseat.org, and in a typical configuration I often also use relays.ordb.org (open relays) and list.dsbl.org.
I'm with singletoned, and I think it's you that has a problem with understanding.
He(?) claimed that RBLs prevent people SENDING. He is wrong. If you agree with him that RBLs prevent sending, you are also wrong.
Reading the facts isn't enough, you need to be able to manipulate those facts and draw provable conclusions from them
Snicker. Donny Rumsfeld in da house!
I do think people should be forced to accept every email that I send.
Then you are no different than a spammer. And it's clear from the rest of your drivel that you really don't understand what happens when an RBL is in use. Hint : legitimate email suffering an RBL false-positive doesn't disappear into a black hole. That's one of the reasons why RBLs are so effective, even in an environment where some false-positives are inevitable. Or to put it another way, if the "collateral damage" from RBLs were anything other than insignificant, compared to the benefit they provide, then world+dog wouldn't be using them.
Actually, I *do* get paid. And typically, I specifically get paid to implement a range of measures, of which RBLs are just a piece. I explain the pros and cons to the client; I explain the listing policies of the RBLs I recommend, and the listing policies of those I do not recommend. And I also track how policies change over time (eg it's been some time now since I stopped recommending Spamcop). Sometimes, the client decides not to use RBLs. Most *do* use them to some extent (often weighted in with a number of other measures), simply because RBLs are currently very effective.
Your chest-beating about suing over dropped mail is so naive it's touching. Have you ever even read the contract you've entered into with your ISP? Good luck getting a clause in there that guarantees email delivery.
I totally agree that "chairperson" is clumsy. I much prefer simply "chair".
And I note that it is *you* that thinks this is a race issue. I just said that I didn't get the black=bad, white=good paradigm, (detour via caveman analogies notwithstanding). I never mentioned race (other than to note that others would shoot me down because they would jump to that conclusion).
As for the main point, as I pointed out in another post, on a practical level, "block list" and "accept list" are just much more meaningful in explaining what the lists do. Why would anyone choose to use alternatives that are less meaningful *and* may be be looked upon with distaste by some? The only reasons I can think of are (a) ignorance/laziness or (b) a deliberate "anti-PC" mentality. So which are you? Your surely won't attempt to claim that "blacklist" is more meaningful than "block list" will you?
Fine, that's your decision. But don't try and force me into that same decision. Or, more accurately, you can't stop me making my own decisions on this. All the whining in the world won't change that.
You have to read my post with your eyes closed to get your meaning from it.
Except that I have been listed. And I had to go through contortions to fix that situation, which did not occur because of anything I did. What were you saying about acting like a dick?
As I already said, yes, I do assume the role of telling people to fuck off on behalf of my users. And I'm accountable for that. If I choose lists with inappropriate policies, or continue to use a list after its policy has changed for the worst, then I deserve to have my users demand change or my removal. No-one is pretending that RBLs are a magic bullet, or even that that they're a "configure & forget" solution. Of course there will be false-positive listings, malicious smear attacks (which is what this case appears to have been) and so on. My experience is that the damage arising from such cases is minimal when compared to the benefit of using RBLs. Simply put, RBLs work more effectively than just about any other technique (for today, at least).
And frankly, on a practical level, what are you going to do about it? Do you think you can stop groups of people organising themselves and exchanging opinions on the activities of others?
Yeah. Whatever. Fuck off.
How charming. Yet you would deny the users of RBLs the chance to say "Fuck Off" to spammers? Here's a free clue for you - I will decide who gets told to "fuck off" on my own system. Whine all you like, it's my decision.
I reserve the right to block (or accept) any mail I choose on my own system. I also make that decision on behalf of my users, weighing the pros and cons, and especially the listing policies, of any RBLs. If I get it wrong, then yes, my users won't be happy. I'm all for doing what makes my users happy. Blocklists do make my users happy. They work. The fact that there's sqealing about the effect shows that they work. I reject utterly the contention that I should somehow be forced to accept anything I don't want to receive
Well, someone didn't RTFA.
More like someone (ie you) RTFA but didn't understand it. Blocklists do not stop people sending. They are used on the receiving side. Receivers choose whether to use them or not. Of course, receivers need to understand the implications of that, and in particular, they need to understand what the policies of the particular list(s) are (and indeed, whether they have changed - Spamcop is a good example there).
Would that be an editor that is modbombing this thread? I'd be flattered by the attention, if I had the slightest respect for them (-1 Flamebait)
Besides, isn't it african american, not black?
Who said anything about American?
On a practical level, "block list" and "accept list" are just much better descriptions of what such lists actually do.
I'd take all the SPAM anyday vs. not being able to send legitimate emails.
Except that blocklists don't stop you sending email, they merely allow others to decide whether to accept that mail. Or do you think other people should be forced to accept any and every email you send?
I've always been a little uncomfortable with the underlying assumptions white=good, black=bad. I prefer to describe such lists as "blocklists" and "accept lists"
Yeah, yeah, very PC of me; go ahead, shoot me down. Sometimes, these things *do* matter, and individuals have to stand up and say so.
Copyrights still have an important place in our society.
Copyrights have an important place in the wallets of the powerful few who want to own our very culture.
Or you don't believe that writers, musicians, actors, or programmers should be compensated for their work?
Copyright is a relatively recent development. Were there no actors or musicians in the centuries and millenia before then? There are plenty of ways that artists can be compensated, they just won't involve huge mark-ups for the *distributors* . As you said yourself, globally, the current copyright system is broken; more of the same ain't gonna fix it. Artists and society both require a system that does fairly reward creators.
With inconsistent laws, the enforcement of copyrights from country to country would be chaotic at best.
Absolutely right. We *should* have global consistency, and it would seem the only common denominator is abolishment of copyrights entirely. Some countries have already started !
In the EU, performers get 50 years copyright. 2005 minus fifty years is 1955, the dawn of the modern era of rock and pop. The late Elvis is the first big goose scheduled to stop laying golden eggs, but other huge ones loom over the next decade - the Beatles in particular.
No wonder the corps are pressing for extensions; why wouldn't they want indefinite copyrights? It's certainly in their interests, but it's most definitely not in the wider interestes of society at large. This proposal will do nothing to pomote the useful arts and sciences.
Bad software developers have built houses