The Fair Credit Reporting Act is your Friend. It is enforced by the FTC. Your employer has to get your consent to obtain the information. So refuse the consent. If they fire you, you might be able sue them for breach of contract, assuming they didn't tell you of the requirement prior to employment, or the requirement is unreasonable. You'll need a lawyer.
Here are some useful sites:
http://www.ftc.gov/os/statutes/fcra.htm
http://www.privacyrights.org/fs/fs16-bck.htm
http://www.pueblo.gsa.gov/cic_text/money/fair-cred it/fair-crd.htm
OSF/1 had after the end of the kernel main loop (one should never get there), that went similarly, "Shut her down Clancy, she a'pumpin mud."
I think that got cleaned up before release.
--Dean
I did not say that my goal isn't stopping spam. You made that up, which is something I've seen from you before, so I'm not surprised. So go back and read what I said. It's even in the title.
You said it in your reply to the paper, which I see you've since changed. However, not quite enough. And your goals can easily be seen by your actions.
My goal is not specifically to have no spam at any cost. Instead, my goal is to reduce or eliminate the cost associated with spam and attempts to deliver spam.
There is almost no cost associated with spam. Disks cost $150 for 80Gig. Bandwidth costs $50/Meg per month at the ISP level. Peering is cheaper still. Computing has been under $10/MIP for a while. Spam, indeed email of any sort, is almost free. Many places are offering email accounts for $2/mo or less. The problem is not the cost, but the annoyance. Its having to delete 50 messages to get at 10 you want.
At a very fundamental level, you either don't understand the problem, or you don't have the same goals, or both.
The open relay obscures the ability to block spam. It's either all permitted or all denied based on IP address.
This is just your broken filtering, which you insist on keeping broken. Your broken filtering isn't my problem. It is trivial to filter on the IP address in the Received Header. Even if the spammer inserts some additional forged headers, their real IP address is still there, and will be found on an IP address RBL.
The open relay obscures the ability to block spam. It's either all permitted or all denied based on IP address.
It doesn't obscure anything. There is no difference (Header-wise) between spam sent through the spammer ISP's closed relay or an open relay. The same headers are in the messages as there are when the spammer uses their ISP's closed relay. If you filtered on IP addresses in the Received Headers, it wouldn't matter what relay (open or closed) the spammer used. They could use any relay, anywhere in the world, and it wouldn't make any difference. The spam would still be blocked. Which is my goal.
But of course, as you have said in the past, it isn't your goal to block spam. This explains why you insist on simplistic filtering and your insistence on the "necessity" of blocking open relays.
Not all ISPs are willing to remove the spammer's connection. Of course we block those ISPs that do that. But because the spammer can get around it through open relays and open proxies, those get blocked, too
That doesn't mean you can't block spam. And this isn't my problem. I'm not responsible for some other ISP's policies. Their spammers still have IP addresses, just like everyone else. Those IP addresses go into Received headers, no matter what relay they use. Anonomizing relays and open proxies are a different problem, but can still be blocked by IP address, whether they use their ISP's closed relays, or some open relay.
And don't make threats against those who choose to not accept it. Then those who prefer to block only the open relays and not the whole network of the operator, can do so. It's the threats that I believe have resulted in most of the blocking of your entire net.
This is false. We are blocked in revenge because we block the relay testers. Also, we haven't made and 'threats' against anyone. We have successfully engaged the legal department of one ISP, after we learned of a credible threat to block our relays. The lawyers went head to head, and we won. Its not case law, but its clearly expert opinion. However, most ISP's don't block open relays. Very little of our email has ever been blocked. When it has, we've contacted the ISP, and the usual response is that they stop using the open relay list altogether. They could just whitelist us and keep using the open relay list. Instead, most people consider such blocking of legitimate mail, and entire ISP's inappropriate. They think the blacklist's goal is to block spam, and are usually quite unhappy to find out that isn't the case. And they're usually appreciative of the suggestion to use the IP address in the Received header, which improves their ability to block spam. Which is their goal, too.
As far as legal action goes, the end users of an ISP have an expectation of privacy. There are laws that protect that privacy. That precludes ISP's from joining boycotts of legitimate email. The users' email isn't a pawn to be played with at the whim of some admin. It belongs to the user, not the ISP.
Your message is very insightful, because it brings some clarity to the goals of the abusive blacklists, and highlights the differences between their goals and the goals of the mainstream anti-spam community and those of the vast majority of the
end users.
The `problem' as we see it is stopping spam without interfering with legitimate operations and legitimate email.
It is clear you disagree with that premise. However, this is problem that users are interested
in. The mainstream just wants spam stopped, but not at the expense of legitimate email.
The radicals see no expense as too great or too
unreasonable. That's what defines them as "radical".
Radicals want to damage ISP's they perceive as 'not doing enough', regardless of whether that perception has any basis in fact or reality. As Al Iverson (creator of MAPS RSS) said: "the blacklist operator feels power".
Radicals think they can do whatever they want without user consent. They think they don't need user consent. It is not surprising that end users and the mainstream disagree with that.
You say your goal isn't stopping spam. Thank you for being honest and forthright. We can see your goals are not the same as the rest of the anti-spam community, nor are they the same as the end-users. The rest of the email-using world isn't interested in collateral damage. Collateral damage isn't good business, and (as has been demonstrated) it isn't legal.
The abusive blacklists commit fraud on ISP's and end-users alike when they say or imply that their goal is stopping spam. Their goal isn't stopping spam. It has nothing to do with stopping ISP's from hosting spammers. Av8 Internet has never hosted a spammer, yet 130.105/16 is listed. The goal is, as you say, collateral damage.
I know that Spamcop has blocked Declan McCullagh's politech mailing list several times, in revenge against Rackspace.com. Only bad press has made them stop. Their blocks have had no effect on Rackspace. They have only created bad press.
Spamcop is just as bad as the others. However, it seems the users of such lists always think the list they are using isn't irresponsible. They often stop using the list when they learn of its irresponsibility. However, for some reason, this doesn't seem to motivate the blacklists to act responsibly.
RFC 2505 is a BCP (best common practice). Best common practices are "common practice". It is not a binding standard. It went through with very little comment. Also, RFC 821 is not obsolete.
There are reasons where open relays are necessary. Not every email-using entity is a residential dialup user, with a single ISP for both sending and receiving email. SMTP AUTH isn't standardized, isn't widely supported, and looks dead. This is why ISP's refuse to close open relays.
The spammer is the source of spam. No one else. The spammer can send via their ISP's relay, directly, or via an open relay. The only way to stop the spammer is to remove the spammer's connection, and the only entity that can do that is the spammer's ISP.
There is a huge amount of mis-information spread about open relays. Open relays can be protected from spammer abuse (volume, message signature, and scanning activity detected before use) just like closed relays. Perhaps better than closed relays. Open relays don't hide the spammers identity. Open relays don't prevent anyone from blocking spam.
One should be looking at the Received headers, which cannot be forged _after_ the spammer sends the email. So the spammer source IP address is _always_ in the message. Message signatures can detect when the source IP address changes. Blocking this way allows one to block spam regardless of whether it is sent directly, through a closed relay, or through an open relay. It also avoids collateral damage caused by blocking a relay. This is a good thing, unless it is your goal to cause collateral damage, in which case I have no sympathy for you.
Also, bonafide commercial spammers aren't the ones abusing open relays. Mostly KLEZ viruses and such abuse open relays. KLEZ is already illegal (it is a crime to break into a computer with a virus in the US). KLEZ is run by script kiddies whose goal is to harrass someone. Its already illegal in most cases, if anyone cared to organize the effort to track them down.
Slashdot Mirror
The Fair Credit Reporting Act is your Friend. It is enforced by the FTC. Your employer has to get your consent to obtain the information. So refuse the consent. If they fire you, you might be able sue them for breach of contract, assuming they didn't tell you of the requirement prior to employment, or the requirement is unreasonable. You'll need a lawyer. Here are some useful sites: http://www.ftc.gov/os/statutes/fcra.htm http://www.privacyrights.org/fs/fs16-bck.htm http://www.pueblo.gsa.gov/cic_text/money/fair-cred it/fair-crd.htm
OSF/1 had after the end of the kernel main loop (one should never get there), that went similarly, "Shut her down Clancy, she a'pumpin mud." I think that got cleaned up before release. --Dean
But of course, as you have said in the past, it isn't your goal to block spam. This explains why you insist on simplistic filtering and your insistence on the "necessity" of blocking open relays.
That doesn't mean you can't block spam. And this isn't my problem. I'm not responsible for some other ISP's policies. Their spammers still have IP addresses, just like everyone else. Those IP addresses go into Received headers, no matter what relay they use. Anonomizing relays and open proxies are a different problem, but can still be blocked by IP address, whether they use their ISP's closed relays, or some open relay. This is false. We are blocked in revenge because we block the relay testers. Also, we haven't made and 'threats' against anyone. We have successfully engaged the legal department of one ISP, after we learned of a credible threat to block our relays. The lawyers went head to head, and we won. Its not case law, but its clearly expert opinion. However, most ISP's don't block open relays. Very little of our email has ever been blocked. When it has, we've contacted the ISP, and the usual response is that they stop using the open relay list altogether. They could just whitelist us and keep using the open relay list. Instead, most people consider such blocking of legitimate mail, and entire ISP's inappropriate. They think the blacklist's goal is to block spam, and are usually quite unhappy to find out that isn't the case. And they're usually appreciative of the suggestion to use the IP address in the Received header, which improves their ability to block spam. Which is their goal, too.As far as legal action goes, the end users of an ISP have an expectation of privacy. There are laws that protect that privacy. That precludes ISP's from joining boycotts of legitimate email. The users' email isn't a pawn to be played with at the whim of some admin. It belongs to the user, not the ISP.
The `problem' as we see it is stopping spam without interfering with legitimate operations and legitimate email.
It is clear you disagree with that premise. However, this is problem that users are interested in. The mainstream just wants spam stopped, but not at the expense of legitimate email. The radicals see no expense as too great or too unreasonable. That's what defines them as "radical". Radicals want to damage ISP's they perceive as 'not doing enough', regardless of whether that perception has any basis in fact or reality. As Al Iverson (creator of MAPS RSS) said: "the blacklist operator feels power".
Radicals think they can do whatever they want without user consent. They think they don't need user consent. It is not surprising that end users and the mainstream disagree with that.
You say your goal isn't stopping spam. Thank you for being honest and forthright. We can see your goals are not the same as the rest of the anti-spam community, nor are they the same as the end-users. The rest of the email-using world isn't interested in collateral damage. Collateral damage isn't good business, and (as has been demonstrated) it isn't legal.
The abusive blacklists commit fraud on ISP's and end-users alike when they say or imply that their goal is stopping spam. Their goal isn't stopping spam. It has nothing to do with stopping ISP's from hosting spammers. Av8 Internet has never hosted a spammer, yet 130.105/16 is listed. The goal is, as you say, collateral damage.
I know that Spamcop has blocked Declan McCullagh's politech mailing list several times, in revenge against Rackspace.com. Only bad press has made them stop. Their blocks have had no effect on Rackspace. They have only created bad press.
Spamcop is just as bad as the others. However, it seems the users of such lists always think the list they are using isn't irresponsible. They often stop using the list when they learn of its irresponsibility. However, for some reason, this doesn't seem to motivate the blacklists to act responsibly.
RFC 2505 is a BCP (best common practice). Best common practices are "common practice". It is not a binding standard. It went through with very little comment. Also, RFC 821 is not obsolete. There are reasons where open relays are necessary. Not every email-using entity is a residential dialup user, with a single ISP for both sending and receiving email. SMTP AUTH isn't standardized, isn't widely supported, and looks dead. This is why ISP's refuse to close open relays. The spammer is the source of spam. No one else. The spammer can send via their ISP's relay, directly, or via an open relay. The only way to stop the spammer is to remove the spammer's connection, and the only entity that can do that is the spammer's ISP. There is a huge amount of mis-information spread about open relays. Open relays can be protected from spammer abuse (volume, message signature, and scanning activity detected before use) just like closed relays. Perhaps better than closed relays. Open relays don't hide the spammers identity. Open relays don't prevent anyone from blocking spam. One should be looking at the Received headers, which cannot be forged _after_ the spammer sends the email. So the spammer source IP address is _always_ in the message. Message signatures can detect when the source IP address changes. Blocking this way allows one to block spam regardless of whether it is sent directly, through a closed relay, or through an open relay. It also avoids collateral damage caused by blocking a relay. This is a good thing, unless it is your goal to cause collateral damage, in which case I have no sympathy for you. Also, bonafide commercial spammers aren't the ones abusing open relays. Mostly KLEZ viruses and such abuse open relays. KLEZ is already illegal (it is a crime to break into a computer with a virus in the US). KLEZ is run by script kiddies whose goal is to harrass someone. Its already illegal in most cases, if anyone cared to organize the effort to track them down.