[governance] Antispam practices
Vittorio Bertola
vb at bertola.eu.org
Thu Sep 21 07:47:32 EDT 2006
Hello,
I wanted to share the nasty experience I had today with anti-spam
blacklists.
This morning I was working from home, connected through one of Italy's
major ISPs via a DSL line. When I tried to send email as usual, the mail
server of my own company started to reject it, as my IP address
appeared in a couple of international anti-spam blacklists.
I checked the sanity of my systems - both my laptop and my Linux gateway
to the world - and I checked the blacklists; it turns out that,
yesterday, a previous user of the same IP (which is dynamically
attributed each time you connect, and, given the quality of our copper,
my gateway disconnects and reconnects relatively often) had been using
it to spam (voluntarily or not).
So I go to the website suggested in the error message (cbl.abuseat.org),
I try to delist my IP and... apparently, since it is a dynamic IP
address, they would refuse to do so, or even if they accepted, according
to their website, it is likely that the IP would be blacklisted again
quite soon.
In this case, I was trying to connect with my company's mail server, so
there were plenty of possible solutions. However, given the ridiculous
policy of these people, I chose to disable these blacklists all at once.
But if, by chance, I had been using my own gateway as outgoing mail
server, something I often do, I would have been completely shut out of
the Internet as far as email is concerned, without having any chance to get
this fixed, apart from finding patchy workarounds such as disconnecting
and reconnecting to get another IP address (which could have been
blacklisted as well).
Well, there is a "proposed" solution (which means, they unilaterally
decide you have to do things that way) on the blacklist's website: stop
using your own server and use your ISP's one. Now, you might have
noticed that just yesterday, here in Italy, the head of security of the
major national telco was arrested for illegally intercepting and
recording phone calls and emails of thousands of people, so that does
look like a sound suggestion, really. (While discussing this accident
with a nerder friend involved in the anti-spam circles, he replied "but
why do you care to be intercepted, if you don't have anything to hide".
Oh well, you really got the point about privacy!) And what if my ISP
didn't provide reliable mail servers, or didn't provide them at all?
Should I then change ISP? And what else do you want to decide for me?
The color of my shirt?
Practically, these people are suggesting that I should give up the basic
principle of the Internet, and my right to set up my own servers and
services at any public IP address, and pay someone else to send my mail,
only because my IP address is dynamic. And I don't know about elsewhere,
but here, many ISPs won't even sell you a fixed IP address, unless you
are a corporate customer. Ah, sure, I forgot I should get the ISP they
like, not I.
But what really gets me mad is that this policy, which indeed deeply
affects what I can or cannot do with the Internet, was never discussed
with me, meaning, the final users. I've been attending a good number of
the existing Internet governance forums around, but where was there ever
an open discussion and subsequent broad consensus on the correct
policies for blacklisting and delisting? This policy affects me deeply,
how can I influence it? Sure, there is a comment form on the CBL
website, accompanied by the message: "WARNING! Comments are not read
routinely and will not be responded to." Thanks for the kindness.
Please don't misunderstand me. I realize the great service that
blacklists provide, for free. I realize in full the technical difficulty
of managing this situation, and of fighting spam with the current email
protocols. But I do not support the idea that there can be
self-appointed sheriffs of the Internet, that can in fact block (censor)
your bits according to any policy they like. Sure, one could think that
blacklisting won't be used if it's not reasonable, but if you're just an
individual being unjustly blocked, which sysadmin will ever care to
alter its default mail server configuration just because of you? And how
do you ask for that, if you can't send email? And who ensures that, in
the middle of ordinary spam blockings, there will not be networks or
individuals that are being blocked for their opinions or for political
judgements or to alter market competition?
I should have the right not to be blacklisted if I didn't do anything.
If blacklist managers can't handle the operational requirements to do
so, then please don't run a blacklist.
I hope we can have a fruitful discussion on this specific point at the
next IGF in Athens. And I volunteer for that, wholeheartedly.
Ciao,
--
vb. [Vittorio Bertola - v.bertola [a] bertola.eu.org]<-----
http://bertola.eu.org/ <- Sooner or later...