[governance] Re: Antispam practices
Vittorio Bertola
vb at bertola.eu.org
Tue Sep 26 13:40:20 EDT 2006
I'm glad I sparked an interesting debate on such a specific and
important policy issue, including (finally!) the technical level :)
So I'm not replying to you in particular, just getting into the stream:

Tapani Tarvainen wrote:
> Yes. Indeed, as I see it, the problem lies more with ISPs than with
> DNSBLs - after all, you can't really demand that the fact your IP is
> dynamic or that it belongs to a poorly-run ISP should be kept secret,
> nor that individual mail server admins should not use that
> information.
>
> What follows, inevitably, is that as long as dynamic IPs and certain
> ISPs are big sources of spam, they end up blocked, along with
> a number of innocent bystanders, like Vittorio.
>
> Trying to solve that by forbidding blacklist maintenance or by
> forbidding their use is also very problematic from a political point of
> view: it is like forbidding organizing consumer boycotts, a rather
> radical restriction of freedom of expression.

To me, this does not look like a boycott, since it is not that you have
stopped buying some ISP's products (something that affects only you and
the company you are boycotting): you are actively shutting out of the
network all customers of that ISP, by blocking their traffic. It does
not affect only you and the company, but all customers of that company:
in other words, you are forcing everyone else to boycott that company as
well, and this goes well beyond your freedom of expression.

It looks to me (with due proportions) more like racism: since a certain
number of members of a group did not behave well, we actively prosecute
all members of that group, just because they are members of that group.
In some cases, it even gets down to plain assertions that "dumb users
should not be allowed on the Internet" and so on - as if connecting to
the Internet with a Windows machine (and all the 'security' that
Microsoft allows), on a €20 dynamic DSL line, without understanding a
word about technicalities, was a fault per se.

Also, I am very interested in the principle point about having users
forced to go through their ISPs. Actually, ISPs love this perspective -
it's the walled garden they are longing for. I'm sure that some of them
are quite happy about these blacklisting attitudes and other Internet
accidents, so that they can go back to their customers and say, "look?
don't try to do things on your own, rely on us". I'm not sure that this
is what we should promote.

> After all, nobody
> running a mail server is forced to use any blacklist, it is just
> information they can use or ignore - like a suggestion to boycott
> a manufacturer for whatever reason.

Sure, but, in practice, most mail servers come with blacklists enabled
out of the box, and no sysadmin would care to remove them only because
of some "collaterally damaged" users.

In the end, it all gets down to common sense. If everyone did not push
things to the limit, the Internet would not break :)

> Philosophical points aside, ISPs are also an easier target for
> legislation or boycotts or indeed any measure you can think of
> than blacklist maintainers or mail servers using them.
>
> So, I'd suggest it'd be more useful to try to get ISPs to behave,
> including providing static IPs without unreasonable extra cost,
> maintaining PTR records properly, not blocking ports without
> good reason, &c.

Certainly some regulation (or maybe, best practices) should be agreed
as regards ISP practices, but you can't force ISPs not to use
dynamic IP(v4) ranges, can you? So the basic issue with blacklisting IP
ranges just because they're dynamic will stay.

By the way - to add one more anecdote - there was an interesting
discussion between my CEO and my sysadmin (we're a very small
company...) earlier today. This is absolutely true, almost word by word
(translated to English of course ;) ).

My CEO complained about not receiving a newsletter from the most valued
Italian telco consultancy firm, of which we are good friends, so we even
get it for free while others pay.

The sysadmin checked and replied: "It's correct you didn't receive it,
since it is spam."
CEO: "Spam? What spam? People pay hundreds of euros per year to get it!"
SysOp: "It is spam, because it scored 4.192 points when being checked by
SpamAssassin, and our threshold is 4."
CEO: "SpamWhat? I can tell you it's not spam, it's pretty important
information!"
SysOp: "Let me check... It is spam because, even if the Bayesian check
is -2.599, it fails these three tests:
-DATE_IN_PAST_12_24=1.247
-INVALID_DATE=2.193
-RCVD_IN_WHOIS_BOGONS=2.43"
CEO: "What the hell are you talking about?"
SysOp: "Well, there are these rules that define what is or is not spam,
and these three rules define that this message is spam: the first
problem is that the date of the message is 12 to 24 hours earlier than
it was mailed..."
CEO: "Of course it is, they write it one day and send it the following
morning!"
SysOp: "The second problem is that the date is invalid!"
CEO: "Invalid?"
SysOp: "Sure, it is, look here! You see? The header in the message says
"Date: Mon, 25 Sep 2006 18.48.13 +0200", while the standard would
require it to be "Date: Mon, 25 Sep 2006 18:48:13 +0200": it is using
dots instead of colons to separate hours and minutes in the time!"
CEO (astonished): "And that turns its content into spam?"
SysOp: "Sure! And then there's the third problem, that here" - looks in
the middle of a bunch of unreadable headers - "the IP address of the
machine used to send it is 1.92.21.178, it is a forbidden address!"
CEO: "Forbidden?"
SysOp: "Yes, if you go to IANA..."
CEO: "I what?"
SysOp (looking annoyed): "IANA, the people who give the addresses...
Anyway, this is a reserved network, no one can use it!"
CEO: "But why are they using it, then?"
SysOp: "Well, it means they're using Fastweb" - one of the biggest
Italian ISPs - "Fastweb gives to all its customers private addresses,
but this is wrong, they're using forbidden addresses!"
CEO: "So all the emails we receive from that million of people using
Fastweb are marked as spam?"
SysOp: "Well, not marked, but there's this rule that gives them points
that make it easier for them to be spam..."
CEO (laughing): "And does it make sense to you?"
SysOp: "Of course, Fastweb should not use those addresses, it's
forbidden by standards!"
CEO (giving up): "So what can you do? Can you turn off these rules so
that I can receive future installments of this newsletter?"
SysOp (looking shocked): "Of course not! We would accept spam, that's
impossible!"
CEO: "But it always comes from the same email address, can you make it
so that if it comes from this address, it can pass through and not be
marked as spam?"
SysOp (looking more shocked): "No, I can't add a special rule just for
that, you know, these rules are being developed for months with lots of
powerful algorithms, you shouldn't mess with them, these rules are right
by default!"
CEO (desperate): "So what should I do?"
SysOp: "Well, you should go and sell a consultancy to these marketing
people that send the newsletter, since they definitely can't send email!"
CEO: "A consultancy?"
SysOp: "Of course! We should advise them on how to buy a new messaging
software that creates the correct date headers, and also on how to
switch ISP to another one, that does not use private addresses!"
CEO: "So they should pay us to allow us to receive a newsletter for
which people usually pay?!?"

Needless to say, I had to calm down my CEO to prevent him from firing
the sysadmin on the spot...

Ciao,
--
vb. [Vittorio Bertola - v.bertola [a] bertola.eu.org]<-----
http://bertola.eu.org/ <- Sooner or later...
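
The scoring in the anecdote above, worked through as an added example (not part of the original post and not SpamAssassin's own code). The rule names, scores, Bayes value, threshold, Date value and relay IP come from the post; the rule logic is a simplified stand-in, and the Received time, the sender address, the `UNNAMED` remainder and the treatment of 1.0.0.0/8 as reserved are assumptions.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Scores and threshold as quoted in the post; the checks below are simplified stand-ins.
SCORES = {"DATE_IN_PAST_12_24": 1.247, "INVALID_DATE": 2.193,
          "RCVD_IN_WHOIS_BOGONS": 2.43, "BAYES": -2.599}
UNNAMED = 0.921   # 4.192 total minus the four scores above (rules the post does not name)
THRESHOLD = 4.0
# Assumption: 1.0.0.0/8 treated as reserved, as the sysadmin describes it in 2006.
BOGONS = [ipaddress.ip_network("1.0.0.0/8")]
# Simplified validity check: the time of day must use ':' and end with a numeric zone.
TIME_OK = re.compile(r"\b\d{2}:\d{2}(:\d{2})?\s+[+-]\d{4}\s*$")

def rule_hits(date_hdr, received_hdr, relay_ip):
    """Return the names of the header rules that fire for this message."""
    hits = []
    if not TIME_OK.search(date_hdr):
        hits.append("INVALID_DATE")
    # Lenient parse for the age check: accept '.' as the time separator.
    lenient = re.sub(r"(\d{2})\.(\d{2})\.(\d{2})", r"\1:\2:\3", date_hdr)
    age_h = (parsedate_to_datetime(received_hdr)
             - parsedate_to_datetime(lenient)).total_seconds() / 3600
    if 12 <= age_h < 24:
        hits.append("DATE_IN_PAST_12_24")
    if any(ipaddress.ip_address(relay_ip) in net for net in BOGONS):
        hits.append("RCVD_IN_WHOIS_BOGONS")
    return sorted(hits)

def verdict(hits, sender="", allowlist=()):
    """Sum the scores; an allowlisted sender is delivered whatever the score."""
    total = round(SCORES["BAYES"] + UNNAMED + sum(SCORES[h] for h in hits), 3)
    return total, total >= THRESHOLD and sender not in allowlist

# Date value and relay IP are from the post; Received time and sender are constructed.
DATE = "Mon, 25 Sep 2006 18.48.13 +0200"
RECEIVED = "Tue, 26 Sep 2006 09:30:00 +0200"
SENDER = "newsletter@example.org"

if __name__ == "__main__":
    hits = rule_hits(DATE, RECEIVED, "1.92.21.178")
    print(hits, verdict(hits))
    print("allowlisted:", verdict(hits, SENDER, {SENDER}))
    for fixed in hits:  # effect of the sender fixing exactly one problem
        print("without", fixed, verdict([h for h in hits if h != fixed]))
```

Removing any one of the three header hits brings the total under 4. An allowlist keyed only on the From address also delivers the newsletter, but it accepts any message that forges that address.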