[governance] Re: Antispam practices

tapani.tarvainen at effi.org tapani.tarvainen at effi.org
Thu Sep 28 01:42:53 EDT 2006


On Tue, Sep 26, 2006 at 07:40:20PM +0200, Vittorio Bertola (vb at bertola.eu.org) wrote:
> I'm glad I sparked an interesting debate on such a specific and 
> important policy issue, including (finally!) the technical level :)

I can get as technical as you like in this (probably more so,
all the way down to SpamAssassin or sendmail code and the like).
But I'll stay on a bit more abstract level for now.

> >forbidding blacklist maintenance or by
> >forbidding their use is also very problematic from political point of
> >view: it is like forbidding organizing consumer boycotts,  a rather
> >radical restriction of freedom of expression.
> 
> To me, this does not look like boycott, since it is not that you are 
> stopping to buy some ISP's products (something that affects only you and 
> the company you are boycotting): you are actively shutting out of the 
> network all customers of that ISP, by blocking their traffic. It does 
> not affect only you and the company, but all customers of that company: 
> in other words, you are forcing everyone else to boycott that company as 
> well, and this goes well beyond your freedom of expression.

Who am I forcing to do what, if I refuse mail from some IP?

OK, I'm forcing those who want to send mail to me to find other means.
But I think I'm within my rights to do that.

For comparison:

A courier firm makes a deal with US Post to handle packages destined
to Finland. They do it cheaply, but there's a catch: they charge
recipients, too - without telling senders about it.
(This has actually happened, by the way.)

May I now refuse to deal with that, and tell people they'd better
send packets to me some other way, and even boycott (as in not
buying stuff from) companies that insist on using it?

May I also publicise information about the courier company and
its annoying practices and suggest others boycott it, too,
along with all its clients, even if they had nothing to do
with the change and may not even know about it?

The comparison is apt: accepting email from spam-prone
address spaces is also expensive.

> It looks to me (with due proportions) more like racism: since a certain 
> number of members of a group did not behave well, we actively prosecute 
> all members of that group, just because they are members of that group.

It's not like racism because the group is not something you are born
into. And few people have deep feelings about their IPs.

Sure, sometimes there's not much choice in practice. If the only
job you can get is in a misbehaving company, you'll be hurt by
boycotts directed at the company, without much fault of your own.
Should we refrain from boycott because of that?

Sometimes "collateral damage" cannot be avoided.
In the present case, innocents will suffer also if
dynamic IPs are not blacklisted, indeed even more so:
dynamic IPs are *the* major source of spam today,
and spam can effectively make email useless to
even more innocent people.

> In some cases, it even gets down to plain assertions that "dumb users 
> should not be allowed on the Internet" and so on - as if connecting to 
> the Internet with a Windows machine (and all the 'security' that 
> Microsoft allows), on a €20 dynamic DSL line, without understanding a 
> word about technicalities, was a fault per se.

Which it of course isn't. But the only way to allow technically naïve
people to connect is by providing them safe email and other services by
someone, and easily - which in effect means the ISP has to arrange it,
and make it automatic, default.

> Also, I am very interested in the principle point about having users 
> forced to go through their ISPs.

That is indeed bad in my book also. But setting it as default, so
that if you don't have the technical skill to manage your own mail
server or whatnot, is a different thing, as long as those who want
can get the ports open. (Yes, I understand very well why some
people prefer to run their own mail servers. I am one of them.)

Indeed, an ISP that took good care of their dynamic pool might be able
to keep it out of blacklists. But I can't think of any way to do that
other than restricting ports by default, open only on request.

Incidentally, I run my own mail server in my home, behind an ISDL line
that blocks incoming smtp port (but not outgoing, for some weird
reason). Now I am able to work around that by arranging relays using
non-standard ports, but I know that for some it would be prohibitively
expensive or otherwise effectively impossible.

> >After all, nobody
> >running a mail server is forced to use any blacklist, it is just
> >information they can use or ignore - like a suggestion to boycott
> >a manufacturer for whatever reason.
> 
> Sure, but, in practice, most mail servers come with blacklists enabled 
> out of the box,

I doubt that very much - do you have some statistics?
Tools to use them are generally easily available, though,
and commonly used, but not enabled by default, in my experience.

> and no sysadmin would care to remove them only because 
> of some "collaterally damaged" users.

The ones I use allow making user-specific exceptions.

> In the end, it all gets down to common sense. If everyone did not push 
> things to the limit, the Internet would not break :)

:-)

Unfortunately, common sense is not common enough these days. :-(

> but you can't force ISPs not to use dynamic IP(v4) ranges, can you?

Actually, I think you could. I'm not arguing it'd be a good idea or
politically feasible, but technically it'd be possible and I can
imagine even political will to do it. (In effect it'd mean requiring
ISPs to maintain lists of their clients' MAC addresses and mapping
them to specific IPs. I know of one doing this so it's not impossible,
and it could be sold to politicians as means of making it easier to
catch criminals.)

> So the basic issue with blacklisting IP ranges just because they're
> dynamic will stay.

What would you do?
Make it illegal to publish information about which IPs are dynamic?
Make it illegal to filter mail on the basis of sender IP?

How about instead requiring ISPs to provide static IPs and/or open
ports to customers who request it, at no (significant) extra cost?
(Perhaps requiring signature on some kind of "I understand what
this means and take responsibility" -type paper would be OK.)
 
> By the way - to add one more anecdote - there was an interesting 
> discussion between my CEO and my sysadmin (we're a very small 
> company...) earlier today. This is absolutely true, almost word by word 

:-)

Language barriers between CEOs (or even lesser bosses) and sysadmins
are notorious. However:

> SysOp (looking more shocked): "No, I can't add a special rule just for 
> that, you know, these rules are being developed for months with lots of 
> powerful algorithms, you shouldn't mess with them, these rules are right 
> by default!"

I rather suspect the sysadmin was pretending here. 
Setting up exceptions to spam rules isn't that hard.

-- 
Tapani Tarvainen