I am worried about the tools we are developing and deploying to control spam. Some of them are essentially centralised methods of controlling Internet content. Paul's anti-spam feed for instance prevents users of some providers from seeing spam. The user has no choice; they cannot opt to receive spam other than by switching to another provider. Even worse: they may not even be aware that they are "missing" some content.

Combatting spam is considered a Good Thing(TM) by almost everybody here, including myself. However the same technology could just as easily be used to do Bad Things(TM). Even worse: if it works it demonstrates that *centralised control* of the content of Internet services like e-mail is *feasible*. This will give some people ideas we may not like, and sometime in the future we may ask ourselves why we have done this. The end does not always justify the means.

I hope that methods like the anti-spam feed will not be taken up widely. Please consider the consequences before you use them.

I stress that I do not question the morality or good intentions of those involved. I am just concerned about the almost ubiquitous and apparently unreflected zeal that spam seems to evoke and the danger of it making us accept methods we would otherwise despise.

I would prefer to see more work in technology that is less centralised and gives the users a choice of the content they wish to see. Yes this may be harder to do, but the consequences of deploying the easier methods may be just too severe.

Waehret den Anfaengen (beware of the beginnings)

Daniel

PS: I hope this is more coherent than my contribution at the meeting yesterday when my brain failed due to jet-lag while my mouth was still working perfectly ;-).
Anyone else get mail from this idiot?

Alan Bechtold (alanbechtold@sysop.com) @ 11/18/1998 12:48 - Original Problem Detail:

Dear sir or madam --

It has come to my attention that your company utilizes the MAPS BLACKHOLE list to block purported SPAMMERS from sending E-mail to your system. While the idea might sound good I am writing to inform you that you will be named in a Federal Lawsuit if you do not CEASE AND DESIST use of this list IMMEDIATELY. Here is why:

My company, BBS PRESS SERVICE, INC., designs and hosts Web sites. That's all we do. We don't sell access to the Internet. We don't sell E-mail accounts. Besides some E-mail accounts for our employees to use when contacting our customers, and one E-mail account we use to send out a weekly newsletter to our customers, we don't generally handle any E-mail at all.

I am anti-SPAM. I advise all of my 5,000+ clients against the use of SPAM. Still, two have used it to promote sites we host for them.

Naturally, this resulted in our receiving the usual barrage of E-mails DEMANDING that we remove the Web sites of the offending parties. Our attorneys have advised us that it is NOT in our best interest to do so. Removing the Web site of anyone for something they did OUTSIDE of our system, even if it was indeed PROMOTING a site hosted on our system, would in fact expose my company to possible lawsuit from the SPAMMER!

I understand many Web site design and hosting services stipulate in their contracts that they reserve the right to pull any site if evidence of SPAMMING is seen -- but my attorneys have also advised me that this is completely unenforceable in court and wouldn't stand up to a court challenge.

I don't know about you but I am totally opposed to being REQUIRED to take action against anyone for anything they've done outside of my control. Do we also want to become liable for pulling Web sites held by anyone who is convicted of a crime...any crime? Wouldn't this lead to the requirement of background checks, to make sure a Web site customer has never indeed been convicted of a crime? The ramifications are tremendous.

Anyway -- I write to anyone complaining about SPAM from a client of mine (and they do track down the Web site host even if we didn't originate the SPAM) and inform them of my position.

One person apparently forwarded my reply to MAPS. Even though my reply states CLEARLY that I am OPPOSED to SPAM, the kind folks at MAPS decided to add my company's IP to the list anyway. The problem is -- they won't TALK about resolving the problem. Their "volunteer" hung up on me when I called, after first being outright surly and rude with me. I tried E-mailing Paul Vix to tell him to remove my company's IP from his list but -- guess what -- my E-mail got REJECTED by his system because he uses the list! I finally got a message through by going through another provider. Meanwhile Paul Vix has not returned my urgent calls and hasn't been available on the phone when I do call.

This is causing my company irreparable harm. MAPS' whole attitude and the way they create their so-called LIST is, because of my case alone, entirely questionable. And he has left me little choice but to file suit against Paul, MAPS and anyone associated with the LIST or using it in their products or on their services.

This is where you come in. I am writing to tell you right now -- cease and desist from using the MAPS BLACKHOLE list on your service IMMEDIATELY. I will be including anyone and everyone still using the MAPS list in my lawsuit against MAPS. Period.

You might also want to contact Paul Vixie and let him know the legal jeopardy his methods have placed you in. By comparison, the SPAMMERS are starting to look like the "good guys." I know they're not and you know they're not but MAPS must end here and now.

I would appreciate your comments and cooperation.
OK, given, this guy is a flaming moron, and the original message was completely out of line. HOWEVER, it seems to me he raises at least one valid objection. It seems to me, both from his allegations and from the phraseology of the "Best Practices for Being Permanently Added to the RBL", that web hosting services are being treated unfairly in the following circumstance:

Company S(pam) has a web site, hosted on the servers of web-presence-provider Company P(rovider). Company S uses the services of Company X to send out massive loads of SPAM, referencing the web site and even e-mail addresses hosted by Company H.

Now, if I'm hearing what's being said on this list correctly, Company H is being expected to pull the website they host for Company S (or else be blackholed), _even though no illegal or spam-generating activity is being generated on their network_. Am I understanding this correctly?!?

By this philosophy, it would seem that if I were to host the web pages of a company which engaged in unwelcome telemarketing (which I personally find much more offensive than SPAM, and which is no more or less illegal in most states), I would be under an obligation to cease providing service to that company!

So, given the earlier threads about annoying UUNET marketing folks, let's blackhole all mail that comes from UUNET. Oh, and also mail that comes from anyone who peers with them. And of course any mail that has to be transported over those evil people's networks.....wait a sec, why's my inbox suddenly empty, where'd the internet go???

Maybe I'm misinterpreting the policies here, but I didn't hear anyone disputing the actual complaints of this guy, which can only lead me to believe that either A) This guy was actually treated unfairly, and has a valid complaint, or B) Nobody cares enough to say "hey, wait a minute, there's been a failure in communication, let's see if we can work this out."

So, what's up, guys?
I'd hate to think a great thing like the RBL is being abused to squash people who we just happen to find annoying. -- -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/IT/M/P/S d?- s+:- a17>? C++++$ UBLS++$>++++ P--- L++>+++ E---- W+++$ N- !o K? w@$ !O M-- V-- PS+++ PE Y+ PGP- t+ 5-(++) X+ R+ tv>! b+++ DI+++ D+ G++ e* h!*>++ r%>++ !y->$ ------END GEEK CODE BLOCK------
Warnings:

1) IANAL.
2) This is a quote, interspersed with rebuttal.
3) Although it involves no directly technical issues, it is an operational issue none the less. If you doubt it, ask yourself this question: would you rather spend your time fixing network problems, or monitoring content and appearing in court?
4) This post is somewhat lengthy.

David Stoddard wrote:

<snip>

> Based on these statements, I can only conclude you have a huge
> problem with the capitalistic system, and that you favor the
> elimination of private property in order to foster your "freedom".
> That is the same argument Fidel Castro uses on the people he
> suppresses, and was the common theme among communist countries
> before the fall of the Berlin wall. Joseph Stalin shared your
> views on private property. I don't. As a capitalist, I find
> your ideas offensive and misguided.

As a capitalist, here's something you should find even more offensive and misguided: Since you've volunteered to monitor content, the government is likely to require that you do. Read further.

>
> Paul Vixie and his team of "RBL finks" are to be commended on the
> excellent job they have done in stopping the poisonous assault of
> pornographic filth, fraud, and manipulation that spam brings to
> people everyday. And for people that want to take the RBL even
> further, we provide a list via autoresponder at spamlist@us.net
> that blocks even more of this crud. And here is the best part --
> it's up to the FREEDOM of the individuals that use these resources
> to determine if and how they want to use them.
>
> There are no "inalienable rights and freedoms" that give spammers
> unrestricted access to the Internet. Even the courts have upheld
> the right of ISPs to block and filter spam -- see the URL
> http://www.aclu.org/issues/cyber/updates/nov13clu.html#cyberpromo

Of course they did. Think about it. You just volunteered to monitor content for an industry which the government is busy wringing its hands over.
The intrinsic difficulty in analyzing packet-switched traffic for violations of the law has stymied law enforcement agencies ever since the Internet became an issue. That doesn't play well on the nightly news, when the blubbering-mother-of-the-week pisses and moans on TV about how her precious little Johnny got kidnapped, buggered, and slaughtered by some cretin "on the Internet" who knows how to use IRC and was able to give her kid a plane ticket while she was busy watching "Jerry Springer" reruns instead of asking what the hell her kid was doing on the computer. "Sorry, it just isn't possible to do anything about it, we don't have the capability to monitor it" isn't what the general public wants to hear, and the LEAs and politicians have been tying themselves up in knots over it.

About this time, along comes a Crusade, one which is worthy of legend. On the one side is Spamford Wallace and his crew of misbegotten miscreants, and on the other, Paul Vixie and his band of righteous merry men. (I have chosen Spamford and Paul as the figureheads for their respective movements, actual history notwithstanding...) So Paul decides that, to battle the forces of Spam, he shall create a list of those who sin against the Internet at large, and propagate it to others.

Both these points are important. If Paul wants to play God with his little corner of the Internet, no problem. Unfortunately, he's not going to be able to step down from that position on a whim. (Ain't that a bitch - Crusaders can't stop Crusading because their feet get tired or because they're getting shot at. Aww.)

What does this mean? The next time something originating from or coming into Paul's network is deemed offensive, a waste of money/bandwidth/time/etc, unethical, or any other negative adjective, it will not be the U.S. Government who is put in the position of regulating it - it will be Paul. You see, Paul has assumed the position of "Being On Top Of It".
Even if Paul doesn't feel that way, even if he feels that regulating that particular content will be detrimental to the Internet at large, even if he strenuously objects and says that "it's not his job", he will be put in that position, because _he volunteered for the job_. Precedent will have been set, and although IANAL, I know enough about the law to know that precedent is a bitch to break with. The government and regulatory agencies will simply allow and "encourage", through the promise of jail time, copious fines, and multimillion dollar civil lawsuits, "self-policing" of the Internet by the administrators, all the while wiping the sweat from their brow and congratulating each other on having dodged another bullet.

In addition, when the system fails - and as I and all other sysadmins know, all systems fail - it won't be the U.S. Government on the hook for screwing it up. It'll be you, because _you volunteered for the job_.

Oh yeah. The other important thing - pick up "Paul" and put down your first name, because everyone who subscribes to the RBL will be doing exactly the same thing. There's a reason that the phone companies are common carriers - it's because it relieves them of a massive amount of liability. The telcos do some things right on occasion, ya know.

This is not to say that I believe that spam is a Good Thing, or that the RBL is a Bad Thing. I hate Spamford for what he has wrought, and I believe that the RBL is a natural and necessary response to it. I do, however, suspect that the trouble that Spamford and his ilk have caused, which has long since been dealt with, is nothing compared to the trouble which has now been assumed by the sysadmins and network operators. Congratulations. The Chinese have a saying about being careful what you wished for...

> If you want to use your time and resources to foster and promote
> the activities of people that prey upon society at large, go right
> ahead -- that's "freedom", and it is your "right" to do so. I have
> always found it interesting that the people that scream the loudest
> about their rights do it in the context of denying others their
> rights. As an ISP, I have the right to choose. And I choose not
> to do business with spammers.

I wonder if you'll be so cavalier when the blubbering-mother-of-the-week is busy suing your arse off for not protecting her little kid from:

a) pedophiles
b) bomb-making instructions
c) satanic song lyrics
d) pork (the other white meat)
e) Chevrolet
f) anything else deemed offensive.

Tell me, what would you "choose" to do should one of your customers send back, stapled to their usage contract, a list of content they find objectionable and ask you to filter it? Suppose you can't, don't, or won't? How about if you screw it up and some gets through?

Power comes with responsibility. Responsibility carries with it liability. Are you prepared to assume the liability that comes with "choosing" to selectively block content?

--
Szechuan Death, AKA Theron Bair, sysadmin, net tech, student, etc.
sdeath@ackphft.matsu.alaska.edu
Paul A Vixie <paul@vix.com> writes

+ The RBL team and I are kind of wondering what to do about some spam
+ we got. Because blackholing NSI would be of operational concern to a
+ lot of you, I've decided to ponder this question out loud:
+
+ >Technically, this is an opt-out customer-relationship spam.
+ >
+ > I think it is a special case, because _there is no where else to go_.
+ >
+ > 208.226.58.70 should be RBL'ed, IMHO. Help me.

Mr. Vixie and his cohorts increasingly imagine themselves to be the final and ultimate arbiters in matters of Network integrity. Having them sit in judgement over the Black Holing of successive and alleged perpetrators violates numerous protections and freedoms all citizens

It is my opinion that these activities have reached their zenith and something should be done to finally Black Hole Vixie/RBL should they continue on their renegade mission of uncontrolled and arbitrary censorship. Maybe it is time to pull the plug on the ultimate plug pullers, black hole the black holers!

Bob Allisat
Free Community Network _ bob@fcn.net . http://fcn.net http://fcn.net/allisat _ http://fcn.net/draft
BBBZZZTTT yourself. Blocking email is an interception under the ECPA (18 USC 2511 et al).

It has been reported here previously that

1) The ECPA was amended to apply to email.
2) A US attorney has stated that ISPs who define their service to include mail filtering for their customers implicitly have their customers' permission to do so, as required under the ECPA. Those who don't have permission would be in violation of the ECPA were they to block email.

So as twisted as his writing and perhaps his thinking is, Bob is essentially right on that. You, as usual, are unequivocally wrong. Perhaps you also can quit wasting our bandwidth.

--Dean

>*BBBZZZZTTT*, wrong answer, thank you for playing. Prevention of email
>delivery is not interception. Nor is there reading of your private email,
>or any of the other horrible crimes against humanity that so many envision.
> Unlike the USPS, if you don't like your ISP's email policies, you are free
>to go elsewhere. Your argument has no basis in legal, moral or ethical
>theory.
>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean@av8.com
LAN/WAN/UNIX/NT/TCPIP http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>I think if *everyone* stood up at once and declared that open relays
>were bad for us all then there wouldn't be too much trouble because
>there'd be nowhere for frustrated customers to jump to! ;-)

Ya know, Greg, if everyone in China jumped off a 12 inch stool simultaneously it'd cause a tidal wave which would sweep over the entire United States.

Or maybe not. But it's not worth losing sleep over.

I'm not really trying to be too sarcastic, but I think your world-view of what the net has become is anachronistic and the idea that some project like ORBS is going to harass every open-relay in the world, every workstation capable of forwarding mail for example, into behaving better is at this point in time kinda like the Chinese footstool tidal wave (is that from Dr Strangelove? whatever.)

No, we need a legislative approach, with some technical support to help increase the likelihood that spammers who break the law will get caught. But first it has to be illegal, or else it's all for naught.

Put it this way: I consider my house locked up even if I do have glass windows, and even if glass is rather easy to break.

If it were legal for a person of ill intent to break the glass to get into my house to rob me the first approach would not in my mind be to board up all the glass unless I really lived in some mad max anarchy.

I'd first want to see it made illegal to break into my property.

Then, with reasonable diligence, I can enjoy the sunshine and spend my time and money on more important things than trying to engineer it so it's impossible to break in.

Or at least I can do the cost/benefit analysis from the situation where it's illegal to break in, rather than just a stupid cat and mouse game as we're currently playing with spammers most of the time.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "It would be grand!"

"If seven maids with seven mops
Swept for half a year,
Do you suppose," the walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.

--
-Barry Shein

Software Tool & Die | bzs@world.std.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Hi,

My name is Sabri. I'm just another dude involved in internetworking and I work for a small isp in The Netherlands.

I am concerned. Concerned about people and companies who think they are in the position to be net.gods and for political reasons destroy the free character of the internet.

In the history of the internet, people have been trusting each other. On the lower technical levels, great things like peering have been developed. At the various IX'es, commercial and non-profit companies exchange information about each other's routes using BGP4 and various other routing protocols.

In my opinion, announcing a netblock using BGP4 is making a promise to carry traffic to a destination within that netblock. If you feel that parts of that network are against your ethics or AUP, you should not be announcing such a netblock. If you do so, you will make a promise which you do not fulfill. That is not a nice thing to do in a world which is based on trust and agreements between parties.

I was shocked to find out that one of the larger transit providers (which the company I work for buys transit from) is actively violating the trust it has been given by the internetworld. Above.net is blocking a host in UUnet IP space. After finding out about this we notified Above.net in The Netherlands and asked what it was about and requested them to stop announcing the netblock if they would continue to nullroute the host involved.

After various contacts about this matter, Above.net answered with the following statements (according to the salesdroid it came from Paul Vixie himself):

> 194.178.232.55/32. --> this tester is part of a /16 belonging to
> uunet, and sends traffic which is in violation of our AUG. we
> complained to uunet without any effect. if we have blocked access
> from this /32 to our backbone, we are within our rights.

After this mail, we contacted Above.net again.
They basically told us it was for our own protection because that traffic from that host does not comply with their AUP. We specifically told them we really don't mind them blackholing that host but *announcing* a route for it. So far no response.

More information and logs on http://www.bit.nl/~sabri/above/

--
/* Sabri Berisha *
 * CCNA, BOFH, Systems admin Linux/FreeBSD */
> Subject: Re: net.terrorism
> Date: Tue, 09 Jan 2001 04:37:37 -0800
> From: Paul A Vixie <vixie@mfnx.net>
> [...]
> why are we discussing this on nanog?

Well, it sounds like an operational issue. As described in the original post, a group is disrupting Internet connectivity to some destinations to achieve certain policy objectives. This has a number of adverse implications.

o Policy-based "disconnectivity", like any other source of connectivity problems, makes the Internet appear less reliable and less predictable to the end user. Only a relatively sophisticated end user can differentiate broken connectivity caused by policies from other sources of connectivity problems. Adding yet another cause of difficult-to-diagnose connectivity problems hardly seems like a good thing.

o Whatever the official marketing literature may say, the effectiveness of routing-based disconnectivity is generally based to a large extent on inflicting pain on third parties. That is, if the policy-based disconnectivity causes enough pain to enough people, then the originating network or ISP will have an incentive ("be forced") to remove the activity that violates the policy. This basic strategy hardly seems like a good thing.

o Policy-based disconnectivity techniques would appear to set a bad precedent. That is, this activity tends to legitimize the use by ISPs of black-hole routing to enforce various acceptable use policies. To the extent that the network community endorses black-hole routing as an acceptable tool for enforcing anti-spam policies, the technique is more likely to be applied in the enforcement of other policies. For example, French courts could conceivably decree a policy-based disconnectivity solution to protect users in France from auction sites selling Nazi memorabilia (i.e., Yahoo). (After all, if the technique is acceptable for relatively minor social ills like spam, then surely it is acceptable to use it for more significant social problems). German courts could conceivably require German ISPs to black-hole foreign "hate" sites. (By the way, I believe that a number of prominent organizations have taken stands against the filtering based on content of certain foreign sites by some totalitarian countries. I don't think these organizations are saying that it is wrong to filter based on political content, but OK to filter on, for example, less-political content such as spam.)

I believe that legitimizing the use of "disconnectivity" techniques (whether they are routing-based or filter-based and whether they are "voluntary" [voluntary to whom?] or mandatory) to further policy objectives is a really bad thing. It is not altogether obvious to me that the cure is not worse than the disease in this case.

-tjs