----- Original Message ----- > From: "William Herrin" <b...@herrin.us>
> Interesting. I want to abstract and restate what I think you just said > and ask you to correct my understanding: > > Making a service accessible to the public via the Internet implicitly > grants some basic permission to that public to make use of the > service, permission which can not be revoked solely by saying so. That's correct; did you think it wasn't? The offer is *in the presence of a standard service on a standard port*; if I put a SMTP receiver on tcp/25, you are, yes, implicitly permitted to try to use it to send me email. There *is no place* to put "saying permission is revoked", so where would someone look, even if their daemon wanted to look. > If that's the case, what is the common denominator? What is the > standard of permission automatically granted by placing an email > server on the internet, from which a particular operator may grant > more permission but may not reasonably grant less? Put another way, > what's the whitelist of activities for which we generally expect our > vendor to ignore complaints, what's the blacklist of activities for > which a vendor who fails to adequately redress complaints is > misbehaving and what's left in the gray zone where behavior might be > abusive but is not automatically so? If there are specific things you want people not to do, *make it impossible for them to do those things* (ssh authentication, for example). Above that, I suppose that rate limiting failures is expected of a connecting client... Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274