Re: SORBS Contact
william> In the way you describe it any spam filter is bad any spam william> filter manufacturer should go to jail... Manufacturer? No. It is perfectly permissible for a recipient to run a filter over his own mail if he wishes. Jail? Not what I said. I said postal workers couldn't get away with this behavior. The laws governing email are different. BUT: They aren't as different as is generally believed. Go read the ECPA sometime. Being legal isn't the same thing as being moral. The world would be a better place if people started worrying about doing what is right rather than only avoiding what will get them in jail. If I seem testy about this it is because I am. A friend of mine with cancer died recently. I learned later she sent me email befoe she died. It did not reach me because some arrogant fool thought he knew better than me what I wanted to read. And it isn't the first time or the only sender with which I have had this problem. I have had plenty of users with the same complaint as well. I have in the past considered this antispam stuff "ill advised" or "something I oppose". Expect me to fight it tooth and nail from now on.
Re: SORBS Contact
Derek> I'm gonna hold up the "I call bullshit" card here. Recipients Derek> most certainly *can* get it wrong. Sorry I wasn't very clear. The results in the hotmail example were where the users said it wasn't spam but hotmail insisted it was. It is possible for a user to indentify non-spam as spam. But if a user says it isn't spam then it isn't no matter how much it might look like it might be. I have had this happend to me personally. Some of my fellow admins at the time insisted some of my incoming mail was spam. As it happened the mail (offering some telephone products) was specifically requested.
Re: SORBS Contact
Todd> There are simple solutions to this. They do work in spite of Todd> the moanings of the few who have been mistakenly blocked. So it is OK so long as we only defame a few people and potentially ruin their lives? Todd> In the meantime my patience with email "lost" in the sea of Todd> spam not blocked by blacklists, etc. is growing thin. Hmm. Let me think a minute. Nope not buying it. I have already given two simple solutions that don't involve potentially dropping job offers, wedding invitations, letters from old sweethearts, and other such irreplaceable email. Certainly it is impossible to guarantee all mail gets delivered. But to intentionally make it worse by deliberately deleting other people's email is arrogant and immoral. On the other side what do we have for those falsely defamed? I suppose we could psychically contact them to tell them their mail was deleted. Certainly email won't be reliable enough after these guys are done with it. If they worked for the post office these guys would be in jail.
Re: ISP wants to stop outgoing web based spam
Barry> I assume you were about to provide us with one great legal Barry> case cite. Don't be shy, go right ahead. The law is online in several places. Feel free to go read it.
Re: SORBS Contact
Matthew> so would you consider as it is my network, that I should Matthew> not be allowed to impose these 'draconian' methods and Matthew> perhaps I shouldn't be allowed to censor traffic to and Matthew> from my networks? If you want to run a network off in the corner by yourself this is fine. If you have agreed to participate in the Internet you have an obligation to deliver your traffic. At LISA a couple of years ago a Microsoftie got up at the SPAM symposium and told of an experiment they did where they asked their hotmail users to identify their mail messages as spam or not. He said the users got it wrong some small percentage amount of the time. I was stunned at the arrogance and presumption in that comment. You can't tell from looking at the contents, source, or destination if something is spam because none of these things can tell whether the message was requested or is wanted by the recipient. The recipient is the only person who can determine these things. There are simple solutions to this. They do work in spite of the moanings of the hand wringers. In the meantime my patience with email "lost" silently due to blacklists, etc. is growing thin.
Re: SORBS Contact
Laurence> End users ought not to have the functionality of email Laurence> destroyed because originating SP's won't show due Laurence> diligence in preventing abuse of the network. This is crisis mongering of the worst sort. Far more damage has been done to the functionality of email by antispam kookery than has ever been done by spammers. I have one email address that has: Existed for over a decade. Been posted all over Usenet and the Web in unmangled form. Only three letters so it gets spam from the spammers that send copies to every possible short address. All blacklisting turned off because that was causing too much mail to go into a black hole. In short it should be one of the worst hit addresses there is. All I have to do to make it manageable is run spamassassin over it. That is the mildest of several measures I could use to fix the "spam problem". If it became truly impossible I could always fall back to requiring an address of the form "apoindex+" and blocking all the one's that don't match the password(s). That would definitely fix the problem and doesn't require any pie in the sky re-architecting of the entire Internet to accomplish. For almost a decade now I have listened to the antispam kooks say that spam is going to be this vast tidal wave that will engulf us all. Well it hasn't. It doesn't show any sign that it ever will. In the meantime in order to fix something that is at most an annoyance people in some places have instigated draconian measures that make some mail impossible to deliver at all or *even in some case to know it wasn't delivered*. The antispam kooks are starting to make snail mail look good. It's pathetic. The functionality of my email is still almost completely intact. The only time it isn't is when some antispam kook somewhere decides he knows better than me what I want to read. Spam is manageable problem without the self appointed censors. Get over it and move on.
Re: ISP wants to stop outgoing web based spam
> John Levine <[EMAIL PROTECTED]> writes: Allan> I would let any ISP I use make this mistake once. After that Allan> the individuals responsible would be up on ECPA charges. John> I suppose any ISP foolish enough not to disclaim ECPA John> confidentiality gets what it deserves. The ECPA doesn't provide any mechanism to explicitly disclaim responsibility under it. Even if it did such a disclaimer would undermine any claim to anything like common carrier status for an ISP This would make the ISP vulnerable to such things as libel based on user's content. This strikes me as jumping out of the spam/virus frying pan into the defamation fire.
Re: ISP wants to stop outgoing web based spam
Michael> We use the standard SpamAssassin, ClamAV setup both on Michael> ingress and egress. On egress we set the detection levels Michael> and divert and save anything that is marked as Spam rather Michael> than sending it on with headers and subject modifications. I would let any ISP I use make this mistake once. After that the individuals responsible would be up on ECPA charges.
Re: FW: The worst abuse e-mail ever, sverige.net
Steven> OK, now let's make it more in line with modern practice: Steven> Say a protocol more or less completely lacked server-server Steven> authentication, or a way to distinguish between client and Steven> server, and that then every day, for ten years, hundreds and Steven> [...] Steven> after accepting the submissions, rather than rejecting at Steven> submission time. Oh, and outbound connections aren't Steven> expected from the vast majority of those hosts. Are you saying that since you have never had to lock your door before you shouldn't be required to install one now? Steven> Yes, I think this a reasonable response to use everything at Steven> our disposal to refuse the majority of the unwanted Steven> submissions. Wouldn't "everything at our disposal" include developing and installing locks? Wouldn't that be an obvious first step? Would your first reaction to finding your house burgled be to phone all the builders of houses in your neighborhood and demanding they make it impossible for anyone else to leave their house? Steven> thousands of professional criminals used weaknesses in the Steven> monopoly OS to plant software completely under their control Steven> on fifty million (or so) of these vulnerable hosts, For email viruses the monopoly OS is not the only cause of blame (although its manufacturer helped a lot in other ways). If one allows someone to use an MUA that executes code in Turing complete languages one has already essentially done what our hapless hypothetical sysadmin did with authenticationless SSH. The only difference is that our hypothetical sysadmin will have implemented an interactive system whereas such MUAs will have implemented a batch system with an awkward JCL called MIME. Viruses (of the email type that is) spread so easily because we have not made it clear enough that using one of these MUAs has the same security implications as letting any user start an anonymous telnet server. Yet here too all sorts of strange recommendations are made[1]. Suggestions that would never even be considered if a sysadmin was actually faced with a user running an anonymous telnet server. Suggestions which by and large avoid doing what we all would do in an instant if we were faced with this problem in its telnet guise: requiring authentication. Does your security policy allow users to implement authenticationless command servers? If not do you prohibit the batch command servers that many MUAs have become? - [1] Suggestions like "we will filter mail for viruses". If an employee was running anonymous telnet at your place of business would your response be to attempt to write a filter that would delete any "bad scripts"? I'm pretty sure at most places the employee would be forced to stop.
Re: FW: The worst abuse e-mail ever, sverige.net
Daniel> The only responsible thing to do is filter port 25,
Daniel> smarthost for your users, and inform them about using the
Daniel> alternate submission port with authenticated SMTP in order
Daniel> to work with enterprise mail servers - or IPSec VPNs, for
Daniel> that matter. This is simply the best practice, at this point
Daniel> in time. Using humans ("dedicated staff person") to stop
Daniel> spam isn't scalable - automated processes are sending this
Daniel> stuff, we need systematic ways to fight it - black/white
Daniel> lists, SPF, port 25 filtering, bayesian filtering and other
Daniel> tools.
Let's put this in perspective. Say a hypothetical sysadmin were to
disable any and all authentication on his SSH server. And that
someone then used SSH from your network to run code that sysadmin
didn't like on that machine. Would you then consider it reasonable if
the sysadmin proposed:
The only responsible thing to do is filter port 22, smarthost for
your users, and inform them about using the alternate submission
port with authenticated SSH in order to work with enterprise SSH
servers - or IPSec VPNs, for that matter. This is simply the best
practice, at this point in time.
For that matter would anyone take seriously someone who then proposed
as a solution to the "breakin"[1] that:
we need systematic ways to fight it - black/white lists, SSH
Permitted From, port 22 filtering, bayesian filtering and other
tools
in order to filter out "harmful commands" while allowing anything else
to get through without ever once suggesting enabling passwords or SSH
keys?
If you don't want to accept mail from anyone and everyone then make
them use a password or a key to send mail to you. There are several
ways to do this right now. (For example, procmail is your friend.)
If you don't like something that arrives in your house figure out a
way to put a lock on your door. Don't insist everyone else is at
fault because they wouldn't put bars over their own.
-
[1] A curious term since it's hard to imagine a way to leave the door
open much wider than our hapless hypothetical sysadmin has.
