Rich Kulawiec wrote: FYI. ---Rsk > From: Cindy Cohn Saw this earlier today. My reply to Dave and Cindy Cohn is below. Hi I saw this post on the IP list, which I felt deserves a reply from what Ms.Cohn seems to perceive as "them" instead of "us" - the ISPs. As an intro, I am the postmaster / abuse desk admin at a rather large webmail ISP, one which has a reputation for somewhat aggressive spam filtering. My comments are inline. > From: Dave Farber > ------ Forwarded Message > From: Cindy Cohn > > I participated on a panel on Blacklists and announced EFF's efforts to work > with noncommercial e-mail mailing lists to develop a set of principles and > best practices for listowners, ISPs and various anti-spam forces including > blacklists (they apparently prefer the term "blocklists," but I'll stick > with the term that was used by the FTC) aimed to ensure that noncommercial I will, if you don't mind, avoid the term "blacklist", with its associated baggage of McCarthy-ist imagery. These lists are blocklists, as they block smtp access from internet protocol addresses, rather than persons. The same person who gets his mail blocked by a blocklist can send mail using any other smtp server he has access to, that is not being blocked by an ISP that uses spamfilters (which may include its own filters, and/or one or more blocklists). > e-mail lists aren't snared by anti-spam measures. I mentioned that you had > told me that you operated the first e-mail list and that you experienced > ongoing problems with delivery of the IP List. Whether the mail is commercial or not has nothing to do with the issue. Spam is Unsolicited Bulk Mail (which may or may not be commercial). A US congressman who grabs a list of addresses from god knows where and sends "vote for me" solicitations to British citizens is, therefore, placed on the same footing as the thousands of "herbal viagra" sellers out there. Tarring each and every blocklist and spam filter with the same brush is just not the right way to go. There is no single "blocklist" - just as there is no single "antispam community". If Dave's list gets rejected because a corporate "content filter" software takes exception to words or phrases it sees in an IP post, please do blame the software vendor for the false positive. If moveon's surveys / online petitions got rejected by an ISP for no valid reason, then yes, that ISP should be approachable and the block can be lifted without much trouble at all. > I concluded that when e-mail becomes unavailable as a tool for broad > political organizing and informal mailing lists, we've broken something > fundamental and it's time to try to fix it. Email was, is and will remain a tool for this. And for person to person communication. However, without ISPs filtering mail, the average user will drown in a sea of spam that he wants no part of. Some months back, we had to take down most of our spam filters for several hours, in order to do some server maintenance. The incoming spam to our users skyrocketed. Our mailservers nearly went down - and started crawling under high load - with the sudden spurt in spam that got through. Our support accounts got swamped with mail from users who bitterly complained about all the spam that got into their inboxes. > 2. At the same time, I'm sympathetic to what many in the anti-spam movement > are trying to do. Most of them care deeply about the health of the Internet > and are sincerely trying to do the right thing. EFF is very supportive of > tools that give users the ability to filter and control their mail. We're > supportive of tools used by ISPs that don't tread into censorship. Censorship implies that the ISP cares about "content". Consent is the issue that we are more concerned about - the consent of the user to receive mail in his mailbox. We are also concerned with the health of our servers. A list operator who follows irresponsible list management procedures such as the ones cited below will definitely run the risk of being blocked till such time as he takes steps to resolve these issues. 1. Extremely high send rates, frequent retries (to the point where several hundred connections a minute get made to the receiving ISP's servers) 2. Poor bounce management (bounces don't get accepted by the sending server at the same enthusiastic rate at which the bulk mail is sent out, and the bounces that are accepted are not processed to weed out nonexistent / bouncing users) 3. Lack of confirmed optin (closed loop optin) system - This system is one in which the user has to signup to ask for list mail and has to confirm that he has signed up. Most modern listservers support this technique. Those lists that don't follow this are now vulnerable to accusations of spam because someone accidentally or maliciously signs up an address that is not his own. In fact, similar to mailbombs, there are now several automated tools that do "listbombing", signing up someone to thousands of unconfirmed optin / optout mailing lists. 4. Lack of a proper unsubscribe mechanism in lists so that the user cannot remove himself from the list even if he wishes to. In the case of optout or unconfirmed optin lists, a user should not be forced to remove himself if he did not sign up for the list in the first place, but still wound up on the list. Factors #1 and #2 directly affect the health of an ISP's mailservers, and impact delivery of all email (irrespective of whether the mail was solicited or unsolicited). Factors #3 and #4 are easier to determine from the user's perspective, but when an ISP postmaster notices these are the case with lists that also meet the first and second criteria above, then he is much more likely to block the list. > supportive of litigation where appropriate (BTW, the spammer paid every > penny). It seems that many of the problems arise when a third party, be it > your ISP or some entity used by your ISP, tries to determine which of your > mail you want to receive and which you do not. Would you care to see what happens to a large mail system serving millions of users when "a third party" - especially an ISP which devotes considerable time, staff and money to keeping their mail systems running and serving mail, does not do any filtering on its own, and leaves it to their users to click "block sender" each time? > 3. In trying to figure out how to approach this, I started with thinking > about what the analysis would be if the government was deciding which of > your mail you received and which you did not. From that perspective, the > problems become are easy to see and articulate. The government? An ISP is not a government (so the first amendment would definitely not apply here). Nor is it a common carrier, obligated to carry all traffic. > a. Lack of transparency. It was telling that none of the > Blacklists on the panel would reveal which ISPs use them and only one ISP > in the audience spoke up that he used a Blacklists. At least one major blocklist on the panel - the SBL - was, and is, facing a lawsuite from "emarketersamerica.org", an association of bulk mailers whose stock in trade seems to be penis enlargement and herbal viagra. Mark Felstein, the lawyer from emarketersamerica.org (and apparently a principal in at least one of the entities that form emarketersamerica.org), was apparently under the impression that he could make his task of discovery in the lawsuit easier by asking questions to the SBL representative at the forum, live on TV. He was also, apparently, trying to pin an assault charge on other people attending the conference - and almost ended up slugging Comissioner Swindle of the FTC. Would you, given these circumstances, in the place of the SBL representative there, answer a question about the people who used your blocklist? Only one ISP admitted that they used blocklists. Lots of ISPs do use them - as do lots of corporations. For what it is worth, we use not one but several blocklists, in addition to an extensive set of other filters, documented at http://spamblock.outblaze.com/spamchk.html People who see their mail blocked by us for whatever reason get a URL like http://spamblock.outblaze.com/10.0.5.4 or whatever the IP is that is blocked. In other cases, the sender will get an error code like http://spamblock.outblaze.com/AMM6738 if his sending domain (in this case, sexoptions.net) is blocked. > b. Overbreadth -- the techniques block more than just spam. The > worst problem here, after just plain errors in anti-spam tools, is the > blocking of other customers of an ISP because one of the customers is > accused of spamming. I agree that blocklists do this. However, there are two reasons for this - 1. Some ISPs tend to issue one IP after another to the spammer at the drop of a hat. So, when the spammer sees his mail getting blocked from a set of IPs, he just switches to a new set of IPs - sometimes only a few dozen IPs away on the same ISP, and resumes spamming. I take it you have never spent the whole night at work, in a freezingly cold server room, watching a spammer hop from IP to IP as and when he saw blocks coming up to catch his previous IPs. 2. Spammers are the online equivalent of a rapidly spreading epidemic. So, spam filtering of a larger netblock, which may well include non-spam users, can be compared to some extent with quarantining a disease hit area till such time as the disease dies out and/or the patient is declared cured. > c. Lack of due process for those accused of spamming. Few > anti-spam measures give any warning beforehand and there seems to be a > general failure to respond quickly to mistakes. This is on the part of the ISPs that get blocked as well. > d. Misuse of anti-spam processes for non-spam related purposes. > I mentioned Moveon.org's suspicion that their messages are being marked as > spam by those who disagree with their political message and the Could you please give me a cite on this? And are you absolutely sure that this organization's mail was censored because of a political agenda? > well-publicized incidents of anti-spam folks blocking each other due to > competitive and personal disputes. Those that do this are a very small minority indeed. And there was one such major case in the past - where Alan Brown of ORBS was accused of "spite listings" such as those you mention. ORBS no longer exists these days, if you will take the trouble to notice. Again, please stop tarring the entire "antispam community" with the same brush. Your making such sweeping generalizations make your arguments lose a great deal of the crediblity and validity that they have. The antispam community is kind of like any other large community in the world - it has its sane and moderate people - and it also has vocal and outspoken extremists. > e. "Whack a mole" problem. The current situation has an > everchanging number of individuals and groups acting as > decisionmakers. This has happened to EFF many times -- we just get removed > from the Razor database to learn that somehow we've ended up on someone > else's bad list. It often takes serious investigative time even to figure > out who has blocked us, much less why (see transparency, above). This > situation makes it very difficult for small listowners. The current proliferation of blocklists has come into being because of the proliferation of spammers, and the huge explosion in volume of spam over the past few years. The razor database is a "peer to peer" blocking system as you are aware. If one of your subscribers managed to break his filters sufficiently to tag incoming mail from the EFF as spam, then I would suggest blaming the subscriber, instead of the tool. > I concluded that if this was a case against the government for delivery of > regular mail, it would be a slam dunk. I, for one, am glad that the government is not an ISP. > Now obviously there are important differences when the entities doing the > filtering are private, not governmental, but having considered the issue > from that perspective, I believe that the long history of law developed > around governmental censorship can aid us in looking at where the current > systems are going wrong and what they could do to make things better. I would be interested in seeing your conclusions. However, please keep in mind that - 1. ISPs, and the antispam community, are not a bunch of right wing pro censorship McCarthy witch hunters. They are trying to solve the same problem you are - the problem of spam. 2. Spam, and the spam situation, has far more to it than just censorship. In fact, censorship is definitely not the intent of most if not all the blocklists in existence, for censorship would imply a focus on "content". The focus here is "consent". As you yourself acknowledge, people must not be prevented from getting mail they want. 3. There are other factors (such as poor list management) involved as well. So, just looking at the censorship angle is like the old poem about the six blind men of Indostan who, finding an elephant, each declared that it was "a wall", "a spear", "a rope" etc. http://www.wordfocus.com/word-act-blindmen.html > And so these men of Indostan > Disputed loud and long, > Each in his own opinion > Exceeding stiff and strong, > Though each was partly in the right, > And all were in the wrong! regards --srs