
[Asrg] RE: 2a. Blacklists, collateral damage and anonymity



On Wed, 5 May 2004, Hallam-Baker, Phillip wrote:

> > This is a really tough issue. There's really only one DNSBL that I 
> > support in terms of its collateral damage policy and that is the SBL. 
> > They will escalate a listing from the IP addresses sending spam to the 
> > corporate mail servers of the ISP in question if they are unable to get 
> > action from that ISP in removing the spammer. They do not do this 
> > lightly - only after making numerous attempts to contact the ISP both 
> > via email and telephone calls. Note the fact that the escalation is not 
> > to the entire ISP - just to the corporate mail servers of the ISP.
> 
> This is action against the ISP and not a third party. I would have no 
> objection to that type of activity, it does not raise the issues of 
> contract interference.
> 
> There could still be an issue of course if the reason for the listing
> was simply malicious but that would be no different from listing the
> spammer.

And would be a violation of the BCP. Good, that's progress.

> > We did not wish to prevent anonymity in the BCP because it provides 
> > useful protection to the people who run these services. This has become 
> > necessary not because what they are doing is illegal, but because the 
> > cost of even a failed lawsuit in the US is too much for the creators of 
> > the blocklists to bear.
> 
> I don't believe in anonymous reputation services.
> 
> If blacklists are going to demand accountability they must accept
> accountability - from all parties they affect, not just the ones they
> choose.
> 
> I believe in the democratic rule of law, no exceptions. If the legal
> system is broken then it has to be fixed. There are plenty of blacklists
> that operate in the open. Spamhaus operates in a legal regime wrt libel
> that is far more hostile than the US.
> 
> I do not believe that it should be legal for a public service ISP to
> use any anonymous blacklist service to filter customer's mail.

Spamhaus is a good example here. I'm glad you used it. Steve Linford is
currently suffering massive financial loss because of the fact that
spamhaus are a public resource. We stand to lose spamhaus because of this.  
I do not think that will happen because they will start charging for zone
transfers of the SBL. Something they've talked about doing for a while.
This will cover the costs of being DoS'd out of existence and hopefully
enough to pay a small pittance to the hard working spamhaus helpers (who
currently work for free).

This will not work for all blacklists. Not even all good blacklists.

If the spammers were all nice people I would agree with you wholeheartedly 
that all blacklists should be accountable. You should hear some 
of the things that Steve has been sent in the post from these nice 
friendly spammers. I truly believe that his situation would have been made 
impossible had he been living in the US (i.e. where the spammers are). I 
would hate to see the same thing happening to the guy who created the CBL.

> > Do I wish that these blocklists could all be public facing and not 
> > anonymous? Absolutely! But the reality of your litigious society has 
> > ensured that this is becoming more and more difficult.
> 
> When we started VeriSign nobody else dared to run a public service
> CA because they feared the liability issues. Today the liability
> issue is considered irrelevant by many CAs and CA customers (heh,
> they got a surprise coming). The reason is that VeriSign did such
> a good job of anticipating the legal issues and pre-empting them.

VeriSign has a lot of money to protect itself. It's certainly not managed 
to keep itself clear of litigation, but can afford to deal with the issue 
when it arises.

> The blacklist I am currently looking to establish will probably not
> block any spam at all, it will block less than 1% of the web sites 
> mentioned in spam, hopefully though it will block 80%+ of a certain
> type of fraud.
> 
> I want the blacklist to be used near universally, therefore I want 
> to make it practically impossible for a false positive to occur -
> even though people will clearly attempt to engineer them.

That is good. I'm sure it will comply with the concepts raised in this 
BCP.

Matt.


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg