
Re: [Asrg] filtering at connect time

2003-03-05 07:18:46
See inline comments please

On Tue, 4 Mar 2003 18:33:37 -0800, Brad Templeton wrote:

The draft I proposed allows open relays for those who wish to use
them, though they can't run mailing lists from them.  So I suggest
it is not inherent that open mail relays must be closed.

I have consulted with the experts on Spam-L and my conclusion from
the vigorous response there is that they have to be closed, for
reasons noted below.

Plus it's an interesting precedent.  For example, if you run MS
Windows as found on the CD, your machine can be invaded and used
as a base for DDOS.  Should you be sued over this? 

Yes if your negligence produced injury; it is a tort and you
are subject to civil suit to recover damages.  There have already
been suits like this, quite properly.   If you (as the negligent
party) had a legal duty of care, e.g. a hospital administrator,
and your negligence resulted in death, you could conceivably
face criminal charges.   If my mother died because some idiot
hospital sysadmin was running Win98 on DSL without a firewall, you
can be sure I'd be in the public prosecutor's office the day after
the funeral.  (So would you, I expect.)


Should Microsoft?

Their lawyers are too clever.  Read the shrinkwrap license: you waive
all your legal rights.

What about after patches become available?

Depends on the facts establishing the degree of negligence.


It's messy.

Only the facts of particular cases.  The law is clear.


Anyway, the point is the open relay operators are not doing things
deliberately.  

Latest stats show over 200,000 open relays.   Most exist through
negligence, stupidity, laziness and the like.  (Basically, unwillingness
to RTFM.)


They don't want to relay spam.


The drunk drivers don't want to kill people but they still do and
they still go to prison for it.

They are spammers'
victims.

I'm glad you're not a Judge!

  If possible, we should try to help them.   Forcing them
all to close is something to be done only if we have exhausted all
ways to solve the problem.

Forcing them to close is the first thing to do.  See
<http://www.camblab.com/nugget/spam_03.pdf>



Plus there are "open" relay operators who state they have put in
throttles which stop spammers (or anybody untrusted) from sending
large volumes of mail through the relay. 

I have queried Spam-L experts about this.   One of the top technical
people on that list states:

 "I have seen more than one "rate limited" open relay being hit badly
  by spam - the spammer just throttles down his mailing speed through 
  the relay.  Throttling a mailserver so badly that spam will definitely
  not get through will also throttle a lot of legit mail going through 
  that relay."

Yet the blacklist relay
testers don't test a large volume, they test a single message, and
blacklist the relay even though it is not practical for spammers
to use it.

I have verified from Spam-L that many/most open-relay testers only
test whether a sending IP address is an open relay after getting a
spam in hand.   However there are indeed open-relay testers that
test routinely without provocation, apparently as a self-defense
measure.

The question therefore becomes whether there is ANY reason to have
an open relay, even a rate-limited one.   Is there any way to
preserve functionality for legitimate relay users while denying
access to strangers?   Yes, one can password-protect access.  There
are other ways too (e.g. whitelisting only certain accessing IP
addresses).

The question therefore becomes, given that there is need for relays
and that there is a simple method of access control, why are there
any relays, intended to serve legitimate users, which are still
open?

The answer from a famous Spam-L poster:

 "Lack of competence"

If you believe this analysis is incorrect I will be pleased to replay
your reply over there, or you can show up yourself.  Please don a
flame-resistant suit first; there is a very low tolerance on Spam-L
for fuzzy and wishful thinking.  The general attitude toward spammers
and enablers is "heads on pikes"  :)

Jeffrey Race
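
Added example, not part of the original message or written by either poster: a sketch of the access control the message describes, where a relay accepts mail for strangers' destinations only from password-authenticated users or whitelisted client addresses. The domains, networks, reply strings and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: every domain and network here is a placeholder.
LOCAL_DOMAINS = {"example.org"}                         # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # whitelisted client addresses

@dataclass
class Session:
    client_ip: str
    authenticated: bool   # True only after a successful password (SMTP AUTH) exchange
    rcpt_to: str

def rcpt_domain(address: str) -> str:
    # Text after the last "@"; an address with no domain never counts as local.
    _, sep, domain = address.strip("<>").rpartition("@")
    return domain.lower().rstrip(".") if sep else ""

def relay_decision(s: Session) -> str:
    """Reply to RCPT TO under a closed-relay policy (hypothetical reply texts)."""
    if rcpt_domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "250 OK (local delivery)"
    if s.authenticated:
        return "250 OK (relay: authenticated user)"
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "250 OK (relay: whitelisted address)"
    return "554 Relay access denied"

def is_open_relay(decide) -> bool:
    # The single-message check a relay tester performs: an unauthenticated
    # stranger asks the server to forward mail to a domain it does not host.
    probe = Session("203.0.113.7", False, "probe@tester.invalid")
    return decide(probe).startswith("250")

if __name__ == "__main__":
    print(is_open_relay(relay_decision))           # closed policy above
    print(is_open_relay(lambda s: "250 OK"))       # server that accepts everything
```

Legitimate remote users keep relay access through the `authenticated` branch, so closing the relay does not depend on throttling.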

