
Re: [Asrg] A New Plan for No Spam / DNSBLS

2003-04-26 17:22:06
In 
<CE541259607DE94CA2A23816FB49F4A301AE2361(_at_)vhqpostal6(_dot_)verisign(_dot_)com>
 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:

      I finally got the revision of my paper 'A Plan for No Spam' through
legal and posted to the VeriSign Web Site. It is in PDF (sorry no HTML or
plaintext version).

http://www.verisign.com/resources/wp/spam/no_spam.pdf


Vernon and others have pointed out other errors/problems that I agree
with, including the mis-characterization of DNSBLs.  However, I will
elaborate on the problems with your discussions of DNSBLs.


First, you inaccurately use inflammatory words to describe DNSBLs.
For example, instead of using the term "vigilante" to mean "taking the
law into your own hands", you define "vigilante" as being
"unaccountable".  Since there are very few laws in the area of spam,
it is hard to claim that anyone is taking the law into their own
hands.  Moreover, vigilantism generally has the connotation of a mob
force.  You claim that DNSBLs are being coercive ("*forcing* to act or
think in a certain way"), and as a censor ("some sort of
official/authority that defines objectionable material").

DNSBLs can not force anyone to do anything and any authority given to
them is by consensual users of the DNSBL.  DNSBLs are opinions about
the standards of conduct of email coming from certain IP addresses and
domains.  DNSBLs are no more coercive than requiring the sending MTA
to connect at the right port (25), send syntactically valid SMTP
commands, provide a return path that can be resolved, having
sufficiently few "spammy" type keywords in the email body, have a
sufficiently low Velocity Indicator, have an e-stamp, etc.

All of the above requirements are standards of conduct set by the
receiving MTA in order for email from the sending MTA to be accepted.
All can create false positives, all have secondary effects and all can
be abused.


Secondly, as Vernon points out, "the section about blacklists in the
document describes actions by minor blacklists such as attempted
extortion as if they were representative.  They are not."

Your statement that "Blacklists can only work as long as the Internet
community generally can have confidence in the way they are run." is
exactly right.  Their widespread use indicates that many receivers of
email have confidence in at least some DNSBLs.  Yes, senders of email
may not agree, but email senders can no more "force" receivers to
accept their email than receivers can "force" senders to conform to a
standard of conduct.  When senders and receivers don't agree, they
don't transfer email.  

You claim that "Unfortunately the majority of blacklist operators
appear to consider themselves beyond accountability."  DNSBL operators
do not *NEED* to be accountable to anyone other than people who use
them, and those people can freely choose to stop using a DNSBL if they
want.

You claim that "None of the blacklist maintainers describe a dispute
resolution procedure; most do not even provide a contact address."
This is certainly not true for most of the major blacklists, the only
exception that I can find is SPEWS.  The following are the DNSBLs that
I use in one form or another: ORDB, DSBL, SBL, relays.osirusoft, RFCI,
bondedsender, OPM, NJABL, SpamCop and habeas (HIL and violators).
They all publish removal procedures and contact addresses.

You claim that "In one recent incident one of the blacklists listed
the entire nation of China. Another blacklist listed UUNET, one of the
largest ISPs in the US including all its customers in an attempt to
force UUNET to shut down a Website run by a UUNET customer."  You have
made these claims before, but you have never documented them in any
way.  There are certainly DNSBLs that block all of china (and many
other regions of the world, for that matter), but the only ones I know
are very explicit about what they are doing.  For example,
cn-kr.blackholes.us is clearly a DNSBL that blocks both China and
Korea.  Without some documentation, you are just spreading FUD about
DNSBLs.


Thirdly, in the "BEST PRACTICES" section, you talk about creating some
sort of "common agreement on best practices for blacklists setting out
criteria for issues such as notice to the listed parties, appeals
processes and the acceptability of `collateral damage'."  This is both
unnecessary and undesirable.

It is unnecessary because DNSBLs can not force anyone to do anything,
their only authority comes from others who freely choose to use them.
Any DNSBL that does not do a good enough job of either spelling out
what standards of conduct are required to not be listed, or do not
adhere to the standards they claim to certify will probably not be
widely used.

It is undesirable since different organizations have different
priorities about what standards of conduct they want to require for
senders of email; you *want* a wide variety of DNSBLs.


Finally, you include DNSBLs as part of your overall spam solution.
You say that it is better to use them as one factor in the filtering,
rather than a straight accept/deny system, and I can agree with that.
However, that choice is really up to the organization receiving email
to decide.  I find it very strange that you would spread so much FUD
about DNSBLs and then turn around and say that they are part of the
solution.



-wayne

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
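The post argues two technical points: a DNSBL is just one more standard of conduct the receiving MTA checks (alongside a resolvable return path, "spammy" keywords and so on), and a listing is better used as one weighted factor than as a straight accept/deny. The following is an added example, not code from the original post or from any of the DNSBLs it names. It shows the standard reversed-octet query a receiving MTA issues against a DNSBL zone and then folds the answer into a combined score. The zone names (`bl-a.example`, `bl-b.example`), the weights, the thresholds and the resolver answers are all constructed here; a real deployment would query DNS, and the resolver is injected so the example runs offline.

```python
"""Added example (not from the original post): DNSBL lookup as one
weighted factor in a receiving-MTA policy score."""
import ipaddress
from typing import Callable, Dict, Optional

# Resolver signature: hostname -> A record as a string, or None for NXDOMAIN.
# Injected so the example runs offline; a real MTA would call the system
# resolver here.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the conventional DNSBL query name: IPv4 octets reversed under
    the zone, e.g. 192.0.2.10 in zone 'bl-a.example' ->
    '10.2.0.192.bl-a.example'. Raises ValueError on a non-IPv4 input."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True only if the zone answers with an A record in 127.0.0.0/8.
    Zones signal listings with 127.x.y.z return codes; any other answer
    (a wildcard, a parked zone, an outage) is treated as 'not listed'
    so a broken list fails open rather than rejecting all mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    try:
        code = ipaddress.IPv4Address(answer)
    except ValueError:
        return False
    return code in ipaddress.IPv4Network("127.0.0.0/8")


def score_message(ip: str, has_resolvable_return_path: bool,
                  spammy_keywords: int, zones: Dict[str, float],
                  resolve: Resolver) -> float:
    """Combine several receiving-MTA checks into one score. Each DNSBL zone
    carries its own weight (assumed values), so a listing is a factor
    rather than a verdict, as the post recommends."""
    score = 0.0
    for zone, weight in zones.items():
        if dnsbl_listed(ip, zone, resolve):
            score += weight
    if not has_resolvable_return_path:
        score += 2.0                 # assumed weight for the return-path check
    score += 0.5 * spammy_keywords   # assumed weight per keyword hit
    return score


def decision(score: float, reject_at: float = 5.0, flag_at: float = 3.0) -> str:
    """Map the combined score to an action; thresholds are assumed values
    that each receiving organization would set for itself."""
    if score >= reject_at:
        return "reject"
    if score >= flag_at:
        return "flag"
    return "accept"


# Constructed offline stand-in for DNS: query name -> A record.
FAKE_ZONE_DATA = {
    "10.2.0.192.bl-a.example": "127.0.0.2",   # listed in zone A
    "10.2.0.192.bl-b.example": "127.0.0.3",   # also listed in zone B
    "20.2.0.192.bl-a.example": "127.0.0.2",   # listed in zone A only
    "10.2.0.192.bl-c.example": "192.0.2.1",   # non-127/8 answer: ignored
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


# Assumed per-zone weights: zone A is trusted more than zone B.
ZONES = {"bl-a.example": 2.5, "bl-b.example": 1.5}


if __name__ == "__main__":
    for ip, rp, kw in [("192.0.2.10", True, 0), ("192.0.2.20", False, 2),
                       ("192.0.2.30", True, 1)]:
        s = score_message(ip, rp, kw, ZONES, fake_resolve)
        print(f"{ip}: score={s:.1f} -> {decision(s)}")
```

Because the DNSBL answer is only one term in the sum, a sender listed on a single zone is flagged or accepted depending on the other checks, which is the "one factor in the filtering" behaviour the post agrees with; a site that wants the straight accept/deny behaviour instead simply sets the zone weight at or above its rejection threshold.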