On Fri, Apr 30, 2004 at 03:23:10PM +0100, Matt Sergeant wrote
Our aim with the BCP was not to fit it around _all_ current practices,
but to fit it around best practices. If you have good reasons for
going against the guidelines please state them and we can consider
the modification of the BCP.
The BCP document assumes that people are nice, or at least polite. If
they were, there wouldn't be a need for DNSbl's in the first place. In
a "kinder gentler" world, paragraph 2.6 MUST-have-a-contact requirement
would make sense. However, in real life, spammers aren't nice. Consider
the following...
- MAPS was sued into uselessness by a bunch of dot-coms flush with
cash from IPO's who engaged in the lawsuit equivalent of a gang-rape
- Felstein and company left a bunch of people out of pocket thousands
of dollars in legal fees, even though the civil complaints were
dropped and the case never got to trial
- Scott Richter is currently suing SpamCop
Unlike British Commonwealth countries (Britain, Canada, Australia,
etc) the USA does *NOT* have an automatic "loser pays" clause for
lawsuits. The USA gave the world SLAPP. Would you care to provide
multi-million dollar funds in escrow to defend against such lawsuits and
pay off any stupid judgements awarded by juries?
And it's not merely a case of money. I wouldn't be surprised if the
mobsters behind some of the spammers resorted to contract killings to
shut down impediments to their "bizniss". In a climate like this, I
understand why the principals behind SPEWS seek anonymity. Please
understand that we're dealing with a bunch of thugs, hooligans, and
criminals. If we get into a streetfight against them whilst restricting
ourselves to Marquis of Queensbury rules, we're guaranteed to lose.
If I sound passionate, it's because DNSbls help keep my email usable,
which gives me a personal stake in the success/failure of DNSbls. If
they go under, I'll either switch to whitelist-only, or possibly give up
on email altogether.
In terms of improvements to this BCP, I have an idea that would render
the rest of the BCP moot...
====================================================================
Paragraph 0
Internet Service Providers who provide inbound email service to the
public *MUST* allow individual customers to select which DNSbls and/or
filters are applied to their incoming email, except as listed below.
The only exceptions shall be...
1) When an incoming email is reliably confirmed to be a virus by a
scanner, it may be either rejected at the SMTP stage with a 5xx message
or diverted into a quarantined folder or dropped. It *MUST NOT* trigger
a DSN to the alleged sender of the email, because email source info
(both From: and Envelope-Sender) is usually forged by viruses.
2) IP addresses which launch Denial-Of-Service attacks or dictionary
attacks on the ISP may be ignored by the mailserver or firewalled or
null-routed or blocked via other purely defensive measures.
====================================================================
The real problem is ISPs who use the one-size-fits-all approach, and
use the same DNSbl(s) for all their clients. Allow people to use which
ever DNSbls they want, and the bad DNSbls lose users, and fade away.
DNSbls with good reputations would have lots of users. This would also
provide ISPs some protection against lawsuits by spammers, because the
ISP would not be responsible for an individual user's choice of blocking
criteria.
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg