ietf-asrg

[Asrg] RE: 2a. Blacklists, collateral damage and anonymity

2004-05-05 12:25:31
I get the feeling you're happy with certain blacklists.

I believe it is possible to run a blacklist for certain very narrow
purposes in a legal, useful and acceptable fashion. I do not think
it is remotely possible to stop spam through blacklists.

It's two issues you feel stuck on: 1) Collateral damage and
2) anonymity. So I'll try to address those.

Collateral Damage
-----------------

This is a really tough issue. There's really only one DNSBL that I
support in terms of its collateral damage policy and that is the SBL.
They will escalate a listing from the IP addresses sending spam to the
corporate mail servers of the ISP in question if they are unable to get
action from that ISP in removing the spammer. They do not do this
lightly - only after making numerous attempts to contact the ISP both
via email and telephone calls. Note the fact that the escalation is not
to the entire ISP - just to the corporate mail servers of the ISP.

This is action against the ISP and not a third party. I would have no
objection to that type of activity; it does not raise the issues of
contract interference.

There could still be an issue of course if the reason for the listing
was simply malicious but that would be no different from listing the
spammer.


Anonymity
---------

We did not wish to prevent anonymity in the BCP because it provides
useful protection to the people who run these services. This has become
necessary not because what they are doing is illegal, but because the
cost of even a failed lawsuit in the US is too much for the creators of
the blocklists to bear.

I don't believe in anonymous reputation services.

If blacklists are going to demand accountability they must accept
accountability - from all parties they affect, not just the ones they
choose.

I believe in the democratic rule of law, no exceptions. If the legal
system is broken then it has to be fixed. There are plenty of blacklists
that operate in the open. Spamhaus operates in a legal regime wrt libel
that is far more hostile than the US.

I do not believe that it should be legal for a public service ISP to
use any anonymous blacklist service to filter customer's mail.

Do I wish that these blocklists could all be public facing and not 
anonymous? Absolutely! But the reality of your litigious society has 
ensured that this is becoming more and more difficult.

When we started VeriSign nobody else dared to run a public service
CA because they feared the liability issues. Today the liability
issue is considered irrelevant by many CAs and CA customers (heh,
they got a surprise coming). The reason is that VeriSign did such
a good job of anticipating the legal issues and pre-empting them.


The blacklist I am currently looking to establish will probably not
block any spam at all, it will block less than 1% of the web sites 
mentioned in spam, hopefully though it will block 80%+ of a certain
type of fraud.

I want the blacklist to be used near universally, therefore I want 
to make it practically impossible for a false positive to occur -
even though people will clearly attempt to engineer them.


                Phill


