ietf-asrg

[Asrg] RE: 2a. Blacklists, collateral damage and anonymity

2004-05-05 13:19:10
On Wed, 5 May 2004, Hallam-Baker, Phillip wrote:

This is a really tough issue. There's really only one DNSBL that I
support in terms of its collateral damage policy and that is the SBL.
They will escalate a listing from the IP addresses sending spam to the
corporate mail servers of the ISP in question if they are unable to get
action from that ISP in removing the spammer. They do not do this
lightly - only after making numerous attempts to contact the ISP both
via email and telephone calls. Note the fact that the escalation is not
to the entire ISP - just to the corporate mail servers of the ISP.

This is action against the ISP and not a third party. I would have no 
objection to that type of activity, it does not raise the issues of 
contract interference.

There could still be an issue of course if the reason for the listing
was simply malicious but that would be no different from listing the
spammer.

And would be a violation of the BCP. Good, that's progress.

We did not wish to prevent anonymity in the BCP because it provides
useful protection to the people who run these services. This has become
necessary not because what they are doing is illegal, but because the
cost of even a failed lawsuit in the US is too much for the creators of
the blocklists to bear.

I don't believe in anonymous reputation services.

If blacklists are going to demand accountability they must accept
accountability - from all parties they affect, not just the ones they
choose.

I believe in the democratic rule of law, no exceptions. If the legal
system is broken then it has to be fixed. There are plenty of blacklists
that operate in the open. Spamhaus operates in a legal regime wrt libel
that is far more hostile than the US.

I do not believe that it should be legal for a public service ISP to
use any anonymous blacklist service to filter customer's mail.

Spamhaus is a good example here. I'm glad you used it. Steve Linford is
currently suffering massive financial loss because of the fact that
spamhaus are a public resource. We stand to lose spamhaus because of this.  
I do not think that will happen because they will start charging for zone
transfers of the SBL. Something they've talked about doing for a while.
This will cover the costs of being DoS'd out of existence and hopefully
enough to pay a small pittance to the hard working spamhaus helpers (who
currently work for free).

This will not work for all blacklists. Not even all good blacklists.

If the spammers were all nice people I would agree with you
wholeheartedly that all blacklists should be accountable. You should hear some
of the things that Steve has been sent in the post from these nice 
friendly spammers. I truly believe that his situation would have been made 
impossible had he been living in the US (i.e. where the spammers are). I 
would hate to see the same thing happening to the guy who created the CBL.

Do I wish that these blocklists could all be public facing and not 
anonymous? Absolutely! But the reality of your litigious society has 
ensured that this is becoming more and more difficult.

When we started VeriSign nobody else dared to run a public service
CA because they feared the liability issues. Today the liability
issue is considered irrelevant by many CAs and CA customers (heh,
they got a surprise coming). The reason is that VeriSign did such
a good job of anticipating the legal issues and pre-empting them.

VeriSign has a lot of money to protect itself. It's certainly not managed 
to keep itself clear of litigation, but can afford to deal with the issue 
when it arises.

The blacklist I am currently looking to establish will probably not
block any spam at all, it will block less than 1% of the web sites 
mentioned in spam, hopefully though it will block 80%+ of a certain
type of fraud.

I want the blacklist to be used near universally, therefore I want 
to make it practically impossible for a false positive to occur -
even though people will clearly attempt to engineer them.

That is good. I'm sure it will comply with the concepts raised in this 
BCP.

Matt.

