Re: [Asrg] please review draft-irtf-asrg-bcp-blacklists-07
2011-01-20 00:53:14
On 1/19/2011 4:28 PM, David Nicol wrote:
> On Wed, Jan 19, 2011 at 3:00 PM, Chris Lewis<clewis(_at_)nortel(_dot_)com> wrote:
>>> [2.2.5] be changed? It looks okay to me, as long as we are painfully,
>>> explicitly clear that the "users" are sys-admins and not end-users.
>> I think it is, isn't it?
> I don't know if it is or not in the draft BCP document, but it's
> crazy muddled in this discussion.
Really? I don't think end-user came up at all, and the BCP doesn't talk
about it. It's quite clear in the BCP that it's talking about
list-users and list-owners, not end-users.
> And is the system working as designed, "protecting" the recipients
> from alleged annoyance. Does the BCP draft have a section advising
> the consumers of the lists, as well as the providers of the lists?
Yes. List-owner vs list-user distinctions are covered in the draft BCP
quite substantively in a number of areas.
> Recommending that a list consumer provide per-recipient configuration
> WRT protection by the various ones --- some of the people on the
> qpsmtpd list discuss their per-recipient configuration database hacks,
> I don't know what the general state of the practice is in 2011.
Recipient filtering policy, mechanisms and implementation are well out
of scope for this document _except_ where they directly relate to DNSBLs.
I've been wanting to write a more general BCP on filtering from the
receiving perspective, but it'd probably be quite hard to achieve
something reaching consensus without diluting it so far that it doesn't
mean anything. There are strong feelings in a number of different
directions. It may more end up as a series of scenarios enumerating
pros and cons of each.
[Aside:
As an educated guess (and knowing that we're not entirely atypical ;-),
most sites will have the same filtering for everyone. Many do provide a
recipient-adjustable whitelist-by-sender knob and either a
blacklist-by-sender knob or a TiS button, but seldom more than that.
Commercial offerings (esp. 3rd party MX-handlers) tend to not have much
per-user configurability beyond sender whitelisting. Not because it's
hard (it isn't), but because few are asking for it, hence it's not worth
implementing.
There are some practitioners who wax quite extreme on substantive
per-recipient configurability (eg: some of those on the qpsmtpd list
;-), but the reality is that the number of people who'd actually _use_
such knobs would be extremely small, and still fewer who could adjust it
effectively. If they had such knobs, after the bombardment, experience
suggests that they'd usually turn it right back on again (pushing the
knobs too far ;-) and/or scream we should be filtering _that_ crap. Or
sue. Or the admins get arrested[+]. Sigh. :-(
Corporates, and GOV sites generally do not have end-user configurability
at all except for perhaps individual sender partial whitelisting.
Audit/CorpSec tend not to like people potentially turning off A-V or
policy-imposed "not on our equipment!" filtering (which may or may not
fit the definition of spam).
Our filtering is across the board. We have the ability to whitelist
senders (in any of a variety of ways) or bypass filtering for specific
recipients. End-users can ask for such, but they can't set it
themselves. Each request is checked. Things causing false positives
with business operation are dealt with routinely - it's part of the
filtering process _itself_ - our filtering is good enough that these are
rare. Similarly with most non-business related stuff (we have a pretty
liberal policy about reasonable personal use - many corps don't). Full
blown bypass every filter sender whitelisting is almost never done (I
can count the number of instances on one hand, most of them are on
anti-spam/anti-virus mailing lists that either I or the virus team lead
are on). There's only two recipients that don't get filtering - our
filter FP handling contact address and our registration contact address.
In 13 years of filtering, we've only had three people (peak user
population: 120,000) ask to get out from behind filtering. We said no.
It's not that big an issue if you do sender-signalling on rejects
and/or provide methods for receivers to find out what was blocked and
how to deal with it.
As I understand it, govs (particularly LE) often don't have any
whitelisting/filter bypass capabilities whatsoever and/or refuse to use
them by policy. It's awesomely annoying sometimes when you can't get
them a sample of what they asked for, even if via a mailing list
intended for the purpose.
end of aside]
> Of course if it became known that the BBB accepted bribes for
> delisting, that would hurt their reputation. I think attempting to
> mandate the mechanics of reputation will be futile, maybe 2.2.5 could
> be weakened to be strictly descriptive, yet provide advice for the
> reputation-mechanically-impaired?
This is the same argument as saying "we don't need a law against X,
because it won't stop people from doing X". Well of course. So what?
Without it, you don't know that X is bad, and you have no way to deal
with people who did X anyway. A BCP does the former. Obviously, a BCP
can at most wave a "bad boy!" wand (is that non-violent enough? ;-) over
the latter. But that's important too.
[+] Read your sexual harassment in the workplace legislation sometime.
If it's anything like what we have, the admins can go to jail, there is
no "corporate shield" on that bit.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg