Re: [Asrg] please review draft-irtf-asrg-bcp-blacklists-07

On 1/19/2011 4:28 PM, David Nicol wrote:
> On Wed, Jan 19, 2011 at 3:00 PM, Chris Lewis<clewis(_at_)nortel(_dot_)com>  
> wrote:
>
> > > [2.2.5] be changed?  It looks okay to me, as long as we are painfully,
> > > explicitly clear that the "users" are sys-admins and not end-users.
> > I think it is, isn't it?
> I don't know if it is nor not in the draft BCP document, but it's
> crazy muddled in this discussion.
Really?  I don't think end-user came up at all, and the BCP doesn't talk 
about it.  It's quite clear in the BCP that it's talking about 
list-users and list-owners, not end-users.
> And is the system working as designed, "protecting" the recipients
> from alleged annoyance.  Does the BCP draft have a section advising
> the consumers of the lists, as well as the providers of the lists?
Yes.  List-owner vs list-user distinctions are covered in the draft BCP 
quite substantively in a number of areas.
> Recommending that a list consumer provide per-recipient configuration
> WRT protection by the various ones --- some of the people on the
> qpsmtpd list discuss their per-recipient configuration database hacks,
> I don't know what the general state of the practice is in 2011.
Recipient filtering policy, mechanisms and implementation are well out 
of scope for this document _except_ where they directly relate to DNSBLs.
I've been wanting to write a more general BCP on filtering from the 
receiving perspective, but it'd probably be quite hard to achieve 
something reaching consensus without diluting it so far that it doesn't 
mean anything.  There are strong feelings in a number of different 
directions.  It may more end up as a series of scenarios enumerating 
pros and cons of each.
[Aside:

As an educated guess (and knowing that we're not entirely atypical ;-), 
most sites will have the same filtering for everyone.  Many do provide a 
recipient-adjustable whitelist-by-sender knob and either a 
blacklist-by-sender knob or a TiS button, but seldom more than that.
Commercial offerings (esp. 3rd party MX-handlers) tend to not have much 
per-user configurability beyond sender whitelisting.  Not because it's 
hard (it isn't), but because few are asking for it, hence it's not worth 
implementing.
There are some practitioners who wax quite extreme on substantive 
per-recipient configurability (eg: some of those on the qpsmtpd list 
;-), but the reality is that the number of people who'd actually _use_ 
such knobs would be extremely small, and still fewer who could adjust it 
effectively.  If they had such knobs, after the bombardment, experience 
suggests that they'd usually turn it right back on again (pushing the 
knobs too far ;-) and/or scream we should be filtering _that_ crap.  Or 
sue.  Or the admins get arrested[+].  Sigh. :-(
Corporates, and GOV sites generally do not have end-user configurability 
at all except for perhaps individual sender partial whitelisting. 
Audit/CorpSec tend not to like people potentially turning off A-V or 
policy-imposed "not on our equipment!" filtering (which may or may not 
fit the definition of spam).
Our filtering is across the board.  We have the ability to whitelist 
senders (in any of a variety of ways) or bypass filtering for specific 
recipients.  End-users can ask for such, but they can't set it 
themselves.  Each request is checked.  Things causing false positives 
with business operation are dealt with routinely - it's part of the 
filtering process _itself_ - our filtering is good enough that these are 
rare.  Similarly with most non-business related stuff (we have a pretty 
liberal policy about reasonable personal use - many corps don't).  Full 
blown bypass every filter sender whitelisting is almost never done (I 
can count the number of instances on one hand, most of them are on 
anti-spam/anti-virus mailing lists that either I or the virus team lead 
are on).  There's only two recipients that don't get filtering - our 
filter FP handling contact address and our registration contact address.
In 13 years of filtering, we've only had three people (peak user 
population: 120,000) ask to get out from behind filtering.  We said no. 
 It's not that big an issue if you do sender-signalling on rejects 
and/or provide methods for receivers to find out what was blocked and 
how to deal with it.
As I understand it, govs (particularly LE) often don't have any 
whitelisting/filter bypass capabilities whatsoever and/or refuse to use 
them by policy.  It's awesomely annoying sometimes when you can't get 
them a sample of what they asked for, even if via a mailing list 
intended for the purpose.
end of aside]

> Of course if it became known that the BBB accepted bribes for
> delisting, that would hurt their reputation.  I think attempting to
> mandate the mechanics of reputation will be futile, maybe 2.2.5 could
> be weakened to be strictly descriptive, yet provide advice for the
> reputation-mechanically-impaired?
This is the same argument as saying "we don't need a law against X, 
because it won't stop people from doing X".  Well of course.  So what? 
Without it, you don't know that X is bad, and you have no way to deal 
with people who did X anyway.  A BCP does the former.  Obviously, a BCP 
can at most wave a "bad boy!" wand (is that non-violent enough? ;-) over 
the latter.  But that's important too.
[+] Read your sexual harassment in the workplace legislation sometime. 
If it's anything like what we have, the admins can go to jail, there is 
no "corporate shield" on that bit.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg