
Re: Race's BCP/blacklist Proposal (was Re: Principles of Spam-abatement)

2004-03-03 10:30:24
On Wed, 3 Mar 2004, Nathaniel Borenstein wrote:

> The problem with this kind of proposal is that it punishes too many of
> the wrong people.   I myself was the victim of a blacklist for most of
> last year; my ISP was blacklisted by another ISP, and they spent 6
> months arguing about it, during which time all my email to users of the
> other ISP was blocked (although they kept helpfully telling me that I
> could always switch to using *them* as my ISP).

And this should not happen, agreed.  But Jeff's proposal doesn't suggest
that we get into "ISP wars" between pairs of competing ISPs.  It
suggests that an offending ISP be cut off from EVERYBODY, and only AFTER
a carefully prescribed due process involving collected complaints and a
lack of action resolving those complaints.  Not just any complaints,
either -- complaints of actions that violate AUAs of networks upon which
the SP-generated traffic is carried.

If your ISP >>is<< a hotspot for spammers and viruses and its managers
tolerate the abuse, well, the rest of the people in the network don't
want to be abused.

This isn't really punishing the innocent -- it is punishing poorly run
and marginal businesses (the SPs).  They will have to very rapidly
change their ways and become responsive and police their clients.  In
MOST cases their clients have choices in the marketplace, and if they
choose to leave their SP for another that polices their networks well,
that's business.  If it drives marginal SPs out of business, that too is
the way it goes.  Don't run an ISP business unless you can afford to
keep it reasonably clean and still make money.

> In essence, a blacklist cuts users off from some subset of the Internet
> based on the conclusions of some ISP or other "authority" with which
> the user has no relationship at all.  At best, this says that users are
This is not true.  The entire Internet is stitched together by
acceptable use agreements NOW.  If you are a user of ANY network service
provider, you a) have an AUA with them, even if you aren't aware of it;
and b) you have an AUA with them whether or not they have one of their
own because THEY have an AUA with THEIR PoP(s), all the way back to the
backbone providers.  IIRC, "all" of these AUAs have inheritance clauses
that make you subject to them even if you don't know it, and most of
them tightly regulate network abuse with disconnection as a clearly
spelled out option.

The problem is that over time many networking authorities have become
appallingly sloppy about enforcing AUAs.  In part this is because AUAs,
while universal, are not uniform; in part because, while commerce of a
variety of sorts is permitted and even encouraged, the lines between
permissible use and non-permissible use have gotten very sloppy.  It
isn't always easy to differentiate between "free speech" (something the
Internet openly encourages and enables) and "violating privacy"
(something the Internet de facto enables along with that freedom of
expression).  Finally, the network has grown to where the most religious
of enforcers (the toplevel backbone networks) simply don't have the
resources to police SPs connected to networks connected to networks
connected to networks connected to the backbones (with money and
contracts involved at lots of the levels in between).

Consequently you have individual SPs making unilateral
blacklist/whitelist decisions without an associated due process and
possibly motivated by reasons drawn from the marketplace and not abuse
at all.  You also have networks like yahoo.com that live in more or less
perpetual abuse of AUAs prohibiting spam and requiring a degree of
self-regulation being left alone because they are so BIG, with so many
clients, that disconnecting them is unthinkable.

I disagree -- I think that it is both thinkable and the ONLY thing short
of otherwise-punitive legislation that will make them change their ways.
Disconnection hurts an SP in the only place they really care about --
their pocketbook.  It is a ticket to instant bankruptcy if they don't do
WHATEVER IT TAKES to clean up their act, up to and including altering
their fundamental business model.

I think Jeff's proposal is to make this process formal and consistent
and to get back to ENFORCING AUAs at the SP juncture as a means of
arm-twisting SPs to a) communicate AUA requirements to their own
clients; and b) to police those clients individually, lest the rest of
the network police the SP itself collectively (effectively driving it
out of business).

> One man's blacklist is another's denial-of-service attack.  Denial of
> service is not the answer in a world where it's so hard to assure that
> the correct people are being punished.  -- Nathaniel

Sure, but take your own example seriously.  Surely if a newspaper were
being printed in the blood of children (or whatever it was) there would
be simple objective tests that would validate this assertion.  In fact,
there might well be a chief of police, or an association of newspaper
publishers, that collected reports of people whose newspapers' ink
tested positive for human blood factors and investigated whether or not
they are true. 

In a sane universe, if it were TRUE that this were occurring, or that
the newspaper were being run by the mob, or that the newspaper
constantly ran advertisements featuring ritual human sacrifices of naked
persons (or engaging in ANY behavior deemed collectively to be
antisocial and/or illegal) it would be perfectly reasonable to shut the
paper down and arrest the owner, or arrange for a boycott of the
newspaper, or remove the paper's "credentials" from the association of
newspaper publishers (said credentials required for the newspaper to be
delivered as the paper is delivered for free by PUBLIC servants who
won't deliver trash).

Would this "punish" the subscribers?  Not at all.  There are other
papers to subscribe to.  Perhaps they'd miss some featured columnist.
Maybe they LIKE getting newspapers printed with the blood of children.
However, it's reasonable to deny them access to public resources to
deliver those papers if those public resources clearly state that they
don't accept messages in which children or animals were harmed in the
printing process.

   rgb

-- 
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     
email:rgb(_at_)phy(_dot_)duke(_dot_)edu