spf-discuss

RE: FTC: we need sender authentication before "Do Not Spam" can work

2004-06-16 15:21:35
From: John Glube
Sent: Wednesday, June 16, 2004 2:04 PM


This post is in response to the comments
of both Lars and Seth concerning defining Spam.

On the issue of a Spam definition, Spam can
cover more than merely unsolicited bulk email.

That appears to be true for some user bases, but others are perfectly
satisfied with that definition.


Unfortunately, Spam has become an elastic term,
so that one person's spam may be another
person's valuable communication.


<...>

One of the issues with the Spam definition found
at http://www.spamhaus.org/definition.html

is that SpamHaus calls for a closed loop
verification process for solicited bulk emailings.

Precisely.  I personally applaud that policy.  It is hard to imagine what
legitimate activity that process would disadvantage.


This is fine, but in a world where domain holders
have published an SPF record, I am not certain
whether this standard is required.

I really don't see what designated senders for a domain have to do with
receiving mountains of unsolicited bulk mail, a privilege that I have to pay
for.  SPF will probably not reduce spam.  It will add accountability to
senders.  We are all hoping that senders who continue to send unsolicited
bulk email will end up blacklisted quickly enough that we can prevent their
theft of our bandwidth and hardware resources.  Maybe we can even look ahead
to a time where the U.S. joins the rest of the civilized world in requiring
opt-in permission and enforcing the laws we currently have on the books.

Also, this is
a higher standard than outlined in RFC 3098.

Perhaps, but has that RFC materially affected the volume of spam?
Unfortunately, higher standards seem to be in order.  The behavior of a few
"bad actors" has made the village commons unusable for the rest of us.  The
unfortunate consequence is that rules will have to be made that put some
limits on all of our freedom so that we can, once again, use the village
commons.


However, there is another problem. The moment we start
talking about UBE, verified opt-in, confirmed
opt-in or unconfirmed opt-in, various interest
groups will pop up.

These interest groups may oppose the
implementation of the newSPF on the basis it
restricts their behaviour, even though we
all know UBE is abusive.

SPF has nothing to do with defining spam.  We just happen to be talking
about it on this list.  Last time I looked, the draft spec didn't define
spam and barely mentioned it, except to say that SPF wouldn't be sufficient
to solve the spam problem!

I really don't think we should concern ourselves with what direct marketers
think.  The good thing about SPF is that, being a technical initiative, it
doesn't require any laws to be passed to get it adopted.  The fact that the
direct marketing industry have politicians on their payroll really isn't
going to help them in this case.  They've had their chance and their vision
for the future is clearly embodied in the CAN SPAM Act, which specifically
pre-empts every state law on UBE passed to date.  Unfortunately for them,
very few people outside their industry share that vision.


<...>

Please don't misunderstand my comments. Ideally,
one wants all Internet access services to state:

Want to transmit email to or from our domain? You
cannot use our services to send UBE and you need
to be sender authenticated.

This would be the easiest and quickest way to
stop abusive behaviour, providing Internet access
services honour the commitment.

An excellent idea, and I fully support it.  So do most responsible ISPs.


However, if the people supporting SPF enter this
debate, one may move from having the newSPF
easily accepted and implemented and enter into an
entirely different debate, including issues of
sender reputation and accreditation.

For example, what happens if someone who has
published a text record does send UBE?

They will get blacklisted, hopefully very quickly, so that their abuse of
the network can be stopped while it is still in progress.


How do you determine whether the person has or
has not sent UBE?

What objective standard do you settle upon?
Verified opt-in as advocated by SpamHaus and
others or confirmed opt-in as advocated by the
IETF?

Each blacklist has their own criteria for what constitutes sufficient
evidence.  Each system operator can choose which blacklists, if any, operate
in a way that helps them meet the needs of their users.


What process is implemented to allow the sender
to defend his, her or its interests against
complaints?

That's up to each blacklist.  If a system operator doesn't like their
policies, they won't use the list.


Do you blacklist before or after the sender has
had a chance to respond?

I've never heard of a blacklist that waits for a spammer to respond when there
is evidence in hand.  If you believe that system operators would prefer to
use a list with that policy, I encourage you to start one.  The market has
done an excellent job of expressing what people want, and it does not seem
to include "spammers' rights".


Who makes decisions?

The operators of each blacklist decide the list policy.  The operators of
each mail system decide which blacklists, if any, meet their needs.  It's
the epitome of a free market, where no one is compelled to do anything.
Some very good solutions have come out of that system.


I am not saying all these issues can't be sorted
through. They need to be sorted through.

While it may be possible, in theory, to get everyone to agree on what a
reasonable blacklisting policy would be, it would be a lot like trying to
herd cats.  Don't get me wrong, I would find such a debate fascinating and
we would all learn a great deal from it.  From a practical viewpoint,
though, if it ain't broke, don't fix it.


The question is whether people want to get
involved in this debate, while at the same time
sorting through the various implementation
issues, especially with the FTC throwing its
weight behind sender authentication.

We all appreciate the FTC's support.  That doesn't mean we can't
individually state in public that we hate spam and the spammers that send
it.  In fact, if there's any single issue this diverse and sometimes ornery
group could agree on, that would probably be it!  It has absolutely nothing
to do with SPF, however.


Yes, I appreciate, respect and agree with the
sentiment of not wanting one big company to deal
with issues of reputation and accreditation.

Yes, that's absolutely the issue.  No one but the employees and stockholders
of said companies want that.


However one proceeds, there is a need for settled
standards which have widespread backing and a
requirement for significant oversight to ensure a
fair and open process.

I don't really care if spammers or the companies who profit from them don't
like the current "closed" system of blacklisting.  No one gave them the
right to steal my bandwidth.  Blacklists are not governmental entities, they
are not enforcing laws, and therefore the concept of due process does not
apply.  No one forces anyone to use a blacklist to do anything.  People use
them because they block spam and very little, if any, legitimate mail.  I
can't see how having "settled standards" would improve the situation.  Once
SPF is in place, the lists will work even better, as definitive evidence
will be easier to obtain.

If spammers don't like that, they should consider finding an honest line of
work.  If legitimate bulk mailers don't like what spammers do, they are free
to pool their money and start suing them out of existence.  Instead, they
spent their money lobbying for the CAN SPAM Act.  Money talks, and theirs
spoke volumes.


To date these standards don't exist. One place to
start may be to build on the work done by the
Eprivacy Group, which has developed the Trusted
Email Open Standard:
http://www.eprivacygroup.net/teos/

It's rather late and somewhat disingenuous of this organization to start
talking about fair and open standards.  While said large companies were busy
making money from spamming at both ends of the channel, a lot of dedicated
individuals experimented with a number of different models for how to fight
it.  Many of them lost large amounts of money and time in the process.  As a
result of their unselfish efforts, we now have a fairly efficient,
decentralized system of blacklists that have a variety of policies to choose
from.  They seem to suit users' needs quite well and most of them are
low-cost or free.  Why should we even consider handing the keys to the
castle over to a group of corporations whose combination of actions and
inaction created the problem in the first place?  To summarize it in a
phrase, "we don't need what they're selling".

--

Seth Goodman