[Gllug] Re: www.spews.org - spamming blacklist

Mike Brodbelt mike at coruscant.demon.co.uk
Wed Jun 4 01:27:52 UTC 2003


On Tue, 2003-06-03 at 09:59, Jason Clifford wrote:
> On 3 Jun 2003, Mike Brodbelt wrote:

> > SpamAssassin demonstrates quite well that netblock lookups are an
> > unnecessary blunt instrument. Content-based filtering and Bayesian
> > analysis can remove spam more effectively, and under the user's control.
> 
> And may well be illegal for ISPs, employers and others to use. Privacy 
> laws mean that your ISP, employer etc are not permitted to peek into your 
> private communications.

That's easy to get round if you're an ISP though - simply have your
customers opt in via a web page, and then simply scan all the mail
destined for users who've opted in.

> In such cases the ISP/employer is then forced to pick up the increased 
> bandwidth costs as you have to accept the whole message before you can 
> filter on content. RBLs allow you to refuse the message immediately upon 
> exchange of SMTP headers so you don't waste such resources.

I'd have thought that the annoyance factor/time wastage of spam is more
important than bandwidth costs of it these days for an ISP. Surely one
user with Kazaa can dwarf the bandwidth used by spam. I haven't run an
ISP though, so I'd be interested to know if you feel bandwidth really
makes a significant cost difference to the provider.

> Some of the anti-spam/virus solutions now allow per user configuration. 
> I'm investigating a couple for UKFSN (and UKPOST) at the moment and this 
> is one of the things that will swing my decision.

That's the way it should go. It should be pretty trivial to hook a mail
filter into a delivery queue based on a db lookup for opt-in.

> Mike, you are simply wrong on this one. They do no such thing. As 
> objectionable as I find SPEWS to be (and I very much do!) the truth is 
> that they are a passive operation. Where a site uses SPEWS it is the 
> decision of the site operators and they are the ones you need to address 
> your concerns to.

This is an interesting argument. Much as SPEWS et al. have put forth
this idea, I'd say that in cases like this the provider of the tools
bears at least partial responsibility for the use to which those tools
are put, and I don't think the "but we don't press the button, we just
sell the bombs" argument is really a good enough get-out clause. If
their service was multiple use, yes - but it isn't really, and they know
when they provide it that as a result of this provision, innocent users
will have legitimate mail blocked.

Although you are of course right that they don't actually turn it on at
any particular site, when you take an action that has a known
consequence, I believe you bear at least partial responsibility for that
consequence. I'll admit that this is a contentious issue in plenty of
areas other than just mail though, and worth serious debate.

Mike.



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
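
Added example, not part of the original post: a sketch of the opt-in delivery hook discussed above, where content is inspected only when at least one recipient has consented. The table name, function names, addresses and the keyword scorer (a stand-in for a real filter such as SpamAssassin) are all assumptions made for illustration.

```python
import sqlite3
from email import message_from_string

def make_optin_db(opted_in):
    """Constructed opt-in table; the web sign-up page would write rows here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE optin (address TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO optin VALUES (?)",
                   [(a.strip().lower(),) for a in opted_in])
    return db

def has_opted_in(db, rcpt):
    # Parameterised query: recipient addresses are untrusted SMTP input.
    row = db.execute("SELECT 1 FROM optin WHERE address = ?",
                     (rcpt.strip().lower(),)).fetchone()
    return row is not None

def toy_content_score(raw_message):
    """Hypothetical keyword scorer standing in for a real content filter."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    return sum(text.count(w) for w in ("viagra", "free money", "click here"))

def route(db, rcpts, raw_message, threshold=2):
    """Return {recipient: action} for one queued message."""
    actions = {r: "deliver-unscanned" for r in rcpts}
    opted = [r for r in rcpts if has_opted_in(db, r)]
    if not opted:
        return actions  # nobody consented, so the content is never opened
    # One scan per message; the verdict applies only to opted-in recipients.
    spam = toy_content_score(raw_message) >= threshold
    for r in opted:
        actions[r] = "quarantine" if spam else "deliver-scanned"
    return actions

# Constructed sample messages.
SPAM = "From: a@example.net\nSubject: FREE MONEY\n\nClick here for free money now\n"
HAM = "From: b@example.net\nSubject: lunch\n\nSee you at noon\n"

if __name__ == "__main__":
    db = make_optin_db(["alice@example.org"])
    print(route(db, ["Alice@Example.org", "bob@example.org"], SPAM))
    print(route(db, ["Alice@Example.org"], HAM))
```
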



