Race's BCP/blacklist Proposal (was Re: Principles of Spam-abatement)

[Nathaniel Borenstein <nsb@xxxxxxxxxxxxx>]

The problem with this kind of proposal is that it punishes too many of 
the wrong people.   I myself was the victim of a blacklist for most of 
last year; my ISP was blacklisted by another ISP, and they spent 6 
months arguing about it, during which time all my email to users of the 
other ISP was blocked (although they kept helpfully telling me that I 
could always switch to using *them* as my ISP).

In essence, a blacklist cuts users off from some subset of the Internet 
based on the conclusions of some ISP or other "authority" with which 
the user has no relationship at all.  At best, this says that users are 
guilty until their ISP is proven innocent.  At worst, it is -- as I 
suspect it was in my example last year -- a weapon for nasty 
competition among ISP's, with one ISP using blacklists to try to lure 
customers away from another by denying them services and blaming their 
ISP.

An analogy: Imagine you live in a town with two newspapers A and B, and 
you subscribe to newspaper A.  Newspaper B announces that newspaper A 
is doing something really bad (say, murdering children to use their 
blood as ink) and starts going around town picking up all of A's 
newspapers as soon as they are delivered, on the grounds that they are 
"bad communications" and deserve to be blocked.  Newspaper A denies all 
charges, and you believe them, but you still can't receive newspaper A, 
and you're not very amused by newspaper B's attempts to get you to 
subscribe to their paper as a replacement.

I understand that part of the motivation of this approach is precisely 
to enlist a rogue ISP's own users to convince it to clean up its act.  
As the draft says, "some abusive managements listen attentively to 
their own customers while serenely ignoring the shrieks of their 
victims."  But any scheme that distributes judgment and enforcement 
(the "who is a rogue" question) to each individual ISP so lacks 
accountability as to empower each ISP to act as a vigilante, denying 
due process to the allegedly-offending ISP while punishing the 
certainly-innocent users of that ISP.

One man's blacklist is another's denial-of-service attack.  Denial of 
service is not the answer in a world where it's so hard to assure that 
the correct people are being punished.  -- Nathaniel

On Mar 2, 2004, at 11:30 PM, Dr. Jeffrey Race wrote:

> John, your summary distils a lot of hard work but is deeply troubling,
> because it is constructed entirely on a "make the victims pay"
> foundation.  As long as that is your stance, then sure it is so that
> "Spam . . . will remain a long-term battleground".   However it is
> just NOT so if the community will change its stance to that which
> society uses (successfully) in every other area of human interaction
> beside the internet: make the perpetrator pay.    A number of us have
> given this a lot of thought to come up with a practical solution which
> requires no new technology and no new legislation.   It has been
> proven to work within hours.
>
> Those interested may view an interim document (comments welcome) at
>
>  <http://www.camblab.com/misc/univ_std.txt>
>
>    based on
>
>  <http://www.camblab.com/nugget/spam_03.pdf>
>
> I grind my teeth every time I read a summary like yours because while
> the lemmas are true, the conclusions are contrary to reality and
> contrary to everything known about human behavior.
>
> Jeffrey Race
>
>
> On Tue, 2 Mar 2004 19:32:00 -0500, John Leslie wrote:
> >   I'm planning to post a summary to the MARID-planning list mentioned
> > elsewhere in this thread -- hopefully before 5:00 pm Korea time.
> > I expect there will be a proto-WG mailing list declared by the close 
> > of
> > the MARID BoF at 11:30 Thursday (Korea time). I recommend the 
> > discussion
> > continue there.
> >
> >   The current draft of what I will post follows:
> >
> > =============================== cut here 
> > ===============================
> > On the <ietf@xxxxxxxx> mailing list there has been discussion of
> > Principles of Spam Abatement. This is a brief summary of principles
> > which _may_ have consensus of that list. I accept full responsibility
> > for editing errors and misunderstandings.
> >
> > - All communications must be by mutual consent.
> >
> > - The spam problem starts with freely accepting mail from strangers.
> >
> > - Spam is and will remain a long-term battleground and it needs 
> > serious
> >  effort to counter.
> >
> > - Every mail message carries a practically unforgeable token: the IP
> >  address of the SMTP client.
> >
> > - It is pointless to erect some expensive Maginot Line and pretend it
> >  will solve the problem.
> >
> > - There is not and can never be a hoop low enough to pass all human
> >  strangers but exclude spammers' computers.
> >
> > - If you want more of something, subsidize it; if you want less, tax 
> > it.
> >
> > - Spammers need scale because they get a very low return. Therefore,
> >  part of the solution should be to deny scalability to spammers.
> >
> > - If we can communicate to the sender (without adverse side effects)
> >  that a message is discarded, then occasional false positives aren't
> >  as much of a problem.
> >
> > - If you reject the message during the SMTP session you don't need to
> >  generate a bounce message, the other side will do this.
> >
> > - Errors returned after the close of the SMTP transaction are likely
> >  to go to an innocent party; and should be deprecated for any email
> >  identified as spam.
> >
> > I also recommend perusing the summary of principles expressed on the
> > Next-Generation Mail <mail-ng@xxxxxxx> list at:
> >
> > http://www.cs.utk.edu/~moore/opinions/user-visible-email-ng-goals.html
> >
> > --
> > John Leslie <john@xxxxxxx>