
Re: Ian Jackson, please get me the hell off your blacklist.



On Mon, Apr 03, 2000 at 12:56:11AM +0100, Ian Jackson wrote:
> I think you are being hypocritical.  You complain when other people
> post their opinions and discussions of this topic with you, yet you
> post your own diatribes here.  Since your request to keep the
> discussion to private email seems insincere I shall answer you here.

I've explained why I posted the first message in this thread -- I wasn't
sure I could successfully send mail to your machine.

Since then, I have merely followed up other people's remarks, if I felt
they misunderstood my position.

It is you who felt compelled to CC our argument to the submitter of every
bug I closed, an act I consider more intrusive than CC'ing a mailing list.

The people who submitted those bugs needed to know why I closed them.

They did not particularly need to hear you lecture me about your mail
system.

> Also, I object to your misleading characterisations of my position and

I don't recall that I have done so; please cite a reference.

> highly tendentious phrasings in your complaints.  They are not helpful

Perhaps "tendentious" bears a connotation of which I am not aware, but I do
not see how making remarks that are consistent with my perspective is
particularly problematic.

> for constructive debate and I respectfully suggest that you tone it
> down.  As I said in private email, I understand that you're angry, but
> please stop acting out.

I'm less angry about SAUCE being sassy with my mail now than I was before,
but since you continue to resort to logical fallacies to proclaim the value
of the DUL, I can't say that I'm distinctly less upset.

To wit:

"Paul Vixie approves of the DUL" is not a valid reason for adopting it.
Last I checked, Paul Vixie handled the MAPS project generally but delegated
management of DUL to Gordon Fecyk (IIRC).  We can presume that Paul Vixie
approves of DUL on principle, but because someone may be an expert in cron
and name service doesn't necessarily translate to a similar level of
expertise in good mail transport practice.

"Lots of other people use DUL" is not a valid reason for adopting it,
unless DUL's value is derived *solely* from the fact that other people
use it, and thus promotes interoperability.  In fact, DUL is designed to
reduce spam, not to be popular, and it actually has detrimental effects on
some hosts that follow various RFC's regarding SMTP connections.

"Statistics show that DUL generates few false positives" is not a valid
reason for adopting it unless these statistics are available for analysis
and critique, and we know that the data were gathered under well-controlled
conditions.  Jason Gunthorpe's statistics for the Debian mailing lists --
while I don't know how well they were controlled -- seemed to indicate that
the number of false positives was indeed significant.  So it is possible to
make statistical conclusions that cut both ways with respect to the
efficacy of DUL -- and that means that we either need better statistics, or
must abandon quantitative analysis as a means of determining the value of
DUL.

For an explanation of why the above are invalid logical arguments, I refer
the reader to any introductory level book on rhetoric or critical thinking.

> The problem is caused by the existence of spam, because it means that
> there are people who are trying to send mail to us whose mail we
> definitely want to exclude - and these exclusions are essentially
> political rather than technical and sometimes have false positives or
> mean that certain kinds of apparently harmless behaviour end up
> forbidden.  This leads to the kinds of heated debates we've seen here.

I don't understand why you feel the need to qualify "harmless" with
"apparently".  Is it your position that the sending of non-spam mail from a
dialup host is in fact harmful?  If so, please support that position with
an argument that doesn't refer to DUL (to do so would be circular
reasoning).

> It seems obvious to me that we should try to balance the negative
> effects of spam (and other kinds of abusive or broken mail) and the
> inconvenience of people having to change mail configuration or
> whatever to make the mail get through.

To achieve a "balance" acceptable to the corpus of the project is likely
going to require some kind of democratic approach, and involve compromise.
I have seen no evidence that DUL advocates are willing to compromise.

There might not be much in the way of middle ground to reach on this issue;
there are people who believe it is acceptable to deliberately impede the
transmission of e-mail that isn't spam, and there are those who don't.

It is well and good for each person to make this decision for his or her
own mailbox -- but blacklists are typically configured at the MTA level,
which means that people can unwittingly become subject to blacklists that
they wouldn't otherwise employ.

> Instead, we should argue each issue on merits in a constructive way,
> in terms of its costs, benefits etc.

Keep in mind that bounced non-spam mails are a special kind of cost that
directly detract from the benefit.  It is not an auxiliary cost, like CPU
cycles or RAM consumed -- but rather a "cost" that reduces the bottom line
benefit directly.  It is, in effect, like a shopkeeper deliberately turning
business away; it is not like his utility bills or payroll expenses.

> It seems to me that the case for the MAPS RBL and the MAPS RSS are
> pretty well established; they have very low false positive rates, and
> are generally careful about who they include.  With the RBL, of
> course, you could even say that it's unethical to financially support
> a spam-haven ISP.  It's true that being (or mailing via) an open relay
> - the criterion for RSS - is not necessarily evil in itself, but it
                                               ^^^^
> makes it very hard to distinguish legitimate from spam mail, and in
> general we are all I think agreed that in today's Internet open relays
> are a problem which needs to be removed.

Where did "evil" come into this?  I thought you were going to do an
economic cost/benefit analysis, not a moral one.  Otherwise you're not
really making much of an improvement over the folks shouting about
"rights", a tactic you identified as counter-productive.

> I won't go into the DUL here, because that's a very contentious issue
> and would be too much to talk about in this one message.  I'll send
> another message with my view on the DUL.

Well, where's the cost/benefit analysis?  It's not in the other message,
either.  Just the three logical fallacies I described earlier.

> Branden's complaint is about the fact that for the first three hours
[...]
> the `450' message and became upset.

I suppose you're hashing through all this again on the mailing list because
of my inflammatory subject line.

So, for those keeping score, either in private mail to iwj or to this
mailing list, I:

1) Acknowledged that a bounce message was not received;
2) Acknowledged that the mail was ultimately delivered;
3) Acknowledged that I overreacted when closing the bugs from senders at
chiark: "I plead guilty to behaving somewhat inappropriately, albeit in a
fundamentally non-damaging and reversible way.  If you think I should be
somehow disciplined for this action, you know who to talk to." (iwj
reopened the bugs, except for one that had been fixed for years anyway, and
so stayed closed).

What do you want, a retraction?  Fine:

Ian Jackson, I'm sorry I said I was on your blacklist when I wasn't.  I
misunderstood and overreacted.

Though I won't be surprised if before long I end up in your killfile. :-/

> Branden claims:
>  Individual users must twist themselves into [a] pretzel [...]
>  to satisfy SAUCE [.]
> This is simply false.  Individual users have to do nothing at all.

You're right.  Let's s/individual users/system administrators/ and
restore what you eliminated with brackets:

"System administrators must twist themselves into one pretzel to satisfy
the DUL, another to satisfy ORBS (where you can be blacklisted by
association, not for doing anything wrong on your own box), a third to
satisfy SAUCE (where the concept of blacklisting has been turned on its
head and you must qualify for a "whitelist" before it deigns to listen to
you).  I'm sure the list will continue to grow as certain individuals find
the measures of all of the above insufficient."

If they don't have to do anything special to avoid being rejected by SAUCE,
fine.  They still may fall victim to blacklists *despite no spam mails ever
having been originated or relayed by their machine*.  That is the
phenomenon to which I object.  That is why I agree with your statement (far)
above that said we should get some standards in place.  A mail
administrator needs to know what to expect, if his SMTP connections are to
be turned away and he *knows* he's not contributing to the Internet's spam
problem.  If we absolutely have to hack away at the poor unwashed
unfortunates on dialup and/or dynamic IP's by refusing to let them send mail
generally, then let's get it in an RFC.  Tell them they can't do it in an
accepted standards document.  You and Craig Sanders think ORBS is
reckless, someone else in Debian (maybe it was Hamish Moffatt) doesn't.
Obviously people who are deeply concerned about spam can have differing
opinions.  This is fine until they impose their differing opinions on other
people in such a way as you can't be sure ahead of time who you're going to
be able to connect to on port 25.

In thinking about this, I have to wonder if it wouldn't be a bad idea to
advertise what anti-spam measures are in place in the response to the HELO
(or EHLO) command, along with the other extensions.  If a host can figure
out what blacklists it is on, MTA's would thus be able to generate their
own bounces without bothering to try and send the mail message.  You might
think this is redundant since real bounces would be sent anyway, but if the
MTA furthermore keeps track of what hosts blacklist it, you can actually
collect statistics about how much mail is being blackholed from the
*sending* site.  What would this accomplish?  It would give us those lovely
statistics on false positives that are so troublesome to otherwise
determine.

After all, the RBL and DUL don't bother to look inside the mail sent from a
host and see what it is -- spam or otherwise.  The *sending* host is in a
much better position to track the information about false positives.

I've snipped most of the rest of Ian's critique of me because I figure he
feels the need to joust back at me and re-establish his place in the Debian
dominance hierarchy.  Okay, Ian, I give.  You can belittle people better
than I can.  Uncle.  Since I've now acknowledged the fact that I
overreacted multiple times, once privately and once publicly, please let
me know when you're done.  By the way, the time you've spent compelling me
to slink away like a whipped cur I could have spent writing up that
proposal for a Debian Procedures manual.  Since you know I'm a
pathologically defensive person, why not leave me alone for a bit and let
me get back to work? :)

> (The message `Irritated' does really mean something here.  It's to do
> with SAUCE's teergrube function.  If SAUCE needs to issue an SMTP
> error response, it will pause for a little before actually sending the
> error response.  It remembers for each calling IP address how many
> errors it has been sending recently, compared to successful responses
> and successful message deliveries, and calculates a delay for each
> error response - or in extreme cases each response of any kind -
> according to a complicated formula.  This has a number of benefits.
> For example it prevents address-testing/harvesting by spammers.  Some
> sending systems will immediately retry the same failed request, and it
> prevents these infinite loops from spinning out of control.)

The subjective issue of humor aside, do you suppose there is *any* possible
non-anthropomorphic term that could communicate the same message?  Do we
*have* to have "cute" messages like "ecstatic", "pleased", "irritated",
"angry", and "furious"?  Is SAUCE freely licensed?  Maybe I could package
it for you and replace these words with terms more descriptive for people
like myself with thick skulls and thin skins...

Finally, I note that your teergrube appears weighted towards negative
assessments -- unless there's another "happy" state you haven't mentioned?

-- 
G. Branden Robinson            |    A celibate clergy is an especially good
Debian GNU/Linux               |    idea, because it tends to suppress any
branden@ecn.purdue.edu         |    hereditary propensity toward fanaticism.
roger.ecn.purdue.edu/~branden/ |    -- Carl Sagan
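
The teergrube behaviour described in the quoted paragraph above (a per-IP memory of recent errors versus successes, a pause before each error response, and in extreme cases a pause before every response), sketched as an added example that is not part of the original message and is not SAUCE's code. The decay half-life, weights, thresholds and the mapping of scores to the mood labels are assumptions; the message only says SAUCE uses "a complicated formula".

```python
import math

# Mood labels are the ones quoted in the message; the score thresholds
# attached to them here are assumptions made for this example.
MOODS = [(-2.0, "ecstatic"), (0.0, "pleased"), (3.0, "irritated"),
         (8.0, "angry"), (math.inf, "furious")]


class Teergrube:
    """Per-IP tarpit: recent errors raise the delay, successes lower it."""

    def __init__(self, half_life=600.0, step=2.0, max_delay=120.0,
                 delay_all_above=8.0):
        self.half_life = half_life              # seconds for a score to halve
        self.step = step                        # seconds of delay per score point
        self.max_delay = max_delay              # cap so a session cannot hang forever
        self.delay_all_above = delay_all_above  # "extreme cases" threshold
        self.state = {}                         # ip -> (score, time of last update)

    def _score(self, ip, now):
        score, last = self.state.get(ip, (0.0, now))
        # Exponential decay toward zero so only recent behaviour counts.
        return score * 0.5 ** ((now - last) / self.half_life)

    def record(self, ip, ok, now):
        """Note one response sent to ip: ok=True for success, False for an error."""
        score = self._score(ip, now) + (-0.5 if ok else 1.0)
        self.state[ip] = (max(score, -4.0), now)   # bound the stored goodwill

    def mood(self, ip, now):
        score = self._score(ip, now)
        return next(name for limit, name in MOODS if score <= limit)

    def delay(self, ip, is_error, now):
        """Seconds to pause before sending the next response to ip."""
        score = self._score(ip, now)
        # Well-behaved callers are never delayed; non-error responses are
        # delayed only once the caller is past the extreme threshold.
        if score <= 0 or (not is_error and score <= self.delay_all_above):
            return 0.0
        return min(self.max_delay, self.step * score)
```

Because the score decays, a sender that stops generating errors drifts back to an undelayed state without any operator action, while a client that retries a failing command in a tight loop is slowed further on each attempt.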
