Spam Control Considered Harmful

I am worried about the tools we are developing and deploying to control

Some of them are essentially centralised methods of controlling Internet
content.  Paul's anti-spam feed for instance prevents users of some
providers from seeing spam.  The user has no choice; they cannot opt to
receive spam other than by switching to another provider.  Even worse:
they may not even be aware that they are "missing" some content. 

Combatting spam is considered a Good Thing(TM) by almost everybody here,
including myself.  However the same technology could just as easily be
used to do Bad Things(TM).  Even worse: if it works it demonstrates that
*centralised control* of the content of Internet services like e-mail is
*feasible*.  This will give some people ideas we may not like, and
sometime in the future we may ask ourselves why we have done this.  The
end does not always justify the means.  I hope that methods like the
anti-spam feed will not be taken up widely.  Please consider the
consequences before you use them. 

I stress that I do not question the morality or good intentions of those
involved.  I am just concerned about the almost ubiquitous and
apparently unreflected zeal that spam seems to evoke and the danger of
it making us accept methods we would otherwise despise.  I would prefer
to see more work in technology that is less centralised and gives the
users a choice of the content they wish to see.  Yes this may be harder
to do, but the consequences of deploying the easier methods may be just
too severe. 

Waehret den Anfaengen (beware of the beginnings)


PS: I hope this is more coherent than my contribution at the meeting
yesterday when my brain failed due to jet-lag while my mouth was still
working perfectly ;-).

luser of the day award!

Anyone else get mail from this idiot?

Alan Bechtold ( @ 11/18/1998 12:48 - Original Problem Detail:

Dear sir or madam --

It has come to my attention that your company utilizes the MAPS
BLACKHOLE list to block purported SPAMMERS from sending E-mail to your
system. While the idea might sound good I am writing to inform you that
you will be named in a Federal Lawsuit if you do not CEASE AND DESIST
use of this list IMMEDIATELY.

Here is why:

My company, BBS PRESS SERVICE, INC., designs and hosts Web sites. That's
all we do. We don't sell access to the Internet. We don't sell E-mail
accounts. Besides some E-mail accounts for our employees to use when
contacting our customers, and one E-mail account we use to send out a
weekly newsletter to our customers, we don't generally handle any E-mail
at all.

I am anti-SPAM. I advise all of my 5,000+ clients against the use of
SPAM. Still, two have used it to promote sites we host for them.

Naturally, this resulted in our receiving the usual barrage of E-mails
DEMANDING that we remove the Web sites of the offending parties. Our
attorneys have advised us that it is NOT in our best interest to do so.
Removing the Web site of anyone for something they did OUTSIDE of our
system, even if it was indeed PROMOTING a site hosted on our system,
would in fact expose my company to possible lawsuit from the SPAMMER!

I understand many Web site design and hosting services stipulate in
their contracts that they reserve the right to pull any site if evidence
of SPAMMING is seen -- but my attorneys have also advised me that this
is completely unenforceable in court and wouldn't stand up to a court

I don't know about you but I am totally opposed to being REQUIRED to
take action against anyone for anything they've done outside of my
control. Do we also want to become liable for pulling Web sites held by
anyone who is convicted of a crime...any crime? Wouldn't this lead to
the requirement of background checks, to make sure a Web site customer
has never indeed been convicted of a crime?

The ramifications are tremendous.

Anyway -- I write to anyone complaining about SPAM from a client of mine
(and they do track down the Web site host even if we didn't originate
the SPAM) and inform them of my position.

One person apparently forwarded my reply to MAPS. Even though my reply
states CLEARLY that I am OPPOSED to SPAM, the kind folks at MAPS decided
to add my company's IP to the list anyway. The problem is -- they won't
TALK about resolving the problem. Their "volunteer" hung up on me when I
called, after first being outright surly and rude with me. I tried
E-mailing Paul Vix to tell him to remove my company's IP from his list
but -- guess what -- my E-mail got REJECTED by his system because he
uses the list! I finally got a message through by going through another
provider. Meanwhile Paul Vix has not returned my urgent calls and hasn't
been available on the phone when I do call.

This is causing my company irreparable harm. MAPS' whole attitude and
the way they create their so-called LIST is, because of my case alone,
entirely questionable. And he has left me little choice but to file suit
against Paul, MAPS and anyone associated with the LIST or using it in
their products or on their services.

This is where you come in. I am writing to tell you right now -- cease
and desist from using the MAPS BLACKHOLE list on your service
IMMEDIATELY. I will be including anyone and everyone still using the
MAPS list in my lawsuit against MAPS. Period.

You might also want to contact Paul Vixie and let him know the legal
jeopardy his methods have placed you in. By comparison, the SPAMMERS are
starting to look like the "good guys." I know they're not and you know
they're not but MAPS must end here and now.

I would appreciate your comments and cooperation.


Re: Lawsuit threat against RBL users

OK, given, this guy is a flaming moron, and the original message was
completely out of line. HOWEVER, it seems to me he raises at least one
valid objection. It seems to me, both from his allegations and from the
phraseology of the "Best Practices for Being Permanently Added to the
RBL", that web hosting services are being treated unfairly in the
following circumstance:

Company S(pam) has a web site, hosted on the servers of
web-presence-provider Company P(rovider). Company S uses the services of
Company X to send out massive loads of SPAM, referencing the web
site and even e-mail addresses hosted by Company H. Now, if I'm hearing
what's being said on this list correctly, Company H is being expected to
pull the website they host for Company S (or else be blackholed), _even
though no illegal or spam-generating activity is being generated on
their network_.
Am I understanding this correctly?!?
By this philosophy, it would seem that if I were to host the web pages
of a company which engaged in unwelcome telemarketing (which I
personally find much more offensive than SPAM, and which is no more or
less illegal in most states), I would be under an obligation to cease
providing service to that company!

So, given the earlier threads about annoying UUNET marketing folks,
let's blackhole all mail that comes from UUNET. Oh, and also mail that
comes from anyone who peers with them. And of course any mail that has
to be transported over those evil people's networks.....wait a sec,
why's my inbox suddenly empty, where'd the internet go???

Maybe I'm misinterpreting the policies here, but I didn't hear anyone
disputing the actual complaints of this guy, which can only lead me to
believe that either A) This guy was actually treated unfairly, and has a
valid complaint, or B) Nobody cares enough to say "hey, wait a minute,
there's been a failure in communication, let's see if we can work this

So, what's up, guys? I'd hate to think a great thing like the RBL is
being abused to squash people who we just happen to find annoying.

Version: 3.12
GCS/IT/M/P/S d?- s+:- a17>? C++++$ UBLS++$>++++ P--- L++>+++ E----
W+++$ N- !o K? w@$ !O M-- V-- PS+++ PE Y+ PGP- t+ 5-(++) X+ R+ tv>!
b+++ DI+++ D+ G++ e* h!*>++ r%>++ !y->$

Re: Lawsuit threat against RBL users

1)  IANAL.
2)  This is quote, interspersed with rebuttal.
3)  Although it involves no directly technical issues, it is an operational issue
none the less.  If you doubt it, ask yourself this question:  would you rather
spend your time fixing network problems, or monitoring content and appearing in
4)  This post is somewhat lengthy.

David Stoddard wrote:

>         Based on these statements, I can only conclude you have a huge
>         problem with the capitalistic system, and that you favor the
>         elimination of private property in order to foster your "freedom".
>         That is the same argument Fidel Castro uses on the people he
>         suppresses, and was the common theme among communist countries
>         before the fall of the Berlin wall.  Joseph Stalin shared your
>         views on private property.  I don't.  As a capitalist, I find
>         your ideas offensive and misguided.

As a capitalist, here's something you should find even more offensive and
misguided:  Since you've volunteered to monitor content, the government is likely
to require that you do.  Read further.

>         Paul Vixie and his team of "RBL finks" are to be commended on the
>         excellent job they have done in stopping the poisonous assault of
>         pornographic filth, fraud, and manipulation that spam brings to
>         people everyday.  And for people that want to take the RBL even
>         further, we provide a list via autoresponder at
>         that blocks even more of this crud.  And here is the best part --
>         it's up to the FREEDOM of the individuals that use these resources
>         to determine if and how they want to use them.
>         There are no "inalienable rights and freedoms" that give spammers
>         unrestricted access to the Internet.  Even the courts have upheld
>         the right of ISPs to block and filter spam -- see the URL

Of course they did.  Think about it.  You just volunteered to monitor content for
an industry which the government is busy wringing its hands over.  The intrinsic
difficulty in analyzing packet-switched traffic for violations of the law has
stymied law enforcement agencies ever since the Internet became an issue.  That
doesn't play well on the nightly news, when the blubbering-mother-of-the-week
pisses and moans on TV about how her precious little Johnny got kidnapped,
buggered, and slaughtered by some cretin "on the Internet" who knows how to use
IRC and was able to give her kid a plane ticket while she was busy watching
"Jerry Springer" reruns instead of asking what the hell her kid was doing on the
computer.  "Sorry, it just isn't possible to do anything about it, we don't have
the capability to monitor it" isn't what the general public wants to hear, and
the LEAs and politicians have been tying themselves up in knots over it.

About this time, along comes a Crusade, one which is worthy of legend. On the one
side is Spamford Wallace and his crew of misbegotten miscreants, and on the
other, Paul Vixie and his band of righteous merry men.  (I have chosen Spamford
and Paul as the figureheads for their respective movements, actual history

So Paul decides that, to battle the forces of Spam, he shall create a list of
those who sin against the Internet at large, and propagate it to others.  Both
these points are important.  If Paul wants to play God with his little corner of
the Internet, no problem.  Unfortunately, he's not going to be able to step down
from that position on a whim.  (Ain't that a bitch - Crusaders can't stop
Crusading because their feet get tired or because they're getting shot at.  Aww.)

What does this mean?  The next time something originating from or coming into
Paul's network is deemed offensive, a waste of money/bandwidth/time/etc,
unethical, or any other negative adjective, it will not be the U.S. Government
who is put in the position of regulating it - it will be Paul.  You see, Paul has
assumed the position of "Being On Top Of It".  Even if Paul doesn't feel that
way, even if he feels that regulating that particular content will be detrimental
to the Internet at large, even if he strenuously objects and says that "it's not
his job", he will be put in that position, because _he volunteered for the job_.
Precedent will have been set, and although IANAL, I know enough about the law to
know that precedent is a bitch to break with.  The government and regulatory
agencies will simply allow and "encourage", through the promise of jail time,
copious fines, and multimillion dollar civil lawsuits, "self-policing" of the
Internet by the administrators, all the while wiping the sweat from their brow
and congratulating each other on having dodged another bullet.

In addition, when the system fails - and as I and all other sysadmins know, all
systems fail - it won't be the U.S. Government on the hook for screwing it up.
It'll be you, because _you volunteered for the job_.

Oh yeah.  The other important thing - pick up "Paul" and put down your first
name, because everyone who subscribes to the RBL will be doing exactly the same
thing.  There's a reason that the phone companies are common carriers - it's
because it relieves them of a massive amount of liability.  The telcos do some
things right on occasion, ya know.

This is not to say that I believe that spam is a Good Thing, or that the RBL is a
Bad Thing.  I hate Spamford for what he has wrought, and I believe that the RBL
is a natural and necessary response to it.  I do, however, suspect that the
trouble that Spamford and his ilk have caused, which has long since been dealt
with, is nothing compared to the trouble which has now been assumed by the
sysadmins and network operators.

Congratulations.  The Chinese have a saying about being careful what you wished

>         If you want to use your time and resources to foster and promote
>         the activities of people that prey upon society at large, go right
>         ahead -- that's "freedom", and it is your "right" to do so.  I have
>         always found it interesting that the people that scream the loudest
>         about their rights do it in the context of denying others their
>         rights.  As an ISP, I have the right to choose.  And I choose not
>         to do business with spammers.

I wonder if you'll be so cavalier when the blubbering-mother-of-the-week is busy
suing your arse off for not protecting her little kid from:
a)  pedophiles
b)  bomb-making instructions
c)  satanic song lyrics
d)  pork (the other white meat)
e)  Chevrolet
f)  anything else deemed offensive.

Tell me, what would you "choose" to do should one of your customers send back,
stapled to their usage contract, a list of content they find objectionable and
ask you to filter it?  Suppose you can't, don't, or won't?  How about if you
screw it up and some gets through?

Power comes with responsibility.  Responsibility carries with it liability.  Are
you prepared to assume the liability that comes with "choosing" to selectively
block content?

Szechuan Death, AKA Theron Bair, sysadmin, net tech, student, etc.

Black Hole Vixie/RBL

Paul A Vixie <> writes
+ The RBL team and I are kind of wondering what to do about some spam
+ we got. Because blackholing NSI would be of operational concern to a
+ lot of you, I've decided to ponder this question out loud:
+ >Technically, this is an opt-out customer-relationship spam.
+ >
+ > I think it is a special case, because _there is no where else to go_.
+ >
+ > should be RBL'ed, IMHO.  Help me.

 Mr. Vixie and his cohorts increasingly
 imagine themselves to be the final and
 ultimate arbiters in matters of Network
 integrity. Having them sit in judgement
 over the Black Holing of successive and
 alleged perpetrators violates numerous
 protections and freedoms all citizens

 It is my opinion that these activities
 have reached their zenith and something
 should be done to finally Black Hole
 Vixie/RBL should they continue on their
 renegade mission of uncontrolled and
 arbitrary censorship. Maybe it is time
 to pull the plug on the ultimate plug
 pullers, black hole the black holers!

 Bob Allisat

 Free Community Network _ . _

Re: Black Hole Vixie/RBL

BBBZZZTTT yourself. Blocking email is an interception under the ECPA (18
USC 2511 et al).  It has been reported here previously that 

1)  The ECPA was amended to apply to email.

2)  A US attorney has stated that ISPs who define their service to include
mail filtering for their customers implicitly have their customers'
permission to do so, as required under the ECPA.

Those who don't have permission would be in violation of the ECPA were they
to block email.

So as twisted as his writing and perhaps his thinking is, Bob is
essentially right on that.

You, as usual, are unequivocally wrong.

Perhaps you also can quit wasting our bandwidth.


>*BBBZZZZTTT*, wrong answer, thank you for playing.  Prevention of email
>delivery is not interception.  Nor is there reading of your private email,
>or any of the other horrible crimes against humanity that so many envision.
> Unlike the USPS, if you don't like your ISP's email policies, you are free
>to go elsewhere.  Your argument has no basis in legal, moral or ethical

           Plain Aviation, Inc        

Re: surge in spam email (fwd)

>I think if *everyone* stood up at once and declared that open relays
>were bad for us all then there wouldn't be too much trouble because
>there'd be nowhere for frustrated customers to jump to!  ;-)

Ya know, Greg, if everyone in China jumped off a 12 inch stool
simultaneously it'd cause a tidal wave which would sweep over the
entire United States.

Or maybe not.

But it's not worth losing sleep over.

I'm not really trying to be too sarcastic, but I think your world-view
of what the net has become is anachronistic and the idea that some
project like ORBS is going to harass every open-relay in the world,
every workstation capable of forwarding mail for example, into
behaving better is at this point in time kinda like the Chinese
footstool tidal wave (is that from Dr Strangelove? whatever.)

No, we need a legislative approach, with some technical support to
help increase the likelihood that spammers who break the law will get
caught. But first it has to be illegal, or else it's all for naught.

Put it this way: I consider my house locked up even if I do have glass
windows, and even if glass is rather easy to break.

If it were legal for a person of ill intent to break the glass to get
into my house to rob me the first approach would not in my mind be to
board up all the glass unless I really lived in some mad max anarchy.

I'd first want to see it made illegal to break into my property.

Then, with reasonable diligence, I can enjoy the sunshine and spend my
time and money on more important things than trying to engineer it so
it's impossible to break in.

Or at least I can do the cost/benefit analysis from the situation
where it's illegal to break in, rather than just a stupid cat and
mouse game as we're currently playing with spammers most of the time.

      The Walrus and the Carpenter
      Were walking close at hand;
      They wept like anything to see
      Such quantities of sand:
      "If this were only cleared away,"
      They said, "It would be grand!"

      "If seven maids with seven mops
      Swept for half a year,
      Do you suppose," the walrus said,
      "That they could get it clear?"
      "I doubt it," said the Carpenter,
      And shed a bitter tear.

        -Barry Shein

Software Tool & Die    |          |
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*



My name is Sabri. I'm just another dude involved in internetworking and I
work for a small isp in The Netherlands.

I am concerned. Concerned about people and companies who think they are in
the position to be net.gods and for political reasons destroy the free
character of the internet.

In the history of the internet, people have been trusting each other. On
the lower technical levels, great things like peering have been developed.
At the various IX'es, commercial and non-profit companies exchange
information about each others routes using BGP4 and various other routing

In my opinion, announcing a netblock using BGP4 is making a promise to
carry traffic to a destination within that netblock. If you feel that
parts of that network are against your ethics or AUP, you should not be
announcing such a netblock. If you do so, you will make a promise which
you do not fulfill.  That is not a nice thing to do in a world which is
based on trust and agreements between parties.

I was shocked to find out that one of the larger transit providers (which
the company I work for buys transit from) is actively violating the trust
it has been given by the internetworld. is blocking a host in UUnet IP
space. After finding out about this we notified in The Netherlands and
asked what it was about and requested them to stop announcing the netblock
if they would continue to nullroute the host involved. After various
contacts about this matter, answered with the following statements
(according to the salesdroid it came from Paul Vixie himself):

> --> this tester is part of a /16 belonging to
> uunet, and sends traffic which is in violation of our AUG.  we
> complained to uunet without any effect.  if we have blocked access
> from this /32 to our backbone, we are within our rights.

After this mail, we contacted again. They basically told us it
was for our own protection because that traffic from that host does not
comply to their AUP. We specifically told them we really don't mind them
blackholing that host but *announcing* a route for it. So far no response.

More information and logs on

/*  Sabri Berisha
 *  CCNA, BOFH, Systems admin Linux/FreeBSD

Re: net.terrorism

> Subject: Re: net.terrorism 
> Date: Tue, 09 Jan 2001 04:37:37 -0800
> From: Paul A Vixie <>
> 	[...]
> why are we discussing this on nanog?

Well, it sounds like an operational issue.

As described in the original post, a group is disrupting Internet
connectivity to some destinations to achieve certain policy objectives.
This has a number of adverse implications.

o	Policy-based "disconnectivity", like any other source of 
	connectivity problems, makes the Internet appear less reliable
	and less predictable to the end user.  Only a relatively
	sophisticated end user can differentiate broken connectivity
	caused by policies from other sources of connectivity problems.
	Adding yet another cause of difficult-to-diagnose connectivity
	problems hardly seems like a good thing.

o	Whatever the official marketing literature may say, the
	effectiveness of routing-based disconnectivity is generally
	based to a large extent on inflicting pain on third parties.
	That is, if the policy-based disconnectivity causes enough
	pain to enough people, then the originating network or ISP will
	have an incentive ("be forced") to remove the activity that violates
	the policy.  This basic strategy hardly seems like a good thing.

o	Policy-based disconnectivity techniques would appear to set a bad
	precedent.  That is, this activity tends to legitimize the use
	by ISPs of black-hole routing to enforce various acceptable use
	policies.  To the extent that the network community endorses
	black-hole routing as an acceptable tool for enforcing anti-spam
	policies, the technique is more likely to be applied in the
	enforcement of other policies.  For example, French courts could
	conceivably decree a policy-based disconnectivity solution to
	protect users in France from auction sites selling Nazi memorabilia
	(i.e., Yahoo).  (After all, if the technique is acceptable for
	relatively minor social ills like spam, then surely it is
	acceptable to use it for more significant social problems). German
	courts could conceivably require German ISPs to black-hole foreign
	"hate" sites.

	(By the way, I believe that a number of prominent organizations
	have taken stands against the filtering based on content of certain
	foreign sites by some totalitarian countries.  I don't think these
	organizations are saying that it is wrong to filter based on
	political content, but OK to filter on, for example, less-political
	content such as spam. )

	I believe that legitimizing the use of "disconnectivity" techniques
	(whether they are routing-based or filter-based and whether they
	are "voluntary" [voluntary to whom?] or mandatory) to further
	policy objectives is a really bad thing.

It is not altogether obvious to me that the cure is not worse than the
disease in this case.



