North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: AOL scomp
> From [email protected] Sat Feb 26 13:42:19 2005 > Date: Sat, 26 Feb 2005 10:27:40 -0500 > From: Rich Kulawiec <[email protected]> > To: [email protected] > Subject: Re: AOL scomp > > > On Fri, Feb 25, 2005 at 01:34:21AM -0600, Robert Bonomi wrote: > > Because the recipient *expressly* requested that "all mail which would reach > > my inbox on your system be sent to me at AOL (or any other "somewhere else"). > > I have three somewhat-overlapping responses to that -- and I'll try to > stay focused on operational issues, since this is NANOG, not Spam-L. > (But if you to delve further into this, I would suggest shifting the > discussion there, as it's probably more appropriate.) > > 1. SMTP spam is not mail. "Spam -- it's about _consent_, not *content*." If I, the forwarding system operator have the _consent_ of the mailbox owner on the destination system to forward messages to him, they are *not* spam on _that_ system. This *is* a separaate issue as to whether or not they are spam _on_the_forwarding_system_. Yes, the forwarding system should do everything "reasonable" to suppress spam from (a) reaching the local inbox *or* (b) being forwarded, if the customer has requested mail forwarding. If the recipient has a problem with receiving the forwarded message, he should complain _to_the_FORWARDING_system_ about it. *NOT* to the destinaiton system. > So while the end user on some remote system may have in fact said > "send me everything, including the spam" (although this seems very > unlikely) How about various 'spamtrap' mailboxes, auto-forwarded to a central location for "further processing"? <evil grin> > > This means that every such message from the 'forwarding' system to the > > destination system is, BY DEFINITON, "solicited". The mailbox owner has > > expressly and explicictly requested those messages be sent to him at the > > receiving system. > > This is a definition of "solicited" which is wholly at odds with that > in common practice for the last few decades. By your definition, > the victim of a mailbombing attack would have somehow "solicited" that > abuse merely because they have a forwarding alias on your system. NOT AT ALL. It *IS* 'unsolicited' on _my_ system. It is *not* unsolicited at the final destination system. Questions/complaints/help-requests should be sent *TO*ME*, not to the destination system. He's *MY* customer, too. I've got an incentive to 'make things right'. > I'm not having any. UBE (the proper definition of SMTP spam) doesn't > magically become not-UBE just because it gets forwarded by somebody. Suppose my user "manually" forwards a 'spam' message to an account of his on another system. And then _forgets_ that *he* did it. And reports it to *that* provider as spam coming from my system. Is this _my_ fault? IS spam originating from my system? Should I terminate this user for 'spamming'? > It's still spam, and anyone sending/forwarding it is personally > responsible for their choice to do so. "It's about *consent*, not _content_." Want to try to deny that the recipient _consented_ to the forwarding from his other account? It is _not_ 'unsolicited' (the first word of UBE / UCE) on the destination system. It *may*well* be 'unsolicited' at the system where the customer has the forwarding mailbox. Complaints should be directed to *THAT* system operator, *not* the operator of the destination system. Note: I *agree* that "anyone sending/forwarding it is personally responsible fortheri choice to do so." The person that *made* that choice -- to forward that message -- however, is _the_customer_; the 'owner' of mailbox on the 'forwarding' system, *and* the 'owner' of the mailbox on the destination system. If "my customer" (in his identity on the receiving system) reports "my customer" (in his identity on _my_ system) as sending spam, should I terminate him from my system? After all, he's identified _himself_ as the spammer. > (Yes, I realize that it's not possible to achieve perfection, but that > isn't an excuse for failure to keep trying, continuously. It's not > difficult to block 90% of spam using simple, free measures that rely > entirely on open-source software and freely-accessible data. There's > thus no valid excuse for not doing at least that much -- today.) Yup. Keep it from getting to the point it 'would' get to his inbox, and it won't get forwarded, either. But, if it _does_ get through, the recipient should be complaining about it _to_me_, not to the operator of the destination system.