Are we looking for solutions, or just ranting? (was Re: Comcast and SORBS)

[rlk at alum.mit.edu (Robert L Krawitz)]

   Date: Fri, 26 Nov 2004 10:57:22 +0900
   From: Derek Martin <invalid at pizzashack.org>

   On Thu, Nov 25, 2004 at 06:19:40PM -0500, Bob George wrote:
   > Derek Martin wrote:
   > 
   > > [...] As we have seen, this apparently doesn't solve the problem.
   > 
   > Then I'm confused as to what the problem IS. 

   In broadly stated terms, the problems is that individuals are being
   restricted from running their own Internet services (specifically
   e-mail, but the argument applies to other services too, where for
   example incoming HTTP ports are being blocked, etc.) without paying
   exhorbitant fees (i.e. buying business-class service) for the
   privilege to do so, through the actions of large corporations with
   the finacial resources and market share to effect this.  These
   business practices are unfair, and consumers should not tolerate
   it.  Businessess exist to provide PEOPLE with services.  But they
   have come to think of the relationship in reverse; people exist to
   provide THEM with a revenue stream.  We have allowed them to think
   this way by being apathetic.  We should not tolerate this in our
   society.

   > Rich's original post 
   > referred to SORBS tagging of dynamic IPs. 

   This is what started the thread, but it is only part of the
   problem.  Big companies like AOL block IP ranges seperately from
   SORBS.  It is the same issue, even if it is not exactly what Rich
   posted originally.

You're raising multiple disjoint issues here, but lumping them all
together into a single complaint:

1) ISP's that forbid their customers (you) from running servers (where
a "server" is defined as something that listens for connections, such
as a web or ftp server).

2) ISP's that block outbound traffic from their customers (you) on
certain ports (i. e. forbid you from running certain types of clients,
specifically MTA's that can connect to any site on the internet).

3) ISP's that block certain inbound traffic from reaching their
customers (you).

4) ISP's that block your traffic from reaching their customers.

5) ISP's that refuse to accept certain inbound traffic altogether from
you.

6) ISP's that refuse to allow you to receive certain inbound traffic.

The first two are business matters between you and your ISP.  The
others are only business matters between you and your ISP to the
extent that your ISP blocks traffic inbound to you, but your complaint
seems to be about other ISP's who block your traffic from directly
accessing their customers.

   > Even if your ISP allows outbound SMTP (Rich's does I believe),
   > others may well blacklist such ranges. Like it or not, that's how
   > it is. Any solution will have to contend with this reality at
   > some level.

   It doesn't have to be.  As consumers, we do have some power; but
   only if enough consumers care, and complain.  Getting people to
   care is the hard part.

You're not a customer of AOL, so there's very little business reason
for AOL to listen to you.  If you have a problem with AOL's practice
in this regard, you need to get AOL's customers to object to this
practice, which I suspect will be difficult, since AOL sells itself as
an easy to use service that emphasizes blocking spam and other
nasties.  They're not likely to care in the least that you have to
route your mail through your service provider.

   > > [..] It shouldn't be. E-mail is becoming just as important a
   > > means of communication as the telephone; the ISP should not
   > > have the right to block the sender just because they don't like
   > > their net address block, just as phone companies can't block
   > > incoming calls from their competitors (or for any reason,
   > > AFAIK).
   > 
   > But of course an individual can refuse calls from whoever they like. 

   Indeed, and individuals can and should be able to run their own
   spam filters to dump e-mail from people they don't want to
   communicate.  In my opinion, the ISP should not be performing this
   role on behalf of people.  Yes, it saves spam...  But some people
   WANT that spam as testified to by the fact that it actually does
   generate a considerable amount of revenue.  Ultimately the decision
   of who can deliver mail to be should be left up to me.

What about customers who *want* their ISP to perform this role (which
I suspect is the large majority of private individuals in the world)?
Should they be denied this service because *you* want the ability to
choose a different way of transmitting your mail?  Even Speakeasy,
which emphasizes individual responsibility and network freedom, offers
this service to their customers.

Consider someone with a 28.8 modem connection who on a good day gets 2
KB/sec throughput.  If that person receives 50 spam messages totalling
200 KB per day, then not counting protocol overhead it would require
over 3 minutes per day just to download these messages (protocol
overhead would likely at least double, if not triple, this).

In complaining about your freedom being abused, you're ignoring (if
not outright asking to trample on) the freedoms of others, who choose
ISP's on their ability to filter out spam, and who would welcome more
stringent technical measures to filter it out.  You do note that "the
decision of who can deliver mail to [m]e should be left up to me" --
people who subscribe to AOL have made that decision for themselves,
namely they want AOL to police this.

   This is one of many reasons I want to run my own mail server.  It
   gives me that.  If I WANT to run with SORBS, I can.  If I don't, I
   don't have to.  As it happens, I don't, because SORBS blocks mail
   from legitimate people, some of whom I happen to want to
   communicate with.

Fine, so use Speakeasy, which doesn't do any of this and is more than
happy to let you do whatever you please as long as you don't do
anything stupid or nasty.  If other ISP's block you from connecting to
their MTA's...well...you're not their customer.  The problem here
appears to me that you're demanding that other ISP's and their
customers play by your rules, which perhaps they don't want to do.

   > > [...] Percentagewise, I'm sure that's true, but that doesn't mean it
   > > should be impossible.
   > 
   > Again, many DO seem to be running their own servers from dynamic IP 
   > addresses. The actual problem Rich cited is that others -- whether 
   > fairly or not -- have deemed it a likely source of spam. Protestations 
   > of unfairness are likely to fall on deaf ears. That doesn't mean that 
   > there is nothing that can be done, but of course, it may cost or not be 
   > particularly "convenient" to do so.

   You're right.

   One way that it could change is if there were enough of us who want
   to run our own server, making noise.  There are many reasons why
   people don't want to run their own mail server (lack of knowledge,
   time, etc.), but ideally I think there are also many reasons why
   people SHOULD want to run their own server:

This has nothing to do with running your own *server*.  It has to do
with running your own *MTA*, which is a very different beast.  I run
my own SMTP (and IMAP) server to serve my internal home network (I
prefer to run an intranet rather than using NAT).  It only accepts
connections from my internal network, so it doesn't look like a server
externally.  However, I deliver my outbound mail by sending it from my
MTA to Speakeasy's; it really doesn't interfere with anything
particularly interesting I care to do.

    - It gives you more control.  You can, for example, choose to use
      SORBS, or not.  LIkewise with any other measure/feature which
      requires control over the server.  Another example is advanced
      filtering/sorting using something like procmail.

You can do procmail just fine without running an externally-visible
server, much less an MTA that does actual delivery.  A much better
example would be running mailing lists on your own domain.

    - It is definitely more private, regardless of what the nay-sayers
      say.  Using your ISP's mail server gives them unrestricted access
      to all your communications, which they can do anything they want
      with, without your knowledge.  If you run your own server, 
      your ISP can still capture packets, but there's not a lot of
      incentive to do this.  It's harder, and requires more work.  Plus
      as I've said, if you and all your friends enable STARTTLS, your
      communications will be encrypted, and your ISP can't do much about
      that.  PGP is a more sure-fire way to deal with this problem, but
      it may not be available to all users (it may be to hard to use, or
      to learn, or it may be illegal, etc.).  This is not perfect
      privacy, but it's a lot better than giving your ISP unrestricted
      access to your communications.

With all due respect, I think you're deluding yourself here.  This is
basically security through obscurity, and you're both smart and
experienced enough to know that that doesn't hold up.  If your ISP
gets a subpoena, they'll capture your packets.  If they really want to
know what you're discussing with a competitor of theirs, they'll tap
any packets addressed to that competitor.  If they're specifically
trying to watch for customers doing something that looks like they're
trying to hide something, they may be *more* inclined to tap all
packets going to port 25 than watch mail being sent through their
servers.

Sure, you can encrypt the connection, but you can just as well use
PGP.  If it's hard to use or hard to learn...if you really want the
security, you and your friends will learn how to use it.  Since that's
a perfectly good workaround (and is more robust), it doesn't seem like
a particularly strong argument.

    - It is usually faster.  Your own server isn't clogged up with
      messages for a bazillion other users.  If you're on a fast link,
      your mail comes right to you, and arrives immediately.

Perhaps, unless you're the victim of a DoS of some kind.

    - You are not dependent on your ISP's mail server.  If theirs goes
      down, you still get mail.  Of course, the down side is, if yours
      goes down, you're SOL until you fix it.  This can be mittigated
      by partnering with a buddy and running relays for eachother.

Fair enough.

Against this is the fact that if your server barfs on the floor in
certain ways, they may have to clean up after you.

   > If find it strange that the ability to send unprotected SMTP is seen as 
   > any great protection of one's freedom, and that energy is expended 
   > arguing that it is. 

   I have given several reasons why it is.  I have also stated that
   opportunistic emcryption can be used to protect your communications
   effortlessly.  If you and the people you communicate with all have
   their own servers set up this way, you don't need PGP, which is, quite
   frankly, generally quite difficult to use.

But far from completely unusable, which puts this more in the
convenience than the necessity.

   > This thread seems to have become a rant-fest rather than any
   > effort to coordinate a solution to this, and related problems. If
   > that's the intent, fine.

   Here's my proposal: Go to your ISP and demand that they allow you
   to run your own mail server.  write e-mail and letters to all the
   companies you know of which block e-mail based on netblocks.
   There's no need for them to do this; there are other methods they
   can use which will not penalize legitimate users.  Finally, write
   to your comngressman to demand that ISPs start acting more fairly.

Blocking off certain netblocks is a very resource-efficient way of
blocking a lot of the spam sent out by zombies -- much more so than
running SpamAssassin or the like, which requires substantial
processing on each message.  AOL processes billions of messages per
day; if blocking dynamic and other home IP's from sending email cuts
off half of those, that's a lot of compute power (and therefore a lot
of money) they don't need to expend.  You're basically asking them to
spend a tremendous sum of money (and therefore have to raise their
prices) so that a tiny number of people can do the same thing they
could do otherwise, but in a way that they prefer for their
convenience.

   I've spelled out the problem, and the reasons why it is a problem,
   as clearly and completely as I can think how to.  I've provided a
   potential long-term solution, which will almost certainly not cmoe
   to pass, because people only worry about unfair business practices
   when they feel directly affected by them, and most people just
   don't care about running their own server.  The numbers just don't
   add up.  But I hope you will not think that I'm just ranting; I
   really want to change this, though I'm not hopeful.

   I'm open to other suggestions, so long as the end result is that I
   can use my PERSONAL mail server at reasonable, PERSONAL prices, an
   not be arbitrarily blocked for no good reason.  But it seems like
   it will require legislative changes.

As far as legislation, do you really want to open that can of worms?
You're far more likely to wind up with legislation that *requires*
ISP's to block outbound SMTP traffic, or that adds even more onerous
wiretapping requirements, or the like.  The Supreme Court has already
ruled that freedom of speech does not forbid the government from
mandating the do-not-call list for telemarketers; people have a right
to be left alone in the privacy of their own homes.  If they want to
delegate this to their ISP -- and my guess is that the vast majority
of people, even with all of this explained would want to do precisely
this -- that's their right.

-- 
Robert Krawitz                                     <rlk at alum.mit.edu>

Tall Clubs International  --  http://www.tall.org/ or 1-888-IM-TALL-2
Member of the League for Programming Freedom -- mail lpf at uunet.uu.net
Project lead for Gimp Print   --    http://gimp-print.sourceforge.net

"Linux doesn't dictate how I work, I dictate how Linux works."
--Eric Crampton