AOL now rejecting mail from Comcast residential IPs.

Jason Stephenson jason at sigio.com
Mon Mar 31 12:09:12 EST 2003


Jeff Kinz wrote:
> On Mon, Mar 31, 2003 at 12:37:49AM -0600, Thomas Charron wrote:
>>Since when is forcing an SMTP server to accept your mail a punishment?
> 
> It isn't.  What's happening here is that hundreds, possibly thousands
> of people who do NOT have open relays cannot use a standard internet
> protocol in the standard, approved fashion. Twenty years of internet
> policy are thrown away because AOL/comcast are lazy.

No. You can still send them mail. You just must use another method. They 
aren't being lazy. (See my previous mail.)

>>What you are saying is basically that the use of an SMTP server is now a god 
>>given right, along side freedom?  
> 
> 
> No - but proper cooperative behavior - which includes freely exchanging
> email, is part of the basic nature of the internet and has been for over twenty
> years.  It is a fundamental characteristic which makes the internet
> so valuable and useful. If it is abridged the entire Internet is damaged.

Yes, and the entire Internet is damaged by the flood of spam and 
undeliverable email messages that are sent every day. Right now, there 
is no way to police this other than rejecting IP ranges and installing 
imperfect spam filters. I would argue the Internet is damaged more by 
spam than by having a few IP blocks restricted on some mail servers.

> And this is not some vague, theoretical damage.  Take a look at 
> "at Home in the Universe" by Stuart Kauffman or "The collapse of chaos" by
> Cohen and Stewart.  The specific emergent characteristics of the internet are
> completely dependent on the uncensored nature of the flow of information on
> the internet.  An entity as large as AOL can actually damage that flow 
> and in so doing will lessen the internet, eventually causing great harm.

Perhaps they would actually damage the Internet if they were a *real* 
part of the Internet. As it stands now, they are a gated community in 
one of the Internet's suburbs. They are not Grand Central Station or 
I-95. The only people that will truly be harmed by AOL's decisions are 
their customers. Their customers have choices. They can leave AOL, and 
apparently many are. For some people, AOL is basically just training 
wheels for the Internet. Other people like the services that AOL 
provides and they choose to stay.

As for emergent behavior, what I learned in AI class was that emergent 
behavior is the appearance of intelligence in a larger system composed 
of many agents each acting in their own self-interest or according to their 
own programming. They are not programmed to cooperate in any particular 
manner, though they may be allowed to interact in many diverse ways. By 
imposing this rule upon AOL, "thou shalt accept mail from all IPs," you 
are actually imposing an artificial restraint upon the system. You're 
interfering with the emergent behavior of the 'net more than is AOL. 
AOL, as even the small part of the 'net that they are, is participating 
in the emergent behavior of the 'net. Their decision to block IP 
addresses is just a part of that behavior.


> 
> Furthermore - AOL's decision doesn't fix the spam problem.  It just pushes
> it somewhere else.   Let's really fix the problem.  Let's implement an SMTP
> protocol that contains embedded PGP Authentication.  No more casual anonymity.
> 
> (Real anonymity has a purpose and will still need to be available through
> anonymous email gateways which are PGP authenticated)

Anonymity has a price. Identity has a price. You can't have it both 
ways. I understand why you want PGP authentication on mail servers, it 
makes sense. However, PGP would then have to be tightly integrated into 
the 'net and most 'net applications, not just email. Most folks seem to 
have problems with the relatively simple protocols that we have now. 
Adding a layer of PGP at this point would simply complicate things 
further. It also opens up the possibility of real identity theft, because 
it would build a false sense of security among Internet users. I believe 
most people's keys would soon be compromised simply because they chose 
lousy pass phrases. Even at U.K., where we gave everyone with a computer 
a handout on passwords and many even got a lecture, most passwords on 
the system were joes. Anything that relies on passwords and pass phrases 
for security is inherently insecure.

Getting into real security is a huge topic, but I don't really think it 
is possible on a computer network. One-hundred percent security (if you 
can measure it at all) isn't possible anywhere at any time. On the 
'net, I don't think you could get security even approaching 5%. No, I don't 
think IPV6 will help. I don't think you can architect a publicly 
accessible network that would have any kind of security on the whole. 
There may be isolated pockets that are relatively secure, but the 
majority of it will be like life, wild and free and open. [All right, 
I'm drifting way off-topic.]


>>It's not the spammers here.  It's the open relays that spammers USE.  It's the 
>>people who relay.
> 
> 
> So is comcast scanning for Open Relays and shutting them down/getting them
> fixed?   No - they are implementing a policy that harms more innocent 
> parties than guilty parties

Well, you signed their TOS, or at least agreed to it when you signed up 
for service. If you didn't like it, you should have sought out an 
alternative. One could argue that "no servers" means "no server 
protocols." IOW, don't use your computer as if it were a server, even 
though it isn't.

> 
> Do we take away everyone's car because drunk drivers use them too?

Actually, I think we should take everyone's car because, in my 
experience, most people are incapable of operating them safely. Also, 
statistically speaking, automobiles are involved in the deaths of more 
people in the U.S. (and likely in the world) than any other man-made 
device, including firearms. Whether folks are driving drunk or not is 
irrelevant. I do believe that the last time I checked, more people are 
killed by unimpaired motorists than by those who are.

>>Again, you're not being put in jail.  They're saying, "I don't want you 
>>calling me".  Tell me..  Anyone here have a caller ID block on unknown numbers?
> 
> 
> But I am not an unknown number - all my mail comes from kinz.org.  I am
> available to be held accountable for my emails. 
> (And I have been, believe me :-)  )
> 
> At the very least AOL should accept SMTP from registered domains.  I can
> understand not accepting it from semi-anonymous dynamically assigned IP's.

Ah, yes, but see my previous message. You are probably in violation of 
your ISP's TOS for registering a domain on their IP block. To most 
people's thinking that constitutes running a server. It's the only 
reason you'd want to do so.

> 
> 
>>I'M BEING REPRESSED!  I'M BEING REPRESSED!
> 
> (Come see the violence inherent in the sys-admin!  :-)
> (http://www.userfriendly.org/cartoons/archives/99mar/uf000427.gif)

I prefer BOFH. It's closer to how we sysadmins actually feel.
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=BOFH&btnG=Google+Search


> 
> 
> 
>>>Yes it works for companies, but then companies are entities that make 
>>>conscious, well informed decisions to let people die because the
>>>cost of the lawsuits is calculated to cost less than changing a design
>>>defect that left the gas tank filler neck of the Ford Pinto just a 
>>>wee bit too short.  I don't think we want to follow that kind of lead
>>>as an example of principled behavior.
> 
> 
>>Oh my GOD man.  They rejected your SMTP email.  Shesh.  Since the protocol has 
> 
> 
>   :-)  I'm not comparing the magnitude of immorality in the Pinto decision to
> AOL decision to block residential IP's.  I'm saying it's the same KIND of 
> thinking,  "We don't care who gets hurt, we are maximizing profit". 

Ah, yes, but AOL and its customers would be hurt if they didn't make the 
decision that they made.

>>.... Since the protocol has 
>>no built in method of authentication, this is the best they can do.  You can 
>>either eat spam, or do something like this.  Period.
> 
> 
> Hmmm - I don't eat spam - I use Bogofilter.
> 
> So let's change the protocol!  

Well, there's no way to change it that would truly be effective, if you 
ask me. Whatever authentication method you use will be broken before 
long. You will simply increase the stakes, and thereby make a more 
attractive target for spammers. You'd also create a new class of 
criminals who have broken whatever authentication scheme you've created. 
There would be a black market for cracking tools, and most people can't 
be trusted to operate their computer responsibly, so adding another 
layer of responsibility on them will not help the situation, it will 
only make it worse because now there's another potentially exploitable 
layer, but now that layer is somewhat trusted, so the stakes are higher 
and the prize is even more attractive, and the outcome of it being 
broken more catastrophic for the system and for the individuals in the 
system.

I think of the war on drugs as a good example. The law enforcement 
approach simply exacerbates the problem. Study the history of 
Prohibition for what I'm talking about.

>>>The reason AOL is blocking 
>>>those IP's is it's easier than actually blocking the spammers.
>>>But it's wrong.  It breaks the internet, a little bit and begins 
>>>the whole kit and kaboodle sliding toward the day when all email
>>>and web services MUST go through an AOL/ISP approved node.  
>>
>>They are blacklisting addresses of known open relays.  They are refusing to 
>>deliver pizza to an area where people are known to allow attack dogs to freely 
>>roam the streets.
> 
> 
> Again - that doesn't fix the problem.  It allows it to grow and get worse.

It might, but it is a good short term policy. Perhaps, if the people who 
live in that neighborhood get so pissed at not being able to get their 
delivery pizza, they'll do something to get the drug dealers out. (Don't 
get me started on drugs and U.S. policy, 'cause I won't stop.) People 
are responsible not just for themselves, but for the places where they 
live. If you don't like your neighborhood, you can move or take positive 
steps to change it. Nobody said that life would be easy.

>>>That must never happen but all the large ISP's would like it to.
>>>Does anyone think that AOL would never try to act like some of the other
>>>large monopolistic companies?
>>
>>Could very well be.  But this is one move that, while being annoying as all 
>>hell, is a viable attempt to securing something.
> 
> 
> It "secures" a huge block of innocent people's internet nodes.  Just to get 
> relatively few poorly secured systems.  How about we sue the hell out of the
> people who have open relays and get it well publicized?  
> 
> "Gee - if I don't take care to make sure my system can't relay mail it could
> cost me thousands of dollars?  I'd better do something!"  I wonder if Norton
> has a $35 tool for this? (from the brain of a Wintel PC owner)"

This will never happen. People and organizations do things all the time 
knowing that they could possibly be sued or could suffer catastrophic 
losses. Witness all the people who use Microsoft software, particularly 
Outlook. Witness all the companies that blatantly break the law, and get 
away with it. People have the "it will never happen to me" attitude. 
They always think they'll catch the other guy, or it will happen to 
someone else and not to themselves.


>>You know..  The same reason why some here always include their PGP signature 
>>to validate identity?
> 
> 
> Or some don't because it's not yet widely enough participated in to be
> worthwhile.  It needs to become a mandatory part of the mail transport 
> protocol.

No, this actually makes things worse. (See above and see my previous 
message.) Perhaps, I should sit down and write a little think piece 
expressing my thoughts on the matter.



