AOL now rejecting mail from Comcast residential IPs.

Jason Stephenson jason at sigio.com
Mon Mar 31 13:02:33 EST 2003


Jeff Kinz wrote:
> On Mon, Mar 31, 2003 at 11:24:01AM -0500, Jason Stephenson wrote:
>>they must block ranges from the lists. Why? 
> 
> No they don't have to.  They decided to based on costs.
> They can dynamically block individual IP's

Look, if an IP is on a "dialup list," that implies it will change every 
time a computer connects to the net. This is how most dialup, cable and 
residential DSL connections work. AOL has no way of "dynamically" 
blocking spamming IPs from a given net block. They can run filters that 
check each mail as it arrives, but this is expensive. It is more 
efficient just to say, we've gotten spam from IPs in this net block. The 
net block owner says they're dynamically assigned, so let's block 'em all.

> So because AOL isn't smart enough to deal with spam in an automated cost
> effective fashion it becomes OK to harm people who haven't done anything 
> wrong.   Nope - fails the integrity of principle test for me.

It's not a question of being "smart enough," it's a question of 
technology and resources. If you really know of a way to selectively 
block IPs from a dynamic net block, then by all means share the source 
code and enlighten the rest of us.

They are dealing with it dynamically. I'm sure they're running spam 
filters in addition to IP blocking.

BTW, from what I can tell AOL doesn't run sendmail. They use their own 
MTA that bridges between SMTP and their internal email protocols.

>>As someone that has had to deal with spam on a daily basis (I helped 
>>admin the mail server for the College of Engineering at the University 
>>of KY), I understand completely where AOL is coming from on this, and if 
>>I were in their shoes, I'd  most definitely do the same thing.
> 
> 
> If I were in their shoes I would use a Bayesian filtering system 
> that would automatically block individual IP's that are spamming.

We did that. CoE at U.K. runs SpamAssassin or did when I left in July. 
What the filters don't catch are undeliverable messages, which are 
usually but not always spam.

>>It's not a punishment. It's a business decision. AOL decided that they 
>>can't afford to filter spam from this IP block, so they simply block 
>>them all. It makes perfect sense.
> 
> Only if you believe it is OK to damage (even slightly) innocent parties.

You aren't being damaged. You can still send them mail. (You're starting 
to remind me of my two-year-old daughter when she can't have a cookie 
because she has to eat her lunch first.)

>>You do have choices. You can switch to DSL with an ISP who will allow 
>>you to run servers, and whose IPs are not on a blacklist or a dialup 
>>list. Then you can connect directly to AOL's SMTP servers and spam them 
>>all you like. If you can't get DSL where you live, then you can move. 
>>You could also pay for a T1. You could use your ISP's mail server. You 
> 
> 
> Fine. I'd like to get a T1 - since I can't afford it I assume that you have
> volunteered to pay for it correct?   Just saying that somebody has a choice
> doesn't mean they actually have that choice.  

No, I said some of the choices aren't viable. I never said you could 
afford a T1. The opportunity to get one is there, and that is all that 
matters. You have the freedom to make choices within your circumstances. 
If you don't like the choices that your current circumstances offer, 
then you must change your circumstances.

> On the other hand I suppose I could sue AOL for any costs/loss I incur
> from moving to a place where I can get an unblocked connection.  It's a 
> stretch but I'll bet Johnnie Cochran could make it work.
>    "If it's a bit, you must transmit!"  :-)

Ha! That's funny.

Sure, you can sue, but you'd lose. AOL has no obligation to you, none 
whatsoever. They are not a common carrier nor a public utility, neither 
is the Internet as a whole.

>>have plenty of choices, though not all of them may be viable depending 
>>on your circumstances.
> 
> And for many people none of them are viable.

True, but the choices are still there.

> 
> 
>>>Caller ID blocking is fine, as it represents the individual making a
>>>choice whether or not to receive those calls.  It is NOT ok for the
>>>service provider to make those decisions on behalf of all its
>>>customers.
>>
>>Actually, phone companies may have that right. They've never tried it.
> 
> Any phone company that arbitrarily decided to not let your call go thru
> would be severely fined.  That is already well established.  

Yes a phone company is a "common carrier." The Internet is not currently 
under any common carrier restrictions. It is a collection of private 
networks that agree to transmit messages among each other according to 
certain protocols. The Internet is not your phone company.

>>Fact is, though, we aren't talking about phone service, we're talking 
>>about email. After all, I'm free not to answer my phone, and when I 
>>don't the phone company's cost of that call is practically nil. If AOL 
>>has to accept spam from every open relay on the net, then there is a 
>>definite economic cost in bandwidth, disk space, and administrator 
>>overhead. Most undeliverable messages have to be manually removed from 
>>the queue. At U.K., we'd spend a couple hours a week doing this for a 
>>mail server with 6,000 users. I imagine it's a full time job for a dozen 
>>or so people at AOL with several million customers.
> 
> 
> Yikes - my undeliverable mail goes right to /dev/null, after appropriate
> filtering.  
> (a script automatically adds those individual IP's to my firewall)

If AOL did this, then it would not help your situation if your IP is 
truly dynamic. Billy Bob gets the IP on Tuesday, spams AOL and that IP 
gets blocked. On Wednesday, you can't send mail to AOL because the IP 
address is blocked.

Besides, you can do that for one person, or a handful. When you have 
6,000 accounts and a responsibility to those users, you need to check 
that undeliverable to see if there are actual, valid recipients that 
might need to see it. It's a question of policy. You can enforce your 
policy on your machines, and I was responsible for enforcing the 
college's policy on their machines. AOL is enforcing their policy on 
their machines.

> 
> 
>>>Or you can go after the spammers.  Which is the only right way to go
>>>about the problem.  Make spamming not worth the potential gains.  Fine
>>>the bastards for every spam sent.
>>
>>I'm not even going to touch this. There are actually more effective 
>>solutions. Law enforcement solutions are reactionary and generally 
>>counterproductive. It's better to just block IPs and work on improving 
>>spam filter software. Better user education is also required to help 
> 
> 
> Neither of these things do anything to effectively stop spam.  They just
> improve the local situation.

Perhaps. But the Third Law of Thermodynamics definitely applies here. You 
may improve a local situation but you've increased the chaos in the 
total system, and gotten us that much closer to the heat death of the 
universe, in this case the collapse of the Internet as a viable 
communications medium. Whether that's good or bad may depend upon your 
point of view.

>>We've already had a discussion on why PGP 
>>signatures don't really provide this level of proof (check the 
>>archives), but still that's how many people use it. Signatures are 
>>really only valid to "prove" that you actually did send this particular 
>>message, they can't be used to prove that you didn't send another
>>message.
> 
> 
> Asymmetric public key encryption signatures can be used to certify
> that you did send a given email and can be used to prove you didn't send
> another one. If PGP cannot do this then another technology should be
> used.

Only if you're a good faith actor. It cannot prove that you didn't send 
a message that appears to come from you that isn't signed. You can argue 
that you didn't send it, that it was forged, but you cannot absolutely 
prove it.

Trouble is there is no technology that can do it. Technology is only a 
tool, actually the forging of art or skill with science or knowledge. 
Any tool can be abused, misused, broken, modified, or put to a use other 
than that for which it was intended. There is no foolproof technology.

The only proposals I've seen in the area of spam reduction so far raise 
more issues than they solve to my mind.
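
Added example, not part of the original message: a small deterministic simulation of the trade-off argued above, comparing a receiver that rejects a whole dynamic net block with one that blocks individual addresses after spam is seen from them. The address pool, the daily lease rotation and the one-spammer customer mix are all constructed assumptions, not data from AOL or Comcast.

```python
from dataclasses import dataclass

POOL = [f"198.51.100.{i}" for i in range(1, 9)]  # constructed dynamic pool (TEST-NET-2)
SPAMMER = 0            # customer 0 sends spam; customers 1..7 are legitimate


@dataclass
class Tally:
    spam_accepted: int = 0
    legit_accepted: int = 0
    legit_rejected: int = 0


def lease(customer: int, day: int) -> str:
    """Hypothetical lease model: every customer moves to the next address daily."""
    return POOL[(customer + day) % len(POOL)]


def simulate(policy: str, days: int = 8, ttl=None) -> Tally:
    """policy 'netblock' rejects the whole pool; 'per_ip' blocks an address
    after spam is seen from it, for ttl days (None = forever)."""
    blocked_on = {}    # ip -> day the receiver saw spam from it
    tally = Tally()
    for day in range(days):
        for customer in range(len(POOL)):
            ip = lease(customer, day)
            if policy == "netblock":
                rejected = True
            else:
                seen = blocked_on.get(ip)
                rejected = seen is not None and (ttl is None or day - seen <= ttl)
            if customer == SPAMMER:
                if not rejected:
                    tally.spam_accepted += 1   # content filter still has to scan it
                    blocked_on[ip] = day
            elif rejected:
                tally.legit_rejected += 1
            else:
                tally.legit_accepted += 1
    return tally


if __name__ == "__main__":
    for name, kwargs in [("netblock", {}), ("per_ip", {}), ("per_ip", {"ttl": 1})]:
        print(name, kwargs, simulate(name, **kwargs))
```

Under this model the per-address list never stops the spammer's next connection, because the lease has already moved, while the customer who inherits the address is the one rejected; the net block rule stops the spam connections and rejects every legitimate sender in the pool.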



