Re: Why I don't want my data in "The Cloud"

[David Farber <dave () farber net>]

Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: July 22, 2010 10:55:38 AM EDT
To: Dave Farber <dave () farber net>
Cc: "David P. Reed" <dpreed () reed com>, "Patrick W. Gilmore" <patrick () ianai net>, Paul Vixie <vixie () isc org>
Subject: Re: [IP] Why I don't want my data in "The Cloud"

> The idea was supposedly that if an MTA didn't take responsibility for
> spam passing through it, it would be *punished* by shutting it down.

This, and most of the rest of this rant against the hard-working
volunteers who've done the heavy lifting to keep email working in an
environment where in excess of 9X% [1] of all SMTP traffic is abuse,
is well off-target.

System and/or network administrators don't possess the ability to
shut down others' outbound MTAs, whether or not they're problematic.
If they *did* have said ability, then surely they would have done so
and bypassed not only the tedious work of compiling the requisite data,
maintaining the publicly-available resources in face of concerted and
sustained attacks, and enduring the baseless accusations and occasional
legal or violent threats spewed by spammers and their colleagues/supporters.

But they don't.

What system and/or network administrators *do* possess is the ability
to grant or revoke access privileges to others.  They're not required
(except in special cases such as public government sites) to provide
SMTP, or HTTP, or SSH, or FTP, or DNS, or any other services to the
Internet at-large.  They may furnish these, or revoke them, for any
reason they wish -- or merely on a whim, although I trust it's obvious
why such whims are rarely if ever indulged.

Many people don't grasp this: they're so accustomed to the concept
that every resource on the Internet is just a click away that it never
occurs to them that absent a governmental obligation or a contractual
agreement, they're NOT entitled to these: every single one is a courtesy,
a privilege furnished to them by the generosity of those providing it.
And those graciously providing these services are not required to continue
extending their generosity in the face of abuse; they may restrict use
of the resource or withdraw it entirely or take other steps to forestall
that abuse.

And if they choose to take any of these countermeasures, is anyone
"punished"?  No.  Is anyone "damaged" -- another term often mistakenly
applied -- when this happens?  No.

They were never entitled to these resources in the first place.

Only the fatuously self-important have the audacity to assert some claim
over the private resources of others.  They are no more "punished" or
"damaged" than if they're turned down for a date, or refused entrance
to someone's home, or passed over for a giveaway. [2]

It's not only a best practice to deny services to abusers, it's
counterproductice (to say the least) to do anything else.  Everyone with
sufficient experience in the field knows that rewarding abusers by
continuing to indulge them will not only result in more local abuse,
but will empower and encourage them to engage in more global abuse.
(We know this not only by direct observation over a period of decades,
but we also know this because abusers have been noted discussing this
very point in formerly-private conversations.)

One of the parts of the unwritten social contract that allows the Internet
to function is the rule that says that everyone is responsible for what
their operation does to everyone else's operations.  Not in a content
sense, not in a political sense, but in an operational sense: every system
adminstrator is personally responsible for any abuse that emanates from
their hosts; every network administrator is personally responsible for
any abuse sourced from their network.  Responsible operations staffed by
capable people make it a point to proactively address this and thus are
rarely, if ever, the sources for major abuse incidents of long duration.
On the hand, some irresponsible operations not only fail to address this,
but actively support, encourage and endorse abuse -- since it's quite
profitable -- and are thus chronic, pervasive sources of abuse. [3]

There is no reason for the former to continue supporting, facilitating
and underwriting the latter.  It was never a good idea, and now both
the risks and the costs have become so enormous that it's a terrible idea.

The latter's clients/customers may find thus their privileges restricted
or revoked: this is a good sign that they've made a poor choice of service
provider, a choice which they're free to correct or not as they see fit.
But 100% of their complaints about such matters should be addressed
to their provider, because that's where 100% of the underlying problem
is located.

---Rsk

[1] Pick your "X".  Some published studies cite an X of 0 or 5, but
discussions among those of us who do a lot of work in the anti-spam
field suggests that something like 8 or 9 is likely more accurate.
Whatever the the number really is, it's clear that the ratio of SMTP
abuse to legitimate traffic is already somewhere in the ballpark of
100:1 and still increasing.

[2] Nor are they, as is sometimes incorrectly claimed, "censored".
There is no requirement for the rest of the Internet to expend the money
and other resources to furnish a free soapbox to anyone.  And should a
speaker (as they ought to) spend *their* money and resources to provide
their own, there is no requirement that the rest of the Internet listen.
Moreover, abuse != speech -- or as I like to put it, spam and other
forms of abuse are not speech, just as a brick with an attached note
thrown through a window is not publication.

[3] See, for example, McColo -- unfortunately only one example out
of many.  Discussions on anti-spam, anti-phishing, and security mailing
lists encompass many others on a routine basis.




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4
Powered by Listbox: http://www.listbox.com