Ramblings about MAPS and the RBL

I used to work for the Mail Abuse Prevention System (MAPS). They maintain, among other things, the Realtime Blackhole List (RBL).

The MAPS RBL is a list of Internet sites. On this list are sites that have sent spam, assisted people who sent spam, benefited from spam, or been listed due to other, generally related criteria.

People use the list to block mail from sites on the list. By people, I mean the people that run ISPs or networks or companies. The folks in charge of the mail servers.

In other words, anybody who uses the MAPS RBL specifically chooses to do so. If you block mail from sites on the RBL, it's because you configured your server to do so. MAPS doesn't have the ability to step in between your site and some other site; MAPS has to be invited to assist in refusing that traffic.

As somebody who worked for MAPS, obviously I believe in the right of people who own networks and ISPs to block traffic from wherever they want.

But the fact that ISPs and companies take the advice of MAPS on whom to accept mail from, often without review of individual listings, makes a lot of people mad. At the least, it is difficult for people to grasp the details of implementation that define the RBL. They assume that MAPS is actively interfering, as a third party, with their ability to mail various sites.

That causes two problems. Lunatics and lawsuits.

First, people who are angry at being listed on the RBL and fail to grasp the concepts behind how a list like this works often put up web pages detailing the great MAPS conspiracy, and how it involves everybody back to and including Lee Harvey Oswald.

Second, some of the organizations that have been listed know that the legal precedents have not been set, and that the technical issues involved can be confusing. Though MAPS has a long-standing claim that precedent-setting lawsuits are one of their goals, it's not clear that this can be accomplished.

Next, MAPS recently changed their usage policies so that if you want to utilize the MAPS RBL, you have to pay, or at least sign a contract. It's my understanding that so many organizations were utilizing the RBL for free, without restriction, and that this was putting a strain on their resources.

You can't blame them for needing to address that problem -- resource allocation for an entity generating little or no income must be a huge problem. However, restricting the usage in this manner has the side effect of reduced usage. Reduced usage of the MAPS RBL means reduced clout to induce listed entities to reform their bad practices. Reduced clout increases the likelihood that an organization isn't going to care about being listed on the RBL.

Combine those problems, ongoing operating costs, and issues of security and trust, and suddenly it's not very clear that something like an RBL can be effective, or last any length of time.

So if the RBL can't do it, or won't be around to do it, what's next?

More info on that later. :-)
