Blast from the past: John Gilmore's open relay

John's a famous guy. A self-described "entrepreneur and civil libertarian," he's probably most recently famous for being the guy who challenged the government over requirements that you produce ID before you are allowed on an airplane: "In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a "secondary screening," which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules. [He sued, and] the case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search."

There's something else about John that you might not know, however. One of his systems is an open relaying mail server.

What is an open relay, you ask? Wikipedia has a detailed overview, if you're curious. The short version is: internet mail servers used to be available for anyone's use. This was common and expected, until the rise of spam in the 1990s. It came to be that these unlocked open relaying servers were widely abused to send spam. Spammers used open relays to bypass spam blocks and attempt to disguise the actual source of their messages. It was a huge problem for those of us who dislike spam. Many server operators rushed to reconfigure their servers to prevent this type of abuse, and multiple spam blacklists were created to facilitate the blocking of open relaying mail servers that weren't yet reconfigured. Usually the server's admin was simply asleep at the wheel; very rarely did an operator purposely want their server to be used to relay spam.

I've created more than one blacklist myself, and I've helped out with a few other ones over the years. The most widely-used one I created was called the Radparker Relay Spam Stopper (RRSS), which became the MAPS (Mail Abuse Prevention System) Relay Spam Stopper in 1999. We were tracking, and helping people block mail from, open relaying mail servers that had been utilized to relay spam. The thought behind this process was that where one spam was seen, more was likely to follow, and the statistics showed that to be correct. So, I know quite a bit about open relays.

Even way back then, John Gilmore was running one of these servers. On purpose. Spammers have used his open relay server to vector their mail to unhappy end recipients multiple times. Yet, he persisted in running the open relay, because he felt it was his right. It probably is his right, but I am of the opinion that it's also the right of everybody else to block mail from this server because it has on occasion relayed spam, and is being purposely left configured in a state that allows more spam to be relayed through it. I think that's true now -- I'm not personally going to poke at his server and see for myself. But the IP address 209.237.225.244 seems to be assigned to him, and it's currently on the Spamhaus SBL blacklist. Spamhaus's website indicates that this IP address has been identified "mailbombing the full disclosure mailing list amongst others." That's from March 2006, as is this information indicating that "there's another spam run underway" from 209.237.225.244.

I believe that this server could be configured to disallow abuse by spammers, and that John chooses not to go that route. His website rant against Verio (a previous provider who declined to continue to provide him internet access over this issue) says that's missing the point. "The point is that contract terms created by negotiation are fair, but contract terms imposed by blacklisting anyone who won't accept them ("refusal to deal") are a violation of antitrust law, if those who are doing the blacklisting have market power."

So, John indicates that it's a legal issue. John's standing up for his rights, which he's absolutely certain he has, even though he's been blacklisted on and off since at least 1999 and is still blacklisted as of December, 2006. Even though his server is STILL periodically being used as a conduit for unwanted email traffic. I'm not an anti-trust lawyer, but I still think John's in the wrong. He's not being a good net neighbor, and I believe that he's putting his "dammit, I'm right and you can't stop me" attitude ahead of doing the right thing to help reduce spam on the internet.

John's website has a section containing more commentary from him relating to this issue: "If you're a friend and you've tried emailing twice, it's probably one of our mail handling systems. I suggest phoning me. It seems that in the last few years, large numbers of ISPs have started using "blacklists", even the ones that never did before. The blacklisters hate me, so they put me on their lists, even though I have never sent a single spam message. They don't like the way I administer my machine. (I don't like the way they administer their machines either.)"

I take issue with this. I think "the blacklisters" actually hate spam, not him. Most likely they learned about him only due to the receipt of junk (spam, virus or worm) email transmitted to them via his server. Even if they've knowingly facilitated the blocking of mail from his server, I suspect they only start to hate him after a frustrating debate (or Google search) reveals that he runs his server this way on purpose.

I, myself, received reports of spam from the server, back in 1999 or 2000. A quick Google search finds a ton of online discussion about John and his open relay. It also confirms that the server has been utilized to vector more spam in the days since my involvement in open relay blocking, in at least 2002 and 2006.

After years of this, you'd think the point was made. John, declare your victory and configure your server to disallow unauthenticated relay.

Under the US Federal "CAN-SPAM" anti-spam law, it looks to me like ISPs are free to block mail from whomever they choose in their best efforts to stop spam. ISPs use a variety of methodologies, including blacklists, to measure your "sending reputation" and determine whether or not they should accept your mail. I deal a lot with reputation issues in my current job, helping clients clean up and do mail right, so they're not labeled as spammers and blocked. I respect how ISPs handle this -- most do so in a very fair-handed and easily understandable way. Egos are set aside and decisions are primarily data-driven. There's very little hate involved. Maybe what John says was true seven years ago, but since then, there's been a very interesting power shift. In 1999, MAPS held the keys to the inbox. Get listed on their Realtime Blackhole List (RBL) and find 30%-40% of your mail bouncing. Today, the ISP is the greater gatekeeper. AOL, Hotmail, and Yahoo combine to house around 50% of end user mailboxes. They and other major receivers all have different reputation mechanisms, blocks, and filters in place, and they're whom you have to deal with if you're trying to clean up an IP address's reputation. Spamhaus still has a fair number of users, but I suspect John's blacklisting stance amounts to tilting at (mostly crumbled) windmills nowadays.

If mail from John's IP address is still getting blocked by the top tier ISPs, the resolution is so amazingly simple. Modify the server's configuration so it's no longer perceived by receivers as an attractive nuisance. Prevent unauthorized relaying and proxying. Maybe he'll have to reach out to those ISPs and ask for them to check the reputation of his server anew. ISPs would most likely lift the block and that'd be the end of it.

Others have posited that an open relay is a necessary thing to support the roaming internet user. Maybe that was true in the earlier days (note that the date on that defense is from 2001), but nowadays, it's simply not necessary. I'm living proof -- I travel constantly for work and for pleasure. I connect from four different ISPs. I have email addresses at multiple personal domains that I host with various means. Yet, I am easily able to securely relay mail through the authenticated SMTP relays of both my wireless broadband ISP (Verizon Wireless) and my webmail provider (Gmail). Even if SMTP is totally blocked I can use Gmail's web interface to send and receive mail just fine. The geek set has access to free tools and methods like SSH tunneling, the ability to set up their own authenticating SMTP servers, or even installing an open source webmail platform like IMP.
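To make concrete what "open relay" versus "disallow unauthenticated relay" means at the server, here is an added example (my own illustration, not code from this post or from any real mail server) that models the relay decision an MTA makes on each RCPT TO. The domain, network ranges and transactions are constructed for the demonstration; the "554 5.7.1 Relay access denied" response text mirrors the reply a correctly configured server gives. The restricted policy accepts mail only when the recipient is local, the client is on a trusted network, or the client has authenticated (SMTP AUTH), which is exactly how a roaming user can still send through a closed relay.

```python
"""Relay-policy model: an open relay beside a restricted relay.

Added example, not code from the post or from any MTA. All names, domains,
addresses and transactions below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Domains this server delivers for (constructed).
LOCAL_DOMAINS = {"example.com"}
# Client networks allowed to relay without authentication, in the style of
# Postfix's "mynetworks" (constructed; 192.0.2.0/24 is a documentation range).
TRUSTED_NETWORKS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Transaction:
    client_ip: str        # address of the connecting SMTP client
    authenticated: bool   # True if SMTP AUTH succeeded on this session
    mail_from: str        # envelope sender
    rcpt_to: str          # envelope recipient being evaluated


def recipient_domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def open_relay_policy(tx: Transaction) -> tuple[int, str]:
    """Historic default: accept mail for any destination from any client."""
    return 250, "2.1.5 Ok"


def restricted_relay_policy(tx: Transaction) -> tuple[int, str]:
    """Relay only for local recipients, trusted networks, or authenticated users."""
    if recipient_domain(tx.rcpt_to) in LOCAL_DOMAINS:
        return 250, "2.1.5 Ok"                   # inbound mail for our own users
    client = ip_address(tx.client_ip)
    if any(client in net for net in TRUSTED_NETWORKS):
        return 250, "2.1.5 Ok"                   # outbound mail from the local network
    if tx.authenticated:
        return 250, "2.1.5 Ok"                   # roaming user who logged in
    return 554, "5.7.1 Relay access denied"     # anyone else: no relay


# Constructed sample transactions. The third is what a spam relay attempt
# looks like: off-network, unauthenticated, and addressed to a foreign domain.
SAMPLE = [
    Transaction("198.51.100.7", False, "alice@elsewhere.example", "bob@example.com"),
    Transaction("192.0.2.10", False, "carol@example.com", "dave@other.example"),
    Transaction("203.0.113.9", False, "bulk@spammer.example", "victim@other.example"),
    Transaction("203.0.113.9", True, "carol@example.com", "dave@other.example"),
]


def evaluate(policy, transactions=SAMPLE) -> list[int]:
    """Return the SMTP reply code the policy gives each transaction."""
    return [policy(tx)[0] for tx in transactions]


def is_open_relay(policy) -> bool:
    """The usual open-relay check: does an unauthenticated, off-network client
    get its mail to a foreign domain accepted?"""
    probe = Transaction("203.0.113.9", False, "probe@nowhere.example", "anyone@other.example")
    return policy(probe)[0] == 250


if __name__ == "__main__":
    for name, policy in (("open", open_relay_policy), ("restricted", restricted_relay_policy)):
        print(f"{name:10s} codes={evaluate(policy)} open_relay={is_open_relay(policy)}")
```

The restricted policy is the same three-way rule that modern MTAs ship by default; in Postfix, for instance, it is spelled `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`. A server whose policy answers 250 to the probe in `is_open_relay` is precisely the attractive nuisance the blacklists were built to catch.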
