Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/02/20 10:16:47 UTC

Re: Time to make multi.uribl.org optional rather than default?

Matt Kettler writes:
> In general I'm somewhat averse to systems with undocumented or vague 
> policies in SA. Case in point, razor used to be disabled by default due 
> to a rather vague policy about "high volume" use, that didn't really 
> define what that volume was.

+1.

We haven't decided *not* to remove Spamhaus usage from the base ruleset
yet... it just hasn't come up in discussion again.  So nobody should
take the remaining inclusion of Spamhaus as any kind of indication that
we approve of such policies.

--j.

Re: Time to make multi.uribl.org optional rather than default?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2/20/2008 1:01 PM, Andy Dills wrote:

<snipping-warm-air>

> This was way too long but I'm waiting on a couple buildworlds and the more 
> I think about this the more shady it feels to me.
> 

wow, for someone who didn't know URIBL existed, and doesn't see any value 
in it, you sure have a lot to say.

If you go to http://www.uribl.com/links.shtml you may see a few who have 
done a damn lot to keep Uribl.com alive

funny - I don't see Xecunet in that list....

EOT



RE: Time to make multi.uribl.org optional rather than default?

Posted by Robert - elists <li...@abbacomm.net>.
> This was way too long but I'm waiting on a couple buildworlds and the more
> I think about this the more shady it feels to me.
> 
> Good luck regardless,
> ---
> Andy Dills

Andy

Think about it like this... in terms of just your immediate family or
businesses

If you are so overloaded helping others, or doing extra non profitable busy
work, that you cannot do your profitable work and make a paycheck that
provides for you and your family's needs, then is that good prioritization
for your life?

Now, apply that to any network entity or services...

 -rh




Re: Time to make multi.uribl.org optional rather than default?

Posted by Rob McEwen <ro...@invaluement.com>.
Jeff Chan wrote:
> If you think blacklists should be free, then you should set up your 
> own, spend thousands of hours per year on it, undergo constant threats 
> of DDoS or worse, and listen to complaints if you dare to consider 
> being partially paid for your work.
Yes!

And some need to start asking themselves why there is such a huge 
graveyard of very promising DNSBLs that were off to a good start... but 
then suddenly died. There are literally dozens of such DNSBLs that have 
died within the past few years. The reason is simple. Altruism and/or 
that "high" one gets from all the "pats on the back" for their "free" 
DNSBL eventually gets old and certainly doesn't pay the bills... and 
running a high-quality DNSBL is VERY costly, both in terms of personal 
time and resources involved. Risk of harassment and DDOS attacks is very 
real and protecting against these can be costly as well. The time and 
effort involved can suck the life right out of anyone and someone saying 
that this time/effort/resources/risk should always be donated for free 
SHOULD be offensive to people like Jeff Chan, who I personally can 
verify for a fact has donated thousands of hours of his unbillable time 
helping ALL of our spam filters to be better via his efforts with SURBL 
(and elsewhere).

DNSBL operators like Jeff (and others) are NOT the Energizer Bunny!

(BTW - really, more ISPs need to move to RSYNC... and we should ALL be 
running local DNS caching servers)

Rob McEwen


Re: Time to make multi.uribl.org optional rather than default?

Posted by Jeff Chan <je...@surbl.org>.
If you think blacklists should be free, then you should set up your  
own, spend thousands of hours per year on it, undergo constant threats  
of DDoS or worse, and listen to complaints if you dare to consider  
being partially paid for your work.

Jeff C.


Re: Time to make multi.uribl.org optional rather than default?

Posted by Matt Kettler <mk...@verizon.net>.
Andy Dills wrote:
> I just can't parse the logic; the separation between those who should pay 
> and those who shouldn't is based on volume, yet if those who generate too 
> much volume wish to eliminate the traffic entirely...they must pay for the 
> traffic of those who do not hit the arbitrary cutoff?
Query volume = server load and bandwidth = increased costs for the URIBL 
operators. What's so hard to parse about that logic?

It's basically saying "we're willing to give away up to x mbytes of 
bandwidth and x cpu hours per day for free, beyond that, you need to pay 
for the service."


>  At least MAPS was 
> logical in charging those who are for-profit, providing free to those who 
> are non-profit. 
Well, AFAIK you're not a non-profit, you're a commercial ISP, so that 
point isn't directly relevant to your situation. Still, I don't see 
anywhere that says URIBL requires nonprofits to pay, or at least offer 
them steep discounts on data feeds (SpamHaus does the latter). They 
don't exactly have their pricing on their website. AFAIK you've only 
seen their "for profit mid sized ISP with heavy query load" pricing.
> Or take Vernon's DCC project, he provides a value added 
> service to those who pay, not available free to anybody.
Well, not really true. DCC is free for those who contribute back to DCC. 
Your queries to DCC double as volume report data, which is what makes 
DCC work in the first place. So, here by using DCC you're directly 
giving back. DCC is *NOT* free if you try to run a private server that 
doesn't report its statistics back to the public DCC network.
>  What would make 
> sense would be if an RBL charged people who generate more than 500k 
> queries IF THEY DID NOT obtain a data feed and wanted to still query at 
> high volume, perhaps the RBL would provide a special low latency server 
> only queryable by paying customers, which perhaps get the latest updates 
> faster than the public servers.
That doesn't really seem sensible to me. Who wants a "special server" 
for a high volume site? It's a waste of your own bandwidth as well as 
the RBL's. You really want rsync at that point.
>  These arrangements are appropriate and 
> valid from an ethical and logical point of view and charge the appropriate 
> parties a cost-based fee. 
That much makes sense, and the same makes
> Vern is charging for his additional time, MAPS 
> charges those who in theory profit (directly or indirectly) from the 
> filtering, and in the last case the RBL would be charging for the traffic 
> and exclusive access.
>   
Vern doesn't run maps anymore by the way.. so it's Vern
> Perhaps I'm simply tired and unable to escape my Max Weber-esque Iron Cage 
> and grasp this seemingly inconsistent paradigm of charging those who wish 
> to reduce the bandwidth costs of an organization openly begging for 
> donations! They even charge non-profits for a barely reduced fee for the 
> data feed!
They do? Where is that price list?
>  How does that make sense unless profit is the motivation? 
Gotta pay for the infrastructure somehow. The operators' personal 
finances aren't a long-lasting viable arrangement.
> They 
> take an organization who has no profit motive and charge them for reducing 
> uribl's bandwidth, all in the name of a common desire to reduce mail 
> abuse? The website seems to have a motto of "because spam sucks." That 
> certainly serves as no explanation or motive for charging those whose 
> primary desire would be to both reduce spam AS WELL AS the expenses of a 
> donation requesting, swag peddling, ad profiting organization! (are google 
> ads a mild yet socially accepted form of spam? I would say no, some might 
> say yes)
>
> I must be stupid, I'm not able to invent an explanation that doesn't 
> involve a profit motive.
Perhaps they're just trying to cover their operating cost, as opposed to 
operating at a loss?

Personally, I think you're jumping to conclusions for no good reason.



Re: Time to make multi.uribl.org optional rather than default?

Posted by Rob McEwen <ro...@invaluement.com>.
Andy Dills wrote:
> given that they openly ask 
> for paypal donations, have google ads, and sell branded merchandise
Which probably doesn't account for much revenue.. which is why (I think) 
they *later* added the paid access.
> I guess I have grown too accustomed to the long standing symbiotic 
> relationship between spam warriors and service providers. We rely on you 
> to help us filter our incoming mail, you rely on us to prevent or at least 
> diligently mitigate spam coming from the large number of potential sources 
> on our networks. We're supposed to be in this together, working from both 
> sides of the equation.
>   
This relationship seems very one-sided to me. The service providers 
charge for their services, and they get more business from paying 
customers when their spam filtering is better than their competitor's 
spam filtering. However, I see no equivalent benefit for the 
time/efforts of the spam warriors if/when the DNSBLs are free. NOT 
saying they should all start charging exorbitant fees, but I don't see 
this "symbiotic relationship" you refer to when DNSBLs are free. Am I 
missing something here?

> As soon as the motivation stops being about preventing spam and becomes 
> about making money, you essentially equate yourselves to the various large 
> networks providing transit to spammers out of desperation to pay for their 
> overbuilt networks and meet quarterly revenue goals.
>   
To equate (A) paid access to DNSBLs with (B) DNSBLs giving spammers a 
pass in exchange for cash... this is very insulting to DNSBL operators. 
Can you (or anyone?) provide examples of currently well-respected and 
frequently used DNSBLs which you know for positive are giving spammers 
a pass in exchange for cash and which haven't been severely "taken to 
the woodshed" on public forums. If there is such an example, I'd like to 
know. (The closest thing I can think of is DNSBL operators giving some 
of the larger mainsleasers a pass for fear of being sued out of 
business... but that only emphasizes the riskiness of this business and 
is NOT profiteering nor "quid pro quo")

> the more 
> I think about this the more shady it feels to me.
>   

DISCLAIMER: I'm an admin for SURBL. I ALSO run a separate for-profit 
DNSBL that requires a monthly subscription payment for access. I even 
e-mailed Andy off-list to tell him about my subscription-based DNSBL in 
case that would help him.

When I think about the countless unbillable hours that I've spent 
creating two world-class blacklists over the past years... (a URI list 
and an "RBL") as well as the time I've spent helping SURBL... I have to 
confess, after reading Andy's comments, I was about ready to throw 
furniture across the room.

But, at the same time, I can't help but feel like URIBL's prices seem a 
bit steep. Then again, maybe I wouldn't think so if my own mail hosting 
business really did have enough business to generate enough queries to 
raise alarms. IOW, at the (current) size of my business, these prices 
seem high... but maybe that is comparing apples to oranges since I don't 
have the revenue streams that the typical business from which URIBL 
would require a subscription.

In general, it would be nice if more DNSBLs would create revenue models 
where smaller organizations would pay just a little per month... and 
that is closer to what I've come up with regarding my own 
subscription-based DNSBLs. I can understand the sticker shock when 
something goes from "free" to being thousands of dollars per year.

But when someone says that all DNSBLs should be "free", and implies that 
those operating "for profit" DNSBLs are "shady", I'm left feeling angry 
and frustrated. Running a DNSBL is a risky, time-consuming, and costly 
business (particularly if the DNSBL is of world-class quality.)

Rob McEwen


RE: Time to make multi.uribl.org optional rather than default?

Posted by Robert - elists <li...@abbacomm.net>.
> 
> I'll defer to the wisdom of the people who invest their time and effort to
> provide the services and develop the software that the rest of us have
> come to rely on. If you guys don't have a problem with it, then that's
> good enough for me.
> ---
> Andy Dills

Andy

You are a smart person, just try to negotiate a win-win situation that is best
for you and them and the spam fighting community at large

Sounds like you have a pretty impressive network anyways and a little extra
bandwidth and processing as a mirror would help you and others.

Maybe make a donation too?

:-)

 - rh


Re: Time to make multi.uribl.org optional rather than default?

Posted by Andy Dills <an...@xecu.net>.
On Wed, 20 Feb 2008, Kevin Golding wrote:

> Seriously Andy, I understand you're annoyed about the situation and
> there is plenty of scope for discussion about SA policy, and the URIBL
> lists would probably be a more on-topic location for debates about the
> implementation, but whilst I'll happily read a wall of text this is
> sounding more like you want to complain to someone (anyone?) than
> anything else now.

That's reasonable, as is the response from Jeff Chan. 

I'll drop it, for some reason it struck a nerve. I guess I felt 
slighted that when I set out feeling guilty for having been slamming 
their servers, wanting to quickly set up a local cache of their zone to 
fix the problem, I discovered that they wanted me to pay an entirely 
unjustifiable sum (based on value provided to my customers) in order to be 
a good netizen.

I'll defer to the wisdom of the people who invest their time and effort to 
provide the services and develop the software that the rest of us have 
come to rely on. If you guys don't have a problem with it, then that's 
good enough for me.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Time to make multi.uribl.org optional rather than default?

Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.
In article <20...@shell.xecu.net>, Andy Dills
<an...@xecu.net> writes
>I must be stupid, I'm not able to invent an explanation that doesn't 
>involve a profit motive. 

I think it's very safe to assume that URIBL is not profit making and
never likely to be so.

>providing free service (in theory) to those who 
>generate 400k queries per day from dozens of individual nameservers around 
>the globe who then charge for spam filtering (we do not btw)

Sorry, but if you charge anybody for access to mail accounts that are
filtered in any way, shape, or form then you charge.  You may not make
it a value added extra but if your standard fee doesn't include some
allowance for that service then you'll eventually run out of income.
Just the fact that you're engaged in this discussion suggests the
company has a spam filtering overhead which your customers pay for,
saying they don't is like saying that your company doesn't charge
customers for your wages simply because their invoice doesn't include a
line especially for each employee's percentage of the fee.

Seriously Andy, I understand you're annoyed about the situation and
there is plenty of scope for discussion about SA policy, and the URIBL
lists would probably be a more on-topic location for debates about the
implementation, but whilst I'll happily read a wall of text this is
sounding more like you want to complain to someone (anyone?) than
anything else now.

Kevin

Re: Time to make multi.uribl.org optional rather than default?

Posted by Andy Dills <an...@xecu.net>.
(Sorry for the length, if you hate the wall of text, the last three 
paragraphs contain the essence of my thoughts and concerns on this)

On Wed, 20 Feb 2008, Justin Mason wrote:

> 
> Matt Kettler writes:
> > In general I'm somewhat averse to systems with undocumented or vague 
> > policies in SA. Case in point, razor used to be disabled by default due 
> > to a rather vague policy about "high volume" use, that didn't really 
> > define what that volume was.
> 
> +1.
> 
> We haven't decided *not* to remove Spamhaus usage from the base ruleset
> yet... it just hasn't come up in discussion again.  So nobody should
> take the remaining inclusion of Spamhaus as any kind of indication that
> we approve of such policies.

I respect your desire to withhold judgement; it's not always a clear cut 
issue depending on your perspective. If nothing else, making people aware 
of the potential future fees would perhaps be a good idea before their 
customers arrange their filter thresholds based on what amounts to an 
introductory trial service.

For what it's worth, with dcc, razor, but no bayes, checking the cache of 
missed spam going back the past three months that we were unknowingly 
blocked from uribl.org, I have to say the impact has been very minimal. In 
fact, TimeElapsedSpamCheck seems to have dropped an average of over half a 
second (perhaps it would be a smaller difference if we were not blocked), 
so overall this is still a win-win, uribl doesn't get our bogus traffic, 
and we can delay the deployment of the next filtering server to the 
cluster for a bit, as this equates to a potential ~15% increase in 
efficiency.

I have a certain amount of respect for anybody who gives their time and 
effort to help fight mail abuse, even if I don't agree with their 
tangential policies. Good luck to you Dallas. Hopefully you will at least 
be upfront and inform the people (this relies on an assumption on my part) 
who submit samples to URIBL and provide free mirrors that there exists a 
possibility that more money will be generated than is consumed by expenses 
related to the project. Perhaps he does disclose their financials and I'm 
just being a douche...but I seriously doubt it, given that they openly ask 
for paypal donations, have google ads, and sell branded merchandise, while 
never mentioning on a non-password protected page (that I could find) that 
they also sell data feeds. Perhaps that would provide negative motivation 
to donate or support the cause by buying a uribl t-shirt? Overall I just 
feel like they're leveraging the default inclusion in spamassassin to 
eventually create revenue streams from unsuspecting companies who would 
happily just pay the fee. After all, those who generate 400k queries today 
will eventually generate 500k queries, and then comes the email suggesting 
you obtain a data feed (giving no impression of associated fees).

I guess I have grown too accustomed to the long standing symbiotic 
relationship between spam warriors and service providers. We rely on you 
to help us filter our incoming mail, you rely on us to prevent or at least 
diligently mitigate spam coming from the large number of potential sources 
on our networks. We're supposed to be in this together, working from both 
sides of the equation.

As soon as the motivation stops being about preventing spam and becomes 
about making money, you essentially equate yourselves to the various large 
networks providing transit to spammers out of desperation to pay for their 
overbuilt networks and meet quarterly revenue goals.

Does this apply to uribl? Perhaps not. But it sure felt like it when the 
"data feed request form" magically turned into a shopping cart once I 
selected responses from the first three dropdowns.

I just can't parse the logic; the separation between those who should pay 
and those who shouldn't is based on volume, yet if those who generate too 
much volume wish to eliminate the traffic entirely...they must pay for the 
traffic of those who do not hit the arbitrary cutoff? At least MAPS was 
logical in charging those who are for-profit, providing free to those who 
are non-profit. Or take Vernon's DCC project, he provides a value added 
service to those who pay, not available free to anybody. What would make 
sense would be if an RBL charged people who generate more than 500k 
queries IF THEY DID NOT obtain a data feed and wanted to still query at 
high volume, perhaps the RBL would provide a special low latency server 
only queryable by paying customers, which perhaps get the latest updates 
faster than the public servers. These arrangements are appropriate and 
valid from an ethical and logical point of view and charge the appropriate 
parties a cost-based fee. Vern is charging for his additional time, MAPS 
charges those who in theory profit (directly or indirectly) from the 
filtering, and in the last case the RBL would be charging for the traffic 
and exclusive access.

Perhaps I'm simply tired and unable to escape my Max Weber-esque Iron Cage 
and grasp this seemingly inconsistent paradigm of charging those who wish 
to reduce the bandwidth costs of an organization openly begging for 
donations! They even charge non-profits for a barely reduced fee for the 
data feed! How does that make sense unless profit is the motivation? They 
take an organization who has no profit motive and charge them for reducing 
uribl's bandwidth, all in the name of a common desire to reduce mail 
abuse? The website seems to have a motto of "because spam sucks." That 
certainly serves as no explanation or motive for charging those whose 
primary desire would be to both reduce spam AS WELL AS the expenses of a 
donation requesting, swag peddling, ad profiting organization! (are google 
ads a mild yet socially accepted form of spam? I would say no, some might 
say yes)

I must be stupid, I'm not able to invent an explanation that doesn't 
involve a profit motive. I'd think they were taxing the rich to provide to 
the poor if they weren't providing free service (in theory) to those who 
generate 400k queries per day from dozens of individual nameservers around 
the globe who then charge for spam filtering (we do not btw), and then 
turn around and charge a non-profit who generates 600k queries per day 
from their single primary caching nameserver they set up to reduce their 
own bandwidth costs as much as possible. Somebody help me here.

This was way too long but I'm waiting on a couple buildworlds and the more 
I think about this the more shady it feels to me.

Good luck regardless,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---