Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/02/20 10:16:47 UTC
Re: Time to make multi.uribl.org optional rather than default?
Matt Kettler writes:
> In general I'm somewhat averse to systems with undocumented or vague
> policies in SA. Case in point, razor used to be disabled by default due
> to a rather vague policy about "high volume" use, that didn't really
> define what that volume was.
+1.
We haven't decided *not* to remove Spamhaus usage from the base ruleset
yet... it just hasn't come up in discussion again. So nobody should
take the remaining inclusion of Spamhaus as any kind of indication that
we approve of such policies.
--j.
Re: Time to make multi.uribl.org optional rather than default?
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2/20/2008 1:01 PM, Andy Dills wrote:
<snipping-warm-air>
> This was way too long but I'm waiting on a couple buildworlds and the more
> I think about this the more shady it feels to me.
>
wow, for someone who didn't know URIBL existed, and doesn't see any value
in it, you sure have a lot to say.
If you go to http://www.uribl.com/links.shtml you may see a few who have
done a damn lot to keep Uribl.com alive
funny - I don't see Xecunet in that list....
EOT
RE: Time to make multi.uribl.org optional rather than default?
Posted by Robert - elists <li...@abbacomm.net>.
> This was way too long but I'm waiting on a couple buildworlds and the more
> I think about this the more shady it feels to me.
>
> Good luck regardless,
> ---
> Andy Dills
Andy
Think about it like this... in terms of just your immediate family or
businesses
If you are so overloaded helping others, or doing extra non profitable busy
work, that you cannot do your profitable work and make a paycheck that
provides for you and your family's needs, then is that good prioritization
for your life?
Now, apply that to any network entity or services...
-rh
Re: Time to make multi.uribl.org optional rather than default?
Posted by Rob McEwen <ro...@invaluement.com>.
Jeff Chan wrote:
> If you think blacklists should be free, then you should set up your
> own, spend thousands of hours per year on it, undergo constant threats
> of DDoS or worse, and listen to complaints if you dare to consider
> being partially paid for your work.
Yes!
And some need to start asking themselves why there is such a huge
graveyard of very promising DNSBLs that were off to a good start... but
then suddenly died. There are literally dozens of such DNSBLs that have
died within the past few years. The reason is simple. Altruism and/or
that "high" one gets from all the "pats on the back" for their "free"
DNSBL eventually gets old and certainly doesn't pay the bills... and
running a high-quality DNSBL is VERY costly, both in terms of personal
time and resources involved. Risk of harassment and DDOS attacks is very
real and protecting against these can be costly as well. The time and
effort involved can suck the life right out of anyone and someone saying
that this time/effort/resources/risk should always be donated for free
SHOULD be offensive to people like Jeff Chan, who I personally can
verify for a fact has donated thousands of hours of his unbillable time
helping ALL of our spam filters to be better via his efforts with SURBL
(and elsewhere).
DNSBL operators like Jeff (and others) are NOT the Energizer Bunny!
(BTW - really, more ISPs need to move to RSYNC... and we should ALL be
running local DNS caching servers)
Rob McEwen
Re: Time to make multi.uribl.org optional rather than default?
Posted by Jeff Chan <je...@surbl.org>.
If you think blacklists should be free, then you should set up your
own, spend thousands of hours per year on it, undergo constant threats
of DDoS or worse, and listen to complaints if you dare to consider
being partially paid for your work.
Jeff C.
Re: Time to make multi.uribl.org optional rather than default?
Posted by Matt Kettler <mk...@verizon.net>.
Andy Dills wrote:
> I just can't parse the logic; the separation between those who should pay
> and those who shouldn't is based on volume, yet if those who generate too
> much volume wish to eliminate the traffic entirely...they must pay for the
> traffic of those who do not hit the arbitrary cutoff?
Query volume = server load and bandwidth = increased costs for the URIBL
operators. What's so hard to parse about that logic?
It's basically saying "we're willing to give away up to x mbytes of
bandwidth and x cpu hours per day for free, beyond that, you need to pay
for the service."
> At least MAPS was
> logical in charging those who are for-profit, providing free to those who
> are non-profit.
Well, AFAIK you're not a non-profit, you're a commercial ISP, so that
point isn't directly relevant to your situation. Still, I don't see
anywhere that says URIBL requires nonprofits to pay, or at least offer
them steep discounts on data feeds (SpamHaus does the latter.). They
don't exactly have their pricing on their website. AFAIK you've only
seen their "for profit mid sized ISP with heavy query load" pricing.
> Or take Vernon's DCC project, he provides a value added
> service to those who pay, not available free to anybody.
Well, not really true. DCC is free for those who contribute back to DCC.
Your queries to DCC double as volume report data, which is what makes
DCC work in the first place. So, here by using DCC you're directly
giving back. DCC is *NOT* free if you try to run a private server that
doesn't report its statistics back to the public DCC network.
> What would make
> sense would be if an RBL charged people who generate more than 500k
> queries IF THEY DID NOT obtain a data feed and wanted to still query at
> high volume, perhaps the RBL would provide a special low latency server
> only queryable by paying customers, which perhaps get the latest updates
> faster than the public servers.
That doesn't really seem sensible to me. Who wants a "special server"
for a high volume site? It's a waste of your own bandwidth as well as
the RBLs.. You really want rsync at that point.
> These arrangements are appropriate and
> valid from an ethical and logical point of view and charge the appropriate
> parties a cost-based fee.
That much makes sense, and the same makes
> Vern is charging for his additional time, MAPS
> charges those who in theory profit (directly or indirectly) from the
> filtering, and in the last case the RBL would be charging for the traffic
> and exclusive access.
>
Vern doesn't run maps anymore by the way.. so it's Vern
> Perhaps I'm simply tired and unable to escape my Max Weber-esque Iron Cage
> and grasp this seemingly inconsistent paradigm of charging those who wish
> to reduce the bandwidth costs of an organization openly begging for
> donations! They even charge non-profits for a barely reduced fee for the
> data feed!
They do? Where is that price list?
> How does that make sense unless profit is the motivation?
Gotta pay for the infrastructure somehow. The operators' personal
finances aren't a long-lasting viable arrangement.
> They
> take an organization who has no profit motive and charge them for reducing
> uribl's bandwidth, all in the name of a common desire to reduce mail
> abuse? The website seems to have a motto of "because spam sucks." That
> certainly serves as no explanation or motive for charging those whose
> primary desire would be to both reduce spam AS WELL AS the expenses of a
> donation requesting, swag peddling, ad profiting organization! (are google
> ads a mild yet socially accepted form of spam? I would say no, some might
> say yes)
>
> I must be stupid, I'm not able to invent an explanation that doesn't
> involve a profit motive.
Perhaps they're just trying to cover their operating cost, as opposed to
operating at a loss?
Personally, I think you're jumping to conclusions for no good reason.
Re: Time to make multi.uribl.org optional rather than default?
Posted by Rob McEwen <ro...@invaluement.com>.
Andy Dills wrote:
> given that they openly ask
> for paypal donations, have google ads, and sell branded merchandise
Which probably doesn't account for much revenue.. which is why (I think)
they *later* added the paid access.
> I guess I have grown too accustomed to the long standing symbiotic
> relationship between spam warriors and service providers. We rely on you
> to help us filter our incoming mail, you rely on us to prevent or at least
> diligently mitigate spam coming from the large number of potential sources
> on our networks. We're supposed to be in this together, working from both
> sides of the equation.
>
This relationship seems very one-sided to me. The service providers
charge for their services, and they get more business from paying
customers when their spam filtering is better than their competitor's
spam filtering. However, I see no equivalent benefit for the
time/efforts of the spam warriors if/when the DNSBLs are free. NOT
saying they should all start charging exorbitant fees, but I don't see
this "symbiotic relationship" you refer to when DNSBLs are free. Am I
missing something here?
> As soon as the motivation stops being about preventing spam and becomes
> about making money, you essentially equate yourselves to the various large
> networks providing transit to spammers out of desperation to pay for their
> overbuilt networks and meet quarterly revenue goals.
>
To equate (A) paid access to DNSBLs with (B) DNSBLs giving spammers a
pass in exchange for cash... this is very insulting to DNSBL operators.
Can you (or anyone?) provide examples of currently well-respected and
frequently used DNSBLs which you know for positive are giving spammers
a pass in exchange for cash and which haven't been severely "taken to
the woodshed" on public forums. If there is such an example, I'd like to
know. (The closest thing I can think of is DNSBL operators giving some
of the larger mainsleasers a pass for fear of being sued out of
business... but that only emphasizes the riskiness of this business and
is NOT profiteering nor "quid pro quo")
> the more
> I think about this the more shady it feels to me.
>
DISCLAIMER: I'm an admin for SURBL. I ALSO run a separate for-profit
DNSBL that requires a monthly subscription payment for access. I even
e-mailed Andy off-list to tell him about my subscription based-DNSBL in
case that would help him.
When I think about the countless unbillable hours that I've spent
creating two world-class blacklists over the past years... (a URI list
and an "RBL") as well as the time I've spent helping SURBL... I have to
confess, after reading Andy's comments, I was about ready to throw
furniture across the room.
But, at the same time, I can't help but feel like URIBL's prices seem a
bit steep. Then again, maybe I wouldn't think so if my own mail hosting
business really did have enough business to generate enough queries to
raise alarms. IOW, at the (current) size of my business, these prices
seem high... but maybe that is comparing apples to oranges since I don't
have the revenue streams that the typical business from which URIBL
would require a subscription has.
In general, it would be nice if more DNSBLs would create revenue models
where smaller organizations would pay just a little per month... and
that is closer to what I've come up with regarding my own
subscription-based DNSBLs. I can understand the sticker shock when
something goes from "free" to being thousands of dollars per year.
But when someone says that all DNSBLs should be "free", and implies that
those operating "for profit" DNSBLs are "shady", I'm left feeling angry
and frustrated. Running a DNSBL is a risky, time-consuming, and costly
business (particularly if the DNSBL is of world-class quality.)
Rob McEwen
RE: Time to make multi.uribl.org optional rather than default?
Posted by Robert - elists <li...@abbacomm.net>.
>
> I'll defer to the wisdom of the people who invest their time and effort to
> provide the services and develop the software that the rest of us have
> come to rely on. If you guys don't have a problem with it, then that's
> good enough for me.
> ---
> Andy Dills
Andy
You are a smart person, just try to negotiate a win-win situation that is best
for you and them and the spam fighting community at large
Sounds like you have a pretty impressive network anyways and a little extra
bandwidth and processing as a mirror would help you and others.
Maybe make a donation too?
:-)
- rh
Re: Time to make multi.uribl.org optional rather than default?
Posted by Andy Dills <an...@xecu.net>.
On Wed, 20 Feb 2008, Kevin Golding wrote:
> Seriously Andy, I understand you're annoyed about the situation and
> there is plenty of scope for discussion about SA policy, and the URIBL
> lists would probably be a more on-topic location for debates about the
> implementation, but whilst I'll happily read a wall of text this is
> sounding more like you want to complain to someone (anyone?) than
> anything else now.
That's reasonable, as is the response from Jeff Chan.
I'll drop it, for some reason it struck a nerve. I guess I felt
slighted that when I set out feeling guilty for having been slamming
their servers, wanting to quickly set up a local cache of their zone to
fix the problem, I discovered that they wanted me to pay an entirely
unjustifiable sum (based on value provided to my customers) in order to be
a good netizen.
I'll defer to the wisdom of the people who invest their time and effort to
provide the services and develop the software that the rest of us have
come to rely on. If you guys don't have a problem with it, then that's
good enough for me.
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Time to make multi.uribl.org optional rather than default?
Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.
In article <20...@shell.xecu.net>, Andy Dills
<an...@xecu.net> writes
>I must be stupid, I'm not able to invent an explanation that doesn't
>involve a profit motive.
I think it's very safe to assume that URIBL is not profit making and
never likely to be so.
>providing free service (in theory) to those who
>generate 400k queries per day from dozens of individual nameservers around
>the globe who then charge for spam filtering (we do not btw)
Sorry, but if you charge anybody for access to mail accounts that are
filtered in any way, shape, or form then you charge. You may not make
it a value added extra but if your standard fee doesn't include some
allowance for that service then you'll eventually run out of income.
Just the fact that you're engaged in this discussion suggests the
company has a spam filtering overhead which your customers pay for,
saying they don't is like saying that your company doesn't charge
customers for your wages simply because their invoice doesn't include a
line especially for each employee's percentage of the fee.
Seriously Andy, I understand you're annoyed about the situation and
there is plenty of scope for discussion about SA policy, and the URIBL
lists would probably be a more on-topic location for debates about the
implementation, but whilst I'll happily read a wall of text this is
sounding more like you want to complain to someone (anyone?) than
anything else now.
Kevin
Re: Time to make multi.uribl.org optional rather than default?
Posted by Andy Dills <an...@xecu.net>.
(Sorry for the length, if you hate the wall of text, the last three
paragraphs contain the essence of my thoughts and concerns on this)
On Wed, 20 Feb 2008, Justin Mason wrote:
>
> Matt Kettler writes:
> > In general I'm somewhat averse to systems with undocumented or vague
> > policies in SA. Case in point, razor used to be disabled by default due
> > to a rather vague policy about "high volume" use, that didn't really
> > define what that volume was.
>
> +1.
>
> We haven't decided *not* to remove Spamhaus usage from the base ruleset
> yet... it just hasn't come up in discussion again. So nobody should
> take the remaining inclusion of Spamhaus as any kind of indication that
> we approve of such policies.
I respect your desire to withhold judgement; it's not always a clear cut
issue depending on your perspective. If nothing else, making people aware
of the potential future fees would perhaps be a good idea before their
customers arrange their filter thresholds based on what amounts to an
introductory trial service.
For what it's worth, with dcc, razor, but no bayes, checking the cache of
missed spam going back the past three months that we were unknowingly
blocked from uribl.org, I have to say the impact has been very minimal. In
fact, TimeElapsedSpamCheck seems to have dropped an average of over half a
second (perhaps it would be a smaller difference if we were not blocked),
so overall this is still a win-win, uribl doesn't get our bogus traffic,
and we can delay the deployment of the next filtering server to the
cluster for a bit, as this equates to a potential ~15% increase in
efficiency.
I have a certain amount of respect for anybody who gives their time and
effort to help fight mail abuse, even if I don't agree with their
tangential policies. Good luck to you Dallas. Hopefully you will at least
be upfront and inform the people (this relies on an assumption on my part)
who submit samples to URIBL and provide free mirrors that there exists a
possibility that more money will be generated than is consumed by expenses
related to the project. Perhaps he does disclose their financials and I'm
just being a douche...but I seriously doubt it, given that they openly ask
for paypal donations, have google ads, and sell branded merchandise, while
never mentioning on a non-password protected page (that I could find) that
they also sell data feeds. Perhaps that would provide negative motivation
to donate or support the cause by buying a uribl t-shirt? Overall I just
feel like they're leveraging the default inclusion in spamassassin to
eventually create revenue streams from unsuspecting companies who would
happily just pay the fee. After all, those who generate 400k queries today
will eventually generate 500k queries, and then comes the email suggesting
you obtain a data feed (giving no impression of associated fees).
I guess I have grown too accustomed to the long standing symbiotic
relationship between spam warriors and service providers. We rely on you
to help us filter our incoming mail, you rely on us to prevent or at least
diligently mitigate spam coming from the large number of potential sources
on our networks. We're supposed to be in this together, working from both
sides of the equation.
As soon as the motivation stops being about preventing spam and becomes
about making money, you essentially equate yourselves to the various large
networks providing transit to spammers out of desperation to pay for their
overbuilt networks and meet quarterly revenue goals.
Does this apply to uribl? Perhaps not. But it sure felt like it when the
"data feed request form" magically turned into a shopping cart once I
selected responses from the first three dropdowns.
I just can't parse the logic; the separation between those who should pay
and those who shouldn't is based on volume, yet if those who generate too
much volume wish to eliminate the traffic entirely...they must pay for the
traffic of those who do not hit the arbitrary cutoff? At least MAPS was
logical in charging those who are for-profit, providing free to those who
are non-profit. Or take Vernon's DCC project, he provides a value added
service to those who pay, not available free to anybody. What would make
sense would be if an RBL charged people who generate more than 500k
queries IF THEY DID NOT obtain a data feed and wanted to still query at
high volume, perhaps the RBL would provide a special low latency server
only queryable by paying customers, which perhaps get the latest updates
faster than the public servers. These arrangements are appropriate and
valid from an ethical and logical point of view and charge the appropriate
parties a cost-based fee. Vern is charging for his additional time, MAPS
charges those who in theory profit (directly or indirectly) from the
filtering, and in the last case the RBL would be charging for the traffic
and exclusive access.
Perhaps I'm simply tired and unable to escape my Max Weber-esque Iron Cage
and grasp this seemingly inconsistent paradigm of charging those who wish
to reduce the bandwidth costs of an organization openly begging for
donations! They even charge non-profits for a barely reduced fee for the
data feed! How does that make sense unless profit is the motivation? They
take an organization who has no profit motive and charge them for reducing
uribl's bandwidth, all in the name of a common desire to reduce mail
abuse? The website seems to have a motto of "because spam sucks." That
certainly serves as no explanation or motive for charging those whose
primary desire would be to both reduce spam AS WELL AS the expenses of a
donation requesting, swag peddling, ad profiting organization! (are google
ads a mild yet socially accepted form of spam? I would say no, some might
say yes)
I must be stupid, I'm not able to invent an explanation that doesn't
involve a profit motive. I'd think they were taxing the rich to provide to
the poor if they weren't providing free service (in theory) to those who
generate 400k queries per day from dozens of individual nameservers around
the globe who then charge for spam filtering (we do not btw), and then
turn around and charge a non-profit who generates 600k queries per day
from their single primary caching nameserver they set up to reduce their
own bandwidth costs as much as possible. Somebody help me here.
This was way too long but I'm waiting on a couple buildworlds and the more
I think about this the more shady it feels to me.
Good luck regardless,
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---