Open Relay == Bad? (Was Re: [oclug] Rogers sucks)

Kevin Everets kevin at everets.org
Sun Mar 10 10:02:03 EST 2002


On Sat, Mar 09, 2002 at 10:02:03PM -0500, Brad Barnett wrote:

> He certainly makes some good points, but there is some flawed reasoning
> involved as well.

I'm not so sure about that... his points are quite lucid, and he's
making the case for being a "common carrier".  Spam is like
telemarketing (which you point out in your analogy), and the ISP
(toad.com in this case) is like Bell Canada.  Bell Canada has no right
to force filtered calls on me.  To say that they are at fault for
running an "open phone switch" that just allows anyone to make a call
to me would be ridiculous.  There should still be ways of dealing with
the telemarketers (laws, as you mentioned, about calling people at
obscene hours), but those should put the blame where it exists: on the
perpetrators themselves and not on the network that allowed them to do
what they did.

> Currently people who misconfigure servers and daemons aren't doing
> anything wrong or illegal.

He's not misconfiguring his daemon: it's meant to be an open relay.
It's like that for a reason, and there's nothing wrong with that.

> However, imagine if a nation wide call center
> (read: telemarketers) had a computer glitch that resulted in a call
> center on the East coast calling people at 6am on the West coast.

Then that call center would be liable, and not the phone network(s)
that allowed the call to make it to you.

> If this was rapidly fixed it is quite doubtful that charges would be
> applied.  It is illegal btw to make telemarketing calls outside of certain
> times.  Let's imagine that the person who owns the call center decides
> it's just "not worth his time" to maintain the call center regularly.  The
> above glitch happens quite often, resulting in frequent breaches of the
> regulations.  

Again, deal with the source of the problem and not unduly hinder other
people who are not causing the problem.

> If this was the case, no one would find it odd if they were charged,
> convicted and fined with a breach of the law, and of negligence.  However,
> people who configure servers irresponsibly are literally let off of the
> hook, irregardless of the economic and mental distress it causes.

You've switched your analogy: it's not the people who configured the
server that are the problem (like it's not the phone network's fault if
someone can call you at 6 am).  It's the telemarketer's (spammer's)
fault, and they need to be dealt with.

> Even
> worse, companies attempt to fool you into thinking that the "let's not do
> a serious code audit, wait for a deadly bug to occur, and then patch 6
> months afterwards" is a normal occurrence.

[snip]

This (and the ensuing paragraphs on Software Quality and Liability) is
outside the issue at hand: the servers have properly audited and
maintained code on them (there was no "bug" that allowed the open
relay to happen: it is purposefully like that), and it is all about
what the owners of the server choose to do with them.  In this case,
send on any mail it receives (regardless of the source) to its
intended destination.  A good thing to do.

> However, rather than blither and blather about this, back to the point at
> hand.  The above info correlates with the article you posted in several
> ways.  Firstly, whether it is configuring software so that it operates
> correctly, or writing software so it does so, reasonable efforts must be
> made to test your machine.

As stated above: the software is (most likely) performing correctly.
It would pass any test on quality and configuration.  It was a
conscious choice to properly configure it to pass on any mail that it
received (as it would pass on any internet packet that it received).

> If spam is illegal, you would be an accomplice
> if you happen to allow people to use your server to spam.

Spam is (somewhat unfortunately) not illegal.  And if you're a
"common carrier", then you aren't an accomplice if you allow your
server to be used for spam, just as a router owner wouldn't be held as
an accomplice.  Just as Bell Canada isn't held liable for every
illegal transaction that takes place over its phone lines (can you
imagine that?  A drug deal was done using a cell phone, so that cell
phone company has to be held liable... I mean, they should have been
carefully listening to every phone call to ensure that it didn't
contain something illegal).

> Everyone has to
> be responsible for whatever they maintain.

Sounds good... John's responsible for making sure that any mail his
server receives, it passes on.  Just like every packet his computer
receives, he passes on.  If he didn't transmit mail (or receive mail)
because of some mob rule that said "You can't send or receive mail to
this IP address, because we think they've done something that we don't
like", then I wouldn't have any respect for the man (and he'd be
violating the rights of his customers, and enforcing poor rules on his
friends that use his service).

> If you have a gun for example,
> you must keep it out of the reach of children.  It isn't enough to simply
> hide it, it must be locked and stored correctly.  Otherwise, as studies
> have shown, too much abuse and unneeded pain and suffering exists.

The gun analogy doesn't really apply.  You shouldn't let anyone else use
your gun... but you should let other people use your telephone switch,
or internet router, or mail server (as otherwise these things are
pretty useless).

> So, what I am contending is that if you run a mail server, you must make
> reasonable and logical assurances that it can not be used to break the
> law.

Why is a mail server special in this regard?  Why not hold routers
liable for allowing the transmission of the information as well?

> You must make sure it is configured correctly, and that it can not
> be easily used to spam... but only if spam is illegal!  As our friend
> pointed out, it isn't in his state(?).  This person is not breaking the
> law, law doled out by a democratic body.  

Exactly.  He's not breaking any laws, and he's standing up for his
right to configure a mail server as he wishes.

> Furthermore, while I personally love and use MAPs, there is something to
> be said for his arguments.  Again, it is the case of _much_ power wielded
> outside of the law.  This is why it is imperative that laws should be
> drafted clearly stating the policy on such matters, and PROPER legal
> authorities should enforce it.

Exactly.

Kevin.


