Open Relay == Bad? (Was Re: [oclug] Rogers sucks)
Brad Barnett
bbarnett at L8R.net
Sun Mar 10 21:05:31 EST 2002
On Sun, 10 Mar 2002 20:10:11 -0500
"Michael P. Soulier" <michael.soulier at rogers.com> wrote:
> On 10/03/02 Brad Barnett did speaketh:
>
> > I completely understand where you are coming from here, but there are
> > obviously exceptions to every rule. With SMTP authentication, there
> > is little need for a relay that allows spamming. Keep in mind that
> > whatever MAPs calls an open relay is not what I want the legal
> > definition of one to be. ;) I want an open relay to equate to
> > something that can be used to spam. SMTP authentication is enough to
> > make me happy with regard to this.
>
> It doesn't seem to prevent spammers from using Rogers, but yes, at
> least they're making an effort. :)
>
> > SPAM, because of its current nature, needs to be controlled by making
> > spam illegal, and open relays (as I defined them above) illegal.
> > While SPAM
>
> Let's be sure of that second point. While I can't see a need, does
> anyone have a good example of why you'd ever want an open relay?
> Somehow, keeping an open relay and permitting it to be used for spam
> seems like depraved indifference to me.

The original URL that sparked this thread was an article about someone who
needed one, for various reasons. Some of them were valid, but a l/p would
fix any spam problems.

>
> Ex. I walk by a man who's beaten and bleeding on the street. I know
> that whoever beat him broke the law, but I walk on by and do
> nothing to stop it. In the eyes of the law I'm now guilty of
> depraved indifference.
>
> Ex2. Even worse. I know that drug deals are going down on a regular
> basis in my restaurant. However, they're my best customers and they
> tip really well, so I do nothing about it. I even look the other way
> when they kill someone in my place. Now I'm benefitting from their
> crimes. I didn't commit the crimes mind you, but I don't think a
> judge would look too kindly on me.
>
> Ex3. UUNET looks the other way while spammers use open relays to
> broadcast spam across the world. But, they're my best customers so I
> do nothing to stop it.
>
> > Your entire argument is flawed though. If I buy a shovel and use it
> > to hold up my car while I work on it, that's my fault. A shovel was
> > not designed to be used in such a manner.
>
> His entire argument is not flawed. He was simply responding in the
> context of your words. Your words:
>
> >> 3) The same needs to be true of software authors/vendors. If they
> >> have huge gaping holes and bugs that cause their software to perform
> >> outside of the law, they need to be liable.
>
> Hence, his response that the purpose of said software should be
> taken into account, something that you did not mention at all. Thus,
> while I am not taking sides in this, I would argue that his argument
> was not in fact flawed. It bothers me to see entire points thrown
> out like this by the first party when said first party did not
> bother to look at their own words first. If his argument was flawed
> then so was yours.

Pardon me, I should have said "your above argument". It was flawed
because it was primarily based on someone taking your program or code, and
using it for something you didn't intend it to be used for.

>
> > However, if I bought a stand to hold up my car while I worked on it,
> > and the legs bent, crushing me, I would have a right to sue.
> > Negligence. A faulty product.
> >
> > The same can be said for software.
>
> Absolutely. The vendor needs to stipulate valid uses for their
> products, and if you use their products for one of said valid uses
> and it fails, they should be held liable. If you knowingly use
> something with no guarantee, then you knew it had no guarantee to
> begin with. Hell, read the EULA for winblows. You're not allowed to
> use it in air traffic control, or any other critical application. MS
> knows their software sucks and they don't want to be held liable.

Sure, but to go with this there should be limitations to the limitations,
so to speak ;) For example:

- we'll take exim (as an example)
- open relays or assisting spam is illegal
- exim is configured to not act as an open relay
- exim has an EULA that states that it is not liable for anything
- since exim's MAIN AND INTENDED purpose is to be a mail server and relay,
  and it is buggy, they are liable.

In other words, quality assurance. As I stated in previous emails, the
onus could be on the software vendor to PROVE that they took the necessary
steps to debug and code audit the product before its release.

>
> > Keep in mind here that I stipulated fault where insufficient care was
> > taken to ensure that the product would be sound and bug free. Beta
> > software would obviously be exempt, because it is labelled as such.
> > Only release software would be liable in such a way, and only if
> > sufficient code audits were not done to ensure its quality and
> > security.
>
> I tend to agree, but where does this put open source software? Say I
> buy a Linux distro from a vendor who guarantees its quality for me,
> because I'm a big corporation and I demand those kind of guarantees.
> Now, do I really believe that vendor has gone and inspected every
> line of code in everything they ship to me? It's not likely. I
> realize that, chances are, it's been looked at a lot. However,
> "chances are" isn't good enough. How could I, as CTO for a big
> company, recommend an open source product when I know that there
> were no real standards behind its construction besides, "chances
> are"?
>
> I ask this because I get asked that all the time at work. :)
>
> Mike
>

Right now, things are as they are. However, under our current legal
system, liability is not tied to the cost of a product. Keep in mind that
if someone tried to sell (again) a device that was intended to hold your
car up, and inside the box had an EULA that stated "We are not liable if
this does not hold up your car, and kills you".. tough, heh. They're
liable. Cases like these have been through the court system.

As for the above CTO scenario, it's quite clear that M$ doesn't stand
behind their product either. I want to change this ;)