Update (October 2002): Verio ultimately cut off my entire Internet access. I went without net access for a while, consulted lawyers about antitrust suits, and ultimately found a supplier who wouldn't censor me. So now my net connection is via United Layer. Let me encourage everyone to NOT get Internet service from Verio. They employ some of the nastiest people I've ever met in the ISP industry.
Update (8 Mar 2002): A virus author included my site in a list of 25 sites that it may use to send email (if it can't send email in the usual way configured on the virus-infected machine). This prompted a news story and a slashdot rant. Most contributors to the ranting missed the point.
The point is that contract terms created by negotiation are fair, but contract terms imposed by blacklisting anyone who won't accept them ("refusal to deal") are a violation of antitrust law, if those who are doing the blacklisting have market power. For Joe Blow to refuse emails is legal (though it's bad policy, akin to "shooting the messenger"). But if Joe and ten million friends all gang up to make a blacklist, they are exercising illegal monopoly power. Particularly when they add to their "gang" by threatening each outsider in turn with being blacklisted until they join the gang. The contract term I'm referring to is the prohibition of "open relays", but this would apply equally well to any term, such as prohibiting sending unsolicited mail, requiring "opt-in", prohibiting providing DNS or web service to certain disfavored races/religions/occupations, prohibiting P2P services, or prohibiting holding your breath until your face turns blue.
There are other points that got lost in the shuffle too. Like: it's easy to spam from any open 802.11 network, which are easy to find just by driving around with a laptop and NetStumbler. So should everybody who has an open 802.11 network be kicked off the Internet until they "close their open relay"? Trivial authentication solutions for 802.11 are readily available...as hundreds of people have pointed out about SMTP. Nobody mentions how painful authenticated networks are to operate and administer, particularly for occasional traveling guests who you can barely communicate with because their outgoing email isn't working.
What's the difference between an "open router" and an "open relay"? An open router takes any packet that you send it, and forwards it toward its destination. An open relay takes any email that you send it, and forwards it toward its destination. They're the same thing, just operating at different levels of the protocol stack. Should we outlaw open routers? Look at all these evil guys on the Internet backbone, all over companies and campuses, and even in private homes! They're routing packets without authenticating who sent each one! They'll accept packets from ANYWHERE ON THE INTERNET, and just send them onward, even if they contain spam or viruses! There oughta be a law!!! If we just shut down all those guys with their big Cisco spam tools, then we wouldn't get any spam any more. Let's all black-hole every packet that comes from any ISP that doesn't authenticate every packet. We have perfectly good standards for authenticating packets (IPSEC -- I even funded the free Linux implementation, called FreeS/WAN.) so lack of standards is no excuse. Come on guys, if we apply your rationale about open relays just two levels down in the protocol stack, we ought to shut down the entire Internet. What makes the application-level email service on port 25 so special? (Both sarcasm and logical argument are probably lost on this audience, but I'll give it a try.)
The Internet wouldn't even exist if the telephone networks had been able to impose arbitrary conditions on what its customers could send down their telephone lines. Indeed, until the FCC's Carterfone decision, even modems were illegal to attach to a Bell System phone line. Even acoustic couplers! Telcos fought the Internet tooth and nail, but the users won because the telcos were forced to be Common Carriers, who had to carry whatever traffic you wanted to communicate, from anybody who paid their bills. ISPs should act like common carriers; every "term and condition" that limits what kind of traffic you can push through their service violates the philosophy of openness and freedom that let the Internet flourish while riding atop the previous generation of communications infrastructure. I co-built an ISP in the San Francisco area that deliberately let its customers do whatever they wanted -- including "reselling the service", running servers, whatever. This was controversial and got us in trouble with our provider, UUnet, which had encouraged us originally, but didn't want us to be competing with it (eventually we switched to using Sprint -- uh, a common carrier). The result of our open "carry anything" policy was that many dozens of little ISPs sprang up in the area, using us as their backbone. UUnet had hoped to monopolize the service, and the NSF-funded regional network (BARRNET) was clueless and had similar restrictions on resale. We were the only game in town for these ISPs, but luckily we were honest and open. Internet consumers got lots of choices, and some of those little ISPs are still alive today. If you let ISPs dictate what you can do with your net connection, they'll use that ability for THEIR benefit, not for yours. Spam is distasteful, but if you punch a "spam sized hole" in your right to communicate, you will discover that you've given ISPs the power to disable competition for the next generation of communication services.
Update (7 Mar 2002): Added a pointer to Grokmail, which is a tool under development for reading messages when there's a lot more noise than signal. There's also a message that explains my motivation for building it. Here's an excerpt:
We have built a communication system that lets anyone in the world send information to anyone else in the world, arriving in seconds, at any time, at an extremely low and falling cost. THIS WAS NOT A MISTAKE! IT WAS NOT AN ACCIDENT! The world collectively has spent trillions of dollars and millions of person-years, over hundreds of years, to build this system -- because it makes society vastly better off than when communication was slow, expensive, regional, and unreliable. ... Yet despite this immense value, it should not surprise us that most of the things that others would want to say to us are not things that we wish to hear -- just as we don't want to read the vast majority of the books published, or the newspaper articles. The solution is not to demand that senders never initiate contact with recipients -- nor to demand that senders have intimate knowledge of the preferences of recipients. ... THE REAL SOLUTION is to build and use mail-reading tools that learn the reader's preferences, discarding or de-prioritizing mail that the reader is unlikely to care about. ... This overload problem is not unique to email; it will come up with instant messaging, with phone calls, with postal mail, and with any other medium whose costs drop and whose reach improves. ... We had better solve it, rather than sweeping it under the rug.
Update (5 August 2001): After some interaction among me, Verio, and lawyers from Stanford Law School's Internet and Society law clinic, Verio agreed to not immediately terminate my service if I modified my mailer software to avoid forwarding large quantities of email from single addresses over short periods of time. This mailer change permits ordinary users to send a backlog of queued email, such as after reconnecting a Eudora laptop after a few days, but doesn't permit mass spamming. Verio was unwilling to concede their 'right' to decide I'm a bad guy at any moment and terminate my service, but they're on notice that I have reputable and capable legal representation, and will not hesitate to make both a big legal issue and a big press issue out of their censorship campaign if they try to impose it on me again.
Update (26 March 2001): The block against outgoing mail suddenly dissolved without warning at 12:47 PM Monday. I don't know why it disappeared, whether it will be back, or whether they still plan to terminate my entire Internet service as previously announced.
Update (21 March 2001): Verio plans to TERMINATE my T1 service on April 4, ending not just my outgoing email, but this web site, my customers' Internet service, etc. If this site disappears, see the mirror at http://cryptome.org
I am not a spammer, and have never sent any spam. I've had this same Internet connection since long before Verio even existed (they eventually acquired the ISP I cofounded). I've been paying them for the connection despite their billing department's incompetence about invoicing me for it. But under pressure from anti-spam organizations, Verio has blocked outgoing email from my machine. I am not able to send person-to-person email to my friends, my colleagues at EFF, or anyone else -- including you. Now they threaten to terminate my Internet service, which supplies not only me but my customers and users.
I think this is wrong, and that the anti-spam pressure tactics behind it are wrong. Any measure for stopping spam should have as its first goal "Allow and assist every non-spam message to reach its recipients." No current anti-spam policy I know of, including Verio's, SpamCop's, or MAPS's, even views this as a desirable goal, let alone implements it.
I'm pushing back by publicizing the problem, and meanwhile allowing their censorship to take effect. If you ever want to get an email from me again, it's time to speak up about this!
If you send me email, don't expect an email reply. Include some contact information for an uncensored medium, where the providers are common carriers, take no notice of the content of messages, and don't put arbitrary restrictions on what their customers are permitted to communicate. Leave me a phone number and/or a postal address.
While I was on the Verio network, I previously suggested that people contact Verio. I still think it's worthwhile to complain to them: Write, email, fax, or phone to Darren Grabowski of "Verio Security". Tell him that punishing innocents if you can't find the guilty is not the right way to run a network. Please send me a copy at <email@example.com>.
Thanks for your support! Here's Darren's threat to terminate my service, including his contact info:
Date: Wed, 21 Mar 2001 17:18:24 +0000 From: Darren Grabowski <firstname.lastname@example.org> To: John Gilmore <email@example.com> Cc: NOC Security <firstname.lastname@example.org>, Vantive Updates <email@example.com> Subject: [v-1046855] Termination notice Message-ID: <20010321171824.K19361@verio.net> References: <20010222182001.B2339@verio.net> <200102231403.GAA15314@toad.com> In-Reply-To: <200102231403.GAA15314@toad.com>; from firstname.lastname@example.org on Fri, Feb 23, 2001 at 06:03:33AM -0800 X-Disclaimer: My opinions are my own and do not reflect those of anyone. Mr. Gilmore, You are in violation of the Verio Acceptable Use Policy which clearly states that maintaining an open mail relay is a prohibited. We have given you plenty of time to fix this mail relay, and it is obvious that you refuse to do so. We no have no choice but to terminate your services with Verio. We will terminate your services on April 4th, 2001. Feel free to contact me at the numbers below if you wish to discuss this. Thank you. darren -- Darren Grabowski email@example.com Team Lead - Verio Security http://www.verio.net office: 214.290.8680 fax: 214.800.7771 "Carpe Diem Baby" - J. HetfieldMr. Grabowski's claim that I am "maintaining an open relay" is false. This relay has not been running since March 14th, when Mr. Grabowski put a filter on my outgoing Internet traffic.
His claim that "We no [sic] have no choice but to terminate your services" is also false. He had already found a minimally intrusive solution to the open relay problem (the filter), which did not block my Web access, remote logins, incoming email, domain service, other customers, etc. There is no pressing reason to terminate my service, except to censor my web site and my other forms of communication, which document Verio as censoring my email. While Mr. Grabowski may not want the world to know what he is doing to me, that is not a valid reason to terminate my Internet service.
Spam war gags Gilmore, by Kevin Poulsen at Security Focus.
Verio gags EFF founder over spam, Kevin Poulsen, republished by The Register.
Here's a copy of the terms and conditions of The Little Garden (TLG), the ISP that I co-founded with Tom Jennings (creator of the FidoNet), and which I bought my T1 service from. (TLG was bought by Best, which was bought by Hiway, which was bought by Verio.) Here's an excerpt:
TLG exercises no control whatsoever over the content of the information passing through TLG. You are free to communicate commercial, noncommercial, personal, questionable, obnoxious, annoying, or any other kind of information, misinformation, or disinformation through our service. You are fully responsible for the privacy of, content of, and liability for your own communications.
That is how an ISP ought to be run. Unfortunately a set of anti-spam extortionists have been blacklisting ISPs that have policies like this, until it's very hard to find a network like this that actually connects to the rest of the Internet.
These extortionists claim that what they want is to control their own computers. But their approach is to disconnect from any ISP that refuses to impose THEIR SET OF TERMS on the ISP's customers. This was merely an annoyance when they were 1% of the Internet. Now they are 40% or more, turning a cut-off-our-nose-to-spite-our-face policy into a "refusal to deal" antitrust issue.
The terms that these extortionists desire to impose is constantly changing, becoming more and more stringent. First an ISP had to terminate accounts for actual spammers who were sending unsolicited bulk email via the ISP. This was even half-reasonable, and many people agreed. Then as they got more acceptance, their demands escalated. You had to cut off people who never sent spam, but whose services in some way "aided" spammers -- like my open relay. You had to cut off Web service for any URL that was merely *mentioned* in a spam sent anywhere in the world. You had to turn off DNS service that served any web site mentioned in any URL in any spam sent anywhere in the world. You had to cut off any customer who is alleged to have sent spam anywhere, whether or not the allged spam ever went through your (ISP's) system.
Common wisdom when dealing with a blackmailer is that their demands will escalate until you show strong resistance. If you keep agreeing, they'll make greater and greater demands.
The current list of anti-spam restrictions is not written down anywhere that I could find; you only find out when a blacklist notice appears in your inbox, telling you that you are going to be thrown off the Internet unless you immediately change. Next week they could demand that any ISP which is also a phone company must cut off phone service to alleged spammers; the following month demand that every ISP turn over credit card and/or customer address information on demand. (Some people claim that thir "fee" for reading a spam is $50 or $500; I'm sure they would like to immediately charge somebody's credit card for it,and let the details and legalities sort themselves out later).
The fact that the actual current rules punish non-spammers like me is only a minor problem. The bigger problem is that the process used to define the rules is arbitrary. It's controlled by a tiny number of people , most of whom work for MAPS. They happen to be virulently anti-spam rather than e.g. zealously pro-freedom. This is not good for freedom.
When thugs come onto your block and go from door to door telling you that if you don't change how you run your business, your knees will be broken, and your children harassed until you leave town, what do you do? Lots of people change their business or quietly leave town. I refuse to let people like that run my society. (Politicians are bad enough; I draw the line at dictators.) I don't want to exist on "their kind" of Internet.
I don't even want a "tyranny of the majority", if the majority happens to prefer to smash spammers (and suspected spam-sympathizers). I don't want a rerun of Joe McCarthy's witch-hunt, with spammers in place of Communists. I want to have everyone's right to communicate with each other protected, whether or not they disagree with the majority. About whether to forward email to its destination! It's as crazy as Jonathan Swift's fictional war over which end of an egg you crack open to eat it!
I could evade Verio's block in a dozen different ways -- after all I'm a lot smarter than most spammers, and even THEY get their mail through -- but that would let people keep evading the philosophical issue of whether pressure groups of ISPs, acting in unison, can or should control the behaviour of the citizens.
If what I am doing, by runing a machine that forwards email, is illegal, then sue me or file criminal charges, and I'll defend myself in court. I know of no law against it. I believe that what I am doing is not only legal, but beneficial. If I'm wrong, take me to court and prove it.
If what I am doing is not illegal, then why am I being harassed, and driven off the Internet? Because I am annoying? Not even. The open relay doesn't annoy anybody. It's like saying that your phone line sent you that annoying spam, because the spam came in over your phone line on its way to you. SOME SPAMMER sent you that spam, but it wasn't me. I'm being harassed because I broke a rule that was dreamed up by people who were casting about for anything they could think of to make the lives of spammers harder -- whether or not it makes the lives of ordinary people harder too.
I can't exercise my right of free expression -- to send ordinary person-to-person email to my friends and other correspondents? Because I broke some rule that doesn't actually stop spammers anyway? A quick glance at US censorship law cases will tell you that a rule which limits free expression AND IS NOT EFFECTIVE AT ACCOMPLISHING ITS STATED PURPOSE ANYWAY is not a valid restraint on free expression. (Yes, the anti-spam rules were are imposed by private parties, not governments, so these cases don't directly apply. But the reason the courts decide that way is because it makes sense. It's stupid to let arbitrary rules, that don't work, impede ordinary peoples' lives.)
Oh yes, before you send me an indignant, patronizing, or even a helpful email about how I'll be welcome again on the Internet -- if I just reform my attitude about anti-spam measures, and take your advice about how to administer my own machines -- think about how you would feel if you couldn't just fire up your computer and send me that email message.
That's how I feel already.
If you send me email, you're arguing with someone who can't argue back. Doesn't that make you feel superior? I'm sure you think you're winning the argument. But it's hard to tell when the other side is wearing a gag.
You and I may not agree on everything (or one of us is redundant!). But we should all be able to send email to each other.
MAPS versus Exactis, where MAPS is losing in Federal court against someeone who accuses them of racketeering. The judge has issued a temporary restraining order and a preliminary injunction preventing MAPS from blacklisting Exactis. The trial is set for July 2001. (PS: You won't find any of this later coverage -- that shows MAPS losing -- in the MAPS web pages.) You will find on the MAPS web site the motion papers filed by Exactis, detailing MAPS's capricious threats and non-negotiable demands, though curiously that document doesn't appear in the index of http://mail-abuse.org/lawsuit/.
Q&A with Tim Pozar on sendmail.net where he mentions my open relay and my efforts to run it without making it available to spammers.
Larry Lessig on the Spam Wars and on what's wrong with rules made by unaccountable vigilantes.