Re: [Asrg] draft-irtf-asrg-bcp-blacklists-07 [re-send]

[Joe Sniderman <joseph.sniderman@thoroquel.org>]

On 03/01/2011 10:21 AM, Neil Schwartzman wrote:
> 
> On Feb 28, 2011, at 5:49 PM, Richard Welty wrote:
> 
>> please list me as being in favor of this draft.
> 
> <aol> +1, and agreed. Heck, I may have even been the person to
> suggest this clause, some years ago at the IRTF meeting when the ASRG
> was resurrected. Charging for delisting is just plain bad business.

> Allow me to take a brief moment to draw a significant line between
> the Spamhaus business model, and one based upon delisting. For those
> too drunk, blind, or somehow mentally deficient to spot it for
> themselves, it is simple. One charges the beneficiaries of a given
> DNSBL (Spamhaus) and thus motivates a blacklist operator to run the
> very best product possible.

Yes, and this is a good thing. It encourages the provider of the data
(the DNSxL) to be loyal to the consumer of the data, rather than the
subject of the data.

Spamhaus charges to query its blocklists. Hypothetically, if Spamhaus
were to begin listing IPs (or domains on DBL) that did not meet the
listing criteria, it would risk losing paying customers. This applies to
any DNSxL (positve reputation included) that is funded primarily by its
users rather than its listees.

> The other, such as previously done by
> SORBS, or now UCE Protect, motivates the DNSBL operator to list as
> many IPs as possible (1) for financial profit.

Yes - in theory (the lists mentioned are not prime examples IMHO), and
this applies to whitelists as well.

That said, UCEProtect has previously been very quick to ban listees from
having the option of paying for delisting, and from what I understand
also sells hardware filtering appliances so it would hurt that end of
its business if it listed IPs that didnt meet its listing criteria.

The "fine" SORBS used to charge, IIRC was required to paid to charity,
*not* to SORBS itself, so there would be little or no financial motive
there to list IPs that did not meet its listing criteria.

There are some rare DNSxL's that have managed to be listee-funded and
maintain impartiality. ISIPP is probably a prime example. Listee pays to
be listed, AFAIK list operators determine the category. Some of their
categories make excellent whitelists, while others make excellent
blacklists.

The risk that a blocklist will list IPs solely to collect a delisting
fee, or that a whitelist will list non-qualifying IPs solely to collect
an accreditation fee, is to some extent mitigated by the fact than a
DNSxL doing so will be less widely used, and therefore there will be
less incentive for a listee (or hopeful listee, in the case of a
whitelist) to pay up.

No matter how its sliced up though, its *usually* a really bad idea.

> (Tangentially, were I an employee, particularly senior
> middle-management, like a Director, of a firm where presumably
> non-unionized staff went on 'strike' I would find that reason to
> rouse the CEO from his nightly reveries, not sit back and watch
> things play out. 

Agreed.  Frankly I think it stinks far worse than any delisting fee
possibly could.  I'm highly disappointed to say the least.. I've been a
real "fan" (for lack of a better word) of UCEProtect up until this escapade.

> As it stands, the unanimity of the vote is
> noteworthy, and I doubt Messagelabs and Nortel are going to take this
> lying down. An abnegation of professional responsibility, in my
> mind.)

Quite the contrary, I suspect (and hope) that both Messagelabs and
Nortel will see it for the nastiness and absurdity that is, and take the
high ground by not getting all macho or legalistic about it.

-- 
Joe Sniderman <joseph.sniderman@thoroquel.org>