jrudd at ucsc.edu
Wed Sep 13 21:07:21 IST 2006
On Sep 13, 2006, at 10:19, Rick Chadderdon wrote:
> Jethro R Binks wrote:
> > But the problem isn't autoresponders themselves.
> No, it's the people who insist on using them.
No, the problem is spam.
The secondary problem are people who use a tool without understanding
it and using it responsibly. (and/or people who distribute versions of
the tool which are difficult or impossible to use responsibly)
In neither case is the problem the autoresponder tool itself, nor is
the problem "people who insist on using the autoresponder tool".
> I acknowledge that the *root* problem is the desire to do a
> particular thing with a system that was not designed to do so either
> intelligently or securely in a world with spam. This does not mean
> that one should rush in with a flawed solution when other people are
> going to be required to deal with the consequences of said solution.
That's the tail wagging the dog. Autoresponders predate the spam
problem. By a lot.
So, it's not that someone rushed into a world with spam and added a
flawed solution to a timeliness of email response problem. They
created a timeliness of email response solution, then spam came into
the world, and arguably not everyone implementing that solution has
updated themselves to address that change in the world.
Advocating banning of autoresponders says that no such adaption can
possibly happen, and that the autoresponders themselves are the
problem. I think both of those statements are fundamentally flawed.
> >> I find that most people who defend autoresponders are in a way akin
> >> to the spam pundits who say, "Just hit delete!"
> > Ridiculous analogy.
> No, it's not.
> 1. You have something you want to do. This thing benefits you.
> (Send UCE. Send Autoresponses.)
It also potentially benefits the sender, as they may want to know that
any time-critical or business-critical process will be on hold while
I'm away ... and that they therefore should have contacted someone else
(which is hopefully specified in the message), or be given a time frame
before I'll be able to respond. It is NOT just something that I want
to do (my managers and customers impose it upon me, actually), and it
is NOT just something that benefits me (it actually provides me with no
benefits other than getting my manager off of my back), it also
benefits my customers.
(my customers in this case being the faculty, staff, and students of
> 2. The thing you want to do affects others without their consent.
> (Processing unwanted mail, regardless of content.)
With their consent. If someone sends me email, they give implicit
consent to receiving a reply from me. I would agree that there should
be some diligence in ensuring that the sender is actually the sender.
For a non-autoresponder that's easier: read the message, see whether it
appears to be legit or not. For an autoresponder, what is due
diligence? (I offer an answer at the end)
> 3. Your response when asked to stop or find a better solution is,
> basically, "No. I (and others) need to do this. You're running a
> mail server. *You* solve it, or just deal with it, but I won't
> stop." (Same response I hear from spammers.)
If the argument here was "refine the autoresponder solution", that
would be one thing. For one, it is not the same as "autoresponders are
evil and should be banned". It would be more like "autoresponders need
to be used responsibly". I don't think I've seen _anyone_ here argue
against them being used responsibly.
The argument here is whether or not it is reasonable to advocate
banning autoresponders outright. It is not.
(some suggestions that I would make for refining the autoresponder
solution, and what constitutes due diligence for autoresponders, are:
making sure that your autoresponder doesn't reply to things which your
own system believes to be spam (ie. your own anti-spam solution marked
it as spam), and tries to do another step in validation with something
like domain keys, when that's available (maybe SPF, but SPF has its own
set of limitations which may make it an unreasonable requirement); IMO,
if possible, set up Spam Assassin to do DomainKeys and SPF checks; if
the message is marked as spam by SA, don't let your autoresponder reply
to it; otherwise, if SA doesn't mark it as spam, you've done due
diligence in attempting to discern whether or not it should be
responded to, and you can feed it to your autoresponder ... if you want
to be extra diligent, you could set your "do or don't autorespond"
threshold to be lower than your spam threshold (3 or 4, instead of
More information about the MailScanner