Autoresponder Evils?
John Rudd
jrudd at ucsc.edu
Wed Sep 13 21:07:21 IST 2006
On Sep 13, 2006, at 10:19, Rick Chadderdon wrote:
> Jethro R Binks wrote:
>
> > But the problem isn't autoresponders themselves.
>
> No, it's the people who insist on using them.
No, the problem is spam.

The secondary problem is people who use a tool without understanding
it and using it responsibly (and/or people who distribute versions of
the tool which are difficult or impossible to use responsibly).

In neither case is the problem the autoresponder tool itself, nor is
the problem "people who insist on using the autoresponder tool".
> (sigh)
>
> I acknowledge that the *root* problem is the desire to do a
> particular thing with a system that was not designed to do so either
> intelligently or securely in a world with spam. This does not mean
> that one should rush in with a flawed solution when other people are
> going to be required to deal with the consequences of said solution.
That's the tail wagging the dog. Autoresponders predate the spam
problem. By a lot.

So, it's not that someone rushed into a world with spam and added a
flawed solution to a timeliness of email response problem. They
created a timeliness of email response solution, then spam came into
the world, and arguably not everyone implementing that solution has
updated themselves to address that change in the world.

Advocating banning of autoresponders says that no such adaption can
possibly happen, and that the autoresponders themselves are the
problem. I think both of those statements are fundamentally flawed.
> >> I find that most people who defend autoresponders are in a way akin
> >> to the spam pundits who say, "Just hit delete!"
> >
> > Ridiculous analogy.
>
> No, it's not.
>
> 1. You have something you want to do. This thing benefits you.
> (Send UCE. Send Autoresponses.)
It also potentially benefits the sender, as they may want to know that
any time-critical or business-critical process will be on hold while
I'm away ... and that they therefore should have contacted someone else
(which is hopefully specified in the message), or be given a time frame
before I'll be able to respond. It is NOT just something that I want
to do (my managers and customers impose it upon me, actually), and it
is NOT just something that benefits me (it actually provides me with no
benefits other than getting my manager off of my back), it also
benefits my customers.
(my customers in this case being the faculty, staff, and students of
the university)
> 2. The thing you want to do affects others without their consent.
> (Processing unwanted mail, regardless of content.)
With their consent. If someone sends me email, they give implicit
consent to receiving a reply from me. I would agree that there should
be some diligence in ensuring that the sender is actually the sender.
For a non-autoresponder that's easier: read the message, see whether it
appears to be legit or not. For an autoresponder, what is due
diligence? (I offer an answer at the end)
> 3. Your response when asked to stop or find a better solution is,
> basically, "No. I (and others) need to do this. You're running a
> mail server. *You* solve it, or just deal with it, but I won't
> stop." (Same response I hear from spammers.)
If the argument here was "refine the autoresponder solution", that
would be one thing. For one, it is not the same as "autoresponders are
evil and should be banned". It would be more like "autoresponders need
to be used responsibly". I don't think I've seen _anyone_ here argue
against them being used responsibly.

The argument here is whether or not it is reasonable to advocate
banning autoresponders outright. It is not.

(some suggestions that I would make for refining the autoresponder
solution, and what constitutes due diligence for autoresponders, are:
making sure that your autoresponder doesn't reply to things which your
own system believes to be spam (i.e. your own anti-spam solution marked
it as spam), and tries to do another step in validation with something
like DomainKeys, when that's available (maybe SPF, but SPF has its own
set of limitations which may make it an unreasonable requirement); IMO,
if possible, set up SpamAssassin to do DomainKeys and SPF checks; if
the message is marked as spam by SA, don't let your autoresponder reply
to it; otherwise, if SA doesn't mark it as spam, you've done due
diligence in attempting to discern whether or not it should be
responded to, and you can feed it to your autoresponder ... if you want
to be extra diligent, you could set your "do or don't autorespond"
threshold to be lower than your spam threshold (3 or 4, instead of
5?)).
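
The gate suggested in the closing paragraph, as an added example that is not part of the original post: reply only when SpamAssassin's verdict is "No" and the score is under a cut-off lower than the spam threshold. It assumes SA's usual `X-Spam-Status` header shape and that DomainKeys/SPF results are already folded into the score by SA rules; `should_autorespond` and the 3.0 cut-off are hypothetical names and values.

```python
import re
from email import message_from_string

# Assumed header shape (SpamAssassin's usual X-Spam-Status):
#   X-Spam-Status: No, score=0.4 required=5.0 tests=SPF_PASS ...
STATUS_RE = re.compile(r"^(Yes|No)\s*,\s*score=(-?\d+(?:\.\d+)?)", re.I)
AUTORESPOND_MAX_SCORE = 3.0  # hypothetical cut-off, below the spam threshold of 5


def should_autorespond(raw_message, max_score=AUTORESPOND_MAX_SCORE):
    """Decide whether a scanned message may be passed to the autoresponder."""
    msg = message_from_string(raw_message)
    statuses = msg.get_all("X-Spam-Status") or []
    # Fail closed: an unscanned message, or one with a second (possibly
    # sender-supplied) verdict header, gets no automatic reply.
    if len(statuses) != 1:
        return False, "expected exactly one X-Spam-Status header"
    m = STATUS_RE.match(" ".join(statuses[0].split()))  # unfold the header
    if not m:
        return False, "unparseable X-Spam-Status"
    verdict, score = m.group(1).lower(), float(m.group(2))
    if verdict == "yes":
        return False, "marked as spam"
    if score >= max_score:
        return False, "not spam, but score too high for an automatic reply"
    return True, "below autorespond threshold"


def _sample(status):
    """Build a constructed test message; status=None means unscanned."""
    head = "From: someone@example.org\nSubject: question\n"
    if status:
        head += "X-Spam-Status: " + status + "\n"
    return head + "\nWhen are you back?\n"


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "ham": _sample("No, score=0.4 required=5.0 tests=SPF_PASS\n\tautolearn=no"),
    "borderline": _sample("No, score=3.6 required=5.0 tests=HTML_MESSAGE"),
    "spam": _sample("Yes, score=11.2 required=5.0 tests=BAYES_99"),
    "unscanned": _sample(None),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, should_autorespond(raw))
```

Run it after the scanner in the delivery pipeline, so the header it reads is the one your own SpamAssassin wrote.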