Autoresponder Evils?

Rick Chadderdon mailscanner at yeticomputers.com
Thu Sep 14 21:31:45 IST 2006


John Rudd wrote:

>> I acknowledge that the *root* problem is the desire to do a
>> particular thing with a system that was not designed to do so
>> either intelligently or securely in a world with spam.  This does
>> not mean that one should rush in with a flawed solution when other
>> people are going to be required to deal with the consequences of
>> said solution.
> (sigh)
>
> That's the tail wagging the dog.  Autoresponders predate the spam
> problem.  By a lot.

I wasn't intentionally implying that they didn't.  I was stating that
they were designed at a time where the spam problem didn't exist.  SMTP
itself suffers from the same thing.  I can see now that the last
sentence of my statement could have been better phrased.

>>> Ridiculous analogy.
>>
>> No, it's not.
>>
>> 1.  You have something you want to do.  This thing benefits you.
>
> It also potentially benefits the sender, as they may want to know
> that any time-critical or business-critical process will be on hold
> while I'm away ...

<snip>

>
>> 2.  The thing you want to do affects others without their consent.
>
> With their consent.  If someone sends me email, they give implicit
> consent to receiving a reply from me.

<snip>

>
>> 3.  Your response when asked to stop or find a better solution is,
>> basically, "No.  I (and others) need to do this.  You're running a
>> mail server.  *You* solve it, or just deal with it, but I won't
>> stop."
>
> If the argument here was "refine the autoresponder solution", that
> would be one thing.  For one, it is not the same as "autoresponders
> are evil and should be banned".  It would be more like
> "autoresponders need to be used responsibly".  I don't think I've
> seen _anyone_ here argue against them being used responsibly.

<snip>

Every argument you use here has been used by spammers, as well.

1.  It benefits the recipient of my autoresponse = it benefits the
recipient of my spam.
2.  With their consent = many of these people want my spam.
3.  Autoresponders used responsibly aren't bad = spam sent responsibly
isn't bad.

I tend to overstate things to make a point since I'm an absolutist, but
I do recognize that those who use sensible autresponders aren't "as bad"
as most spammers.  Would we complain about spam if it was always sent
responsibly?  If every piece of UCE was clearly labeled in such a way
that it could be reliably filtered?  I think that most people who think
of autoresponders as a necessary tool would have little problem with
spam under those conditions.  I'd be a lot happier than I am now, but
I'd still have a problem with spammers.  They'd still be using my
resources without my consent. 

Even well the best configured autoresponders will quite happily consume
the resources of others *without their consent* if triggered in the
right (wrong?) way by a spammer.  If you have a system in place which
uses my resources without my consent, I will complain.  I'm not talking
about implied consent.  I don't mind if I get an autoreply to something
I sent.  I don't tend to think much of the person who set it up, but
that's my personal issue.  If your autoresponder spams me, expect me to
get annoyed.   If someone develops a new exploit and a web form that I
control spams you, I expect *you* to complain, perhaps even banning me
until I fix it.

My issue with autoresponders is that most people will not admit that
they're broken, even in their best configurations.  Let's say that your
autoresponder sends my mail server a few thousand out-of-office or
informational messages that hit throughout a large portion of my
userbase on a given domain.  Let's say that I end up fielding a few
dozen phone calls over the course of that day because of this flood. 
And let's say I ask you to fix your broken autoresponder because I have
other things I'd rather be doing than explaining to a couple of dozen
users that someone didn't hack their accounts and send mail from them. 
Would you make changes to fix the problem (even if was simply
blacklisting my domain in your server) or would you ignore the issue,
believing that you'd already made your best effort?

Your suggestions for refining autoresponders were all great.  Mmmm... 
Maybe I'd even consider a system which used them all as sensible enough
to put in production.  Maybe I'll build one.  I'm trying to put together
a standalone system that uses Postfix, Cyrus IMAP, a database for the
account info (currently MySQL), Apache, MailScanner and the like.  I've
used web-cyradm for a long time, but have grown discouraged with it in
many ways, and it's not really (in my opinion) enterprise ready.  But
sieve would be a good way to implement your suggestions in an autoresponder.

Nothing is without flaws, obviously.  The question when deploying a
solution is, I guess, "How do the benefits compare to the risks?" 
Automobiles, airlines, guns, recreational drugs...  All much more
socially important than this issue, but arguably all with benefits and
risks.  There are people who would ban any one of them, claiming that
the risks were too great.  I'd ban none of them.

Would I ban all autoresponders?  (sigh)  Honestly?  (grrrrr...)  No. 
No, but I would certainly ban one that flooded my server and whose
operator told me he'd done nothing wrong.  And, vindictively, I would
probably report that server to any RBL that likes to ban
autoresponders.  Do the benefits of autoresponders outweigh their
flaws?  Not as most of them are currently implemented, I believe, but
the risks aren't great enough to implement a generic ban.  The one you
suggest, John?  Maybe.  Now you made more work for me.  I hope you're
happy.  :P

Rick


More information about the MailScanner mailing list