[RFCI-Discuss] Posit: abuse@aol.com
Vincent Schonau
vince at niet.net
Tue Feb 28 06:44:14 EST 2006
Derek J. Balling wrote:
>
> On Feb 27, 2006, at 10:07 AM, Vincent Schonau wrote:
>> $VICTIM complains that the messages he's receiving constitute (part
>> of) a DDoS attack. If we accept it is, then as the volume of messages
>> redirected by $VICTIM's actions to AOL's abuse-address is of the same
>> order of magnitude, is abusive, and AOL is entitled (expected?) to
>> defend against it.
>
> Whoa whoa whoa, that logic doesn't hold up.
>
> If we accept that "trying to shoot an innocent person is murder", then
> using your logic, he who fires back in self-defense is *also* a
> murderer, which is clearly not right. Also, it would predicate that if
> somehow the victim could miraculously bounce those messages right back
> at the shooter, that would also somehow make the victim into the "bad guy".

*shrug*, analogies and stuff. That's not my logic. abuse at aol is the
police, not the person trying to shoot $VICTIM.

If $volume of mail is abusive and/or constitutes a DDoS attack, AOL is
(should be, IMO) entitled to defend its abuse-handling infrastructure
against it.

No-one sane would argue that directing $volume of mail is anything other
than an attempt to retaliate - it certainly isn't an effective way of
addressing the problem.

>> I have sympathy for $VICTIM's predicament, and think his complaint is
>> legitimate. I don't think the fact that AOL protected their
>> abuse-handling infrastructure against his or similar attacks makes
>> them rfc-ignorant (quite the opposite: the fact that they're taking
>> such measures underscores their understanding of the importance of an
>> available and working abuse@ contact).
>
> I agree that they clearly think it's important, but isn't their
> rejecting of his -- perfectly legitimate and independent -- complaint
> messages simply rejecting an abuse complaint "because it looks like spam"?

We don't consider each message independently when we examine something
to find out if it's spam, we consider the total volume. We have to, or
anything with only one RCPT TO couldn't be spam.

The messages being redirected are NOT independent, they are part of
the same attack that $VICTIM is complaining about. If they *were*
independent, then there would be no attack, so no complaint.

>> It makes no sense for rfc-ignorant.org to consider filtering for
>> *general* abuse (ie; DNS blocklists) acceptable, but filtering for
>> specific attacks directed at the mailbox in question.
> Well, we do have a common sense clause about how you can't block abuse@
> because the message "looks like spam" (otherwise, how would you ever
> forward a spam message to the sending ISP's abuse department). Isn't
> this essentially the same thing?

I just said it's the same thing as rejecting mail to abuse@ from known
spam-sources. No, it's not the same thing as rejecting a message because
it 'looks like spam'. It's rejecting further mail from a host known to
send an excessive volume of messages to your abuse-handling infrastructure.

> Again, to be clear, I sit firmly on the fence on this one, I'm not
> trying to "sway" in either direction, because I think both sides have a
> really compelling case for the (guilt,innocence) of AOL in this case.

I find the 'case' for the 'guilt' of AOL in this case to be far-fetched,
not compelling at all. If I can't protect my abuse-handling
infrastructure from attacks because it *might* mean rfc-ignorance if
someone decides to mailbomb me, then rfc-compliance has no relevance to
operational reality.