[svfig-open] White lists

Kevin Appert forther at attbi.com
Thu May 15 14:16:51 PDT 2003

Here is a column from a collimated columnist of interest.

Delivered-To: edfoster at gripe2ed.com
Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [])
	by gripe2ed.com (Postfix) with ESMTP id CE4448F75D
	for <edfoster at gripe2ed.com>; Thu, 15 May 2003 09:55:26 -0700 (PDT)
Received: from gripe2ed.com (adsl-67-124-237-167.dsl.snfc21.pacbell.net
	by mta4.rcsntx.swbell.net (8.12.9/8.12.3) with ESMTP id h4FGtOWf004280
	for <edfoster at gripe2ed.com>; Thu, 15 May 2003 11:55:24 -0500 (CDT)
Message-ID: <3EC3C7AE.6040605 at gripe2ed.com>
Date: Thu, 15 May 2003 10:00:30 -0700
From: Ed Foster <foster at gripe2ed.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: edfoster at gripe2ed.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Ed Foster's GripeLog] The GripeLog Column: "Just Say No"
X-BeenThere: edfoster at www.gripe2ed.com
X-Mailman-Version: 2.1.2
Precedence: list
List-Id: The GripeLog Column  <edfoster.www.gripe2ed.com>
List-Unsubscribe: <http://www.gripe2ed.com/mailman/listinfo/edfoster>,
	<mailto:edfoster-request at www.gripe2ed.com?subject=unsubscribe>
List-Archive: <http://www.gripe2ed.com/pipermail/edfoster>
List-Help: <mailto:edfoster-request at www.gripe2ed.com?subject=help>
List-Subscribe: <http://www.gripe2ed.com/mailman/listinfo/edfoster>,
	<mailto:edfoster-request at www.gripe2ed.com?subject=subscribe>
Sender: edfoster-bounces at www.gripe2ed.com
Errors-To: edfoster-bounces at www.gripe2ed.com

The Reader Advocate Column

Thursday, May 15, 2003
By Ed Foster

Just Say No to "White List" Services

Perhaps the worst thing about the spam plague is the desperate protection 
measures it's driving people to adopt.  And perhaps the worst of those 
protection measures is the growing number of "white list" or 
"challenge/response" anti-spam services that block messages from unlisted 

This first came to my attention earlier this year when readers started 
complaining about a white list outfit called Spam Arrest. "I recently sent 
an e-mail to a person I'd just met, and received an email from Spam Arrest 
saying that because I was someone new, my e-mail was on hold until I 
clicked a link to prove I was a human and not some kind of spammer," wrote 
one reader. "Fair enough. About 30 seconds later my e-mail was delivered 
...So it's now about a month later and 'Spam Arrest' is spamming me. They 
don't fake headers and the subject includes 'ADV', but that doesn't change 
that is, without any doubt, unsolicited commercial e-mail."

So Spam Arrest had decided it was within its rights to send out an e-mail 
promoting its service to the email addresses of all of its customers' 
approved correspondents.  And, under its privacy policy 
(http://spamarrest.com/privacy.jsp), there was no question it did, since it 
states explicitly that it applies to both customers who paid for the Spam 
Arrest service and "senders" who e-mailed those customers. The senders did 
not quite see it that way, though, and the resulting hue and cry quickly 
forced Spam Arrest to issue an apology. It was inappropriate thing for the 
company to do, Spam Arrest acknowledged somewhat reluctantly, and it 
wouldn't happen again.

But if Spam Arrest had at least learned not to be so blatant, some readers 
continued to be concerned about the company's privacy policy. After close 
study, one reader noted several disturbing things. "First off, they 
basically lay claim to all e-mail addresses on their customers' white 
lists, even those that the customers put on without knowledge of the 
'sender,' " the reader wrote. "How can they do that when the sender may not 
even be aware that he or she is on the list? But their policy says they can 
use that address for marketing/promotional purposes, including advertisements."

The same reader also questioned another part of the privacy policy that 
states: "Sender's information may also be sold or otherwise provided to 
Spam monitoring or compliance agencies or organizations..."  What was that 
about, the reader wondered. Could a bulk e-mail outfit be considered a 
spam-monitoring organization? Was there an implicit threat that those who 
didn't sign on with Spam Arrest might be reported as spammers?

A Spam Arrest spokesperson told me that, while the company will indeed 
refrain from sending out any more spam, they still retain the right to 
market to the senders. "The bottom line is that we are an anti-spam company 
but we are not an anti-marketing company," she said.

As for the bit about selling senders' information, I was referred to the 
company's outside counsel who had devised the privacy policy. "Spam Arrest 
has never sold information and has no intent to do so," he said.
The clause was written to allow Spam Arrest discretion to work with a 
government organization or industry association that might evolve in the 
future to have a legitimate spam-policing role.

OK, it's a lawyer's job to anticipate every eventuality and give the client 
as much latitude as possible in its legal boilerplatese.  So maybe that 
ominous language was not motivated by malevolent schemes.
And maybe Spam Arrest will indeed refrain from any further spamming of its 
customers' e-mail correspondents.

But why should we have to worry about these things at all? Remember, we're 
not talking about Spam Arrest's customers -- we're talking about people who 
just wanted to send a legitimate e-mail to one of those customers. Or, 
worse yet, a person who was unknowingly on the white list by that customer 
and never even had the chance to decline.

Think about it. If you sign up with one of these services -- and there's a 
whole bunch of them out there now -- you aren't just trusting the company 
for yourself. You are putting your e-mail correspondents in the position of 
having to choose whether to trust the service as well or not sending you a 
message you might want to receive.  Is that something you want to do to 
your friends and business associates?

There are many aggressive anti-spam approaches (including, if you must, 
implementing white lists on your own server without a third party) that can 
be just as effective as what these companies can give you.  I don't know if 
Internet e-mail can ultimately be saved from the spam curse, but I do know 
these white list and challenge/response services are not the way to do it. 
Just say no.

In the GripeLog weblog this week at http://www.gripe2ed.com:

Cisco Resales
Readers react to Cisco's policy of requiring customers to re-license 
software when they purchase a used router. 

Printer Drivers
Which printer companies do the worst job of updating their drivers for new 
versions of the operating system?


If you have any comments, questions, problems or gripes about this 
newsletter, please write me directly at foster at gripe2ed.com.  Thanks for 
your interest.

Ed Foster

To subscribe or unsubscribe to this newsletter, please visit:

Edfoster mailing list
Edfoster at www.gripe2ed.com

More information about the svfig-open mailing list