MAPS and Experian Settle Lawsuit

dbrower writes: "Experian is trumpeting a settlement with MAPS here, where MAPS agreed not to blackhole them without a court order, and agreed that Experian didn't need to do opt-in. Looks like a loss to me."

winners or loosers?

[Rev.LoveJoy]

I have a hard time looking at MAPS vs. the spammers as us agsinst them anymore. For me this has turned into one of those moral dilemas wherein the actions taken by maps are nearly as deplorable as those they are attempting to defeat.

Do not misunderstand, I am no sympathizer of the spammers. I do not think what they do warrants first ammendmend protection. However, I do not think that MAPS arbitrarily black holing companies who it cannot strong arm with threats really deserves our respect anymore.

A good idea gone awry.

Cheers,
- RLJ

They didn't say there's no opt-in

[GrenDel Fuego]

They said that they don't have to use a double opt-in. In other words, no confirmation step of the opt-in.

access.db

[jmd!]

Well, experian.com just made it in to my access.db, along with everyone else who's sued maps in the past. Do they have any mail servers outside that domain, anyone know?

Here's a list of some other companies not understanding what MAPS is and trying to stop them with bogus lawsuits. I hope they don't accidently wind up in your access.db (or whatever your MTA uses).

yesmail.com
harrisinteractive.com
blackice.com
media3.com
247media.com
experian.com
exactis.com
liveprayer.com <--- accused MAPS of being an agent of Satan

To block these in sendmail, use the 550 5.7.1 error code in your access.db file, like so:

yesmail.com <tab> 550 5.7.1 Spammer suing MAPS.

Re:Double opt-in? What the hell?

[AndyS]

If I don't sign up for a mailing list, I should not suffer hundreds and hundreds of spam from it.

If I signed you up to 100 such mailing lists, would you rather get 100 verification mails that you could just delete, or 10,000 mails from the mailing lists that you'd have to unsubscribe from manually?

The idea of double opt-in isn't designed to make people's lives inconvenient - all it needs is a quick reply. It's pretty easy, I do it all the time. You can even do it from a different e-mail address. However, it does protect those who suffer from massive mailbombing.

History on this case

[hillct]

In the spirit of Karma Whoring :-)

Here's some history on this case [dotcomeon.com]. It features articles from various stages in the case. Has anyone found the text of the complaint or injunction? still looking...

--CTH

Re:Double opt-in? What the hell?

[gol64738]

what? do you have any idea what you're talking about? obviously not.

look, MAPS by itself affects no one. It's the ADMINS that make MAPS work. an ADMIN must implement the blackhole list via DNS or sendmail for anything to happen.

don't you think that ADMINS know what's best for the network they control? you obviously know nothing about system administration, go crawl into a hole.

Other filter lists...

[gavcam]

If a spammer gets taken out of one filter list then you can always rely on it still being in the other lists.

I use

• relays.ordb.org
• or.orbl.org
• inputs.orbz.org
• outputs.orbz.org
• spews.relays.osirusoft.com

to keep my inbox clean.

Winning one battle doesn't win the war!

Re:winners or loosers?

[Anonymous Coward]

As I understand it MAPS are just providing a list of IP's/Domain names from which SPAM is likely to come, it is still up to each individual sysadmin to use or not use that list. So I do not think it is fair to demonize MAPS in this way.

maybe a blacklist would work on a web page

[mj6798]

Currently, to many lawyers and judges, MAPS probably looks like an obscure, deeply technical means by which some group of people is "preventing" another group of people from getting mail.

But these people understand the concept of a "web page". If, instead, something like MAPS were based on a list of domain names found on web pages, I think people would have a much harder time "shutting it down". After all, it would be human readable speech, and if people mine that data for their E-mail programs, well, so be it.

Re:MAPS settled

[Rick the Red]

As a victim of MAPS, I know quite a bit about it. I'm not a spammer, I just noticed one day that my brother wasn't getting any of my email. Turns out his ISP was using MAPS's "service" and my ISP got on MAPS's shit list. When I contacted MAPS about it to find out what happened and how to fix it, the bottom line was this: MAPS lied to me about what they did and how it worked. They left me with one choice: find a new ISP. I refused; my brother found a new ISP, one that would allow him to receive my mail. My ISP does not use MAPS and guess what? I am not flooded with spam. Not one bit. You do not need MAPS to avoid spam.

P.S. I did not get "flamebaited," I got modded down. Go ahead, mod this down, too. I'm not a karma whore.

Dynamic DNS Services get blackholed too!

[mtgstuber]

Don't get me wrong, I'm no fan of SPAM, but given that MAPS and services like it, automatically blackhole email from dynamically served DNS entries, I am quite happy to see them sued, sued into oblivion even. MAPS decreases freedom on the net. I have a DSL connection through a local carrier who shall remain nameless. I run a web server on my connection, largely for family and friends. If I get a business connection where I can get a properly registered DNS entry, I have to pay twice as much for half the bandwidth. So I use dynamic DNS services. Thanks to MAPS its about impossible for me to send email directly from my server. Instead I am forced to use the email account of my service provider. (Ironically, I can send email from SPAM ridden web mail services any time I want.) I resent MAPS's heavy handed self righteous policing of the net, even more than I resent the bandwidth wasting spammers. I would rather delete some extra #$%^ and have freedom, than have somebody tell me what I can and can't do.

Re:Double opt-in? What the hell?

[Jay Carlson]

That's fine if you're the one who actually signed up. Me, nop@nop.com, and my friend ben@ben.com, get truly fascinating spam by way of people who are enticed to give some email address in return for something; somewhat believably, people will use fake email addresses under duress.

In addition to all the random female-depicting porn you're familiar with, I get aluminum market newsletters, British SMS-music-info-service announcements, and some very tasteful Swedish news mailings. Oh, and for a while nop@nop.com was listed as the contact address for a gay personals service ad in Portugal. The letters I got were very sweet, but my wife still thought it was funny...

My favorite is when people buy unlock codes for commercial software, giving my email address. I've got a whole folder full of registration codes that I didn't pay for and will never use....

Oh right, back to opt-in. So here's what's going on.

• When spammers say "opt-in" they mean that at least somebody typed an email address into a web page somewhere.
• When spammers say "double opt-in" they mean the horrible, onerous, business-destroying requirement to confirm that the person receiving mail at an email address wants to receive their mail. Anti-spammers prefer to call this "verified opt-in", and I like that term better, but it doesn't matter what you call it.

So when somebody types nop@nop.com into the signup for Goatmail (intentionally goating me or not), a verified opt-in system sends nop@nop.com a message saying "hi! hit reply to this message to confirm and enter the wonderful world of goats!" With non-opt-in systems, I'm in Goatland without any further delay. Sort of like when my "friends" sent all the "I'm interested!" postal reply cards to the Navy recruiters AND the dental post-doc programs with my address on them. Took years to get rid of them.

But I digress again. Here's the summary:

• Unverified opt-in means someone wishes for an email address to receive spam.
• Verified opt-in means the recipient of mail sent to an address wants spam.

That clear things up?

Re:Double opt-in? What the hell?

[oldperson]

Double opt-in is marketing speak from the DMA (that's Direct Marketing Association, a group which includes a number of mainstream corporations considering spam.)

The term entered debate when Congress invited representatives of the DMA and MAPS to address a panel. It's been relentlessly pushed by the PR flacks and looks like it might be taking hold in the technical world as cybersquatting did. (Another spin term foisted into use by relentless marketing from the IP lobby.)

The spinless and more acurate term is "opt in with confirmation." It doesn't include the false and spin-driven connotation that people have to sign up twice and it accurately describes what MAPS considers ideal.

The DMA doesn't like "opt in with confirmation" because it polls much more favorably than "double opt-in" and they'd rather people used terms that favored their side of the debate.

Re:Advertising is Pollution

[dgreenwood]

MAP's take on this is here [mail-abuse.org]
EXACTIS SUIT AGAINST MAPS DISMISSED October 3, 2001 - REDWOOD CITY, CA - Mail Abuse Prevention System, LLC (MAPSSM) announced today that Experian Emarketing, Inc. (formerly Exactis.com) has dismissed all of the claims which it had previously filed against MAPSSM. "A settlement has been reached in which Experian has committed to requiring their clients to provide them with lists which contain only those email addresses for which they have obtained the addressee's permission to send them email", explained Anne P. Mitchell, Esq., MAPS'SM Director of Legal and Public Affairs. "They have further committed to address and resolve any complaints and concerns which may arise as a result of any mailings they do for either themselves or their clients."

Re:Other filter lists...

[owlorc]

hmmm ... missed a couple ...

The osirusoft.com and orbz.org lists by themselves are awfully good ad excising unwanted UCE content.

rbl.maps.vix.com
orbs.dorkslayers.com
or.orbl.org
inputs.orbz.org
outputs.orbz.org
relays.ordb.org
relays.osirusoft.com
bl.spamcop.net
spews.relays.osirusoft.com
ipwhois.rfc-ignorant.org

The rblcheck package, now at sourceforge is a bit out of date, and you'll want to patch new DNS based filters into the source.

Re:Other filter lists...

[VB]

(The parent has not been modded high enough yet as of this post)

Regardless of the legal dispute, MAPS should have their implementation for filtering spammers removed from all MTAs. This is a frustrating problem, and is a major time-eater for diligent admins and an even bigger one for end-users on networks not overseen by such admins. Sendmail has removed MAPS support, reaffirming my commitment to stick with it since Sendmail's [sendmail.org] security record as been much improved over the past 3 years and it is great free software. A bitch to configure, but hey; when you run Slackware you know what you're getting into. I found it very alarming and frustrating when I decided to put a stop to what appears to be a significant increase in spam lately by finally getting around to implementing MAPS, only to discover the new fee-based implementation of MAPS. This pricing/policy change is completely antithetical to what anti-spam software should stand for! They started out as this "crusader" organization making software to rid the 'Net of the filth that proliferates as spam, then stick you with a fee? Quite unsamaritan and anti-community for a service that purports to assist the community, only to later suck you into payments once they've garnered enough of a following. Exploitative in the vilest sense.

ORDB [ordb.org] is a godsend! I put this on my servers 2 days ago and spam has all but ceased. 10 trickled through the first day and were added to the list. ORDB's policy is effective, efficient and fair and it doesn't bog down the server or the network in any noticeable way. It's a quick 30 minute configure for a moderate sendmail admin, and yields immediate results. Granted it doesn't provide known spammer protections, but how can you do that?

The onus on stopping spammers is on ISPs through their AUPs. Once they make it crystal clear that using their network services for stupid things like Spam, port scanning, and defacing web-pages is going to immediately ban them from that service, the Spam and other useless 'Net activities will stop and these idiots will quietly go back to the middle-high school where they once worked and pick up their green weenies, Mr. Clean, and get those toilets clean and those hallway tiles shiny again, where their skills/socialization are most appropriate.

Clearly, we can't count on our Congress to improve the Spam sitation... [zdnet.com]

Re:MAPS settled

[djmurdoch]

When I contacted MAPS about it to find out what happened and how to fix it, the bottom line was this: MAPS lied to me about what they did and how it worked.


My experience with them is that they're extremely honest, that they bend over backwards to avoid listing someone, and they'll remove you from their list at the first sign that you've done something to fix the problem. However, they're overworked, and occasionally make mistakes.

Generally innocent web sites only get blackholed when they're on the same netblock as a bunch of spammers. The idea is that blackholing each of the spammers' addresses is having no effect, so the host must be profiting from the spam: and MAPS blackholes the entire block to try to get the host to act more responsibly. If you happen to be innocent and in the same block, then you're obviously not going to be too happy about it, but you shouldn't have been dealing with sleazebag spam supporters.

I'd like to hear the details of what went wrong in your case. What did they tell you that was a lie?

Re:I don't get it!

[pjrc]

MAPS only maintains a database that provides information to others, who seek that information.

Vixie (who runs MAPS) is the CTO of a backbone internet provider (abovenet) which just happens to be one of those who "seek information". They have a regular history of blocking traffic... of course without explicit permission (and usually without even the knowledge) of downstream ISPs and their unsuspecting customers.

This is quite a bit different than end users making an informed decision to subscribe to the "service". Likewise, some ISPs subscribe to MAPS on their user's behalf, sometimes without informing them, and other times while leading them to believe the service doesn't impact non-spam messages.

That database expresses an opinion: in the opinion of MAPS, the networks listed in the database are suspected of passing through or generating spam.

This is true. ...at least true if "passing through" includes lots of unsuspecting non-spam businesses and users who simply connect to those spamming-suspected networks.

The lie is in much of the promotion regarding how accurate these opinions are, and the lack of disclosure regarding the non-spam users who are also intentionally blocked. It's quite questionable how well MAPS blocks spam [cnet.com]. At the same time, there is no question that MAPS has been responsible for disrupting non-spam communication time and time again.

For a good taste of the deceptive nature of MAPS, check out their Realtime Blacklist Policy Page [mail-abuse.org]. They claim four there are four ways to become blacklisted:

• Spam Origination
• Spam Relaying
• Spam Support Services
• Netblock Inheritance

The section about "netblock inheritance" claims that some unsecting users obtains IP address space that was once occupied by a spammer. Note that it doesn't say that they will discontinue listing the non-spammer who is blocked due to "netblock inheritance". But that's only scratching the surface of the deception.

What that MAPS policy page doesn't clearly explain (or really explain at all) is their regular practice of listing large netblocks, which contain large numbers of non-spammers. It isn't explained that MAPS uses this strong-arm tactic to pressure ISPs that are hosting some spammers by blocking not only the spammer but all of the ISP's unsuspecting non-spam customers.

MAPS's policy page also doesn't explain that there is no notification to these innocent and unsuspecting bystanders that their communication is being intentionally disrupted simply because some other customer at their ISP is sending spam.

MAPS's policy page doens't state that they will refuse to stop discrupting messages to non-spammers when it is brought to their attention that a non-spammer has been affected by a netblock that also contains a spammer. (yes, believe it or not, Vixie/MAPS has a long history of refusing to un-block non-spam users when they complain that they are blocked) It certainly doesn't state that it is their intention to block messages to non-spammers and spammers alike, if they happen to be hosted at an ISP that (in MAPS's rather extreem and un-accountable opinions) isn't working hard enough to stop spam.

Sure, MAPS is entitled to their opinions, and they have the free speech right to share those opinions. Where the line is crossed (IMHO) is:

• Upstream providers, not end users, subscribing to the service... thereby forcing MAPS's rather extreem opinions on end users without giving them a choice.
• Misrepresenting their blacklisting policy to imply that they only target spammers and those directly involved in spam... when in truth they intentionally target unsuspecting non-spammers (and never even notify them) simply because they inadvertently chose the same ISP as a spammer did (and the ISP didn't respond by immediately cutting service to an existing customer who MAPS says is a spammer)

Re:I don't get it!

[pjrc]

And while I'm on my soapbox... take a look at this this MAPS press release [mail-abuse.org]. They write:

...the RBL, MAPS' database of IP addresses which have been proven to originate or facilitate the sending of unwanted email...

Even without the words "have been proven", this is an bold faced LIE. MAPS has a regular practice of blocking large groups of IP numbers (often an entire ISP), with the intention of disruption to the spammer and many non-spammer customers at that same ISP.

When these non-spammers complain to MAPS that their IP numbers, which certainly don't originate spam and don't facilitate the spammer's activity, have been blocked, the response from MAPS it that these non-spammer need to seek a different ISP.

To even get close to the truth of how MAPS really operates, perhaps it should read:

...the RBL, MAPS' database of IP addresses which may be originating or facilitating unwanted email, or have some loose association with present or prior unwanted email, including unsuspecting users and businesses who happen to be customers at the same ISP as a suspected spammer.

Of course, there's no requirement to tell the truth in a press release... but this lie is about as blantant as Microsoft's recent press releases claiming IIS is attacked because it's the market leader (when apache is the #1 web server by a considerable margin).

Re:Dynamic DNS Services get blackholed too!

[supine]

It is likely that you have not been blackholed by MAPS's RBL but by MAPS's DUL. The distinction is important.

The RBL is for servers known to be relaying or originating spam and is generated by testing of the server in question.

The DUL is for IP ranges that ISPs submit as "dial-up". This encourages their dynamic IP customers to utilise their SMTP server.

For a better explanation of the difference compare these two descriptions RBL [mail-abuse.org] and DUL [mail-abuse.org].

marty