Tony Finch - Blaming the spam victim

dotatfanf wrote
on 8th June 2012 at 02:21
Previous Entry Share Next Entry

Blaming the spam victim

A couple of weeks ago I read a blog post by Terry Zink titled "spammers ruining it for everyone" which annoyed me. If I understand it correctly, Terry is a senior anti-spam person at Microsoft FrontBridge, dealing with their hosted Exchange service - nothing to do with Hotmail.

What annoyed me about his article was that it was blaming the victim. The spam recipients' natural reaction - to block mail from the site that spammed them - was, according to Terry, wrong. It wasn't Microsoft's fault that they spammed these victims: it was an "incident" with one of their customers. Perfectly normal, rather difficult to deal with, but Microsoft are not spammers so it is completely unfair to blame them and cause all this difficulty for their other customers.

Now I hesitate to say the following, because the juxtaposition belittles problems that are much more serious than spam. But I would not be so aware of the victim-blaming pattern of argument if I had not paid attention to the bad consequences that happen when complaints are easily dismissed by "oh, it was just a bit of fun" (no, it was sexual assault) or "sorry, mate, I didn't see you" (whoops! vehicular homicide). The second stage of blaming the victim is "you should dress more modestly" or "you should have bright lights and high-viz clothes" or "you should have better spam filters". Never mind the fact that the person responsible should not have allowed the bad thing to happen in the first place.

I had a discussion about Terry's blog post with some friends after the pub this evening. One of us was arguing in support of Microsoft's position - and more generally: he seemed to say it is wrong to blame a group for the bad behaviour of its members. Instead everyone should assess each individual they deal with separately, regardless of the reputation of others in the same group. The rest of us argued that you should encourage good people to improve the behaviour of their groups and avoid bad ones. Of course this counter-argument only works when the people suffering collateral damage have enough agency to improve or move - and that is the case for Microsoft's email services.

When we argued that people in a position of responsibility need to police bad behaviour, he brought up the vexed question of censorship and universal service obligations. Really this kind of argument is just a distraction unless the so-called censor actually has a monopoly on communications. If there is a market of comms providers (as there is for email) and you want signal rather than noise then you have to moderate bad behaviour - and even if you are being too harsh in your assessment that noise is unwanted, you aren't censoring it by making it go elsewhere.

Being a service provider is a moral quicksand. Your aim is to do a good job for your customers, but this normal human imperative to be helpful is sorely tried when one of your customers turns out to be despicable - and not everyone can stand their ground. It is even harder if everyone around you acts as if bad behaviour is OK.


(Leave a comment)
From:cartesiandaemon
Date:2012-06-08 07:41 (UTC)
(Link)
"an incident with our outbound reputation" sounds like it was an act of God, does that mean "one of our customers spammed a lot of people and we got on a lot of blacklists before we noticed and shut it down"?
(Reply) (Thread)
From:cartesiandaemon
Date:2012-06-08 09:02 (UTC)
(Link)
Hm, I agree very much about victim blaming: he definitely puts the onus on the recipient, and I agree that we should avoid victim blaming as habit, small or large.

But while the sender can't shrug off responsibility, I'm not sure the receiver can either: if senders can be forced to perfectly eliminate outbound spam, that would be amazing, but it seems like it's probably _not_ possible, in which case receivers _should_ be filtering as best they can too.
(Reply) (Parent) (Thread)
From:simont
Date:2012-06-08 09:09 (UTC)
(Link)
It's interesting that you say "sender" here meaning the middleman. From my perspective, the sender is the person who deliberately committed spamming!
(Reply) (Parent) (Thread)
From:cartesiandaemon
Date:2012-06-08 09:25 (UTC)
(Link)
Oh yes, I was thinking of the two providers, I realised that was somehow ambiguous.

And yes, this is another case of blame not having to add up to 100%. I think the spammers can safely be assigned 100% of the blame, but whoever is relaying it has a fairly large (75%?) responsibility not to let spam out, and whoever is running the mail server at the other end (for themselves or someone else) some responsibility to avoid deleting legitimate mail, etc, etc.

In fact, it sounds in this case like the actual sender may have done something stupid rather than malicious, if that makes a difference assigning them less of the blame (although I don't know if that's true, or just the blog post giving the best spin it can).
(Reply) (Parent) (Thread)
From:simont
Date:2012-06-08 08:41 (UTC)
(Link)
Never mind the fact that the person responsible should not have allowed the bad thing to happen in the first place.

Hm. A pertinent difference between this and the other cases of victim-blaming you mention is that typically in the other cases the appropriate response is to attach the blame to the person who actually did the immoral thing – the attacker, the burglar, the careless driver. Those people who made inadequate efforts to defend against it (by not wearing hi-vis, not locking their doors, walking alone at night, etc) are perhaps tactically unwise but not morally bad, and even then it's considered in poor taste to dwell on their tactical unwisdom as the most significant aspect of the incident.

But in this case, surely that principle should argue in favour of the real culprit being considered the spammer, rather than the ISP who failed to stop one of their customers behaving antisocially?

I wonder, actually, if this isn't a recurrence of the same problem that used to be solved using identd. If I'm a site with many users and one of them misbehaves before I can stop them, then people dealing with me have to block my whole site for their own protection – unless I give them enough information to distinguish my users from each other, in which case it becomes feasible for them to only block the misbehaving user. Does anyone still use identd these days?
(Reply) (Thread)
From:nonameyet
Date:2012-06-09 07:54 (UTC)

Identd

(Link)
I still use identd on our mailserver (and only exempt one host because
it will time out).

There are three users recorded in the headers of the 1400+ messages in my inbox:
the sending mail daemon on our workstations sending mail to our smarthost,
the RT user on our helpdesk system,
and the user sending Mike Cardwell's Email Privacy Tester emails.

These aren't necessarily responses to identd queries from my server - some are responses on previous hops.
(Reply) (Parent) (Thread)
From:phillipbaker
Date:2012-12-05 02:09 (UTC)
(Link)
Realise this is an old post but have stumbled upon your LJ through googling for something totally unrelated and then wound up reading other things as we're both in the same industry.

Just thought that I'd mention that this gave me the most wonderful bout of Schadenfreude. How fun that someone at Microsoft should get a taste of what their Hotmail team inflict on systems admins around the globe who have to put up with complaints from end users about not being able to mail hotmail addresses because Hotmail has blacklisted an outbound relay after a customer got exploited and relayed a load of junk through it and be faced with a "computer says no" response. Delicious. May it happen once a week until the end of time, or until Hotmail Postmaster start engaging brain, whichever comes first.
(Reply) (Thread)

(Leave a comment)

Powered by LiveJournal.com