Log in

No account? Create an account


Blaming the spam victim

« previous entry | next entry »
8th Jun 2012 | 02:21

A couple of weeks ago I read a blog post by Terry Zink titled "spammers ruining it for everyone" which annoyed me. If I understand it correctly, Terry is a senior anti-spam person at Microsoft FrontBridge, dealing with their hosted Exchange service - nothing to do with Hotmail.

What annoyed me about his article was that it was blaming the victim. The spam recipients' natural reaction - to block mail from the site that spammed them - was, according to Terry, wrong. It wasn't Microsoft's fault that they spammed these victims: it was an "incident" with one of their customers. Perfectly normal, rather difficult to deal with, but Microsoft are not spammers so it is completely unfair to blame them and cause all this difficulty for their other customers.

Now I hesitate to say the following, because the juxtaposition belittles problems that are much more serious than spam. But I would not be so aware of the victim-blaming pattern of argument if I had not paid attention to the bad consequences that happen when complaints are easily dismissed by "oh, it was just a bit of fun" (no, it was sexual assault) or "sorry, mate, I didn't see you" (whoops! vehicular homicide). The second stage of blaming the victim is "you should dress more modestly" or "you should have bright lights and high-viz clothes" or "you should have better spam filters". Never mind the fact that the person responsible should not have allowed the bad thing to happen in the first place.

I had a discussion about Terry's blog post with some friends after the pub this evening. One of us was arguing in support of Microsoft's position - and more generally: he seemed to say it is wrong to blame a group for the bad behaviour of its members. Instead everyone should assess each individual they deal with separately, regardless of the reputation of others in the same group. The rest of us argued that you should encourage good people to improve the behaviour of their groups and avoid bad ones. Of course this counter-argument only works when the people suffering collateral damage have enough agency to improve or move - and that is the case for Microsoft's email services.

When we argued that people in a position of responsibility need to police bad behaviour, he brought up the vexed question of censorship and universal service obligations. Really this kind of argument is just a distraction unless the so-called censor actually has a monopoly on communications. If there is a market of comms providers (as there is for email) and you want signal rather than noise then you have to moderate bad behaviour - and even if you are being too harsh in your assessment that noise is unwanted, you aren't censoring it by making it go elsewhere.

Being a service provider is a moral quicksand. Your aim is to do a good job for your customers, but this normal human imperative to be helpful is sorely tried when one of your customers turns out to be despicable - and not everyone can stand their ground. It is even harder if everyone around you acts as if bad behaviour is OK.

| Leave a comment |

Comments {7}


from: cartesiandaemon
date: 8th Jun 2012 07:41 (UTC)

"an incident with our outbound reputation" sounds like it was an act of God, does that mean "one of our customers spammed a lot of people and we got on a lot of blacklists before we noticed and shut it down"?

Reply | Thread


from: cartesiandaemon
date: 8th Jun 2012 09:02 (UTC)

Hm, I agree very much about victim blaming: he definitely puts the onus on the recipient, and I agree that we should avoid victim blaming as habit, small or large.

But while the sender can't shrug off responsibility, I'm not sure the receiver can either: if senders can be forced to perfectly eliminate outbound spam, that would be amazing, but it seems like it's probably _not_ possible, in which case receivers _should_ be filtering as best they can too.

Reply | Parent | Thread

Simon Tatham

from: simont
date: 8th Jun 2012 09:09 (UTC)

It's interesting that you say "sender" here meaning the middleman. From my perspective, the sender is the person who deliberately committed spamming!

Reply | Parent | Thread


from: cartesiandaemon
date: 8th Jun 2012 09:25 (UTC)

Oh yes, I was thinking of the two providers, I realised that was somehow ambiguous.

And yes, this is another case of blame not having to add up to 100%. I think the spammers can safely be assigned 100% of the blame, but whoever is relaying it has a fairly large (75%?) responsibility not to let spam out, and whoever is running the mail server at the other end (for themselves or someone else) some responsibility to avoid deleting legitimate mail, etc, etc.

In fact, it sounds in this case like the actual sender may have done something stupid rather than malicious, if that makes a difference assigning them less of the blame (although I don't know if that's true, or just the blog post giving the best spin it can).

Reply | Parent | Thread

Simon Tatham

from: simont
date: 8th Jun 2012 08:41 (UTC)

Never mind the fact that the person responsible should not have allowed the bad thing to happen in the first place.

Hm. A pertinent difference between this and the other cases of victim-blaming you mention is that typically in the other cases the appropriate response is to attach the blame to the person who actually did the immoral thing – the attacker, the burglar, the careless driver. Those people who made inadequate efforts to defend against it (by not wearing hi-vis, not locking their doors, walking alone at night, etc) are perhaps tactically unwise but not morally bad, and even then it's considered in poor taste to dwell on their tactical unwisdom as the most significant aspect of the incident.

But in this case, surely that principle should argue in favour of the real culprit being considered the spammer, rather than the ISP who failed to stop one of their customers behaving antisocially?

I wonder, actually, if this isn't a recurrence of the same problem that used to be solved using identd. If I'm a site with many users and one of them misbehaves before I can stop them, then people dealing with me have to block my whole site for their own protection – unless I give them enough information to distinguish my users from each other, in which case it becomes feasible for them to only block the misbehaving user. Does anyone still use identd these days?

Reply | Thread



from: nonameyet
date: 9th Jun 2012 07:54 (UTC)

I still use identd on our mailserver (and only exempt one host because
it will time out).

There are three users recorded in the headers of the 1400+ messages in my inbox:
the sending mail daemon on our workstations sending mail to our smarthost,
the RT user on our helpdesk system,
and the user sending Mike Cardwell's Email Privacy Tester emails.

These aren't necessarily responses to identd queries from my server - some are responses on previous hops.

Reply | Parent | Thread

Phillip Baker

from: phillipbaker
date: 5th Dec 2012 02:09 (UTC)

Realise this is an old post but have stumbled upon your LJ through googling for something totally unrelated and then wound up reading other things as we're both in the same industry.

Just thought that I'd mention that this gave me the most wonderful bout of Schadenfreude. How fun that someone at Microsoft should get a taste of what their Hotmail team inflict on systems admins around the globe who have to put up with complaints from end users about not being able to mail hotmail addresses because Hotmail has blacklisted an outbound relay after a customer got exploited and relayed a load of junk through it and be faced with a "computer says no" response. Delicious. May it happen once a week until the end of time, or until Hotmail Postmaster start engaging brain, whichever comes first.

Reply | Thread