Mailing List Archive

Re: SORBS?!
On 4/6/12 9:49 AM, George Herbert wrote:
> This seems like a very 1999 anti-spam attitude.
>
> I have been doing anti-spam a long long time - literally since before
> Canter and Siegel (who I had as customers...) and
> before jj@cup.portal.com.
>
> It's not 1999 anymore. Patrick is not the enemy. Your attitude is
> worrying. The "I am not responsible for who uses the blacklist or
> what that means" isn't good enough anymore.


I know he's not the enemy. Hate the idea that he would be.

The only reason why I responded the way I did, was because I sit here,
watching everyone talk about how SORBS is bad this, how they are bad
that, how they need to change this, and how they need to change how they
operate to their guidelines, not SORBS's guidelines.

It's not directed at Patrick. I just got the feeling like he was saying
it's okay for these people to dictate how SORBS operates.

Like it's been said, DNSbl's have a right to run as they see fit, and
handle removals as they see fit. Just like every ISP has the right to
run their network as they see fit, and refuse to remove spamming
customers and deal with network abuse.

I've been working on variations of the AHBL since 1998 or so under
different names, so if I seem 'old school' in my beliefs how the DNSbl
is run, that's probably why.

Reality is, people use a DNSbl how they see fit. I can't really control
that without restricting access, requiring payments or registration,
etc. I gave up years ago trying to tell people how not to use it, since
no one actually listens.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
Re: SORBS?!
On 4/6/12 10:02 AM, Michael Thomas wrote:
>
> I wonder how long a popularish blacklist operator would last if they,
> oh say, blacklisted all of google or microsoft before they got some
> very threatening letters from their legal staff. An hour? A day? A week?
>
> You may have the right to list them and change your mind in your own
> good time, but they also have the right to defend their reputation civilly
> too. With great power comes great responsibility and all that.

Slippery slope.

For large providers who depend a lot on spam filters, that's one huge door
to open that could get very ugly very quick in the reverse path.
Imagine every ISP suing hotmail and google for blocking messages for
arbitrary reasons with no apparent justification.

What's good for the goose is good for the gander.

There's also USC 47,230 to contend with.




--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
Re: SORBS?!
On Fri, 06 Apr 2012 09:55:35 -0400, Drew Weaver said:
> That is again, not true.
>
> Senderbase's listings don't correlate to any public information so it's pretty
> much impossible to pro-actively protect ourselves from having our IPs set to poor.

You missed the point - if it was industry standard practice, reputation lists
at Senderbase, Spamhaus, and SORBS would *all 3* be out of business, because
the average spammer's lifespan at a provider would be less than the time it
takes the average reputation list to put up an entry.
Re: SORBS?!
On 04/06/2012 09:17 AM, Brielle Bruns wrote:
> On 4/6/12 10:02 AM, Michael Thomas wrote:
>>
>> I wonder how long a popularish blacklist operator would last if they,
>> oh say, blacklisted all of google or microsoft before they got some
>> very threatening letters from their legal staff. An hour? A day? A week?
>>
>> You may have the right to list them and change your mind in your own
>> good time, but they also have the right to defend their reputation civilly
>> too. With great power comes great responsibility and all that.
>
> Slippery slope.
>
> For large providers who depend a lot on spam filters, that's one huge door to open that could get very ugly very quick in the reverse path. Imagine every ISP suing hotmail and google for blocking messages for arbitrary reasons with no apparent justification.
>
> What's good for the goose is good for the gander.
>
> There's also USC 47,230 to contend with.
>

It's more of an arms race than a slippery slope, but my point is that a
big enough company would absolutely respond if they felt a big enough
blacklist was being capricious in a way that was affecting their making
money.

I sympathize with "my blacklist, my donated time, my rules", but when
you're affecting their business, you better get it right and better respond
reasonably when the inevitable screwups happen. The one absolute right you
have is to not be in the blacklist business (paid or not) at all. Beyond that,
you have responsibilities too, and it would be best for everybody to not
take them lightly causing the entire thing to get escalated to the legal
domain where everybody most likely loses.

Mike
Re: SORBS?!
On Fri, Apr 6, 2012 at 7:31 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
> That's just not true, we would much rather be notified of
> something that a reputation list finds objectionable and take
> it down ourselves than have Senderbase set a poor
> reputation on dozens of IaaS customers.

I think the idea is that you're supposed to proactively monitor your
systems for abuse and generally make your network inhospitable to
spammers, not just reactively move the customer to a new IP address
when the unpaid anti-spammers kindly let you know you've been
detected.

Personally I see SORBS as the canary in the coal mine. Except for the
DUHL (which identifies dynamic IPs, not spamming activity) nobody
serious relies on SORBS' data. So, it doesn't much hurt when they list
you. But, like the canary that dies first if the air turns bad, if
you're careful to watch SORBS you know when you're headed for problems
which will get you listed by a real RBL.

Regards,
Bill Herrin



--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
RE: SORBS?!
So you're suggesting that hosting companies do what?

How many emails or port 25/587 connections a (day, week, hour) makes someone a spammer if there are no objections being lodged at the abuse department?

Are we supposed to do DPI on every email that a dedicated server sends out and then decide whether it's spam?

My point is if a list has a problem with a /32 they could have the courtesy to contact the ISP/host prior to causing huge problems for a /24

I'm not sure what more can be done than having an abuse department staffed up and checking all published data before accepting a customer.

And I'm mostly just complaining about senderbase, because they seem to be the one that really large companies reference.

Thanks,
-Drew


-----Original Message-----
From: wherrin@gmail.com [mailto:wherrin@gmail.com] On Behalf Of William Herrin
Sent: Friday, April 06, 2012 12:56 PM
To: Drew Weaver
Cc: nanog@nanog.org
Subject: Re: SORBS?!

On Fri, Apr 6, 2012 at 7:31 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
> That's just not true, we would much rather be notified of something
> that a reputation list finds objectionable and take it down ourselves
> than have Senderbase set a poor reputation on dozens of IaaS customers.

I think the idea is that you're supposed to proactively monitor your systems for abuse and generally make your network inhospitable to spammers, not just reactively move the customer to a new IP address when the unpaid anti-spammers kindly let you know you've been detected.

Personally I see SORBS as the canary in the coal mine. Except for the DUHL (which identifies dynamic IPs, not spamming activity) nobody serious relies on SORBS' data. So, it doesn't much hurt when they list you. But, like the canary that dies first if the air turns bad, if you're careful to watch SORBS you know when you're headed for problems which will get you listed by a real RBL.

Regards,
Bill Herrin



--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Re: SORBS?!
On 4/6/2012 12:35 PM, Michael Thomas wrote:
> On 04/06/2012 09:17 AM, Brielle Bruns wrote:
>> On 4/6/12 10:02 AM, Michael Thomas wrote:
>>>
>>> I wonder how long a popularish blacklist operator would last if they,
>>> oh say, blacklisted all of google or microsoft before they got some
>>> very threatening letters from their legal staff. An hour? A day? A
>>> week?
>>>
>>> You may have the right to list them and change your mind in your own
>>> good time, but they also have the right to defend their reputation
>>> civilly too. With great power comes great responsibility and all that.
>>
>> Slippery slope.
>>
>> For large providers who depend a lot on spam filters, that's one huge
>> door to open that could get very ugly very quick in the reverse path.
>> Imagine every ISP suing hotmail and google for blocking messages for
>> arbitrary reasons with no apparent justification.
>>
>> What's good for the goose is good for the gander.
>>
>> There's also USC 47,230 to contend with.
>>
>
> It's more of an arms race than a slippery slope, but my point is that a
> big enough company would absolutely respond if they felt a big enough
> blacklist was being capricious in a way that was affecting their making
> money.
>
> I sympathize with "my blacklist, my donated time, my rules", but when
> you're affecting their business, you better get it right and better
> respond reasonably when the inevitable screwups happen. The one absolute
> right you have is to not be in the blacklist business (paid or not) at
> all. Beyond that, you have responsibilities too, and it would be best for
> everybody to not take them lightly causing the entire thing to get
> escalated to the legal domain where everybody most likely loses.

What grounds would these large senders have to file any legal objections
against an RBL?

RBLs don't block emails. Operators of mail servers who use RBLs block
emails (in part) based on information from RBLs.

No one has a "right" to send email to anyone else. Email is a
cooperative agreement between sender and receiver. The receiver agrees
to accept the email, but at any time and for any reason the receiver can
stop agreeing to accept emails from a sender. It is completely legal to
decide not to accept (i.e. block) emails from a sender.

RBLs are not beholden to senders. RBLs are beholden to the receivers
who use their RBL to preserve the quality of the RBL. RBLs are a
meritocracy. If an RBL either lists too many valid senders or does not
list enough bad senders, then receivers will notice and stop using the
RBL on their servers.

-DMM
Re: SORBS?!
On Fri, Apr 6, 2012 at 8:48 AM, <Valdis.Kletnieks@vt.edu> wrote:
> If it was industry-wide standard practice that just notifying a provider resulted
> in something being done, we'd not need things like Senderbase, which is after
> all basically a list of people who don't take action when notified...
>
[snip]
Pot calling the kettle black. Before we talk about industry-wide
practice about the providers "doing something", we should talk about
industry-wide practice for "Black lists" doing something to correct
entries, instead of just building up indiscriminate or irresponsibly
maintained lists of networks or "scores" of networks that were
targeted by a spammer at one time in the past.

It's just as bad for a blacklist operator to not respond and "do
something" for a network operator legitimately trying to resolve spam
problems with their network and clear the listing as it is for a
network abuse contact to not respond to a network operator.

We should talk about industry-wide practices for how providers should
be notified, what providers are actually supposed to do to "authenticate
reports", because sometimes the report/notification itself is malicious
or false abusive attempt to harass an innocent email user, and what
exactly providers are actually expected to do with certain kinds of
notification.

The informal standard of "just call or send an e-mail to an abuse
contact" is poorly specified. The informal standard of "the abuse
contact should investigate and take immediate action" is poorly
specified.

Some of these things that are not specified by RFC should be specified
by RFC as best practice. There should be abuse notification and response
notification mechanisms other than free form e-mail.

--
-JH
Re: SORBS?!
On Fri, Apr 6, 2012 at 1:01 PM, Drew Weaver <drew.weaver@thenap.com> wrote:
> So you're suggesting that hosting companies do what?

I believe I'm suggesting you use SORBS as your canary in the coal mine
and otherwise ignore them.

But if you're asking what hosting companies could do to proactively
prevent spamming and make their systems inhospitable to spammers, I
might start with blocking non-local outbound TCP 25 by default. Then
have the customer fill out and sign a form. Spell out your bulk email
policies, have the customer specify which of their IPs will originate
email and have them send the form to you signed via U.S. Mail. No
"proof" or other major hoops, just sign and mail the form.

Unless you're *trying* to run a "bulletproof hosting" system, you'll
find the customers who intentionally spam would prefer to stay under
the radar. Forcing them to "out" themselves by telling you they intend
to send mail from every one of their addresses is often enough to
encourage their voluntary departure. And it's certainly enough to tell
you *which* among your thousands of customers you should watch to make
sure they're not spammers.

For the non-spamming customers, you've emphasized that running a well
secured email server is a challenge which takes more than clicking
install.exe. You haven't told them they can't, but you've spelled out
"be careful" in big, bold letters.


> And I'm mostly just complaining about senderbase, because they seem to be the one that really large companies reference.

Meh. If you catch them while they're still just annoying SORBS,
they'll never make it in to senderbase. Canary. Coal mine.

Regards,
Bill Herrin



--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
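
One way to watch a DNSBL for your own address space, as the message above suggests doing with SORBS; this is an added example, not code from the thread. The zone name `dnsbl.example.org`, the 192.0.2.0/24 block and the sample records are constructed placeholders, and the resolver is passed in so the check runs offline.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)


def query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when the lookup fails (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def listed_codes(ip, zone, resolve=system_resolver):
    """Return the 127.0.0.0/8 answers for ip; an empty list means not listed.

    Answers outside 127.0.0.0/8 are ignored: they come from a resolver that
    rewrites failed lookups, not from the list itself.
    """
    return [a for a in resolve(query_name(ip, zone))
            if ipaddress.ip_address(a) in LISTED_RANGE]


def sweep(cidr, zone, resolve=system_resolver):
    """Check every host address in cidr; return {ip: [codes]} for listed ones."""
    hits = {}
    for addr in ipaddress.ip_network(cidr).hosts():
        codes = listed_codes(str(addr), zone, resolve)
        if codes:
            hits[str(addr)] = codes
    return hits


# Constructed sample data standing in for a real list's zone.
SAMPLE_ZONE = "dnsbl.example.org"  # placeholder zone, not a real DNSBL
SAMPLE_RECORDS = {
    "25.2.0.192.dnsbl.example.org": ["127.0.0.6"],
    "77.2.0.192.dnsbl.example.org": ["127.0.0.10"],
    "80.2.0.192.dnsbl.example.org": ["192.0.2.1"],  # rewritten answer, must be ignored
}


def sample_resolver(name):
    """Offline resolver over the constructed records above."""
    return SAMPLE_RECORDS.get(name, [])


if __name__ == "__main__":
    for ip, codes in sweep("192.0.2.0/24", SAMPLE_ZONE, sample_resolver).items():
        print(ip, "listed with", ", ".join(codes))
```

Run on a schedule against the blocks you announce, a new entry in the result is the early signal to look at that customer before a more widely used list reacts.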
Re: SORBS?!
On Fri, 6 Apr 2012, Patrick W. Gilmore wrote:

>> Ever wonder why it takes time for DNSbl's to process removals,
>> sometimes very long periods? Well, someone's gotta pay for that time
>> the removal person does it (and I have yet to see a dime of
>> compensation for the time I spend).
>
> No, they don't. Many DNSBLs use self-service tools. Someone has to
> write the tool, but the rest is automated. Total cost is power & space,
> which is frequently donated (I have personally donated some myself to
> DNSBLs I thought were well run).

This depends on the DNSBL, the type of listing, and that DNSBL's policies.
Some DNSBLs, some listings, automated removal is possible and appropriate.
Sometimes it's not, and a human is needed to make the decision as to
whether a delisting request should be granted or refused.

Even when there is a path for automated removals via a web form, not
everyone will find or use that path.

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: SORBS?!
On Thu, 5 Apr 2012, Landon Stewart wrote:

> If the purpose of blacklist is to block spam for recipients using that
> blacklist then a /32 works. If the purpose of a blacklist is to annoy
> providers then a /24 works. The most reputable and useful blacklists IMHO
> are Spamhaus and Spamcop - they don't block /24s. Spamhaus sometimes does
> if your rwhois shows that a large amount of the /24 is owned by the
> offending party but generally they don't.

Spamhaus may not default to doing /24 listings for a /32 spam emitter, but
they certainly do list /24s or shorter subnets when they feel it's
appropriate. They even do "escalations" to corporate mail servers on rare
occasions when a provider appears to be complicit with spammers and
ignoring their SBLs.

The purpose thing is an interesting question though. Is the purpose of
DNSBLs simply to help admins avoid accepting spam from spammers or to
attempt to prevent spammers from operating on the internet? For most of
the DNSBLs I'm familiar with, I'd say they're trying to do both.

> Spamhaus encourages companies to resolve all the issues while only
> blocking /32s by showing all the listings under your responsibility and
> making nice to see that list empty. Pretty simple. Incidentally SORBS
> usually blocks /24s and, as far as I know, provides no way for you to
> lookup all listings under a providers responsibility (by AS or
> otherwise).

That's really either not true or an oversimplification. Spamhaus blocks
shorter than /32 pretty frequently. You could maybe argue that Spamhaus
works harder to avoid innocent collateral damage. Having not used SORBS
for many years, I couldn't say if that's true or not. The vast majority
of my recent years interactions with SORBS have been trying to get
inappropriately listed IPs removed from their DUHL.

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: SORBS?!
On Thu, Apr 05, 2012 at 06:45:30PM +0100, Nick Hilliard wrote:
> On 05/04/2012 17:48, goemon@anime.net wrote:
> > But they will care about a /24.
>
> I'm curious as to why they would want to stop at /24. If you're going to
> take the shotgun approach, why not blacklist the entire ASN?

It's a balancing act. Too little collateral damage and the provider
hosting the spammer isn't motivated to act. Too much collateral
damage, and no one uses your blacklist because using it generates too
many user complaints, and then your list doesn't motivate anyone to do
anything because there's no real downside to being on the list. Just
the right amount of collateral damage, and your list gets widely used,
and causes enough pain on the other of the /24 that they clean things
up.

I'm not arguing for or against any particular amount of collateral
damage. Just commenting on the effects of varying amounts of
collateral damage.

-- Brett
Re: SORBS?!
Jimmy Hess wrote:
>
> On Fri, Apr 6, 2012 at 8:48 AM, <Valdis.Kletnieks@vt.edu> wrote:
> > If it was industry-wide standard practice that just notifying a provider
> > resulted in something being done, we'd not need things like Senderbase,
> > which is after all basically a list of people who don't take action
> > when notified...
> >
> [snip]
> Pot calling the kettle black. Before we talk about industry-wide
> practice about the providers "doing something", we should talk about
> industry-wide practice for "Black lists" doing something to correct
> entries, instead of just building up indiscriminate or irresponsibly
> maintained lists of networks or "scores" of networks that were
> targeted by a spammer at one time in the past.

Sorry, but blocklists _came_into_existence_ ONLY because of large numbers
of providers *ignoring* the problems their networks were causing the
rest of the world.

The very existence of 'widely used' blocklists is a damning indictment of
the entire services provider industry. _Everybody_, including the major
blocklist operators, would prefer that blocklists were _not_ needed -- that
all providers would simply 'do the right thing', and insure that their users
did =not= abuse other people's systems.

Were that pipe-dream to come to pass, the major blocklists would *happily*
shut down. They are all 'money sinks', operating at a loss, 'for the good
of the community as a whole'.

Before blocklists, 'policing your own network' was a pure expense item
with no return. _Not_ policing one's own users *added* to profitability.
There was no 'business incentive' to be a "good neighbor".

With the advent of blocklists, providers have an 'economic self interest'
justification in remaining out of the major/widely used ones. It is still
an expense item, but "not doing anything" costs _more_ in 'lost revenues'.

It is a sad comment on the state of affairs that _all_ the major providers
have repeatedly demonstrated they simply "cannot be trusted to 'do the right
thing'" *without* a loaded gun held to their heads -- but that *is* the
reality of today's marketplace.

Today, for any of the major spam-based blocklists, a single entry consisting
of more than a single address is indicative of a _failure_ of a provider's
self-policing. It is the height of hubris for a provider to 'demand' (or
even 'expect') prompt/immediate response from a blocklist, *when* the
provider 'demonstrably' couldn't be bothered to act that way themselves.
(What's 'sauce for the goose' _is_ sauce for the gander. :) IF the provider
had been actively self-policing, the blocklist entry would not have been
escalated to larger than the single offending address.

Yes, it would be "nice" if everybody responded promptly; but, in the real
world, that simply doesn't happen -- on either side of the fence. I
once got an ack about a spam complaint *over*five*months* after sending it.
(For 'some strange reason', that provider is no longer in business. Thank
goodness!)

> It's just as bad for a blacklist operator to not respond and "do
> something" for a network operator legitimately trying to resolve spam
> problems with their network and clear the listing as it is for a
> network abuse contact to not respond to a network operator.

This is provably not true.

There is no recourse/remedy for an unresponsive network operator. The
'network abuse' continues to flow, _unabated_, from that network.

A blocklist, on the other hand, tends to be self-regulating. If it is
not responsive to changing conditions, especially the 'cleaning' of formerly
'bad reputation' addresses/blocks, it generates an 'unacceptably high'
number -- as determined by its USERS, not the senders -- of 'false positive'
evaluations, *whereupon* increasing numbers of users =stop= using that
service. Resulting in an automatic _lessening_ of the impact of being
listed on that blocklist.

See the APEWS list for a 'textbook' demonstration of this self-regulation
in action.

> We should talk about industry-wide practices for how providers should
> be notified, what providers are actually supposed to do to "authenticate
> reports", because sometimes the report/notification itself is
> malicious or false abusive attempt to harass an innocent email user,
> and what exactly providers are actually expected to do with certain kinds
> of notification.
>
> The informal standard of "just call or send an e-mail to an abuse
> contact" is poorly specified. The informal standard of "the abuse
> contact should investigate and take immediate action" is poorly
> specified.
>
> Some of these things that are not specified by RFC should be specified
> by RFC as best practice. There should be abuse notification and response
> notification mechanisms other than free form e-mail.

It would appear that you are not familiar with RFC 5965.
Re: SORBS?!
Brielle Bruns wrote:
> Unfortunately, the apathy of providers, backbones, and network operators
> in general have created an environment that the almighty buck rules
> everything.

I totally agree with pretty much everything in this email.

I also agree that blocking whole /24 or bigger when spam has been
detected to come from such a block is more often than not a necessity.
It's very unlikely to see 1 abuser in between an otherwise perfectly
behaving network neighbourhood.

Greetings,
Jeroen


--
Earthquake Magnitude: 5.5
Date: Friday, April 6, 2012 19:24:11 UTC
Location: Kepulauan Mentawai region, Indonesia
Latitude: -3.3944; Longitude: 100.4205
Depth: 1.00 km
Re: SORBS?!
On Fri, Apr 6, 2012 at 8:13 PM, Jeroen van Aart <jeroen@mompl.net> wrote:
> Brielle Bruns wrote:
> to come from such a block is more often than not a necessity. It's very
> unlikely to see 1 abuser in between an otherwise perfectly behaving network
> neighbourhood.

That's kind of vague to say it's "unlikely to see 1 abuser". What is
the probability that more IPs in the same /24 are likely to harbor
abusers, given that you have received abuse from one IP?

And how have you discovered this?
(What is the criteria used to determine that it is unlikely, and what
is your source of the information?)

Are you assuming that if you've seen the abuse, that you probably
weren't the first victim, that the ISP has probably already been
notified by someone else, that they have likely had a reasonable amount
of time to put a stop to the abuse, and that they failed to do so?

There is the one good case where a single abuser has a dynamic IP address;
but it's not a safe assumption that they will live in the same /24
next time the abuser dials in.

So not only does listing an entire /24 list innocent users' IP addresses,
it also does not necessarily effectively list the one abuser.

--
-JH
Re: SORBS?!
i don't think anyone would miss sorbs if it was gone, dare i say it not even
a single person

On Fri, Apr 6, 2012 at 9:48 PM, Jimmy Hess <mysidia@gmail.com> wrote:

> On Fri, Apr 6, 2012 at 8:13 PM, Jeroen van Aart <jeroen@mompl.net> wrote:
> > Brielle Bruns wrote:
> > to come from such a block is more often than not a necessity. It's very
> > unlikely to see 1 abuser in between an otherwise perfectly behaving
> > network neighbourhood.
>
> That's kind of vague to say it's "unlikely to see 1 abuser". What is
> the probability that more IPs in the same /24 are likely to harbor
> abusers, given that you have received abuse from one IP?
>
> And how have you discovered this?
> (What is the criteria used to determine that it is unlikely, and what
> is your source of the information?)
>
> Are you assuming that if you've seen the abuse, that you probably
> weren't the first victim, that the ISP has probably already been
> notified by someone else, that they have likely had a reasonable amount
> of time to put a stop to the abuse, and that they failed to do so?
>
> There is the one good case where a single abuser has a dynamic IP address;
> but it's not a safe assumption that they will live in the same /24
> next time the abuser dials in.
>
> So not only does listing an entire /24 list innocent users' IP
> addresses, it also does not necessarily effectively list the one abuser.
>
> --
> -JH
>
>
Re: SORBS?!
On Fri, 06 Apr 2012 20:48:44 -0500, Jimmy Hess said:

> That's kind of vague to say it's "unlikely to see 1 abuser". What is
> the probability that
> more IPs in the same /24 are likely to harbor abusers, given that you have
> received abuse from one IP?

It's similar to piranhas or cockroaches - they can't be found everywhere, but
if you spot one in a location, there's a near certainty that there's plenty more
in the area.

Or if you don't like that, you can run a simple Monte Carlo simulation. Assume
256 customer slots, and that initially, there is a 3% chance that the next
customer to arrive is evil. Also add a feedback - each time you terminate an
evil customer in less than the average arrival time, the chance the next
customer is evil is cut by 10% of the current value. Each time an evil
customer is allowed to last 3 times the average arrival time, the chance of an
evil customer goes up 10%. Simulate for various termination times for
evil customers.

Are there any steady-state solutions where the *average* number of evil
users is one? Or does it decay down towards zero or upwards towards
a high number?
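
The simulation described in the message above, written out as an added example; it is not part of the original post and not its author's code. The tick-based clock, the fixed takedown delay, the churn rule for a full /24 and the cap on the probability at 1.0 are assumptions made here to fill in what the post leaves open.

```python
import random
from collections import deque

SLOTS = 256          # customer slots, from the post
P_EVIL_START = 0.03  # initial chance that an arriving customer is evil, from the post


def simulate(term_time, arrival=10, ticks=200_000, seed=1):
    """Run one simulation; return (mean evil customers per tick, final p_evil).

    Assumptions added for this example:
    - time advances in ticks and a customer arrives on each tick with
      probability 1/arrival, so `arrival` is the average arrival time;
    - every evil customer is terminated exactly `term_time` ticks after arriving;
    - good customers stay until all slots are taken, then the next arrival
      replaces one of them; if every slot is evil the arrival is turned away.
    """
    rng = random.Random(seed)
    p_evil = P_EVIL_START
    good = 0
    evil_deadlines = deque()  # termination tick of each evil customer, oldest first
    evil_ticks = 0            # evil customers present, summed over all ticks

    for now in range(ticks):
        # Terminate evil customers whose time is up and apply the feedback.
        while evil_deadlines and evil_deadlines[0] <= now:
            evil_deadlines.popleft()
            if term_time < arrival:
                p_evil *= 0.90                    # quick takedown: cut by 10%
            elif term_time >= 3 * arrival:
                p_evil = min(1.0, p_evil * 1.10)  # slow takedown: raise by 10%

        # Possibly admit a new customer on this tick.
        if rng.random() < 1.0 / arrival:
            full = good + len(evil_deadlines) >= SLOTS
            if full and good > 0:
                good -= 1   # churn: a good customer makes room
                full = False
            if not full:
                if rng.random() < p_evil:
                    evil_deadlines.append(now + term_time)
                else:
                    good += 1

        evil_ticks += len(evil_deadlines)

    return evil_ticks / ticks, p_evil


def sweep(term_times, arrival=10):
    """Simulate each takedown delay; return {term_time: (mean_evil, final_p)}."""
    return {t: simulate(t, arrival=arrival) for t in term_times}


if __name__ == "__main__":
    # Takedown delays from half the average arrival time up to 20 times it.
    for t, (mean_evil, p) in sweep([5, 10, 20, 30, 50, 200]).items():
        print(f"term_time={t:>4}  mean evil={mean_evil:8.3f}  final p_evil={p:.5f}")
```

Under these assumptions the feedback pushes one way for any given takedown delay: quick takedowns drive the evil population toward zero, slow ones drive the arrival probability to its cap so the population settles near `term_time / arrival` (3 or more), and the band in between holds at about `0.03 * term_time / arrival`, so no sampled delay averages one evil customer.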
Re: SORBS?!
On 07/04/12 05:11, David Miller wrote:
>
>
> RBLs don't block emails. Operators of mail servers who use RBLs block
> emails (in part) based on information from RBLs.

If only one could convince end-users of this fact. More often than not,
end-user simply sees the company that they pay to provide them with
email service, unable to provide it.

>
> No one has a "right" to send email to anyone else. Email is a
> cooperative agreement between sender and receiver. The receiver agrees
> to accept the email, but at any time and for any reason the receiver can
> stop agreeing to accept emails from a sender. It is completely legal to
> decide not to accept (i.e. block) emails from a sender.

Absolutely true. Of course, for the vast majority of end-users, they're
simply expecting to be able to exchange email with anyone that has an
email address. There's no connection between the end user, their local
mail service providers administrators, and the decisions they make about
who they'll exchange email with. Nevermind trying to make connections
between mail service providers...

>
> RBLs are not beholden to senders. RBLs are beholden to the receivers
> who use their RBL to preserve the quality of the RBL. RBLs are a
> meritocracy. If an RBL either lists too many valid senders or does not
> list enough bad senders, then receivers will notice and stop using the
> RBL on their servers.
>
Or receivers will be oblivious, and simply not care. (They don't know
what they're not receiving).

Consider an MSP with say, 1 Million mailboxes.
What proportion of those customers are going to need to be affected by a
poor RBL-based decision,
and what proportion of those are going to be motivated to complain,
and what proportion of those are going to get the attention of the right
people,
and what proportion of those will count for enough that the relevant
beancounters see fit to change their RBL usage?

Whilst I'm sure there's some players out there bucking the trend, the
reality is that the senders MSP wind up carrying a lot of the cost; they
have to find an out-of-band method of engaging the receiving MSP,
advising them of the predicament, and justifying some sort of exception;
they also obviously have to be seen to try to get off the RBL (and we've
seen how hard SORBS, notably, make this) and the receiving ISP can fall
back on the 'well everyone else is fine, so the vast majority of our
expected inbound email is fine, why should we care about you, and change
our behavior because of it?' .... Sending MSP then has to try to
explain the reality to their customer, and risk losing business because
their competitor isn't (right now) having the same problems...

Bottom of my rambly-line is that as a major point of issue with your
post; you're posting the position of the Network or Mail Service
Operator as it 'should' be, but not indeed how it actually is, in practise.

(And FWIW I agree with the poster who pointed out that RBL's would be
unnecessary if network operators took responsibility for the behavior of
their networks (ala their customers). The small players are usually
pretty damn good. It seems that the bigger you get, the less you care
about issues that affect a smaller proportion of your scale.)

Which probably explains the attitude that several of the big players
take around rejecting email due to obscure reasons...

Mark.
Re: SORBS?!
> i don't think anyone would miss sorbs if it was gone, dare i say it not
> even a single person

while i would not dispute what you think you think, i think you are
thinking quite incorrectly

randy
