On Thu, 2021-01-21 at 16:20 +0000, Gregory Heytings via mailop wrote:
> > First off, I'm subscribed to this list, there is no need to email me AND
> > the list.
> >
>
> Sorry, I was just honoring the "Reply-To:" header set by the list.
>
> > > It's what they themselves say: they changed their formula two days ago,
> > > and because of this thousands of IP addresses that were not listed are now
> > > listed. See http://www.uceprotect.net/en/index.php?m=12&s=0 .
> >
> > I know they did that change, I support it just like I think the PBL is a
> > good thing. Are you saying they should be prohibited from making that
> > change?
> >
>
> The point is not whether they should be prohibited from doing this, the
> point is whether it's a right thing to do. And yes, I do think it is
> wrong to blacklist tens of thousands of IPs because a few of them (less
> than 1%) misbehaved, and to ask the other 99% to pay to be whitelisted.

The PBL does just that. But I think you are wrong to use the term
"blacklist", it's just a list. You could use that list as a whitelist if
you wanted to. I highly encourage you to do so. :)

> One concrete example: AS16276 has 3583744 IPs. Out of these, 2327 sent a
> spam in the last 7 days according to uceprotect. That might seem like a
> high number, but it's only 0.05% of the address space of that AS.
> Because of this all IPs of AS16276 are blacklisted.

2327 IPs from that ASN sent spam in 7 days, and you are here arguing that
is OK?!?

> (By the way, the numbers I gave in a previous email were too low an
> estimation: they actually blocked millions of IPs (see above). If only
> 0.1% of these blocked IPs paid their whitelist fee, that would mean an
> income of at least 250,000 USD/year...)

Why does 0.1% of those IPs need to send email? Do you know that even 10
of those 0.1% need to send email?

> > > That's orthogonal to the point at hand. The point is that honest
> > > customers can have their WordPress website hacked. This might indeed
> > > happen because of apathy on the part of that customer, but a server
> > > provider cannot do anything to detect customers that do not upgrade
> > > their website regularly enough. The product they sell is a bare
> > > machine in a datacenter.
> >
> > That is the problem, and it should not be a business model without
> > consequences. It's not a stretch to say those bare metal machines are
> > munitions, should they be allowed open access? Be careful what you ask
> > for.
> >
>
> AFAICS that business model, which is the one pretty much everyone uses
> (Amazon, OVH, Hetzner, ...) is the only way for smaller and medium-sized
> businesses to run a server.
>
> What other business model would you suggest? Are there existing providers
> that use the better business model you have in mind?

Yes, I can think of 4 right now, and I'm sure there are many more. One of
those 4 is in your short list above.

A few things that make those 4 providers good are 1) they act on abuse
reports, 2) they block outbound port 25 by default, and 3) they require
real ID.

-Jim P.