Speaking at the 2008 MySQL Conference & Expo

January 3rd, 2008

I’ve had one session accepted at the 2008 MySQL Conference & Expo (which is a good thing since I only submitted one session for nomination).

This year’s session is titled How to be Normal, a Guide for Developers. I decided to return to my old Normalization talk, but lean more towards the practical than the theoretical this year and work on common scenarios faced by developers rather than walk a person through the normal forms like I have previously done.

Here’s the abstract I’ll be sending in to replace the ugly one I submitted with:

At some point in every software project involving a database it becomes necessary for the developers who created (or inherited) the project to step back and take a look at their database. Many projects have a database schema that has evolved over time, with columns added here and tables added there, increasing complexity and often adding redundancy. Super-tables grow with more and more columns making ALTERs slow and backups difficult.

In this session MySQL author and speaker Mike Hillyer will guide the audience through the principles of database normalization and review some common normalization scenarios encountered by many application developers.

Topics include:

  • What is normalization and what are its benefits?
  • What are the normal forms?
    • First Normal Form
    • Second Normal Form
    • Third Normal Form
    • And so on…
  • Normalization Scenarios
  • Relationships and Joins
  • How Much is Too Much?

This session is intended for a beginner to intermediate audience and is applicable to developers and administrators who deal with database design.

The Normalization talks are always well received and cover important principles. Hopefully, if you’re at the conference, you can come in and participate.

Moving My MySQL Related Posting

November 12th, 2007

I’ll be posting all my new MySQL related content here in an effort to create a single point for all my technical and non-personal content.

Spam Filtering and Common Carrier Status

October 18th, 2007

The Ferris Research blog has an entry on ISPs and whether spam blocking is at odds with the common carrier status that seems to protect them from certain liabilities:

This debate is happening again. Thanks to the good work done by MAAWG and others, ISPs are being encouraged to set up outbound spam filtering, to prevent virus-infected PCs sending spam from their networks and to encourage users to clean their infected machines by use of a walled garden. Naturally, some are expressing concern that such discrimination would count as another chink in their common carrier armor.

It’s time for the FCC and similar regulators in other countries to step up and make it clear that such genuinely useful — some would say essential — discrimination would not affect an ISP’s common carrier status.

I personally don’t think that ISPs should risk their common carrier status for filtering mail, but not because spam filtering is useful, instead because such filtering does not occur at the network level.

Let’s say a spam message enters the network of my ISP: the ISP does not block the packets containing the spam message at the edge of the network, instead the spam message is delivered without discrimination to the ISP’s mail server. The ISP’s mail server then filters the message and if the message is not spam the ISP will later deliver the message to my mail client across their network, again without discrimination.

It is the ISP’s network that acts as a carrier, not their mail servers. Even on the outbound side, it would be ISPs filtering mail entering their mail servers from inside the network for external delivery. In every case the network itself would just be carrying packets containing the messages to the appropriate mail servers.

Mail Filters Are Apolitical

October 15th, 2007

Recently Digg linked to an article titled ‘Comcast Caught Filtering Political E-Mails’.

The short version is that an online special interest group noticed that they were having issues with mail not being delivered when sent to Comcast addresses. They then worked their way through the Comcast abuse department to finally find that Symantec’s Brightmail was filtering on their domain name and identifying all their messages as spam. The cause for the block? 46,000 complaints filed against messages that contained the domain name of the special interest group. Symantec, once contacted, was quick to remove the domain from its filters.

There are a few lessons to be learned here about filtering and deliverability. First, let’s look at some quotes from the article:

Disturbingly, Comcast did not notify us of this block.

Lesson One: There are no humans involved in the filtering process at an ISP. The filtering systems do not bring a message to an operator’s attention for a decision on whether or not a message is spam. Systems look at messages that users flag as spam and look for commonality, such as a domain name or key words and phrases. Odds are good your domain name was flagged by an automated system that never informed a human being about the addition to the database, especially not at Comcast. Comcast licenses the Brightmail technology and the last thing they want is a steady stream of new keywords and domains that are being blocked since they would not have the manpower to monitor it and wouldn’t know what to do with the data even if they did.

During the day on Friday we escalated our threats to flood Comcast’s executives with phone calls and cancellations, and we gave them deadlines. … Symantec was working for Comcast, and Comcast could insist that they shape up, or drop them. But Comcast wasn’t interested in doing that.

Lesson Two: ISPs don’t care about senders, they care about their customers. Their executives care even less about senders than their abuse department. Even if they had someone watching a stream of blocked domains and keywords, they are not worried that a given sender is having trouble getting a message through until it’s a problem for their customers (and more specifically, a large percentage of their customers). ISPs know that their customers are more likely to complain about spam getting in than newsletters staying out.

Could we see two or three, or even one, of those 46,000 complaints? No, and Comcast claimed that Symantec wouldn’t share them with Comcast either.

Lesson Three: There are a certain number of ISPs that do share complaint information through Feedback Loops (FBLs). Generally FBLs are provided by webmail providers in the form of notification emails that let you know one of their customers has marked your message as spam. A reputable sender should be subscribed to every FBL service they can get their hands on, so they know when their mail is being complained against and so they can remove those who complain from all future mailings. Without being subscribed to FBLs you cannot get access to complaint data.

The other thing to keep in mind is that the complaints may not have come from Comcast users, since they are not a webmail provider, and Symantec would not have the permission of the ISPs from which they collect complaint data to share that complaint data externally.

By the time Comcast had passed the buck to the company that it was paying to filter its customers Emails, Brad Blog had posted an article about the situation and urged people to complain to Comcast.
http://www.bradblog.com/archives/00001602.htm

Brad quickly added Symantec phone numbers to the story on his website, and we called Symantec’s communications department, which fixed the problem in a matter of minutes.

Lesson Four: Use proper channels to resolve issues. The ISPs and filtering providers will not respond to threats or campaigns and they certainly have effective means at their disposal to ignore mass attempts to sway them. Instead, follow the procedures and channels in place for complaint resolution, stay friendly and you should see results.

Comcast effectively censors discussion of particular political topics, and impedes the ability of people to associate with each other, with absolutely no compulsion to explain itself. There is no due process. A phrase or web address is tried and convicted in absentia and without the knowledge of those involved.

Lesson Five: Mail filtering is apolitical, and it is not performed in a court of law. Filtering is performed in a computer system by automated scripts without bias. If you trip the filters, your message ends up in a bulk folder or is not delivered; it’s as simple as that. The goal is to impede the flow of spam arriving in the inboxes of the customers of the ISP, not to limit communication from non-spammers.

Well, we have no evidence to suggest that these 46,000 complaints actually exist, but we can be fairly certain that if they do, they were generated by someone politically opposed to our agenda. There’s simply no possible way that we’ve accidentally annoyed 46,000 random people with stray Emails and mistyped addresses.

Lesson Six: The spam complaints are not limited to typo addresses; they also come from people who did not bother to click your unsubscribe link (you have an unsubscribe link, right?) and found it easier to just mark your mail as spam to ensure they did not have to see it again.

Lesson Seven: Use double opt-in. When visiting the site of the special interest group, I was able to sign myself up for their newsletter without clicking on a link in a confirmation email. This means that a malicious individual could easily script a system to submit thousands of addresses into their site without the consent of those being subscribed. When the first mailing goes out, a good percentage of those unsuspecting subscribers would mark the message as spam, and would do so again and again as the group sends out fresh campaigns. Any sender not using double opt-in confirmation emails is setting themselves up for attacks on their email reputation by malicious individuals.
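The confirmation step Lesson Seven calls for, sketched as an added example (this is not code from the site or the article discussed): a signup only records a pending address and issues a signed, expiring token for the confirmation link, and campaigns read only from the confirmed set. The class name, the key and the 48-hour lifetime are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: really loaded from a secret store
TOKEN_TTL = 48 * 3600                 # assumption: links expire after 48 hours

class SubscriberList:
    """Double opt-in: an address is mailable only after its owner confirms."""

    def __init__(self):
        self.pending = {}       # address -> time the confirmation mail was sent
        self.confirmed = set()  # the only addresses campaigns may go to

    def _sign(self, address, issued):
        msg = f"{address}|{issued}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def request(self, address, now=None):
        # Web-form signup. Returns the token for the confirmation link, or
        # None when no new mail should go out (already confirmed, or one is
        # outstanding), so a script cannot make the form mail someone repeatedly.
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        sent = self.pending.get(address)
        if address in self.confirmed or (sent is not None and now - sent < TOKEN_TTL):
            return None
        self.pending[address] = now
        return f"{now}.{self._sign(address, now)}"

    def confirm(self, address, token, now=None):
        # Called when the link in the confirmation mail is clicked.
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        try:
            issued_s, sig = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return False
        if address not in self.pending or now - issued > TOKEN_TTL:
            return False
        if not hmac.compare_digest(sig.encode(), self._sign(address, issued).encode()):
            return False
        del self.pending[address]
        self.confirmed.add(address)
        return True

    def recipients(self):
        return sorted(self.confirmed)
```

The signup page should show the same response whether `request` returns a token or `None`, so the form does not reveal which addresses are already subscribed.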

Above all, though, this is a First Amendment issue, as is well laid out in this excerpt of a statement released today by People-Link.org, the organization hosting the www.afterdowningstreet.org site:

“This goes far beyond the normal anti-spam measures taken by major providers and represents an effective blocking of constitutionally protected expression and the fundamental right to organize and act politically on issues of concern.

“Most spam blocking measures focus on the email address or the IP address of the suspected spammer. While there are anti-spam measures directed at the body of the email, these usually target attachments that could contain virus programs.

“Targeting the inclusion of a website url can only have one outcome: that communications about that website and the issue it is presenting will be blocked from large numbers of people and that the communications from that site’s administrators and the campaign’s organizers will not reach their full constituency.

“Whether Comcast’s intention or not, this is effectively political and unconstitutional.

Lesson Eight: Filtering occurs on a number of levels. It includes the IP address of the sending MTA, the email address of the sender, the content of the subject line, attachments and it most certainly includes the body of the message. A virus scanner may pay specific attention to attachments, but a spam filter could not do its job without going over the body of the message in detail.

Yes, filtering on a domain name will keep people from hearing about that web site and its message, but we need to remember that the same rule applies to a political special interest group’s site as it does to buyviagra.com (yet nobody seems to get in an uproar about filtering of mail regarding the latter).

In the end, this is not political, it’s the same filtering that happens every day. It’s also not unconstitutional since this is a private service being provided to Comcast’s customers.  Finally, remember that computers are inherently stupid and thus Hanlon’s Razor comes into play:

Never attribute to malice that which can be adequately explained by stupidity.