Domain: bondedsender.com
Stories and comments across the archive that link to bondedsender.com.
Comments · 49
-
OK, how do you recognize and filter this spam?
We went through this before, with Bonded Spammer, which wanted spam filters to let their stuff through. I dump Bonded Spammer email into a separate folder, and it's almost all spam. It looks like we'll have to set our filters to recognize this new stuff, and dump it into the "bulk" folder. So how do you check for these new guys?
-
Ironport's spam cannon box vs. Spamcop
Ironport went over to the dark side for a while, with their Bonded Spammer service and their "A-series" rackmount spam sending engines (only for "opt-in mailing", they claimed.) It got to be really embarrassing; there were sites in both the Spamcop block list and the Bonded Sender approved list at the same time.
Ironport management finally decided they couldn't play both sides of the street, sold off Bonded Spammer to ReturnPath, and discontinued the "A-series". The A-series supposedly reaches end of life at the end of 2006, so there are probably still supported Ironport engines out there spamming away. After that, the community can consider whether Ironport is a white hat or not.
-
My experiences with email sending..
I work for a financial services company who has clients who are supposed to receive emails from us related to trades. Since I manage our web presence, email deliverability is also my problem.
Here are the places to start:
Free Certification
AOL: http://postmaster.aol.com/whitelist/
Yahoo: http://add.yahoo.com/fast/help/us/mail/cgi_bulkmail
Verizon: http://www2.verizon.net/micro/whitelist/request_form.asp?id=isp
Reporting
Spamcop: http://www.spamcop.net/w3m?action=ispsignupform
Hotmail: http://postmaster.msn.com/snds/
Senderbase: http://www.senderbase.org/
Email Signing
SPF: http://www.openspf.org/
DomainKeys: http://domainkeys.sourceforge.net/
Paid Certification
Bonded Sender: http://www.bondedsender.com/
Habeas: http://www.habeas.com/
Goodmail: http://www.goodmailsystems.com/
A lot of providers outside the US have many of their own rules and regulations to follow, which makes it quite difficult to achieve deliverability. At the end of the day, we try to follow all the rules that have been laid out from existing companies and then deal with individual providers on a needs basis. The more users that use that ISP, the more we are willing to obey their individual rules.
Unfortunately, I see paid certification becoming the way of the future. If I can pay to guarantee to have my clients' email delivered rather than negotiate with ISPs every other week based on their varying criteria, I'm pretty sure my company will pay for it. I don't like it, but results are the bottom line.
-
Wait, FUD is OK if it's anti-AOL?
As long as MoveOn and other organizations practice responsible mailing list management, their delivery will be unchanged from the way it is today. So they're not fighting what they think they're fighting.
This is a whitelist that bypasses filters, not a whitelist that is the only way to get through. Bulk mailers who don't pay up will still be able to send to AOL, and can still participate in AOL's other whitelists.
And Goodmail's service isn't a matter of "pay and we'll let you in" so much as it's "pay and we'll do a background check to see if you're a spammer, and if you pass our criteria we'll put you in the fast lane." Hmm, that sounds a lot like Bonded Sender and Habeas. Remember the controversy here on /. when Hotmail started using Bonded Sender two years ago? How exactly did that play out?
But why let the facts get in the way of a good knee-jerk reaction? We like placing AOL as the big corporate enemy. They often are, of course, but in this case? It's all overreaction and misinformation stemming from mistakes in the initial press.
Check out some of the commentary at Planet Antispam to get some views from the anti-spam community. You'll be surprised to find most of them siding with AOL on this one.
-
"Bonded Spammer" was a flop. This will be, too.
Remember Bonded Spammer, Ironport's attempt to do this? They sold that business off to ReturnPath, and it's still around, but not used much.
I divert Bonded Spammer mail to a separate folder. Let's see what's in there:
- Spam from "alt.com", part of the Friendfinder spam network. Friendfinder had for a while the distinction of having the same IP address in both the SpamCop block list and the Bonded Sender allow list, both run by Ironport.
- Spam from Movies Unlimited Video, but only one, and I did buy something from them once, a long time ago.
- Spam from Bebo. Lots of it, all because Bebo doesn't use double opt in to verify e-mail addresses.
- An "invitation" from LinkedIn.
- A mail bounce from Google. (Google fixed that; for a while, they were signing their mail bounces, which made them a tool for denial of service attacks.)
That's Bonded Spammer's track record. Let's see how AOL does.
-
I call BS
Meanwhile, charity groups, e-zines, and other legitimate free mailing lists that people sign up for will be screwed.
How?
No, really, how?
Where has AOL said that people who don't sign up for this list will be blocked?
This is a whitelist that bypasses filters, not a whitelist that is the only way to get through. Bulk mailers who don't pay up will still be able to send to AOL. Their mail will be subject to more scrutiny, sure. It'll be subject to as much scrutiny as... well, as it is today.
And as I recall, the Certified Email whitelist isn't a matter of "pay and we'll let you in" so much as it's "pay and we'll do a background check to see if you're a spammer, and if you pass our criteria we'll put you in the fast lane." Why, that sounds like Bonded Sender and Habeas. Remember the controversy here on /. when Hotmail started using Bonded Sender two years ago? How exactly did that play out?
But looking at it logically like this gets in the way of a good knee-jerk reaction.
-
Re:Fighting spam vs. being paid off
And how is Goodmail any different from Bonded Sender or Habeas? And how many of these vendors is a company supposed to pay for the "privilege" of "bypassing" filters? It is extortion plain and simple. The only persons that are going to pay for these "services" are the ones that are not going to be spamming in the first place. Also how is the company's reputation affected by users who will go through the trouble of double-opt-in and still report the email as spam to the ISP; the highest number of these being AOL users by far, from my experience. Hell, I have several AOLers a day that report a confirmation for a submission that they signed up for as spam; let alone the number of complaints I receive from these morons after they confirm their subscription.
This is a business model marketed under the guise of protecting the consumer with the actual intent being to supplement income with regard to email. Nothing more nothing less.
-
Bonded Sender, Mail Senders, Bulk -vs- Spam
First let me point out Bonded Sender. This is not the same, but has the same effect. It is essentially putting up a bond (a few thousand dollars usually for even the slightest volume) and in doing so, you say "for every Spam message you get, take something from the bond to compensate yourself for it". This is a way for legitimate senders (CNN, Mailing lists, Slashdot, Microsoft's security updates, newspapers, etc) to white-list their e-mail with those recipients who follow this white-list (Hotmail, MSN, RoadRunner, etc for example, is one who does). It puts the "we swear we're not sending Spam, and we'll put money on it".
http://www.bondedsender.com/fees.html shows their rates (for If it costs $12.50 for 5000 users (1/4 cent per e-mail), to make big e-mail providers (particularly webmail providers) to like their e-mail, that's a legitimate cost to the cover and drinks they'll make off of each person. If it brings in one person it's probably worth it.
These folks aren't Spammers, in the same way that when you sign up for news on CNN or your favourite software company, they're not Spammers either. People _WANT_ and _CHOOSE_ to get their mail. It is BULK mail, and I'll admit that (bulk not meaning junk). Spam filters continue to get smarter in knowing the difference between Spam, Bulk, and Personal mail. Personal mail is sent by a user. Bulk mail is things you want like newsletters. Spam offers a bigger penis through the use of Viagikra *sic*.
ISPs that group bulk and Spam into one category are missing the point of a Spam filter. It is not to keep bulk e-mail out but to be programmed to determine what the mail someone wants (or may want) to read and something that is unsolicited. The solicited/unsolicited mix is the important one.
Person-to-person mail is good.
Solicited mail is good.
Unsolicited commercial e-mail is bad.
-M
-
Hotmail Stinks
-
Weirdly, CAN-SPAM is working. But not as expected.
Much of the improvement, surprisingly, is due to the CAN-SPAM act. Yes, it "legitimizes spamming". Yes, it's too weak. Yes, it overrides state law.
What CAN-SPAM does do is make it a criminal offense to forge headers. As a result, spam from any "legitimate business" is easily identifiable from the header. So it gets filtered out.
This wasn't what the Direct Marketing Association expected. But that's what happened. As a result, the spams from legitimate businesses don't get delivered. Attempts to get around this "problem", like Bonded Spammer, didn't really catch on. So spam is almost useless to legitimate businesses now.
This leaves the people who forge headers. They're now criminals. So they've been forced out of legitimate web hosting services onto "bulletproof" web servers in marginal countries. They can't send directly any more, or their connection will be pulled or IP addresses blocked.
So now they have to find some illegal way to send spam. Which is getting harder. Most of the open relays have been plugged. They've been reduced to spamming through zombies taken over by viruses. This means they're committing serious felonies, and long jail sentences are a very real possibility.
Spam is now a branch of organized crime, not marketing. And it's highly visible organized crime, which makes it vulnerable. It's not that hard to follow the money. We need to push for more law enforcement priority in this area.
That's why spam is declining.
-
Re:Ironport?
1) Start an IP reputation system
2) Sell mass mailing devices
3) Sell reputation for money (http://www.bondedsender.com/fees.html)
4) Profit! (Not yet, sadly. Customers are smarter than that.)
-
Here's proof
http://www.bondedsender.com/
And send unlimited messages without fear of being blocked for only $10k a year! (Remember from past Slashdot stories that spammers make millions and can easily afford this).
They have a special pricing for "Bulk" senders. "Legitimate commercial senders can apply today."
http://www.bondedsender.com/fees.html
-
Re:A central database is open to abuse.
As an example, see the Bonded Sender program. The idea is that you register your mail server with them (a central database of "trusted" mail servers) and everybody can use that database as a whitelist, automatically accepting all mail from any server in it.
In practice it's often referred to as the "Bonded Spammer" program, as the central authority's criteria for trusting mail servers are somewhat looser than yours and mine. (Some spam filters even use it as a blacklist!) I believe any central authority will suffer from this same problem. Wherever you draw the line between "spam" and "not spam" there will be people undeservedly on the wrong side of it.
For instance I call it spam when an automated process sends anything other than a confirmation request to any unconfirmed email address. A vast number of "legitimate" businesses appear to disagree, judging by the huge loads of crap from them in my spam dump. (In these cases, I have no reason to doubt that _somebody_ entered a bogus address in my domain into some web signup form somewhere, but that's not enough excuse to start spraying ads at that address every day without confirmation.) Would companies that engage in the practice be allowed in the central database of trusted mail servers? Probably. Would my small organization's mail server be allowed? Not if we didn't pay the $N/t fee, which may well be more than we can reasonably afford.
-
Ironport does this, too.
Ironport sells both rackmount spam filters and rackmount spam senders. They own SpamCop. They also operate the Bonded Spammer program, which "certifies" spammers as OK to bypass spam filters. They're definitely playing both sides of the street. The New York Times picked up on this last year.
Oh, yeah, Ironport claims their multimillion e-mail per hour senders are only for use by good guys. Right.
-
Google also tried using Bonded Spammer for a while
I got an e-mail from Google once that came from a Bonded Spammer (er, Sender) IP address. Unfortunately, it was a misdirected mail bounce, which is a violation of the Bonded Sender TOS. A note to Bonded Sender and Google made them stop that.
If you sign up with one of these "trusted sender" schemes, be very careful that there's no way mail bounces, virus-generated mail, or mail via open proxies can become "trusted". Your ID will be on the mail, and you'll be blamed. Spammers are going to be targeting those sites, since they provide a bypass around some spam filters.
-
SpamAssassin is a dud
My hosting service, EZ Publishing, uses SpamAssassin. Their hosting service is fine, but incoming mail filtering is terrible. SpamAssassin is only filtering out about 25% of the incoming spam. I'm getting about 2000 spams per day after SpamAssassin filtering.
I use Netscape's Bayesian filter as a second tier, and that removes about 60% of the remaining spam.
SpamCop was better, until IronPort bought them and they went black-hat, with Bonded Spammer and the Spam Engine.
-
Re:This is a BOND, not a payment
The beef I have with this scheme is that since it's the user that's inconvenienced by the spam, the bond money should be sent to them in the event of a violation. The fact that Microsoft is the one getting the funds is what makes it seem like a money grab.
Why is everyone making the assumption that Microsoft receives bond debits? Microsoft does not. Even IronPort/BondedSender does not. Read the FAQ. Bond debits only go to non-profit organizations.
-
The "bond" is $200 to $4000, not $20,000
Where did that "$20,000 bond" figure come from? BondedSender's price list starts at $200, for nonprofits. The "bond" for sending 5,000,000 spams is only $1000. And for $2000, you get to send 50,000,000 spams. Per month.
-
Re:It all makes perfect sense now.
Actually, (after quite a bit of searching, mind you) according to this Fees the fine, while small, would not be insignificant.
They're talking $20 per complaint, after your "free" complaints per month. Which, for the "low" volume bulk sender (less than 1,000,000 per month), is 1 complaint per month.
So, for the above example, 10 complaints - 1 free complaint * $20 is $180. The sign up costs are $375 Application, $500 license, $500 bond.
So after your first month, you've spent $875, bonded $500, e-mailed 500,000 messages, and lost $180.
And somewhere else, I thought I read that if your bond drops below half, you have to replace it. So they've effectively created a charge system for spam.
This would be quite nice if they donated some of the bond money to, say, the SpamAssassin Development Team, or maybe SourceForge.
-
Some clarity from bondedsender.org
"Sponsored by IronPort Systems, the Bonded Sender program turns the spam problem upside down by identifying legitimate email traffic. Originators of legitimate email can now post a financial bond to ensure the integrity of their email campaign. Receivers who feel they have received an unsolicited email from a Bonded Sender can complain to their ISP, enterprise, or IronPort and a financial charge is debited from the bond.
"This market-based mechanism allows email senders to ensure their message gets to their end user, and provides corporate IT managers and ISPs with an objective way to ensure only unwanted messages get blocked. For FAQs and white papers describing the Bonded Sender program, visit http://www.bondedsender.com"
-
Re:This isn't as bad as the 'Article' says, but...
Not really, a judgement against the bonded sender (they failed to follow the guidelines) results in a small fine being removed from their bond.
IronPort's bonded-sender service investigations are based on SpamCop. (There are a large number of SpamCop auto-SPAM-reporting products and servers). Basically, if you SPAM chances are you'll be reported to SpamCOP at a higher hit rate than your 'victims' are likely to respond to your "campaign".
-
Explain this
They still cannot send spam, however, they may only send mail to registered users. If users complain, the company has to either prove they joined or pay up.
This doesn't jive with the terms on their website. Particularly read the section titled "consent." This section defines 'consent' so broadly as to include many cases where proof is not available, i.e. they do not require opt-ins be verified, they allow buying or renting lists from third parties, etc. They're explicitly allowing all the lame excuses spammers traditionally use when accused of spamming. So which is it - do they have to prove consent as you say, or do they not, as the official website says? This is very confusing.
-
Re:Little Guy
Actually they offer a pricing scale where nonprofits pay only an application fee and a bond, and for profits have three schedules depending on how much they send.
-
This isn't as bad as the 'Article' says, but...
I must say I'm really disappointed in this. Ironport have generally been good guys, but their trust level just plummeted. If you read the sender standards page you'll notice that, while they are at least trying to rule out some of the worst spam, their standards explicitly do allow spam (by diluting the concept of 'consent' to the point it's unverifiable and thus meaningless.) On the other hand, it doesn't sound like they're going to try to adjudicate complaints, just charge a small fee for each one and make judgements based on the sheer number of complaints, so it will be interesting to see how that works out. If enough end-users refuse to tolerate spam, that could effectively keep it out of the whitelist, even though the 'standards' are written to allow it.
-
Violation Decision...
"And who decides if the spam is violating the rules?"
-
Re:Second side to this coin...
If you are interested in how it really works (and how you can take advantage of the same whitelist), go here:
IronPort's receiver service page.
If you are interested in the rules that bonded senders have to abide by:
IronPort's sender standards page.
-
Clarity - actual sources...
How about the real info?
-
MS does NOT get the money
The bond is held by BondedSender, i.e. IronPort, not Microsoft. According to their site "Proceeds from bond debits are not retained by IronPort Systems and are instead shared with third-party non-profit organizations."
-
Make them pay $20!
According to the fees page at bondedsender.com, $20 is taken out of the bond for each complaint received over some very small minimum. Sending a complaint for each bondedsender mail will cost the spammer $20! Haha! Now if only I could see some of that money.
-
Is Ironport a black hat?
I dropped SpamCop after they were taken over by IronPort. IronPort sells spamming engines. "Supports up to 10,000 simultaneous connections". "Can deliver up to 1 million messages per hour". "Removes constraints on outbound email marketing".
Yeah, yeah, there are "legitimate uses" for this thing. Right. Sure.
Even worse, they have a "Bonded Sender" program, under which spammers pay a fee to Ironport to bypass spam filters. They charge a fee of $20 for each complaint, but allow one free complaint per million spams. They're vague about what a "complaint" is, and admit they don't use "AOL complaints". They may be counting only complaints that reach abuse@bondedsender.com. Since they don't require that mail be marked as "approved by BondedSender", few people know how to complain. And they don't disclose their complaints, or who's in the "Bonded Sender" program.
They're trying hard to ensure that all the major anti-spam systems are hardwired to let their spam through. They have patches for all the major spam detection programs. The patches bypass all other spam checking if the source IP address has the DNS record that says it's listed with BondedSender. Now you understand why they bought SpamCop.
A useful check for mail programs is to check the BondedSender whitelist, then run a conservative Bayesian spam filter on the content. If BondedSender says it's not spam, but the spam filter says it is, ship it off to the BondedSender abuse address. Definitely do this for honeypots. Any BondedSender mail that shows up at a honeypot should be reported on NANAE. That will help track how much, or how little, Ironport is really enforcing their rules.
-
bondedsender.com
Ironport, the owner of Spamcop, allows you to deposit a bond to certify that your e-mail is legitimate. More info at www.bondedsender.com.
-
Re:Inevitable, and other countries are next.
Yep, I have the same prob but hope help is on the way, have your ISP look at:
https://www.bondedsender.com/
or
http://www.spamhaus.org/tld/index.html
Second one run by Spamhaus seems good. There's a comment board here, but most posters don't seem to get how it works... or have bothered to read the FAQ... hey sounds like Slashdot! ;->
cb1
-
Re:why new TLD for paid reputation service?
Why not just create a paid whitelist (or lists) along the same lines as a dnsbl, charge companies to register and require that they abide by certain practices for being listed?
What? You mean like bonded sender.com?
It works really well. The sender puts cash on deposit with a third party, and if the third party gets too many spam complaints, the sender loses cash. Of course, since most AOL users are idiots, they don't count complaints from AOL against you.
-
Solution: Don't trust anyone at AOL
The Bonded Sender program, where an email sender puts cash on deposit with a third party, and then forfeits that cash if the third party receives spam complaints, is an effective tool for identifying non-spam.
And like most sensible people, they realize that most AOL users are idiots and don't count complaints from AOL users in determining if you're a spammer.
-
Re:haikus and spam
Both habeas and bonded-sender are the stupidest antispam ideas only beaten by this marvel. How can one expect spammers in non-US countries to abide by US copyright rules is beyond me... especially given that a half of the spam is sent from spoofed emails using hijacked machines or through open relays.
-
Isn't this BondedSender?
Isn't this what they do, at least at an ISP level?
-
Re:Second or two of processing time
I agree with the penalty payment system for helping the false-positive problem. Ironport's Bonded Sender Program (who pay TRUSTe to do the validation) is a good first-step in that direction.
For those unfamiliar with the concept, the idea is that you sign up with them, set up a "bond" with a bunch of money, and they add you to their RBL-type whitelist. When a mail server receives an email, they do a DNS-lookup of the sending-mailer's IP address suffixed with a specific domain, and if they're part of the whitelist, they can either let the email through, or as in SpamAssassin's case, give it a -4.3 score to "help" it get through the filter.
If it was indeed a spam message, the user complains and Ironport deducts $20 from the bond, costing the sending company real money.
The only major hurdle is that the setup fees are far too big right now for anyone but big commercial mailers to use their service ($1000 just for the application fee, plus a multi-thousand dollar annual fee, separate from the "bond").
If another company could set up a similar but affordable service, and convince the majority of spam-filter software makers to use them, the penalty-based micropayment system could work even for individuals, while still allowing normal SMTP email a chance to get through (just less of a chance).
And of course, it's still not a perfect solution - it can easily be abused by spiteful users, but it along with advanced filters can make email a little more palatable.
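The DNS whitelist lookup described in the comment above, combined with the "check the whitelist, then run a content filter and report disagreements" check suggested in an earlier comment, as an added example that is not code from any poster or from the Bonded Sender program. The zone name `whitelist.example`, the threshold of 5.0, the requirement that a listing answer fall in 127.0.0.0/8 (the usual DNS-list convention) and the caller-supplied content score are assumptions; only the -4.3 adjustment comes from the thread.

```python
import ipaddress
import socket

WHITELIST_ZONE = "whitelist.example"  # placeholder: the page does not name the zone
WHITELIST_SCORE = -4.3                # adjustment quoted in the comment above
SPAM_THRESHOLD = 5.0                  # assumed filter threshold
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # assumed "listed" answer range


def dnswl_query_name(ip, zone=WHITELIST_ZONE):
    """Build the name to query: the sender IP reversed, suffixed with the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # nibbles, reversed
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Resolve A records with the OS resolver; NXDOMAIN or any error means no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def table_resolver(table):
    """Offline resolver backed by a dict, used for the constructed sample data."""
    return lambda name: table.get(name, [])


def is_listed(ip, resolve=system_resolver, zone=WHITELIST_ZONE):
    """Listed only if an answer is in 127.0.0.0/8.

    Treating *any* answer as a listing fails open when a resolver rewrites
    NXDOMAIN or the zone is wildcarded, which would whitelist every sender.
    """
    for answer in resolve(dnswl_query_name(ip, zone)):
        try:
            if ipaddress.ip_address(answer) in LISTED_NET:
                return True
        except ValueError:
            continue  # malformed answer: ignore rather than trust
    return False


def evaluate(ip, content_score, resolve=system_resolver):
    """Score a message: the whitelist adjusts the score, it does not bypass filtering.

    content_score stands in for the output of a Bayesian/content filter.
    'report' is set when the whitelist vouches for a sender whose message the
    content filter alone would have called spam.
    """
    listed = is_listed(ip, resolve)
    total = round(content_score + (WHITELIST_SCORE if listed else 0.0), 2)
    return {
        "listed": listed,
        "total": total,
        "verdict": "spam" if total >= SPAM_THRESHOLD else "deliver",
        "report": listed and content_score >= SPAM_THRESHOLD,
    }


# Constructed sample zone data (documentation IP ranges, not real listings).
SAMPLE_ZONE = {
    "10.2.0.192.whitelist.example": ["127.0.0.10"],   # a genuine listing
    "20.2.0.192.whitelist.example": ["203.0.113.5"],  # rewritten NXDOMAIN, not a listing
}
SAMPLE_RESOLVER = table_resolver(SAMPLE_ZONE)

if __name__ == "__main__":
    for ip, score in [("192.0.2.10", 6.0), ("192.0.2.20", 6.0), ("192.0.2.10", 1.0)]:
        print(ip, score, evaluate(ip, score, SAMPLE_RESOLVER))
```

Messages with `report` set are the ones worth sending to the list operator's abuse address, since they show the listing and the content disagreeing.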
-
Habeas needs to change their business model...
As it is, there is no easy way to check if someone is a licensed user of the Habeas headers.
Habeas does have a DNS whitelist that could be used to verify usage, but you have to go through the hassle of registering to use it. No thanks, I have enough administrivia to do.
It is trivial to fake habeas headers, and there is no easy way to verify. I give the service a short lifetime in its present form.
Compare Habeas with Bonded Sender. Instead of depending on pursuing spammers with copyright law, Bonded Sender runs on cash. The sender puts up a cash deposit, and when people complain of spam, they lose cash. And it's easy to check if the sender is on the bonded sender list.
And in a stroke of intelligence, Bonded Sender doesn't count AOL complaints as valid. You need to have a slight clue before your complaints count.
-
Re:Interesting, but...
Where is the ability for *genuine* (provably genuine) companies to register their services in such a way that rather than getting blacklisted immediately, they have the opportunity to respond to the issue raised? Is this a small or large price to pay to partially stem the tide of actual spam?
Bonded Sender might do what you want.
-
Senderbase is not a spam tool...
It's a database that identifies high-volume email sources. So you could say Senderbase is pretty much neutral.
These are also the people who came up with Bonded Sender - a whitelist with an economic incentive to keep senders honest. So they're hardly new to the anti-spam world.
The controversy seems to be over IronPort's hardware: they sell mail servers. Big friggin' whoop.
-
Julian Haight's comments not about SpamCop
But Haight, who will stay with company, says he is concerned that the Bonded Sender program is too lenient. "I am not sure all its standards are tough enough," he said.
His comment was about Bonded Sender, not SpamCop.
-
Re:IronPort's Reputation?
No way, the guys at IronPort are fantastic.
If I've ever met a group of people who understand the Spam Problem, it's them.
This is *fantastic* news! The guys at IronPort Systems make the best damned mail routers I've ever seen. Bar none.
Their SenderBase and Bonded Sender programs are really a lead into solving the SPAM problem.
Both products integrate directly into the IronPort C60 mail appliances and automatically apply what they call "reputation filters" which let you control SPAM. You can throttle based on the "reputation score" from SenderBase, as well as traditional methods.
The fact that BrightMail is integrated also is a major bonus.
Back to the original point, I'd definitely give IronPort a chance here. They're a GREAT group of people (I've met everyone from the CEO on down), understand e-mail, and really want to do the Right Thing.
Check them out at: http://www.ironport.com
Unfortunately, my company's rules won't let me give a public testimonial as a satisfied customer, but believe me, if I could, I would!!
-
Bonded Senders
Don't know if anybody's mentioned this, but I came across this from Road Runner's site after they blocked a bunch of ISPs (filtering gone awry, I'm afraid, and corrected now).
Essentially a whitelist of senders, rather than a blacklist. There's been lots of whitelist talk, but I don't think anyone's taking it seriously because it would be difficult to get everyone to fall into line with this concept. Imagine how much mail your clients -wouldn't- get if it was to be implemented. But now, it's gotten to the point where the community HAS to do something, I mean really now. So I propose admins that are reading this hop onboard and sign up to see what they have to offer.
What I'd like to see is a community run list, like a polar-opposite RBL, that would do an open relay test, a reverse IP test, and would be open to human scrutiny. We could give ourselves 365 days to get the word out and implement it, that should be a good amount of time.
Hmm, gotta break out the pen..
-
Re:SPAM filter
Here's my blog reply to Tim Bray:
Tim Bray proposes having people pay 1 cent per email. It's not much, but it would make some many non-profit email lists unworkable. Most other proposals like this charge only for the first email from an unknown sender, and usually a lot more than one cent. This does require the recipient (perhaps at the ISP level) keeping track of who is already authorized to send free mail.
There are actually quite a few workable schemes for preventing spam. Tim Bray is right that any system where sending is both free and anonymous will always be open to spam, but it's not necessary to charge on a per-message basis. One system that is beta-testing right now is Bonded Sender. With this system, the owner of an outgoing mail-sending server puts up money to guarantee that his system won't be sending spam (on the order of $1000 per server, with $500/year renewal). There's a contract that specifies what is spam and a third-party arbitrator for handling disputes. Existing mail-filtering software can easily check the BondedSender status via the DNS system, as they generally already check the DNS status of senders.
There are a couple of drawbacks to this. First, the IP verification won't work with dynamically-assigned addresses. Second, some smaller email senders may not want to spend as much as $1000 on this. Third, it doesn't help you if your ISP is not participating. All of these can be overcome by using a paid relayer, as Tim Bray suggests. It would be up to the relayer to determine how to prevent abuse of its own system.
Other systems work by verifying a digital signature and certificate of the sender, either on a per-message basis (S/MIME or PGP) or on a per-connection basis (using SMTP over TLS). This doesn't require a static IP address to verify identity.
Although it may seem complex and even chaotic, more than one mechanism will exist to prevent spam, even in the long-term. For a variety of legal, political, and financial reasons, no one solution will please everyone. We need to have some sort of meta-email system for allowing these to co-exist effectively.
What I propose is that an independent group be established which will provide a framework for interoperability. What needs to be done?
- A description of anti-spam policies. For example, Tim Bray's
proposed SMTP4ALL charges $.01 per message. Or FirstClassEmail may
charge $1 per message. BondedSender contractually forbids spam and
requires a cash bond up front, as well as identity verification.
There are a lot of possible policies. It should be up to the recipient to specify what policy is acceptable, but there needs to be a concise list so that the decision can be coded in a program.
- There also needs to be a way for the recipient to find the policy. For certificate-based systems, the policy can be encoded directly into the certificate, but the exact syntax needs to be defined. For other systems, something else needs to be devised.
- A way to describe the properties of an individual sender or message. It may be part of the sender's anti-spam policy that unsolicited mailings are allowed, but that each mail will be labeled with what type of mail it is, e.g. commercial, personal, political, charitable soliciting, etc. Similarly, a system such as Hotmail may want to label each user as to whether they are a verified, paying customer, or an anonymous, free customer.
- Some sort of meta-enforcement scheme. There needs to be a way of
knowing if SMTP4ALL is really charging $.01 per message or if it's
letting spammers send through at 1/1000 of that price. Is a CA
shirking its duties?
We don't want the chaos of the current RBL system. This is not something that should be c
-
distribution problem: pkey list == ip-addr list
There is no way for a subscriber to know what IP address our e-mails will come from, they change dynamically based on load.
The same basic solutions to letting your customers know what public key(s) you use can be used to let your customers know what IP addresses you use.
While most DNS-based systems are blacklists, there are DNS-based whitelists such as Bonded Sender. The current version of SpamAssassin recognizes them.
The IP address is an identity and the IP sequence numbers prevent the identity from being spoofed/forged. Authentication based on the IP address is not the ultimate solution, but it has the advantage that it is already in use.
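The DNS lookup that the comments above refer to (a filter checking a sender's whitelist status through DNS, next to the usual blacklist check), as an added example that is not part of any comment and is not Bonded Sender's or SpamAssassin's code. The zone names and sample records are constructed placeholders, since the page does not give the real zones; the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket

# Hypothetical zones: the page does not name the zones that were actually queried.
WHITELIST_ZONE = "dnswl.example"
BLACKLIST_ZONE = "dnsbl.example"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # answer range that means "listed"

def query_name(ip, zone):
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """Listed only if the zone answers inside 127.0.0.0/8; anything else
    (no record, or a rewritten/wildcard answer) counts as not listed."""
    answer = resolve(query_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET

def classify(ip, resolve=system_resolver):
    """Combine both lists; a whitelist hit never silently overrides a blacklist hit."""
    white = is_listed(ip, WHITELIST_ZONE, resolve)
    black = is_listed(ip, BLACKLIST_ZONE, resolve)
    if white and black:
        return "conflict"   # on both lists: fall back to content filtering
    if white:
        return "trusted"
    return "reject" if black else "unknown"

# Constructed zone data (documentation addresses from 192.0.2.0/24).
SAMPLE_RECORDS = {
    "10.2.0.192.dnswl.example": "127.0.0.10",   # whitelisted only
    "20.2.0.192.dnsbl.example": "127.0.0.2",    # blacklisted only
    "30.2.0.192.dnswl.example": "127.0.0.10",   # on both lists
    "30.2.0.192.dnsbl.example": "127.0.0.2",
    "40.2.0.192.dnswl.example": "203.0.113.5",  # bogus answer outside 127/8
}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name)
```

Calling `classify("192.0.2.10", sample_resolver)` exercises the whitelist path without touching the network; drop the second argument to query real DNS with zones you actually use.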