Domain: bw.org
Stories and comments across the archive that link to bw.org.
Comments · 16
-
Re:Acronym soup.
-
Re:Except that email can be forged
This is EXACTLY why I have been saying for a long time now that we NEED to add authentication to SMTP, as this guy is trying to do.
This case merely proves what I've been saying for YEARS now: sooner or later, anonymity cannot be used as an excuse for lawlessness. At some point, you MUST draw the line between anonymity and the need to hold people accountable for their actions and abuses of the email system. -
If anyone wants authentication in SMTP
Why not check this out? I think this seems like a good solution, myself. Sure, people will say:
1) It will (for all practical purposes) eliminate the possibility of geeks who want to run their own mail servers on a DSL line. So what? There's no good reason for them to be doing that, except for fun or for malicious purposes.
2) It will be a blow to anonymity. So what? There has GOT to be a line drawn between anonymity and the need to hold people accountable for abuse of mail servers. Period.
Until people start to understand that there are tradeoffs in these things, things will be going nowhere. -
How about something BETTER!!!
Why not use AMTP instead of all these kludgy SMTP extensions/workarounds?
-
Why has nobody paid any attention to this?
In my opinion, AMTP could solve some of our troubles. If you had to be authorized to use a mail server, and if your route had to be verified as correct, I bet it could cut down on spam by at LEAST 50% or more. It might not eliminate the problem entirely, but even 50% would be a huge improvement. It might also make other spam-fighting tools like blacklisting more effective, the discovery of spam origins easier, and therefore, make it easier to prosecute spammers.
Sure, it might be a small blow to annonymity, but I say, so be it. If we are going to make any headway on the spam problem, we MUST be able to hold people accountable for abuses of mail servers. Unfortunately, accountability cannot be achieved without some sacrifices in anonymity guarantees. I think that ANY real solution must ultimately be a tradeoff between anonymity and accountability, and the sooner we realize this, the sooner we can start making any real headway. PERIOD. -
Re:Not for meThe Internet isn't Compuserve, or AOL. It's a network of IP hosts, and those are the entities which should have a facility for sending communications back and forth. There is no need for a central carrier for communications
The problem with IP addresses is that they are too broad. They are shared for lots of things, and it's easy for a spammer to switch between them. As a result, IP whitelists are infeasible, and IP blacklists will always interfere with legitimate traffic. Eliminating false positives is very important in the business world, and in this sense they are more likely to implement a correct solution than iconoclastic Linux-tards who don't mind a few core dumps or lost e-mails here and there.
Since the articles have been somewhat vague about the actual implementation, here's an example: Suppose each mail server has a public key associated with it. I could set up a free service that maintains a whitelist of non-spamming servers, and sysadmins could subscribe to it and use it to block spam. If they ever receive a spam from one of my whitelisted servers, they contact me, and I will remove it from the list.
Of course, this proposal is pretty infeasible, but there are some easy improvements. First, if other people are running whitelists as well, I could transitively include their lists in mine. This would also enable people to run mirrors of my list, reducing the load on my server (just like DNS). Also, to avoid human overhead, my software could automatically approve any certificate the first time it is queried, but with a 60-day waiting period to prevent spammers from simply generating new certificates. Or, groups like Verisign could do background checks or somesuch.
The point is that when someone receives a spam, there are now specific parties who have the power to remove the offending mailserver (not IP netblock) from the whitelist. These parties have well-defined relationships and are decentralized, so there is no need for central coordination or messy legislation, or even a specific definition of "spam". Each whitelist is free to coordinate its own activities, and users are free to subscribe to whatever whitelist fits their preferences. Lastly, it will not interfere with legitimate automated e-mails such as those generated by travelocity.com, e-bay.com, listserv, etc.
This concept has been suggested many times in various forms, e.g. Bill Weinman's AMTP, and it sounds like Yahoo has something similar in mind.
-Gonz
-
Re:Yahoo beats eariler proposals? I hope not.The AMTP proposal you cited has several very attractive advantages: First, it preserves anonymity. Second, it will not interfere with automated messages (e.g. mailing lists, e-commerce receipts, etc.) which are a big problem for humanized systems like camram. Third, since any group can act as an endorser of the digital certificates, it doesn't require a universal definition of "spam". And lastly, AMTP does not involve lawyers or politicians or particular governments, which makes it a very clean solution.
I support groups like CAUCE in spirit, but IMO spam is not a political problem. It is a technological problem of ancient protocols that are long overdue for an update. So if Yahoo or some other big player chooses to promote a custom protocol, let's hope that it is functionally equivalent to AMTP.
Of course, I foresaw all these things back in April. It's flattering to see that Yahoo is reading my Slashdot postings and taking heed, and only provides more support for my quantum theory that our universe is constructed from my perceptions.
:-)-Gonz
-
Yahoo beats eariler proposals? I hope not.
Would you rather choose a Yahoo product over an open standard that is under development? I'm speaking of AMTP, of course. (See AMTP author's site).
Yahoo's size doesn't give that much weight to their proposal. Yahoo's email is not used in business to business communication (do not count hot dog stands as businesses), so businesses can just aswell block everything that originates from *@yahoo.com if it is not directed to their consumer service department.
Also, reverse mx records provide much of the same benefits with minimal alterations needed to current email infrastructure. One DNS record added and small change in MTA software.
If Yahoo would really like to do a service to the internet community, they should rather consider looking AMTP and reverse mx records. -
Re:I won't be happy till
You mean a replacement like this:
http://amtp.bw.org/
I saw something the other day that it now has its own RFC. -
Re:but...does it work?njet wrote:
> So why is this SO different from using TLS ?
> Remember that smtp is still used and you have to be backward compatible....
From the FAQ:
Why not add this capability to SMTP as an option?
This solution will only work if it is exclusive of existing practice. In order to solve the problem we must stop accepting traffic from non- trusted sources.So the diffference is just that, it's not backward compatible
.... -
Re:So what DO we do?
Funny, Mail.app caught all but 3 of my 309 spam messages yesterday.
Yeah, yeah. And SpamAssassin has filtered out 562 spams for me since yesterday... at an average of 100K each or 50 megabytes in total. That's 50 megabytes of my upstream bandwidth that I've paid for.
This is not a solution. At best it's hiding the problem from us so we don't deal with it. A staggering proportion of the backbone bandwidth of the Internet is being eaten up by UCE, worms and other malware traffic.
We have to do better than this and an authenticated replacement for SMTP has to be one of the places to start.
-
A replacement for SMTP
I've been working on a proposal to replace SMTP for a few weeks now. It's called AMTP and it addresses two concerns in tandem: Authentication and Classification/Policies. I have a web site set up at http://amtp.bw.org/ for the project. There's an announcement list available if you want to find out when the draft is ready for comment.
-
Never down?
I don't think the
.org registry ever went down. The only Informative message here (IMHO) was from jrwilk01: "Responsible servers changed, all is well. Nothing to see here. Move along." It was marked Redundant and scored 0, just because the moderators only saw the whois record!Those of you with obsolete whois clients can do something like this:
$ whois slashdot.org@whois.publicinterestregistry.org
...
Billing Street1:Whois Server:whois.opensrs.net
...
$ whois slashdot.org@whois.opensrs.netOr just go to whois.bw.org.
-
Whois using only a browser
If all you want is to do whois:
- the Internic have a fill-in form you can use; all the examples given above can be read this way. However, this only works with gTLDs.
- If you want to look up (almost) any domain regardless of its TLD, try using BW Whois, which is clever and asks the correct NIC automatically. It fails on some odd cases like names in
.ac.uk, though.
-
They're screwing up what they got, too
I happened to be playing with WHOIS last night, and noticed that one of the (registered) domains I was looking at was showing a different registrar with different queries. That domain is registered with either NSI, or Hughes Electronic Commerce Inc, apparently depending on which server you get out of a round robin load sharing arrangement or something.
I reccomend BW Whois for those who want a whois client that functions like it's supposed to. Nice little perl script that even knows how to strip NSI's "drop dead before using this data" disclaimers. -
Few artists make any $ from record sales anywayEven with a major label, artists rarely make any money from record sales. The 10% or so that most deals pay is based on wholesale (minus all sorts of wild deductions) and is then divided between bandmembers, managers, engineers and other assorted staff and crew. A few pennies per sale is very little money -- even with millions of sales. Most of the money that the major stars earn are from performances, endorsements, promotions, publication, and other things incidental to the music.
It takes more luck than talent to get the majors' attention, so every little bit of exposure helps. While the freeware-music movement may not bring actual $$ to the artists, it does give us a small amount of exposure that we were not getting otherwise.
Methinks that's a good thing.
--Bill
Home: http://bw.org/