SpamHaus Behind .mail Top-Level Domain
securitas writes "The SpamHaus Project is the group pushing ICANN to create a new trusted-sender system and the .mail top-level domain. SpamHaus proposes that registrants under the .mail TLD would pay at least $2000 per year and 'agree to abide by certain anti-spam mailing practices.' The interesting twist is that companies that comply with the US CAN-SPAM act - which SpamHaus opposed due to the legalization of bulk unsolicited commercial e-mail - would not be eligible to register a .mail address.
The .mail TLD proposal was recently discussed on Slashdot."
This could probably be worded a little more clearly. Complying with the CAN-SPAM act is as easy as not doing anything at all. I think what the submitter means, correct me if I'm wrong, is the "one-shot" bulk mail that a company is allowed to send you under CAN-SPAM. Obviously, SpamHaus considers this spam, still, even though it's technically legal (I would tend to agree).
This new TLD proposal, according to their FAQ, is not aimed at stopping spam, or replacing the email infrastructure from the ground up. It's more towards legitimizing non-spam email. It may not be technically possible (not my area of expertise, I remember some nay-sayers in the last article discussion who at least sounded like they knew what they were talking about), but I still think their hearts are in the right place. Am I wrong?
I'm looking forward to the whitepaper they've promised on it.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
That's not quite correct. The SpamHaus rules wouldn't ban anyone who obeyed the CAN-SPAM act. Presumably most ordinary companies obey CAN-SPAM by refusing to do anything that vaguely resembles spamming, and they'd be just fine under the SpamHaus rules. What SpamHaus wants to do is to use a stricter definition of what constitutes spam, so that some senders who meet the terms of CAN-SPAM still wouldn't qualify.
There's no point in questioning authority if you aren't going to listen to the answers.
Give me a fucking break. I'll stick with my .com for now.
This is bad, as I host my own domain and send mail from it. I don't want to have to pay someone to host my mail server, and you know that plenty of ISPs will block mail that doesn't come from a .mail domain.
I certainly can't pay $2000 a year.
Set up a .spam level, and we can block everything from that if we want.
This is a retarded idea from the get-go.
We already have a perfectly good, workable proposal for sender validation. It's called SPF. It's free. It will work, like this proposal, when people adopt it.
Seriously, $2k to prove that you're not a spammer, by one organisation's definition of the phrase? That sounds like profiteering to me, much along the lines of Ironport's dodgy Bonded Sender (tm) program.
No thanks.
You're doing it wrong.
Because the cost of entry is high, and perhaps policed, it basically becomes a way of saying, "It's from a .mail domain, so it must NOT be spam."
Whatever. Just like many whitelist methods, it has the standard flaws.
But I guess it couldn't hurt! Companies with the big bucks or with donors (I'm thinking Samba mailing lists, etc), could afford it.
The rest of us slobs would continue to crawl around in the .com, .net, .org, and .dust domains.
As an aside, could you have the same problem with this domain as with AOL's spam filtering, i.e., false reports? What are the punishments for violating the rules of the .mail domain? Death?
Fellowship 9/11
The register article says $2000+ per year, the spamhaus faq just says they will cost $2000+. So is it a one-time fee (sounds good), or an annual fee?
I am guessing it is a one-time fee, and the renewal will be less. Spamhaus states the up front cost is high as the first roadblock for spammers -- why pay $2000 for the domain when you are going to get shut down almost immediately after using it to send spam? It also is going to cost them more than normal to run this sTLD. So a large one-time fee makes sense.
Ironically, the word ironically is often used incorrectly.
This is just great... create a two-tiered system with "trusted" and "untrusted" e-mail servers. Guess who will own the "trusted" servers... corporations who can afford to pay the fee!
I would like the ability to run my own servers and web sites as an individual, please. We don't need ANY system of top level domains that favor corporations over non-corporations. Find another way around the problem, please.
Why don't you embrace your slashbotness instead of living in a dreamworld?
You can't send email anymore from yourdomain.com?
Is that what this is essentially saying?
I run my own correctly configured personal mail server, and paying $2000 a year for a .mail address is a ripoff for the three or four email addresses I've made myself (a firstname@lastname.net address and other various spam oriented addresses). I first thought it would be a good idea, but the $2000 makes it unreasonable for all but medium to large businesses. I definitely don't see small companies of 10 people paying that much for a mail domain.
The Doormat
If you're not outraged, then you're not paying attention.
They want to charge me $2,000 for this? Come on, if I have a personal little domain for myself and the only people I ever email are my friends and cow-orkers, I have to pay $2,000 to be sure I'll get past spam filters? Ridiculous.
How am I supposed to fit a pithy, relevant quote into 120 characters?
$2K/yr is too rich for my blood. Other than the major ISPs, us little guys can't swing that. And unless they shut us out, they never will really stop the small servers so in the end, either the small guys close or this is an interesting waste of time.
Registration fees to send mail via .mail?! No way, I know lots of small shots that wouldn't be able to afford that.
Beyond that $2000 is chump change for spammers. It hurts no one but the honest guy, which is what government lately seems to be for, so perhaps it'll get pushed as a law. *sigh*
Oh, wait, that's the divorce tactic.
What the heck, it'd probably work for spammers, too.
A feeling of having made the same mistake before: Deja Foobar
Why not just create a paid whitelist (or lists) along the same lines as a dnsbl, charge companies to register and require that they abide by certain practices for being listed? What does a new TLD add other than additional ICANN bureaucracy?
I think recent innovations -- SPF being my favorite so far -- offer a lot more promise than a new TLD. But that's just me :-)
If it's not one thing it's your mother.
Why do they need the .mail TLD to pull this off? Why not just go right ahead and do it under mail.spamhaus.org? Is it the air of official legitimacy associated with a TLD that they're after?
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
I have a server of my own, hosting my personal site, some sites for family and for a few charity organisations. Total income for hosting: $0. If I would need to buy another domain like this, just to be able to send mail, my costs will triple.
.mail is NOT an option if it costs more than $5!!!
I cannot afford this. Meaning I will have to close all sites.
Personally, I think SPF is the best solution so far. It may not stop spam, but at least it stops forging headers, like the headers of 99,9% of spam in my inbox are.
.sig: No such file or directory
Having rules for who can spam (or send bulk email, whatever) but I really don't care about that. What I want is a reliable way to accept the mail I want. Right now it's using a spam filter, because even "legitimate" mail from companies that have opt out mechanisms are mail that I don't personally want to see. So they get filtered out with all the rest, and I'm left with (mostly) the mail that I want to get from friends, family, mailing lists, and whatnot.
Even having a legit .email domain isn't going to solve this, because people don't trust bulk email. No one should click on the unsub links that you get in mail simply because you never know if it's going to add you into a 'good emails' list or actually do what it says it's doing.
-1 rambling
for a major schism of internet mail protocols.
Which will leave "companies able to pay $2k/year" on one side, and "individuals capable of installing their own mail server" on the other.
This will cause a bit of disruption at first, as a few competing standards emerge, but in the long run, it will make blocking corporate traffic far easier (yeah, I get soooo much legit email from non-individuals... I think I can count the past year's on one hand). And with a bit of care, the non-corporate protocol will finally include several of the oft-discussed but as-yet-unimplemented techniques for completely locking out spam (or at least making it trivial to identify the source).
And encryption. Don't forget encryption. The non-corporate protocol should include end-to-end crypto, now that Big Brother can watch us on a whim right from the privacy of our own ISP's back door.
Ok, then they need to update their FAQ, question 9 "What does a domain cost and why?":
The use of each domain will cost over US$2000. The price may vary depending on the registrar one uses.
This high cost will insure that most spammers will not bother and attempt to sign up for one, and if they do, it will be a high cost for what will be a very short time period of spamming.
The cost also pays for the much greater than normal vetting procedures places requesting this domain will go though before one is granted to them.
Emphasis mine. Sounds to me like $2000 is the lower limit.
*sigh*
Wouldn't that cost be pushed to the end user? Doesn't that mean we're going to have to pay for email?
Sounds like a recipe for email tax. I think the only way to really stop this is to stop the 200 or so people per spam message that actually respond to spam and make it a profitable business.
Why can't they make important ones like .bg, .gg, .mfm, .ffm, .fist, .bound, .gaged, .pets? I mean why do only TransVestites get to have their own TLD?
Open Source Java DAO Generator
Do you think that Yahoo! or Microsoft's Hotmail would pay that $2,000 just so people could send email from them? Would smaller free e-mail companies even be able to afford it?
Even if those free email places did pay for a .mail domain, would that stop spam? How much spam do you get already that comes from Yahoo! or Hotmail or some other free email service?
This would either get rid of free email or let spam live, both while closing down the small free email services. I don't like either option, we should do something else.
the only email that'll make it past everyone's spamfilters would be that from MXes in the .mail TLD. ...and those of us who can't shell out $2k/year just to have our private domain in .mail are just screwed.
Brilliant idea. While we're at it, why don't we just let ICANN authoritatively say who can and can't send mail, and be done with it? It's not like their board is captured or anything.
.@.
If a company or provider isn't sending or supporting spam then why the hell would they give a damn about someone else's spam filters? That is the only reason for this whitelist. I mean if they aren't sending spam then why should they be concerned about losing mail to someone else's spam filters? Why would they want to drop $2k per domain for another whitelist? If perhaps I was a company that did mass mail customers like Sears, JCPenny's, or Amazon then maybe I would want to get on a popular whitelist. That said, why in the hell would I as an average joe or I as a typical ISP give a hoot about what someone else's spam filters do with my non-spam? If their filters are mistakenly tagging my mail as spam their customers will bitch and the problem will get fixed. It doesn't concern me.
I really don't see the point in a .mail TLD. Steve is a smart guy. Even at that I absolutely can not see his reasoning here. This is really a dumb idea. I make a point to personally blacklist domains that use tools that break email such as TMDA. I guess I'll just have to add another check to my rules.
This is the most asinine thing ever. First of all no one is ever going to implement something like this that requires someone not to comply with US law. It just won't happen.
Secondly, wtf. $2000 a year? That's insane. Right now, I can use my own mail server and only pay the $8/year domain registration fee. And that's the way it should be. People with enough tech savvy (and it doesn't take much these days) should be running their own mail servers. Open relays aren't an issue with modern mail servers (you have to work pretty hard to create one these days), and running your own mail server gives you a lot of fine-grained control over how you filter Spam for yourself (for example, using a catch-all email and using a different email for everything, letting you track how your address gets disseminated, and blocking addresses that get 'liberated')
It seems like some of these anti-Spam people hate Spam so much they completely lose track of what Email is for and the people it's supposed to be used by, everyone. Email black holes are one thing, but it's wrong to apply them as filters for people without their knowledge or consent. I read a salon article about a woman who, when roadrunner implemented RTBL she lost out on tons of email, including email from potential employers (she was a freelance author). She still got tons of Spam, of course.
I don't believe that technical solutions alone will stop Spam, but they, with real legal enforcement can probably reduce it a lot.
I'm also tired of these top-down authoritarian systems that put a few people in control of email (like e-stamps, or this insane plan, etc) before we even get good solutions like SPF working. Once people start checking SPF records a lot of this crap will get a lot better.
autopr0n is like, down and stuff.
Spam that complies with CANSPAM would not be affected by SPF, actually, as there are no forged headers. But it would be obvious who sent it and it would allow much better prevention.
One change I'd make, though, is rather than using IP address, use digital signatures.
autopr0n is like, down and stuff.
SPF is close to the best anti-spam idea out there.
Everyone on Slashdot sends one email to spamhaus.org.
Step 1) Schwab sends email
Step 2) mail client verifies that mail.schwab.com points to the same server as mail.schwab.com.mail.spamhaus.org.
Step 3) profit.
autopr0n is like, down and stuff.
I haven't RTA, but how does this exactly deal with the spam that comes from zombied computers and/or spoofed email addresses? While I wouldn't waste $2K to send spam, a spammer (who is paying for almost nothing else that he's using to send the crap anyway) wouldn't care about that money because it's not his. Thus he has no incentive (in fact, he has a larger incentive) to commit illegal acts - because spam that is whitelisted is likely to be more effective than spam that isn't.
At best, this seems like a large fine for not having sufficient security on your server (or for getting a virus that exploits an unpatched hole), which could be done more fairly by some other authority. At worst, it would be a cash cow for the certifying authority while driving legitimate email (since most mail is probably from nonservered or clueless people) elsewhere. This doesn't seem like a good idea, but I could be mistaken.
I can beat their offer and simply block .mail email to my .com and .us domains. It'll cost me nothing ($0) but a good laugh.
So I buy personal.mail and then I sell you
lastname.net.personal.mail for $1. I sell freakiedeakie.org.personal.mail to someone else for $1 and so on and so forth until I get my $2000 back?
I could hack bind so that I can throttle reverse lookups per domain so that I can keep my bandwidth low and target the small market.
Since ANYONE could do this, there is no reason to jack up the price. However, for SLA would be best-effort only (since I am not a real company)
And if I get my 2001st subscriber, I would be in the black (Woo hoo)
That should have been "might not be eligible to register a .mail address."
In all probability, most people would be compliant with both CAN-SPAM and the .mail requirements (modulo being willing to pay $2K/year to send email).
Free Software: Like love, it grows best when given away.
As someone who frequently runs up 'cheap' linux servers for various network services, I enjoy the ease with which I can put up a mail server. $2000 may not be much for corporate mail domains, but this will be very restrictive for people like myself. One of the big points in linux/open source has always been the accessibility of enterprise-class technology for the cost of source tar download. I'm all for castrating the spammers, but when the solution negatively affects legitimate users there is a problem.
I think this is terrible. I run my own mail server, because ISP's are generally terrible at delivering mail. They have to worry about thousands (or hundreds of thousands, or even millions) of users, I have to worry about... well... me. If my server goes down, it's probably my fault. If their server goes down, it's their fault and I get to put up with it. I don't like that.
Furthermore, since when should it be a requirement to spend thousands of dollars to serve content to the Internet? Doesn't this go against what the Internet has stood for since its inception?!
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
Someone please explain to me exactly how a small/mid-size locally owned business can afford 2k to send mail? They claim spammers won't pay the 2 grand on their webpage, that's bullshit. Spammers can and will pay this. You will however be excluding small businesses and personal domains.
And also exactly WHERE the money is going to? The last thing we need is one governing body trying to control mail for the "betterment of all, so long as it helps our bottom line". We don't need a spam czar, or a spam conglomerate. We need the existing people to work together to prevent spam. ALL spam.
This is a half assed idea.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
Yes, it does sound a lot like profiteering, and like Ironport's Bonded Sender or Habeas's Not-A-Spammer Haiku headers. It's a bit easier to check at SMTP Envelope Time instead of parsing headers after receiving an email message (though BondedSender.org has a DNSWL server you could use.) But the big difference between one .MAIL for the entire world vs. many .My-Whitelist.com businesses is that Linford thinks they can talk more receivers into accepting the One Centralized ICANN-Blessed Solution than the crowd of decentralized competitors can, and therefore they can talk more people into paying them to get bonded.
I much prefer decentralized competitive approaches, but if I were running a mail server, I'd rather only put in a couple of whitelist or blacklist checks, rather than needing to keep track of which 50 whitelist services were real, which were out of business, which were bogus fronts for spammers, which were free to mail receivers, which charged money to receivers, which were aggregators of other services' information, etc. It's probably harder to get most mail systems to check N whitelists and accept the message if at least one of them hits than it is to get them to check N blacklists and reject if at least one of them hits, but it's also a lot safer to trust a random whitelist than a random blacklist, because if it goes flaky and over-aggressive like some of the DNSBLs, you're not throwing away real messages - you're accepting messages from people you might not want, and giving them a lower level of spam filtering, but a moderate level of false negatives, while annoying, is much less of a problem than false positives, and it warns you that there's a problem you need to fix.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
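The whitelist-versus-blacklist asymmetry argued in the comment above, as an added example that is not part of the original thread: it builds DNSBL-style query names and applies an "any list hits" policy, then counts what goes wrong when one list starts listing everything. The zones, addresses, stub resolver and the policy order (blacklist checked first) are all constructed assumptions, and nothing touches the network.

```python
import ipaddress

# Constructed data standing in for DNS answers (documentation address ranges,
# .example zones); nothing here is a real list or a real sender.
ZONE_DATA = {
    "wl.example": {"192.0.2.10"},       # whitelist: one vetted bulk sender
    "bl.example": {"203.0.113.66"},     # blacklist: one known spam source
}
DEAD_ZONES = {"defunct.example"}        # operator out of business: timeouts
FLAKY_ZONES = {"flaky.example"}         # over-aggressive: lists every address

SENDERS = {                             # constructed ground truth
    "192.0.2.10": "legit",
    "198.51.100.7": "legit",            # small personal server, on no list
    "203.0.113.66": "spam",
    "203.0.113.99": "spam",             # new spam source, on no list yet
}


class LookupTimeout(Exception):
    """The list's name servers did not answer."""


def list_query_name(ip, zone):
    """DNSBL/DNSWL convention: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def stub_resolve(qname):
    """Offline stand-in for an A-record lookup; True means 'listed'.

    A real list answers with an address in 127.0.0.0/8 or NXDOMAIN.
    """
    labels = qname.split(".")
    ip = ".".join(reversed(labels[:4]))
    zone = ".".join(labels[4:])
    if zone in DEAD_ZONES:
        raise LookupTimeout(zone)
    if zone in FLAKY_ZONES:
        return True
    return ip in ZONE_DATA.get(zone, set())


def any_hit(ip, zones):
    """True if at least one zone lists ip; an unreachable zone is no hit."""
    for zone in zones:
        try:
            if stub_resolve(list_query_name(ip, zone)):
                return True
        except LookupTimeout:
            continue                    # a dead list gets no vote
    return False


def classify(ip, whitelists, blacklists):
    """Assumed order: a blacklist hit rejects, a whitelist hit relaxes filtering."""
    if any_hit(ip, blacklists):
        return "reject"
    if any_hit(ip, whitelists):
        return "light-filter"
    return "full-filter"


def damage(whitelists, blacklists):
    """Count both error types over the constructed senders."""
    verdicts = {ip: classify(ip, whitelists, blacklists) for ip in SENDERS}
    return {
        # false positives: real mail thrown away
        "legit_rejected": sum(1 for ip, v in verdicts.items()
                              if SENDERS[ip] == "legit" and v == "reject"),
        # false negatives: spam that still reaches (weaker) content filtering
        "spam_lightly_filtered": sum(1 for ip, v in verdicts.items()
                                     if SENDERS[ip] == "spam" and v == "light-filter"),
    }


def hit_rate(zone):
    """Share of observed senders a zone lists; near 1.0 flags a flaky list."""
    return sum(any_hit(ip, [zone]) for ip in SENDERS) / len(SENDERS)


if __name__ == "__main__":
    print(list_query_name("192.0.2.10", "wl.example"))
    print("healthy        ", damage(["wl.example", "defunct.example"], ["bl.example"]))
    print("flaky whitelist", damage(["wl.example", "flaky.example"], ["bl.example"]))
    print("flaky blacklist", damage(["wl.example"], ["bl.example", "flaky.example"]))
    print({z: hit_rate(z) for z in ("wl.example", "bl.example", "flaky.example")})
```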
Right, this will work wonderfully, because no spammer would ever think of spoofing their headers so they appear to be coming from a .mail domain...
-A. Coward
I've heard it mentioned a few times in the replies to this article, but no links. Can anybody hook me up with some informational goodness?
This plan serves several purposes:
1. Sell a new TLD to millions
2. Overcharge behaving customers
3. Create a fee for running a mail server
4. Make unwanted $big-company-name email legit
I'm just not getting how this proposal would do much. I read through the text of the proposal, which is written in fairly obtuse language I just couldn't quite plod through right now.
The US government doesn't have any jurisdiction outside its borders, so US laws that don't stop spam now wouldn't stop anything if you required the spam to have a .spam domain name. Other countries may let you send your soldiers in to hunt for Osama, but they haven't found him, and they're not going to support armed raids looking for something as trivial (if annoying) as spammers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I only came up with this idea a year ago, and have been aggressively promoting it on slashdot, but a new TLD would be useless. No self-respecting mail system can afford to shut out all other domains in such a trusted system. The whitelist system needs to be applied to the Internet proper, with SMTP licensing. Now if spamhaus wants to limit just SMTP relays for .mail, that follows my plan, but ALL users should subsidize the effort and not just the domain holders... that's not fair as it would really be the general populace that would benefit from a whitelisted SMTP network.
So if I want _MY_ server to be "legitimate" I have to cough up two grand and pay them?
I don't think so!
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
This is even worse than Microsoft's ideas on stopping spam. Realistically you cannot stop large amounts of mail or the ability to send email to anyone without cutting down on the usefulness of email. You can however do some things to all but wipe it out. 1: have governments pursue spammers to the ends of the earth, catch them and make them do jail time, then have them on a good behaviour bond which forbids them from using a computer. 2: have all mailservers do reverse look ups. This makes it easier to enforce rule 1. 3: ISPs instigate spam filtering, VERY loosely. These 3 steps would wipe 99% of spam off the planet, use current technology that works, and won't break anything ( cept the spammers )
If you mod me down, I will become more powerful than you can imagine....
The purported advantage of One ICANN-blessed Top-Level .mail whitelist is that it would be more obvious to everybody who receives email that this is the whitelist they want, as opposed to keeping track of 50 different whitelist companies (some good, some useless, some bogus spammer fronts), and obvious to everybody who sends large-volume email that this is the whitelist they want to pay, instead of paying 50 different whitelist companies (some popular with large or small mail receivers, some totally ignored by the market). Because after all, this is DNS, it's hierarchical, and There Can Be Only One TLD for that purpose, so there's no need for decentralized ratings and competition and keeping track of the karma of different rating lists, and competition isn't necessary. Maybe Linford's right, maybe he's wrong, but go RTFA so you can see what _he_ says he means rather than just listening to me ranting about what his proposal _really_ means.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
M$ making this same proposal. Flame on.
I just love it when a bunch of crazy fuckers with just as much a chip on their shoulder as the spammers have go and push for something like this. 2k a year? bullshit. they can suck my dick.
Steve's Computer Service, Hobbs, NM
ICANN will control tld and Spamhaus will control mail... Sorry this does not sound like a good thing to me. Instead of the one big Satan we have in ICANN (at least according to a lot of people I have still yet to pass judgement on ICANN) we will have two once Spamhaus gains control of the would be .mail tld. On one hand we will have ICANN doing their thing which a lot of people don't like while Spamhaus forces you to pay $2000 a year to send email...
I'm sorry I hate spam as much as the next person but to give control of who can and can't send email to one company just doesn't justify the cost in the end to freedoms on the Internet.
Let's face it all it will take is one even medium sized ISP to adopt Spamhaus's .mail domain as a filter. God forbid a major ISP adopts this. Once that happens we will now be forced to pay an inflated price for another domain name...
I don't know I say screw this if ICANN accepts this one over what I feel will be more helpful as far as cleaning up the Internet goes such as the .xxx tld...
Heck I don't know what I would do at least in the operating system world I have Linux as an alternative to windows...
Like I mentioned in the prior discussion on this, just because you have a .mail TLD won't stop spammers. TLDs are in DNS, and in the final analysis, it's all arbitrary, as you can use ANY word as a top level domain. That's why you have alternate roots like OpenNIC.
This sig no verb.
What you are referring to is enforceability of those laws. True, the US may not be able to enforce its laws against those resident in other countries who do not have presence or assets in the USA.
But it means anyone connected with such an operation better not have assets in the US. Or even visit the US.
And, depending on how the law is drafted, perhaps no person in the US (or with assets there) better use such an operation to *send* spam, or face being prosecuted, or other consequences. Vide internet gambling.
So that US laws, alone, could stop (a) American spammers; and (b) anyone in or doing business with America or visiting America or with assets there (NYSE shares, anyone?) from *using* overseas spammers who do not comply with US law.
And for those that are left, the US can just lean on other countries to enact similar laws, either as part of international treaties (GATT and TRIPS, anyone?) or bilateral trade treaties, or just by leaning on them.
Methinks that would do a great deal to cut down on spam...
If you doubt this, see how effectively the US is able to export its copyright laws to other countries. Or Sarbanes-Oxley, as applied to foreign lawyers or accountants. And how it is now doing the same thing with bank secrecy laws (with an emphasis on terrorism; it has done the same previously with respect to evasion of US taxes). There are many relevant links.
Yes it is! And that's one really good thing about this idea, there can be no "joe jobs", the sending server is tied to the domain name. Kinda cool.
SPF does this too, but spammers can have SPF records, in fact if it gets popular, most will.
Back in 1999 I worked in Silicon Valley. EDS who ran some lotus servers at where I worked charged .25 an email. So a Mass mailing about friday company bowling cost $80. I thought that was insane. So I built my own server on a HP-UX box. Saved the company over $1200 a month especially using some fancy aliasing and integrating it into corporate structure. Now I thought 25 cents was INSANE for email. Now this $2k deal is LUDICROUS.. I would almost tend to think some right wing liberal republican movement is behind this (and I am a registered republican).
This will never fly, anyone who backs this is insane and for the ones that do. It's all about profit.. Nothing else. It just allows the more elite to send email to each other which the little guys suffer. Damn I feel like a mom and pop game shop watching a bestbuy being built across the street .. hmph :/
There's no Freedom like UFP-dom
You are correct.
Spelling notwithstanding, $2000 is irrelevant if it does not work. The only solution is to make it impossible to SMTP mail without some validation of the sender. This must be done with no expense or unusual hoops to jump through, and let's not let the fascists control this one - you know who I mean.
You can't rely on whitelists; automated blacklists don't work since spammers steal our 'net identity to spam us and others, causing innocents to be blacklisted.
As it is, I could spam all day using postfix or sendmail with a random domain name as the sending domain. This is just crazy. It is in a sense criminal, since my bandwidth is being used without my permission by all of the attachments coming every hour. LIKE I GIVE A RAT'S ASS ABOUT PHARMACEUTICALS, NIGERIA, OR HOT STOCK TIPS!
CAUTION! rant follows:
God Damn It! Get the fuck off the net you cheap-ass cowards. It's like my dog barking at the other dogs until I open the gate - if we can find a way to unmask these spamming motherfuckers, it will stop. (Viral mailings notwithstanding.)
OK, I'm better now.
Faith is the very antithesis of reason, injudiciousness a critical component of spiritual devotion. Jon Krakauer
Perhaps that is *exactly* what they have in mind. You will not be able to afford it, along with billions and billions ( sorry, channeling Carl there.. ) of others.
It '133ts up the playing field, leaving many fewer mail servers out there to be compromised.
emt 377 emt 4
The people handing out the domains in your whack-a-mole ( good imagery, btw ), example will hand them out to spammers nilly-willy, but for .mail, they will not.
I think $2000.00 for a spammer is probably chump change. And maybe an extra little bit to grease the skids a bit would also be chump change.
emt 377 emt 4
I am sick of people coming up with ways to screw small ISPs, community mail servers, personal domains, and the rest with things like email stamps, and this is the worst I've seen so far. I will now boycott spamhaus and everything they touch. This is just another dishonest grasp at cash in the name of public good, just like ARIN.
The technology exists to combat spam without becoming elitist corporate arseholes. First, public key crypto, with certificates distributed via DNS, could indicate which IP servers are authorized to originate mail for a given domain/subdomain. Second, asymmetrical computational puzzles can be used with unknown/suspicious senders.
What we need is credit card processing firms cracking down on their customers who are spammers. Because in the end, it comes down to someone entering their credit card number, and at that point the end-spammer (i.e. the business interest at the head of the spam conspiracy, not the middle men) becomes known.
Why don't some people get together, and make a petition type thing, like saying, that if this happens, all the signers will block .mail emails from their mail server. It might encourage some companies and organizations who would be for it to reconsider if their emails will be blocked by quite a few people.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
This won't do any good; it's a whitelist that ISPs will have to pay to be listed on. The problem with that is the ISP's users will still spam if they want to. It doesn't prevent forging headers, so it won't stop spam.
What will happen when a subscribing ISP's customers send spam? The ISP will be notified, and told that if they don't cancel the user they'll be removed from the whitelist. Blacklists operate under the same premise, and we're still looking for better ways to stop spam. What would make a whitelist any better?
I work for an ISP, and our users are told before signing up for service that we don't tolerate spamming of any sort. That doesn't stop them from spamming, it just gives us a legal excuse for deleting their accounts when they do.
Common sense is not so common.
On the other hand, the $2000 a year fee isn't going to do jack. Those who send spam do so because it's really darn profitable. To them, the $2000 a year is peanuts. To a service provider who can barely make ends meet and wants to expand its quality of service and options for customers, $2000 may be the difference between breaking even and going bankrupt. That's kind of like trying to protect individual inventors working in their basement by making the patent fees $200,000 or something. That'll only serve to accomplish the opposite of the intended result.
The bottom line is this: Make it difficult for spammers, not for legitimate users. A certain standard should be devised that includes technical as well as contractual devices to make it extremely difficult for any spammer to last any time at all on the .mail TLD. And mail received from non-.mail TLDs could automatically go into a "bulk mail" folder, or would not be downloaded from the server at all, except for the "From:" address and perhaps a digital signature, so the user (or his filters) can decide what to do with that information. And maybe that needs to happen with ALL mail, not just non-.mail TLD mail.
Let em have their fun. .mail tld validation can be yet another test that my SpamAssassin installation will use to determine how likely mail is to be spam. If they implement it well, then the test will even get a largish score over the long haul...
installed, you don't have to update your content filters, or keep doing challenge-response. Each domain is responsible for publishing and maintaining its own SPF records, but that
not much of a burden at all.
All the people who are complaining about running a small set of domains and not being able to afford $2000 are missing the point.
This is designed to force all mail to go through the .mail TLD. If you run a small set of domains, you'll need to get mail service (even if it's just forwarding your mail through one of their servers) from someone with a .mail domain. Yes, this makes the net more hierarchical than it is now, but that's the whole idea: a hierarchical system can enforce rules, and we clearly need some rules to break the spammers.
Now, I'm not sure this is the best way to do it. But it certainly seems like it could be effective.
-esme
You kinky mathematicians...
The US laws against internet gambling are fairly inappropriate, constitutionally, but it's especially easy to firewall your way around US-based spam laws by using a couple of foreign corporations. You don't need to be personally responsible for spamming - some foreign corporation can do it, and they can also hire you to provide them with perfectly legal services that seem to use up most of their profits from spamming. And you don't even need to go offshore - you spend $100 to set up a Delaware corporation, and you don't do the spamming, the corporation does, and if it gets caught, well, bummer, John Ashcroft can burn its corporate papers at the stake at high noon and you're still not in jail. (OK, you've got to spend another $100 for your next spammer-shell, but you've gotten your couple of thousand dollars cut from selling fake Viagra pills to the hundred suckers who fell for your 10,000,000-message spam.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
... to me that the people behind the proposal are complete morons.
As someone pointed out in a thread above there is no good reason to just use a reverse blacklist (like DNSRBL et al.) which identifies certain senders as non-spammers instead of identifying them as spammers.
"[...] set up to be more robust and attack resistant [...]". Oh please. If you get $2k from each and every person/corp. in your whitelist you sure as hell can afford some professional DNS hosting for your whitelist.
HAND.
Every ISP will have to provide some pass-through SMTP server for home users, this mail server will be registered as a .mail server.
Most ISPs already do have such servers.
Add some virus filters for Microsoft-worm-of-the-week and E-mail begins to make sense again.
-- From Denmark
SMTP + SPF identify the sender as being who he says he is.
If the sender happens to be a spammer with an SPF record, it'll pass all the tests.
This proposal adds to an SPF type deal. Now e-mail will not only identify the sender as being who he says he is, but will say "he's not a spammer either".
Now one can let the e-mail pass. I know if all the list-mail sent to our boxes didn't have to churn through Spam-Assassin and our own Procmail traps, it'd save mucho time.
Do you think anyone, even the richest spammer could afford $2000 each time he wants to spam for a few minutes? Did you see where the spammer does not control the domain, but the anti-spammers do? Hell, they'll have their hands on both the spammer's wallet AND on his "peanuts"! One mistake, and they put the squeeze on both! Me likes!
Well, I guess I won't be able to run my own mail server anymore... I guess I'll have to leave that to big greedy corporations who can afford $2k a year for the privilege... oh, and BTW, email will no longer be free, either, because that cost will be recouped...
YET ANOTHER instance of something open and free being handed over to corporate america for its exploitation...
just charging 2000 $ won't stop the spam problem, when someone is caught spamming the domain has to be dropped.
then again, why can't we drop .com, .net, .org or any other domain name when a spammer is caught?
if spammers can afford to hop isps every few days they can surely afford the $2000 a year for the .mail domain. This top level domain is worthless and should be shot down before it even gets anywhere.
Well, if you run a mail server, you should know how to make it relay via your ISP's passthrough server. Which must have a .mail name, if it wants to be able to send mail to me.
If you spam me, I'll complain to your ISP - simple to find from the headers - and the ISP will handle your case appropriately.
What will be a thing of the past is hijacked xDSL PCs which are doing mail-zombie work. They don't have a .mail domain - sorry, blocked by default.
-- From Denmark
The Internet is not e-mail! It is completely inappropriate to base the DNS name of your organization on what is effectively a content label specific to one particular service. This is the same reason .kids and .xxx are bad.
Heck, let's say I run a porn service, and want to take advantage of this mail feature. I now have to use two different DNS domains? That's stupid.
Just as PICS can give you digitally-signed content ratings for the web, some other service can give you digitally-signed ratings/labels for e-mail. Extend SMTP to, perhaps, operate over TLS or SSL, or at least perform some sort of mutual check that both sides have a SpamHaus certificate that says they're not a spammer, and you can possibly "secure" the connection.
Or just digitally sign your e-mail messages and only accept digitally-signed e-mail. Tweak your trust relationships (for PGP-style signatures) or drop your trust from any roots that are seen to sponsor spammers, and you're all set.
SPF does this too, but spammers can have SPF records, in fact if it gets popular, most will.
Today, 99% of spam is delivered with a forged MAIL FROM value, precisely what spf stops. You say spammers will get SPF records: let them - we'll know their real domains, which we can then blacklist, and which will make tracking them down for legal action that much easier, and having to register a new domain for every two or three spamming runs will change the cost/benefit analysis to spammers - and that will make a difference.
Money!!!
And does anyone other than spammers know if $2000 per spam run will actually cut out the profits in the game?
If not, the people getting the $2000 per domain have just found a way to tax the spam industry $2000 per spam run.
Should I do the 1, 2, 3, profit joke here?
This is a BAD IDEA.
A Nony Mouse
I receive maybe 5 spams a day, which are almost all caught by spamassassin. It's not hard to keep it down to that, if you are careful about how you handle your email addresses.
I'd much rather stick with the status quo, than have to pay $2000 for running a mail server.
Everyone and their dog provides email service, if this address isn't anything other than like the .arpa tld, it will fail totally.
Perhaps might have hot.mail and yahoo.mail, but I can't see any others signing up for it.
Full story at http://www.intechcomm.net.au
Originally posted 28/1/04.
Copyright Joshua Leisk. This article may be reproduced, provided it is reproduced in its entirety, without alteration.
I am posting this story, as the .mail TLD and related concept is remarkably similar to a patent I filed in Australia and it could be the answer to all our email problems, if a few changes are made:
SPAM. Currently unsolicited email from less than 0.2% of the online community wastes time and impacts the productivity of the other 99.8%, as well as impeding network bandwidth and creating traffic costs. SPAM represents over 65% of all email sent.
EMAIL VIRUSES. Mass-mailing viruses cause significant financial damage to organisations and individuals alike. At least 60% of all the services my IT outsourcing company currently performs is virus-related.
I think we have all come to the realization that the problem in eliminating SPAM and email viruses, is that even though it is impossible to verify the legitimacy of all email being exchanged, we still accept mail from any software capable of transmitting mail, as though it were a trusted source of information! Many mail servers are flawed by inept security and administrators, many countries have no anti-SPAM laws, every successful mass-mailing virus has its own SMTP engine and of course we suffer the deliberately configured SPAM email servers employed by dodgy SPAM 'barons' every day to solicit millions of people to buy dodgy 'Viagra', dodgy University degrees and enough porn to humble a veteran pornographic movie star - all for the sake of making a dishonest dollar at everybody else's expense.
The simple fact is, you cannot prevent the shady 0.2% of the online community from targeting the remaining 99.8% of us without a global mail exchanging system that has zero-tolerance for unsolicited mail and an effective way of globally policing the system. Message filtering and 'real-time block lists' will never provide an effective solution, because it is a never-ending race to identify, report and 'block' SPAM and 'rogue' mail servers, which then merely rise like a 'phoenix from the ashes' hours later, under a new domain name, or a new IP address, when shut down by Internet authorities. Currently SPAM recipients are always one step behind the SPAM senders and feeling helpless to their plight. Why should we allow ourselves to be victims of our flawed technology, allowing rogue mail servers to financially impair the rest of the Internet community?
When SPAM and viruses already make up more than 50% of all email sent, it becomes more logical and far simpler to protect the legitimate email, rather than trying to filter the illegitimate email!
The only way to permanently eliminate SPAM and email viruses is to establish a mail server authority to register and regulate email servers, in much the same way as the Domain Name System, thus allowing enforceability, financial accountability and liability to those who SPAM, or allow SPAM to propagate. You need a license to own a gun or anything else capable of significantly impacting others, so why not an email server? Currently, Australians pay an average $45 per year to register a '.com.au' domain name, as well as the additional hosting fees to facilitate the DNS system and traffic caused by it, thus creating orderly domain name management. We wouldn't tolerate chaos and anarchy in the Domain Name System, so why should the email system be any different?
I propose that we MUST construct a global registry of certified closed-relay, 'spoof'-proof email servers, married to the verified details of the server's owner, who are possibly placed under a financial security bond, depending on the age of the domain name and previous history, to operate it SPAM-free and then prevent all 'registered' email servers from receiving email from any 'unregistered' email server (or be cleaned and filed separately - see "'Softer' Variation of the Concept"), or accepting email client submi
While true, the .mail proposal would make use of the DNS service, which is relatively secure, distributed, reliable, and fairly efficient. That helps avoid problems with DOS attacks, which spammer-listing sites have suffered from.
Also, it gives an immediately obvious and effective place to complain about abuse. You just complain about foobar.com to abuse@foobar.com.mail, and the arbiters at .mail get the message, not the perpetrators at foobar.com.
Yes, that's the penalty - if you allow spam to be sent from the mailserver you promised to never send spam from, the mailservers for that domain will no longer be publicized as being spam-free (because they're not).
Several things slow the spammer down, if not stop him. First he must have already owned the "key" domain (e.g. "foobar.com") for six months before he is allowed to get the corresponding .mail domain ("foobar.com.mail"). Second, the WHOIS info for both foobar's is investigated by the .mail organization for validity (in several ways unclear to me). Third, the anti-spammers controlling .mail may use measures like spam honeypots and being eagle-eyed to make sure that $2000 doesn't get him much return. The economics of buying throwaway .mail domains aren't likely to pay off.
They hedge some on whether ISPs will do this. They suggest the ISP will have to have tight limits on the number of emails that can be sent by their customers (at least through the ISP's trusted mailserver).
The vetting of the WHOIS info is meant in part to make this difficult. You're not going to get many .mail domains under the same or similar registrations.
I don't know the extent of the checking, but maybe a spammer would have to set up a new front-person and address as well as domain every three days and maintain each set for 6 months to get a pipeline of throwaway .mail domains. That doesn't seem too likely, especially by a spam-friendly ISP.
Yes, but I don't think anyone views this as the only way to send mail or fight spam. You can always send without involving .mail; your message w
Sure, that's more expensive than a free yahoo account or a forged address pretending to be at yahoo, but it's still basically free and highly disposable. It's less than the cost of a list of N million freshly verified opt-in spam-free email addresses, and it's less than the profit on that first bottle of fake herbal Viagra you get some sucker to buy.
SPF doesn't try to guarantee that a given domain is ok - only that mail claiming to be from that domain probably is from that domain. If that's a domain you recognize, that may be meaningful; if it's a domain you don't recognize, it's not highly meaningful. Smalltime spammers aren't going to pay $2K for a Spamhaus certificate, partly because they often don't have the money and partly because they aren't sure it'll make them enough additional profit to justify it; they'll probably pay $10 for yet another new domain name. On the other hand, big legitimate bulk emailers (like commercial newsletter publishers, or product-support mail) might very well pay $2K because they hope to save that much money on email administrator time due to reduced bounces, plus they'll be able to support more paying customers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
A patent? On this?! Will you patent the wheel & fire next?
It is? This idea is so wrong in SO many ways! Is this post a troll?
Where did you get this #? Other than out of your arse?
Who are these "Internet authorities?" Do they have flashy-badges?
You work for the Gestapo don't you?!
So sending email is like shooting people? Some aren't even sure a license to own a gun is a good idea.
"MUST"? So no other idea before or after yours will have merit?
Wow! You really want to kill email to save it huh?
Wow, "contracts with users", why didn't anyone else think of that. Vile spammers would NEVER break a contract. This MUST be a troll post right?
I await your plan to "bind" spammers to any authority's rules!
So, no email can flow out of a server without a "(suggested) US$2500+" bond? Hey, why not take 10 years per-capita income from some poor Asian nation's ISP. You work for the tax department don't you?
So EVERY client software must now be changed? You work for Micro$oft don't you? How about changing the operating systems too?!
Oh my... yeah, as if admins aren't busy enough, now they must answer every request from the unwashed masses of users who wish to send 51 christmas cards... ouch, that smarts!
So EVERY server software must now be changed? You DO work for Micro$oft don't you?
Every email is tagged with some special ID huh? You work for the NSA don't you?
Uh, open relays account for less than
Ah, finally, the "let's break SMTP" part. We all knew it was coming didn't we!?
I am going to take the time to address each of those comments, pointless and flamebait as most of them are:
... enforceability, financial accountability and liability"
... so why not an email server"
... sent from an unregistered email server, it is simply rejected "
"a patent I filed in Australia"
A patent? On this?! Will you patent the wheel & fire next?
JL> I patented this before I discovered that bondedsender.com or any other similar concept existed. I believe Microsoft has patented the 'Caller-ID' concept, also. I know a lot of people don't like software patents, but until a better way of rewarding inventors is created, what else is there? This is capitalism, not communism, you know.
___
"the answer to all our email problems"
It is? This idea is so wrong in SO many ways! Is this post a troll?
JL> So list them. If you take the time to read the whole concept details, you will see its fair for everybody EXCEPT the spammers and email virus creators.
___
"Currently unsolicited email from less than 0.2%"
Where did you get this #? Other than out of your arse?
JL> Do the maths. The bulk of the world's spam is apparently sent from less than 5000 people. There are over 36 million domain names registered.
___
"when shut down by Internet authorities"
Who are these "Internet authorities?" Do they have flashy-badges?
JL> The sender's ISPs, real-time block lists, government and law enforcement. I believe there are already lawsuits commenced under the CAN-SPAM act in the USA.
___
" register and regulate
You work for the Gestapo don't you?!
JL> Next you'll tell me you don't believe the DNS is a good thing. I'm not proposing anything significantly different.
___
"need a license to own a gun
So sending email is like shooting people? Some aren't even sure a license to own a gun is a good idea.
JL> Do you have ANY idea what the world currently spends to deal with viruses and spam? Do you register your car? Do you have a drivers' license? Do you have a problem with laws and regulation? What's wrong with a gun license? Wouldn't you like to know that someone who owns a gun is adult and responsible and not some psychopath or homicidal maniac?
___
"MUST construct a global registry"
"MUST"? So no other idea before or after yours will have merit?
JL> Everything has merit. However, sender accountability is the *only* long-term solution. Besides, without a register of mail servers, how else can you permanently get rid of email viruses?
___
"email
Wow! You really want to kill email to save it huh?
JL> SMTP was originally designed for academics and the military. Spam and email viruses came much later. If SMTP had been created with any prior knowledge of the commercialisation of the Internet, it would have been made more secure to start with. Besides, I have also detailed a method that allows the email to be received, yet processed in such a way that it presents no harm to the recipient other than potentially wasting the user's time deleting spam.
___
"The mail server owner(s) should also enter into a contract with its users"
Wow, "contracts with users", why didn't anyone else think of that. Vile spammers would NEVER break a contract. This MUST be a troll post right?
JL> You already agreed to some sort of 'Terms and Conditions' when you joined up with your ISP. This is merely a modification of those terms. In some ISPs' cases, those terms are already included.
___
"binding them to abide by the mail server authority's rules"
I await your plan to "bind" spammers to any authority's rules!
JL> If they are known and accountable, why not? Isn't that the basis of all law?
___
"required the new owner to supply a security bond of (suggested) US$2500+"
So, no email can flow out of a server without a "(suggested) US$2500+" bond? Hey, why not take 10 years per-capita income from some poor asian